fix Plugin Check findings 1

escape translations and user input
rolandbaer · Nov 11, 2024 · aa83790 · aa83790
1 parent 7b0fcc4
commit aa83790
Showing 1 changed file with 36 additions and 28 deletions.
diff --git a/src/simple-matomo-tracking-code.php b/src/simple-matomo-tracking-code.php
@@ -66,7 +66,7 @@ static function config_page() : void {
 			}
 
 			if ( isset($_POST['submit']) ) {
-				if ( ! current_user_can('manage_options') ) die(__('You cannot edit the Simple Matomo Tracking Code options.', 'simple-matomo-tracking-code'));
+				if ( ! current_user_can('manage_options') ) die(esc_html__('You cannot edit the Simple Matomo Tracking Code options.', 'simple-matomo-tracking-code'));
 				check_admin_referer('analyticspp-config');
 				$siteid = SMTC_Admin::sanitize_siteid($_POST['siteid']);
 				if( $siteid> 0 ) {
@@ -99,75 +99,78 @@ static function config_page() : void {
 			$options  = get_option('MatomoAnalyticsPP');
 			?>
 			<div class="wrap">
-				<h2><?php _e('Simple Matomo Tracking Code', 'simple-matomo-tracking-code'); ?></h2>
+				<h2><?php esc_html_e('Simple Matomo Tracking Code', 'simple-matomo-tracking-code'); ?></h2>
 				<form action="" method="post" id="analytics-conf">
 					<?php
 					if ( function_exists('wp_nonce_field') )
 						wp_nonce_field('analyticspp-config');
 					?>
 
 					<p>
-						<?php _e("Matomo, formerly known as Piwik, is a downloadable web analytics software platform free of charge under the GPL license.", 'simple-matomo-tracking-code'); ?>
+						<?php esc_html_e("Matomo, formerly known as Piwik, is a downloadable web analytics software platform free of charge under the GPL license.", 'simple-matomo-tracking-code'); ?>
 						<br />
-						<?php _e('If you don\'t have Matomo installed, you can get it at <a href="https://matomo.org/">matomo.org</a>.', 'simple-matomo-tracking-code'); ?>
+						<?php printf(
+							esc_html__('If you don\'t have Matomo installed, you can get it at %1$s.', 'simple-matomo-tracking-code'),
+							'<a href="https://matomo.org/">matomo.org</a>');
+						?>
 					</p>
 
