Bugfix/escaping

crm-system.php

@@ -12,6 +12,10 @@
 // Exit if accessed directly
 if ( !defined( 'ABSPATH' ) ) exit;
 
+// Ignoring the following warnings for this file. We need to use direct database query but rest assured, we are using it in a safe way.
+// phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery
+// phpcs:disable WordPress.DB.DirectDatabaseQuery.NoCaching
+
 /**
  * Basic plugin definitions 
  * 

includes/admin/class-dx-crm-roadmap-tracker.php

@@ -10,6 +10,10 @@
 // Exit if accessed directly
 if ( !defined( 'ABSPATH' ) ) exit;
 
+// Ignoring the following warnings for this file. We need to use direct database query but rest assured, we are using it in a safe way.
+// phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery
+// phpcs:disable WordPress.DB.DirectDatabaseQuery.NoCaching
+
 Class DX_CRM_ROADMAP_TRACKING{
 
 	/**

includes/admin/forms/crm-activity-log.php

@@ -12,16 +12,16 @@
 global $current_user, $dx_crm_roadmap;
 ?>
 <div class="wrap">
-	<h1><?php _e( 'Activity Log', 'dxcrm' ); ?></h1>	
-	<p><?php _e( 'All Projects progress and updates', 'dxcrm' ); ?></p>
+	<h1><?php esc_html_e( 'Activity Log', 'dxcrm' ); ?></h1>	
+	<p><?php esc_html_e( 'All Projects progress and updates', 'dxcrm' ); ?></p>
 	<?php
 		global $dx_crm_roadmap;
 
 		//  && wp_verify_nonce( $_POST['filter-nonce-activity-log'], 'activity-log-filter' ) )
 
 		if ( ( ( isset( $_POST['month'] ) || isset( $_POST['user'] ) ) && ( ! isset( $_POST['filter-nonce-activity-log'] ) || ! wp_verify_nonce( $_POST['filter-nonce-activity-log'], 'activity-log-filter' ) ) || ( isset( $_POST['s'] ) && ( ! isset( $_POST['search-nonce-activity-log'] ) || ! wp_verify_nonce( $_POST['search-nonce-activity-log'], 'activity-log-search' ) ) ) )
 		) {
-			echo __( 'Problem occurred! Please try again.', 'dxcrm' );
+			echo esc_html__( 'Problem occurred! Please try again.', 'dxcrm' );
 			exit();
 		}
 
@@ -89,7 +89,7 @@
 			 * @since 1.0.0
 			*/
 			if ( $page_links ) {
-				echo '<div class="pagination"><span class="pagination">' . $roadmap_count . __( ' items', 'dxcrm' ) . '</span>' . $page_links . '</div>';
+				echo '<div class="pagination"><span class="pagination">' . esc_html( $roadmap_count ) . esc_html__( ' items', 'dxcrm' ) . '</span>' . wp_kses_post( $page_links ) . '</div>';
 			}
 
 			do_action( 'dx_crm_roadmap_filters', 10 );
@@ -123,7 +123,7 @@
 			}	
 			$html .= '</table><br />';
 
-			echo $html;
+			echo wp_kses_post( $html );
 
 			/**
 			 * Display pagination only if there's data
@@ -132,7 +132,7 @@
 			 * @since 1.0.0
 			*/
 			if ( $page_links ) {
-			    echo '<div class="pagination"><span class="pagination">' . $roadmap_count . __( ' items', 'dxcrm' ) . '</span>' . $page_links . '</div>';
+			    echo '<div class="pagination"><span class="pagination">' . esc_html( $roadmap_count ) . esc_html__( ' items', 'dxcrm' ) . '</span>' . wp_kses_post( $page_links ) . '</div>';
 			}
 		} else {
 			/**
@@ -151,7 +151,7 @@
 			 * @since 1.0.0
 			 */
 			$log_message = isset( $_GET['s'] ) ? __( 'No log found!', 'dxcrm' ) : __( 'Roadmap tracking is empty!', 'dxcrm' ) ;			
-			printf( '<div class="activity-log-error"><p>%s</p></div>', $log_message );
+			printf( '<div class="activity-log-error"><p>%s</p></div>', esc_html( $log_message ) );
 		}
 	?>
 </div>

includes/admin/forms/crm-add-company-popup.php

@@ -17,22 +17,32 @@
 <div class="dx-crm-comp-popup-content">
 
 	<div class="dx-crm-comp-header">
-		<div class="dx-crm-comp-header-title"><?php _e( 'Add New Company', 'dxcrm' );?></div>
-		<div class="dx-crm-comp-popup-close"><a href="javascript:void(0);" class="dx-crm-comp-close-button"><img src="<?php echo DX_CRM_IMG_URL;?>/tb-close.png" title="Close"></a></div>
+		<div class="dx-crm-comp-header-title"><?php esc_html_e( 'Add New Company', 'dxcrm' ); ?></div>
+		<div class="dx-crm-comp-popup-close">
+			<a href="javascript:void(0);" class="dx-crm-comp-close-button">
+				<img src="<?php echo esc_url( DX_CRM_IMG_URL ); ?>/tb-close.png" title="<?php esc_attr_e( 'Close', 'dxcrm' ); ?>">
+			</a>
+		</div>
 	</div>
 
 	<div class="dx-crm-comp-popup">
 		<div class="dx-crm-comp-add-company-title">
 			<div>
-				<label for="dx_crm_company_title"><?php _e( 'Enter Company Title', 'dxcrm' );?></label>
+				<label for="dx_crm_company_title"><?php esc_html_e( 'Enter Company Title', 'dxcrm' ); ?></label>
 				<input type="text" class="dx_crm_company_title_text" name="dx_crm_company_title" id="dx_crm_company_title" size="31">
 			</div>
-			<div class="dx-crm-comp-title-error"><?php _e('Please Enter title for Company', 'dxcrm') ?></div>
+			<div class="dx-crm-comp-title-error"><?php esc_html_e( 'Please Enter title for Company', 'dxcrm' ); ?></div>
 
-			<div class="dx-crm-comp-title-success"><?php _e('Company Added Successfully.', 'dxcrm') ?></div>
+			<div class="dx-crm-comp-title-success"><?php esc_html_e( 'Company Added Successfully.', 'dxcrm' ); ?></div>
 			<div>
-				<input type="button" class="dx_crm_add_company_button button" id="dx_crm_add_company_button" value="Add Company" />		
-				<input type="button" class="dx_crm_add_more_company_button button" id="dx_crm_add_more_company_button" value="Save and Add More" />				
+				<input type="button" 
+					   class="dx_crm_add_company_button button" 
+					   id="dx_crm_add_company_button" 
+					   value="<?php esc_attr_e( 'Add Company', 'dxcrm' ); ?>" />		
+				<input type="button" 
+					   class="dx_crm_add_more_company_button button" 
+					   id="dx_crm_add_more_company_button" 
+					   value="<?php esc_attr_e( 'Save and Add More', 'dxcrm' ); ?>" />				
 			</div>			
 		</div>		
 	</div><!--.edd-points-popup-->

includes/admin/forms/crm-add-customer-popup.php

@@ -17,26 +17,26 @@
 <div class="dx-crm-cust-popup-content">
 
 	<div class="dx-crm-cust-header">
-		<div class="dx-crm-cust-header-title"><?php _e( 'Add New Customer', 'dxcrm' );?></div>
-		<div class="dx-crm-cust-popup-close"><a href="javascript:void(0);" class="dx-crm-cust-close-button"><img src="<?php echo DX_CRM_IMG_URL;?>/tb-close.png" title="Close"></a></div>
+		<div class="dx-crm-cust-header-title"><?php esc_html_e( 'Add New Customer', 'dxcrm' );?></div>
+		<div class="dx-crm-cust-popup-close"><a href="javascript:void(0);" class="dx-crm-cust-close-button"><img src="<?php echo esc_url( DX_CRM_IMG_URL );?>/tb-close.png" title="<?php esc_html_e( 'Close', 'dxcrm' );?>"></a></div>
 	</div>
 