 					<table class="form-table" style="width:100%;">
 					<tr>
 						<th scope="row" valign="top">
-							<label for="siteid"><?php _e('Matomo site ID', 'simple-matomo-tracking-code'); ?></label>
+							<label for="siteid"><?php esc_html_e('Matomo site ID', 'simple-matomo-tracking-code'); ?></label>
 						</th>
 						<td>
-							<input id="siteid" name="siteid" class="small-text" type="number" size="3" maxlength="4" value="<?php echo $options['siteid']; ?>" /><br/>
+							<input id="siteid" name="siteid" class="small-text" type="number" size="3" maxlength="4" value="<?php echo esc_html( $options['siteid'] ); ?>" /><br/>
 							<div id="expl">
 								<p>
-								<?php _e('In the Matomo interface, when you "Add Website" you are shown a piece of JavaScript that you are told to insert into the page, in that script is a unique string that identifies the website you just defined, that is your site ID (usually "1").', 'simple-matomo-tracking-code'); ?>
+								<?php esc_html_e('In the Matomo interface, when you "Add Website" you are shown a piece of JavaScript that you are told to insert into the page, in that script is a unique string that identifies the website you just defined, that is your site ID (usually "1").', 'simple-matomo-tracking-code'); ?>
 								</p>
 								<p>
-								<?php _e('Once you have entered your site ID in the box above your pages will be trackable by Matomo Web Analytics.', 'simple-matomo-tracking-code'); ?>
+								<?php esc_html_e('Once you have entered your site ID in the box above your pages will be trackable by Matomo Web Analytics.', 'simple-matomo-tracking-code'); ?>
 								</p>
 							</div>
 						</td>
 					</tr>
 					<tr>
 						<th scope="row" valign="top">
-							<label for="dltracking"><?php _e('Track downloads', 'simple-matomo-tracking-code'); ?></label><br/>
-							<small><?php _e('(default is YES)', 'simple-matomo-tracking-code'); ?></small>
+							<label for="dltracking"><?php esc_html_e('Track downloads', 'simple-matomo-tracking-code'); ?></label><br/>
+							<small><?php esc_html_e('(default is YES)', 'simple-matomo-tracking-code'); ?></small>
 						</th>
 						<td>
 							<input type="checkbox" id="dltracking" name="dltracking" <?php if ( $options['dltracking'] ) echo ' checked="unchecked" '; ?>/> 
 						</td>
 					</tr>
 					<tr>
 						<th scope="row" valign="top">
-							<label for="matomo_host"><?php _e('Hostname of the matomo server (optional)', 'simple-matomo-tracking-code'); ?></label>
+							<label for="matomo_host"><?php esc_html_e('Hostname of the matomo server (optional)', 'simple-matomo-tracking-code'); ?></label>
 						</th>
 						<td>
-							<input id="matomo_host" name="matomo_host" type="text" size="40" maxlength="99" value="<?php echo $options['matomo_host']; ?>" /><br/>
+							<input id="matomo_host" name="matomo_host" type="text" size="40" maxlength="99" value="<?php echo esc_html( $options['matomo_host'] ); ?>" /><br/>
 							<div id="expl3">
 								<p>
-								<?php _e('Example: www.yourdomain.com -- Leave blank (default) if this is the same as your website. Do NOT include the http(s):// bit.', 'simple-matomo-tracking-code'); ?>
+								<?php esc_html_e('Example: www.yourdomain.com -- Leave blank (default) if this is the same as your website. Do NOT include the http(s):// bit.', 'simple-matomo-tracking-code'); ?>
 								</p>
 							</div>
 						</td>
 					</tr>
 					<tr>
 						<th scope="row" valign="top">
-							<label for="matomo_baseurl"><?php _e('Base URL path of matomo installation', 'simple-matomo-tracking-code'); ?></label>
+							<label for="matomo_baseurl"><?php esc_html_e('Base URL path of matomo installation', 'simple-matomo-tracking-code'); ?></label>
 						</th>
 						<td>
-							<input id="matomo_baseurl" name="matomo_baseurl" type="text" size="40" maxlength="99" value="<?php echo $options['matomo_baseurl']; ?>" /><br/>
+							<input id="matomo_baseurl" name="matomo_baseurl" type="text" size="40" maxlength="99" value="<?php echo esc_html( $options['matomo_baseurl'] ); ?>" /><br/>
 							<div id="expl2" style="display:none;">
 								<p>
-								<?php _e("The URL path to the matomo installation. E.g. /matomo/ or /stats/. Don't forget the trailing slash!", 'simple-matomo-tracking-code'); ?>
+								<?php esc_html_e("The URL path to the matomo installation. E.g. /matomo/ or /stats/. Don't forget the trailing slash!", 'simple-matomo-tracking-code'); ?>
 								</p>
 							</div>
 						</td>
 					</tr>
 					<tr>
 						<th scope="row" valign="top">
-							<label for="admintracking"><?php _e('Track the admin user too', 'simple-matomo-tracking-code'); ?></label><br/>
-							<small><?php _e('(default is not to)', 'simple-matomo-tracking-code'); ?></small>
+							<label for="admintracking"><?php esc_html_e('Track the admin user too', 'simple-matomo-tracking-code'); ?></label><br/>
+							<small><?php esc_html_e('(default is not to)', 'simple-matomo-tracking-code'); ?></small>
 						</th>
 						<td>
 							<input type="checkbox" id="admintracking" name="admintracking" <?php if ( $options['admintracking'] ) echo ' checked="checked" '; ?>/> 
@@ -181,8 +184,13 @@ static function config_page() : void {
 				$matomo_url = SMTC_Admin::build_matomo_url($options);
 				printf(
 					/* translators: %s: URL of the Matomo installation */
-					__('All options set? Then <a href="%s" title="Matomo admin url" target="_blank">check out your stats</a>!', 'simple-matomo-tracking-code'),
-					$matomo_url
+					esc_html__('All options set? Then %1$s!', 'simple-matomo-tracking-code'),
+					sprintf(
+						'<a href="%s" title="%s" target="_blank">%s</a>',
+						esc_url($matomo_url),
+						esc_html__('Matomo admin url', 'simple-matomo-tracking-code'),
+						esc_html__('check out your stats', 'simple-matomo-tracking-code')
+					)
 				);
 				?>
 			</div>
@@ -203,16 +211,16 @@ static function config_page() : void {
 		static function success() : void {
 			echo "
 			<div id='analytics-warning' class='updated'><p><strong>";
-			_e('Simple Matomo Tracking Code Configuration successfully updated.', 'simple-matomo-tracking-code');
+			esc_html_e('Simple Matomo Tracking Code Configuration successfully updated.', 'simple-matomo-tracking-code');
 			echo "</strong></p></div>";
 		}
 
 		static function warning() : void {
 			echo "
 			<div id='analytics-warning' class='notice notice-warning'><p><strong>";
-			_e('Matomo Web Analytics is not active.', 'simple-matomo-tracking-code');
+			esc_html_e('Matomo Web Analytics is not active.', 'simple-matomo-tracking-code');
 			echo "</strong> ";
-			_e('You must enter your site ID for it to work.', 'simple-matomo-tracking-code');
+			esc_html_e('You must enter your site ID for it to work.', 'simple-matomo-tracking-code');
 			echo "</p></div>";
 		}
 
@@ -268,15 +276,15 @@ static function spool_analytics() : void {
 			if ( $options["siteid"] != "" && (!current_user_can('edit_users') || $options["admintracking"]) && !is_preview() ) {
 				$matomo_url = SMTC_Admin::build_matomo_url($options);
 
-				$link_tracking = "";
+				$link_tracking_safe = "";
 				if ( $options["dltracking"] ) {
-					$link_tracking = "_paq.push(['enableLinkTracking']);";
+					$link_tracking_safe = "_paq.push(['enableLinkTracking']);";
 				}
 
 				$transitions = array(
-					"{MATOMO_URL}" => $matomo_url,
-					"{IDSITE}" => $options["siteid"],
-					"{LINK_TRACKING}" => $link_tracking);
+					"{MATOMO_URL}" => esc_html( $matomo_url ),
+					"{IDSITE}" => esc_html( $options["siteid"] ),
+					"{LINK_TRACKING}" => $link_tracking_safe );
 				echo strtr($script_template, $transitions);
 			}
 		}