 	<div class="dx-crm-cust-popup">
 		<div class="dx-crm-cust-add-customer-title">
 			<div>
-				<label for="dx_crm_customer_title"><?php _e( 'Enter Customer Title', 'dxcrm' );?></label>
+				<label for="dx_crm_customer_title"><?php esc_html_e( 'Enter Customer Title', 'dxcrm' );?></label>
 				<input type="text" class="dx_crm_customer_title_text" name="dx_crm_customer_title" id="dx_crm_customer_title" size="31">
 			</div>
-			<div class="dx-crm-cust-title-error"><?php _e('Please Enter title for customer', 'dxcrm') ?></div>
+			<div class="dx-crm-cust-title-error"><?php esc_html_e('Please Enter title for customer', 'dxcrm') ?></div>
 			<br /><div>
-				<label for="dx_crm_customer_email"><?php _e( 'Enter Customer Email', 'dxcrm' );?></label>
+				<label for="dx_crm_customer_email"><?php esc_html_e( 'Enter Customer Email', 'dxcrm' );?></label>
 				<input type="text" class="dx_crm_customer_email_text" name="dx_crm_customer_email" id="dx_crm_customer_email" size="31">
 			</div>			
-			<div class="dx-crm-cust-email-error"><?php _e('Please Enter email for customer', 'dxcrm') ?></div>
-			<div class="dx-crm-cust-title-success"><?php _e('Customer Added Successfully.', 'dxcrm') ?></div>
+			<div class="dx-crm-cust-email-error"><?php esc_html_e('Please Enter email for customer', 'dxcrm') ?></div>
+			<div class="dx-crm-cust-title-success"><?php esc_html_e('Customer Added Successfully.', 'dxcrm') ?></div>
 			<div>
-				<input type="button" class="dx_crm_add_customer_button button" id="dx_crm_add_customer_button" value="Add customer" />
-				<input type="button" class="dx_crm_add_more_customer_button button" id="dx_crm_add_more_customer_button" value="Save and Add More" />			
+				<input type="button" class="dx_crm_add_customer_button button" id="dx_crm_add_customer_button" value="<?php esc_html_e( 'Add customer', 'dxcrm' ); ?>" />
+				<input type="button" class="dx_crm_add_more_customer_button button" id="dx_crm_add_more_customer_button" value="<?php esc_html_e( 'Save and Add More', 'dxcrm' ); ?>" />			
 			</div>			
 		</div>		
 	</div><!--.edd-points-popup-->

includes/admin/forms/crm-add-project-popup.php

@@ -17,21 +17,21 @@
 <div class="dx-crm-pro-popup-content">
 
 	<div class="dx-crm-pro-header">
-		<div class="dx-crm-pro-header-title"><?php _e( 'Add New Project', 'dxcrm' );?></div>
-		<div class="dx-crm-pro-popup-close"><a href="javascript:void(0);" class="dx-crm-pro-close-button"><img src="<?php echo DX_CRM_IMG_URL;?>/tb-close.png" title="Close"></a></div>
+		<div class="dx-crm-pro-header-title"><?php esc_html_e( 'Add New Project', 'dxcrm' );?></div>
+		<div class="dx-crm-pro-popup-close"><a href="javascript:void(0);" class="dx-crm-pro-close-button"><img src="<?php echo esc_url( DX_CRM_IMG_URL ); ?>/tb-close.png" title="<?php esc_attr_e( 'Close', 'dxcrm' ); ?>"></a></div>
 	</div>
 
 	<div class="dx-crm-pro-popup">
 		<div class="dx-crm-pro-add-project-title">
 			<div>
-				<label for="dx_crm_project_title"><?php _e( 'Enter Project Title', 'dxcrm' );?></label>
+				<label for="dx_crm_project_title"><?php esc_html_e( 'Enter Project Title', 'dxcrm' );?></label>
 				<input type="text" class="dx_crm_project_title_text" name="dx_crm_project_title" id="dx_crm_project_title" size="33">
 			</div>
-			<div class="dx-crm-pro-title-error"><?php _e('Please Enter title for Project', 'dxcrm') ?></div>
-			<div class="dx-crm-pro-title-success"><?php _e('Project Added Successfully.', 'dxcrm') ?></div>
+			<div class="dx-crm-pro-title-error"><?php esc_html_e( 'Please Enter title for Project', 'dxcrm' ); ?></div>
+			<div class="dx-crm-pro-title-success"><?php esc_html_e( 'Project Added Successfully.', 'dxcrm' ); ?></div>
 			<div>
-				<input type="button" class="dx_crm_add_project_button button" id="dx_crm_add_project_button" value="Add Project" />	
-				<input type="button" class="dx_crm_add_more_project_button button" id="dx_crm_add_more_project_button" value="Save and Add More" />			
+				<input type="button" class="dx_crm_add_project_button button" id="dx_crm_add_project_button" value="<?php esc_attr_e( 'Add Project', 'dxcrm' ); ?>" />	
+				<input type="button" class="dx_crm_add_more_project_button button" id="dx_crm_add_more_project_button" value="<?php esc_attr_e( 'Save and Add More', 'dxcrm' ); ?>" />			
 			</div>
 
 		</div>		

includes/admin/forms/crm-add-project-type-popup.php

@@ -15,23 +15,23 @@
 ?>
 
 <div class="dx-crm-pro-type-popup-content">
-
+	<?php wp_nonce_field( 'dx_crm_add_project_type_popup', 'dx_crm_add_project_type_popup_nonce' ); ?>
 	<div class="dx-crm-pro-type-header">
-		<div class="dx-crm-pro-type-header-title"><?php _e( 'Add New Project Type', 'dxcrm' );?></div>
-		<div class="dx-crm-pro-type-popup-close"><a href="javascript:void(0);" class="dx-crm-pro-type-close-button"><img src="<?php echo DX_CRM_IMG_URL;?>/tb-close.png" title="Close"></a></div>
+		<div class="dx-crm-pro-type-header-title"><?php esc_html_e( 'Add New Project Type', 'dxcrm' );?></div>
+		<div class="dx-crm-pro-type-popup-close"><a href="javascript:void(0);" class="dx-crm-pro-type-close-button"><img src="<?php echo esc_url( DX_CRM_IMG_URL ); ?>/tb-close.png" title="<?php esc_attr_e( 'Close', 'dxcrm' ); ?>"></a></div>
 	</div>
 
 	<div class="dx-crm-pro-type-popup">
 		<div class="dx-crm-pro-type-add-project-title">
 			<div>
-				<label for="dx_crm_project_type_title"><?php _e( 'Enter Project Type Title', 'dxcrm' );?></label>
+				<label for="dx_crm_project_type_title"><?php esc_html_e( 'Enter Project Type Title', 'dxcrm' );?></label>
 				<input type="text" class="dx_crm_project_type_title_text" name="dx_crm_project_type_title" id="dx_crm_project_type_title" size="33">
 			</div>
-			<div class="dx-crm-pro-type-title-error"><?php _e('Please Enter title for Project Type', 'dxcrm') ?></div>
-			<div class="dx-crm-pro-type-title-success"><?php _e('Project Type Added Successfully.', 'dxcrm') ?></div>
+			<div class="dx-crm-pro-type-title-error"><?php esc_html_e( 'Please Enter title for Project Type', 'dxcrm' ); ?></div>
+			<div class="dx-crm-pro-type-title-success"><?php esc_html_e( 'Project Type Added Successfully.', 'dxcrm' ); ?></div>
 			<div>
-				<input type="button" class="dx_crm_add_project_type_button button" id="dx_crm_add_project_type_button" value="Add Project Type" />	
-				<input type="button" class="dx_crm_add_more_project_type_button button" id="dx_crm_add_more_project_type_button" value="Save and Add More" />			
+				<input type="button" class="dx_crm_add_project_type_button button" id="dx_crm_add_project_type_button" value="<?php esc_attr_e( 'Add Project Type', 'dxcrm' ); ?>" />	
+				<input type="button" class="dx_crm_add_more_project_type_button button" id="dx_crm_add_more_project_type_button" value="<?php esc_attr_e( 'Save and Add More', 'dxcrm' ); ?>" />			
 			</div>
 
 		</div>