WPCS scan for sanitization, escaping, nonces, sql, and strict comparison checks where applicable #527

Open
wants to merge 7 commits into
base: development
1 change: 1 addition & 0 deletions assets/js/sidebars/helpers.js
Expand Up @@ -14,6 +14,7 @@ export function request(action, name) {
return new Promise((resolve, reject) => {
const request = $.post(window.ajaxurl, {
action: `carbon_fields_${action}_sidebar`,
nonce: carbonFieldsSecurity[`${action}SidebarNonce`],
name: name
}, null, 'json');

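Review bot: The `nonce` added to the POST body only raises the bar if the `carbon_fields_${action}_sidebar` AJAX handler verifies it server-side with `check_ajax_referer()` and still performs its own capability check — neither is visible in this hunk, and a nonce proves request origin, not authorization. The lookup on `carbonFieldsSecurity` also throws a ReferenceError inside the Promise executor if that object has not been localized before this script runs, so the promise rejects client-side with a JavaScript error rather than a clean server-side nonce failure; confirm the enqueue/localize order, or read it defensively as `(window.carbonFieldsSecurity || {})[action + 'SidebarNonce']` so a missing nonce is rejected by the server. The `request` function continues outside the hunk.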
2 changes: 2 additions & 0 deletions core/Container/Condition/Comparer/Any_Contain_Comparer.php
Expand Up @@ -23,7 +23,9 @@ class Any_Contain_Comparer extends Comparer {
*/
public function is_correct( $a, $comparison_operator, $b ) {
if ( ! is_array( $b ) ) {
// @codingStandardsIgnoreStart
Incorrect_Syntax_Exception::raise( 'Supplied comparison value is not an array: ' . print_r( $b, true ) );
// @codingStandardsIgnoreEnd
return false;
}

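Review bot: The `// @codingStandardsIgnoreStart` / `// @codingStandardsIgnoreEnd` pair around the `print_r()` call switches off every sniff on that line rather than the one that flagged it, and this annotation syntax is deprecated in PHP_CodeSniffer 3.x in favour of `phpcs:ignore`. A targeted single-line annotation keeps the rest of the statement under scan: `// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_print_r -- value is embedded in a developer-facing exception message` (confirm the sniff code against the WPCS version pinned by this project). The same blanket pattern is repeated in the other comparers and the translators in this PR. The `is_correct` method continues outside the hunk.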
4 changes: 2 additions & 2 deletions core/Container/Condition/Comparer/Any_Equality_Comparer.php
Expand Up @@ -22,9 +22,9 @@ class Any_Equality_Comparer extends Comparer {
public function is_correct( $a, $comparison_operator, $b ) {
switch ( $comparison_operator ) {
case '=':
return in_array( $b, $a );
return in_array( $b, $a, true );
case '!=':
return ! in_array( $b, $a );
return ! in_array( $b, $a, true );
}
return false;
}
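Review bot: Passing `true` to `in_array()` on the `=` and `!=` branches changes the outcome whenever `$b` and the elements of `$a` differ only in scalar type — for example an integer ID supplied by the environment against a `'5'` string written in a condition, which matched loosely before this change and no longer does. Both values originate outside this class, so this is a behavioural change for existing conditions rather than a pure standards fix; either normalize both sides before the strict comparison (e.g. cast both to string), or document the new requirement in the method's docblock, which begins above the hunk, with a line such as `* Comparison is strict: $b must match the element type of $a exactly.`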
2 changes: 1 addition & 1 deletion core/Container/Condition/Comparer/Comparer.php
Expand Up @@ -18,7 +18,7 @@ abstract class Comparer {
* @return bool
*/
public function supports_comparison_operator( $comparison_operator ) {
return in_array( $comparison_operator, $this->supported_comparison_operators );
return in_array( $comparison_operator, $this->supported_comparison_operators, true );
}

/**
6 changes: 4 additions & 2 deletions core/Container/Condition/Comparer/Contain_Comparer.php
Expand Up @@ -23,15 +23,17 @@ class Contain_Comparer extends Comparer {
*/
public function is_correct( $a, $comparison_operator, $b ) {
if ( ! is_array( $b ) ) {
// @codingStandardsIgnoreStart
Incorrect_Syntax_Exception::raise( 'Supplied comparison value is not an array: ' . print_r( $b, true ) );
// @codingStandardsIgnoreEnd
return false;
}

switch ( $comparison_operator ) {
case 'IN':
return in_array( $a, $b );
return in_array( $a, $b, true );
case 'NOT IN':
return ! in_array( $a, $b );
return ! in_array( $a, $b, true );
}
return false;
}
2 changes: 2 additions & 0 deletions core/Container/Condition/Comparer/Custom_Comparer.php
Expand Up @@ -23,7 +23,9 @@ class Custom_Comparer extends Comparer {
*/
public function is_correct( $a, $comparison_operator, $b ) {
if ( ! is_callable( $b ) ) {
// @codingStandardsIgnoreStart
Incorrect_Syntax_Exception::raise( 'Supplied comparison value is not a callable: ' . print_r( $b, true ) );
// @codingStandardsIgnoreEnd
return false;
}

4 changes: 4 additions & 0 deletions core/Container/Condition/Comparer/Scalar_Comparer.php
Expand Up @@ -23,12 +23,16 @@ class Scalar_Comparer extends Comparer {
*/
public function is_correct( $a, $comparison_operator, $b ) {
if ( ! is_scalar( $a ) ) {
// @codingStandardsIgnoreStart
Incorrect_Syntax_Exception::raise( 'Environment value for comparison is not scalar: ' . print_r( $a, true ) );
// @codingStandardsIgnoreEnd
return false;
}

if ( ! is_scalar( $b ) ) {
// @codingStandardsIgnoreStart
Incorrect_Syntax_Exception::raise( 'Supplied comparison value is not scalar: ' . print_r( $b, true ) );
// @codingStandardsIgnoreEnd
return false;
}

4 changes: 2 additions & 2 deletions core/Container/Condition/Term_Condition.php
Expand Up @@ -100,11 +100,11 @@ public function is_fulfilled( $environment ) {
break;
case 'IN':
$value_term_ids = $this->get_term_ids_from_full_term_descriptors( $this->get_value() );
return in_array( $term_id, $value_term_ids );
return in_array( $term_id, $value_term_ids, true );
break;
case 'NOT IN':
$value_term_ids = $this->get_term_ids_from_full_term_descriptors( $this->get_value() );
return ! in_array( $term_id, $value_term_ids );
return ! in_array( $term_id, $value_term_ids, true );
break;
}

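Review bot: The strict `in_array()` on the `IN` and `NOT IN` branches will silently stop matching if `$term_id` and the values returned by `get_term_ids_from_full_term_descriptors()` are not the same scalar type — WordPress hands back term IDs as strings from some APIs and as integers from others, and neither source is visible in this hunk. Casting before the comparison keeps the strict check while removing the type dependency: `$value_term_ids = array_map( 'intval', $this->get_term_ids_from_full_term_descriptors( $this->get_value() ) );` followed by `return in_array( intval( $term_id ), $value_term_ids, true );` on both branches. The `is_fulfilled` method and its `switch` begin above the hunk.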
4 changes: 2 additions & 2 deletions core/Container/Container.php
Expand Up @@ -565,7 +565,7 @@ public function get_field_by_name( $field_name ) {
* @return boolean
*/
protected function register_field_name( $name ) {
if ( in_array( $name, $this->registered_field_names ) ) {
if ( in_array( $name, $this->registered_field_names, true ) ) {
Incorrect_Syntax_Exception::raise( 'Field name "' . $name . '" already registered' );
return false;
}
Expand Down Expand Up @@ -692,7 +692,7 @@ protected function get_untabbed_fields() {
}

$untabbed_fields = array_filter( $this->fields, function( $field ) use ( $tabbed_fields_names ) {
return ! in_array( $field->get_name(), $tabbed_fields_names );
return ! in_array( $field->get_name(), $tabbed_fields_names, true );
} );

return $untabbed_fields;
14 changes: 7 additions & 7 deletions core/Container/Fulfillable/Fulfillable_Collection.php
Expand Up @@ -119,7 +119,7 @@ public function is_condition_type_list_whitelist() {
* @return bool
*/
public function is_condition_type_allowed( $condition_type ) {
$in_list = in_array( $condition_type, $this->get_condition_type_list() );
$in_list = in_array( $condition_type, $this->get_condition_type_list(), true );
if ( $this->is_condition_type_list_whitelist() ) {
return $in_list;
}
Expand Down Expand Up @@ -224,7 +224,7 @@ protected function where_collection( $collection_callable, $fulfillable_comparis
* @param string $fulfillable_comparison See static::$supported_fulfillable_comparisons
*/
public function add_fulfillable( Fulfillable $fulfillable, $fulfillable_comparison ) {
if ( ! in_array( $fulfillable_comparison, $this->supported_fulfillable_comparisons ) ) {
if ( ! in_array( $fulfillable_comparison, $this->supported_fulfillable_comparisons, true ) ) {
Incorrect_Syntax_Exception::raise( 'Invalid fulfillable comparison passed: ' . $fulfillable_comparison );
return;
}
Expand Down Expand Up @@ -277,7 +277,7 @@ public function filter( $condition_whitelist ) {
$collection->add_fulfillable( $filtered_collection, $fulfillable_comparison );
} else {
$type = $this->condition_factory->get_type( get_class( $fulfillable ) );
if ( ! in_array( $type, $condition_whitelist ) ) {
if ( ! in_array( $type, $condition_whitelist, true ) ) {
continue;
}

Expand Down Expand Up @@ -315,12 +315,12 @@ public function evaluate( $condition_types, $environment, $comparison_operators
$type = $this->condition_factory->get_type( get_class( $fulfillable ) );
$comparison_operator = $fulfillable->get_comparison_operator();

$condition_type_match = in_array( $type, $condition_types );
$condition_type_match = in_array( $type, $condition_types, true );
if ( $condition_types_blacklist ) {
$condition_type_match = ! $condition_type_match;
}

$comparison_operator_match = in_array( $comparison_operator, $comparison_operators );
$comparison_operator_match = in_array( $comparison_operator, $comparison_operators, true );
if ( $comparison_operators_blacklist ) {
$comparison_operator_match = ! $comparison_operator_match;
}
Expand Down Expand Up @@ -362,13 +362,13 @@ public function is_fulfilled( $environment ) {

// minor optimization - avoid unnecessary AND check if $fulfilled is currently false
// false && whatever is always false
if ( $fulfillable_comparison == 'AND' && $fulfilled ) {
if ( $fulfillable_comparison === 'AND' && $fulfilled ) {
$fulfilled = $fulfillable->is_fulfilled( $environment );
}

// minor optimization - avoid unnecessary OR check if $fulfilled is currently true
// true || whatever is always true
if ( $fulfillable_comparison == 'OR' && ! $fulfilled ) {
if ( $fulfillable_comparison === 'OR' && ! $fulfilled ) {
$fulfilled = $fulfillable->is_fulfilled( $environment );
}
}
2 changes: 2 additions & 0 deletions core/Container/Fulfillable/Translator/Array_Translator.php
Expand Up @@ -82,7 +82,9 @@ protected function fulfillable_collection_to_foreign( Fulfillable_Collection $fu
*/
public function foreign_to_fulfillable( $foreign ) {
if ( ! is_array( $foreign ) ) {
// @codingStandardsIgnoreStart
Incorrect_Syntax_Exception::raise( 'Invalid data passed to array condition translator: ' . print_r( $foreign, true ) );
// @codingStandardsIgnoreEnd
return null;
}

2 changes: 2 additions & 0 deletions core/Container/Fulfillable/Translator/Translator.php
Expand Up @@ -24,7 +24,9 @@ public function fulfillable_to_foreign( Fulfillable $fulfillable ) {
return $this->fulfillable_collection_to_foreign( $fulfillable );
}

// @codingStandardsIgnoreStart
Incorrect_Syntax_Exception::raise( 'Attempted to translate an unsupported object: ' . print_r( $fulfillable, true ) );
// @codingStandardsIgnoreEnd
return null;
}

2 changes: 1 addition & 1 deletion core/Container/Repository.php
Expand Up @@ -170,7 +170,7 @@ public function get_active_containers() {
* @param string $id
*/
public function is_unique_container_id( $id ) {
return ! in_array( $id, $this->registered_container_ids );
return ! in_array( $id, $this->registered_container_ids, true );
}

/**
2 changes: 1 addition & 1 deletion core/Container/Theme_Options_Container.php
Expand Up @@ -235,7 +235,7 @@ protected function register_page() {
static::$registered_pages[ $parent ] = array();
}

if ( in_array( $file, static::$registered_pages[ $parent ] ) ) {
if ( in_array( $file, static::$registered_pages[ $parent ], true ) ) {
Incorrect_Syntax_Exception::raise( 'Page "' . $file . '" with parent "' . $parent . '" is already registered. Please set a name for the container.' );
return false;
}
2 changes: 1 addition & 1 deletion core/Container/Widget_Container.php
Expand Up @@ -48,7 +48,7 @@ public function is_valid_attach_for_request() {
$request_action = isset( $input['action'] ) ? $input['action'] : '';
$is_widget_save = ( $request_action === 'save-widget' );

if ( ( ! $screen || ! in_array( $screen->id, array( 'widgets', 'customize' ) ) ) && ! $is_widget_save ) {
if ( ( ! $screen || ! in_array( $screen->id, array( 'widgets', 'customize' ), true ) ) && ! $is_widget_save ) {
return false;
}

4 changes: 4 additions & 0 deletions core/Datastore/Meta_Datastore.php
Expand Up @@ -26,13 +26,15 @@ protected function get_storage_array( Field $field, $storage_key_patterns ) {

$storage_key_comparisons = $this->key_toolset->storage_key_patterns_to_sql( '`meta_key`', $storage_key_patterns );

// @codingStandardsIgnoreStart sanitized in `storage_key_patterns_to_sql`
$storage_array = $wpdb->get_results( '
SELECT `meta_key` AS `key`, `meta_value` AS `value`
FROM ' . $this->get_table_name() . '
WHERE `' . $this->get_table_field_name() . '` = ' . intval( $this->get_object_id() ) . '
AND ' . $storage_key_comparisons . '
ORDER BY `meta_key` ASC
' );
// @codingStandardsIgnoreEnd

$storage_array = apply_filters( 'carbon_fields_datastore_storage_array', $storage_array, $this, $storage_key_patterns );

Expand Down Expand Up @@ -69,12 +71,14 @@ public function delete( Field $field ) {
);
$storage_key_comparisons = $this->key_toolset->storage_key_patterns_to_sql( '`meta_key`', $storage_key_patterns );

// @codingStandardsIgnoreStart sanitized in `storage_key_patterns_to_sql`
$meta_keys = $wpdb->get_col( '
SELECT `meta_key`
FROM `' . $this->get_table_name() . '`
WHERE `' . $this->get_table_field_name() . '` = ' . intval( $this->get_object_id() ) . '
AND ' . $storage_key_comparisons . '
' );
// @codingStandardsIgnoreEnd

foreach ( $meta_keys as $meta_key ) {
delete_metadata( $this->get_meta_type(), $this->get_object_id(), $meta_key );
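Review bot: The block-level suppression with the justification `sanitized in storage_key_patterns_to_sql` disables every sniff for the whole query, but that justification only covers `$storage_key_comparisons` — `get_table_name()` and `get_table_field_name()` are interpolated raw as well, and the comment should say that those return fixed internal identifiers (their definitions are not visible here). Prefer passing the object id through `$wpdb->prepare( '... = %d AND ' . $storage_key_comparisons . ' ...', $this->get_object_id() )` and narrowing the annotation to a single line, `// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- $storage_key_comparisons is built and escaped by storage_key_patterns_to_sql()`, so any other raw fragment added later is still caught. The same applies to the `delete()` hunk in this file; both enclosing methods begin above their hunks.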
2 changes: 2 additions & 0 deletions core/Datastore/Term_Meta_Datastore.php
Expand Up @@ -49,6 +49,7 @@ public static function create_table() {
$charset_collate .= ' COLLATE ' . $wpdb->collate;
}

// @codingStandardsIgnoreStart sanitized above.
$wpdb->query( 'CREATE TABLE ' . $wpdb->prefix . 'termmeta (
meta_id bigint(20) unsigned NOT NULL auto_increment,
term_id bigint(20) unsigned NOT NULL default "0",
Expand All @@ -58,6 +59,7 @@ public static function create_table() {
KEY term_id (term_id),
KEY meta_key (meta_key)
) ' . $charset_collate . ';' );
// @codingStandardsIgnoreEnd
}

/**
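Review bot: The justification `sanitized above.` is inaccurate — `$wpdb->charset` and `$wpdb->collate` are concatenated straight from the database configuration in the lines above, not sanitized, and the honest reason this statement is safe is that no request-controlled value reaches it. WordPress already provides `$wpdb->get_charset_collate()` for exactly this string and `dbDelta()` for schema creation; if the raw `CREATE TABLE` is kept, narrow the suppression to `// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- static DDL built only from $wpdb configuration, no user input` on the query line instead of a block-level ignore. The `create_table()` method starts above the hunk and the lines between the two hunks are not shown.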
4 changes: 4 additions & 0 deletions core/Datastore/Theme_Options_Datastore.php
Expand Up @@ -26,12 +26,14 @@ protected function get_storage_array( Field $field, $storage_key_patterns ) {

$storage_key_comparisons = $this->key_toolset->storage_key_patterns_to_sql( '`option_name`', $storage_key_patterns );

// @codingStandardsIgnoreStart sanitized in `storage_key_patterns_to_sql`
$storage_array = $wpdb->get_results( '
SELECT `option_name` AS `key`, `option_value` AS `value`
FROM ' . $wpdb->options . '
WHERE ' . $storage_key_comparisons . '
ORDER BY `option_name` ASC
' );
// @codingStandardsIgnoreEnd

$storage_array = apply_filters( 'carbon_fields_datastore_storage_array', $storage_array, $this, $storage_key_patterns );

Expand Down Expand Up @@ -114,11 +116,13 @@ public function delete( Field $field ) {
);
$storage_key_comparisons = $this->key_toolset->storage_key_patterns_to_sql( '`option_name`', $storage_key_patterns );

// @codingStandardsIgnoreStart sanitized in `storage_key_patterns_to_sql`
$option_names = $wpdb->get_col( '
SELECT `option_name`
FROM `' . $wpdb->options . '`
WHERE ' . $storage_key_comparisons . '
' );
// @codingStandardsIgnoreEnd

foreach ( $option_names as $option_name ) {
delete_option( $option_name );
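Review bot: The two queries quote the table name inconsistently — `$wpdb->options` is interpolated bare in `get_storage_array()` and wrapped in backticks in `delete()` — and both sit under a block-level suppression whose justification names only `$storage_key_comparisons`. Since `$wpdb->options` is a core-provided identifier, a per-line `// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- $storage_key_comparisons is escaped by storage_key_patterns_to_sql()` on each `get_results()` / `get_col()` call is sufficient and leaves the rest of the statement under scan. Both enclosing methods begin above their hunks.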
4 changes: 2 additions & 2 deletions core/Field/Association_Field.php
Expand Up @@ -279,7 +279,7 @@ protected function get_post_options( $type ) {
'type' => $type['type'],
'subtype' => $type['post_type'],
'label' => $this->get_item_label( $p, $type['type'], $type['post_type'] ),
'is_trashed' => ( get_post_status( $p ) == 'trash' ),
'is_trashed' => ( get_post_status( $p ) === 'trash' ),
'edit_link' => $this->get_object_edit_link( $type, $p ),
);
}
Expand Down Expand Up @@ -550,7 +550,7 @@ protected function value_to_json() {
'id' => intval( $entry['id'] ),
'title' => $this->get_title_by_type( $entry['id'], $entry['type'], $entry['subtype'] ),
'label' => $this->get_item_label( $entry['id'], $entry['type'], $entry['subtype'] ),
'is_trashed' => ( $entry['type'] == 'post' && get_post_status( $entry['id'] ) === 'trash' ),
'is_trashed' => ( $entry['type'] === 'post' && get_post_status( $entry['id'] ) === 'trash' ),
);
$value[] = $item;
}
6 changes: 3 additions & 3 deletions core/Field/Complex_Field.php
Expand Up @@ -230,7 +230,7 @@ public function add_fields() {

$reserved_names = array( Value_Set::VALUE_PROPERTY, static::TYPE_PROPERTY );
foreach ( $fields as $field ) {
if ( in_array( $field->get_base_name(), $reserved_names ) ) {
if ( in_array( $field->get_base_name(), $reserved_names, true ) ) {
Incorrect_Syntax_Exception::raise( '"' . $field->get_base_name() . '" is a reserved keyword for Complex fields and cannot be used for a field name.' );
return $this;
}
Expand Down Expand Up @@ -266,7 +266,7 @@ public function get_group_by_name( $group_name ) {
$group_object = null;

foreach ( $this->groups as $group ) {
if ( $group->get_name() == $group_name ) {
if ( $group->get_name() === $group_name ) {
$group_object = $group;
}
}
Expand Down Expand Up @@ -601,7 +601,7 @@ public function set_layout( $layout ) {
static::LAYOUT_TABBED_VERTICAL,
);

if ( ! in_array( $layout, $available_layouts ) ) {
if ( ! in_array( $layout, $available_layouts, true ) ) {
$error_message = 'Incorrect layout ``' . $layout . '" specified. ' .
'Available layouts: ' . implode( ', ', $available_layouts );

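Review bot: The error message on the `set_layout()` branch opens the layout name with two backtick characters and closes it with a double quote, so the rendered text ends up as an unbalanced pair around the value; it should read `'Incorrect layout "' . $layout . '" specified. '`. This is a context line rather than part of the change, but the file is being touched for WPCS anyway and the fix is one character. `set_layout()` continues outside the hunk.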
10 changes: 5 additions & 5 deletions core/Field/Field.php
Expand Up @@ -315,7 +315,7 @@ public function activate() {
* @param string $class_name
*/
public static function activate_field_type( $class_name ) {
if ( in_array( $class_name, static::$activated_field_types ) ) {
if ( in_array( $class_name, static::$activated_field_types, true ) ) {
return;
}

Expand Down Expand Up @@ -380,7 +380,7 @@ public function is_simple_root_field() {
return (
empty( $hierarchy )
&&
in_array( $this->get_value_set()->get_type(), array( Value_Set::TYPE_SINGLE_VALUE, Value_Set::TYPE_MULTIPLE_PROPERTIES ) )
in_array( $this->get_value_set()->get_type(), array( Value_Set::TYPE_SINGLE_VALUE, Value_Set::TYPE_MULTIPLE_PROPERTIES ), true )
);
}

Expand Down Expand Up @@ -749,7 +749,7 @@ public function set_attribute( $name, $value = '' ) {
$name = preg_replace( '/^\-+|\-+$/', '', $name );
}

if ( ! $is_data_attribute && ! in_array( $name, $this->allowed_attributes ) ) {
if ( ! $is_data_attribute && ! in_array( $name, $this->allowed_attributes, true ) ) {
Incorrect_Syntax_Exception::raise( 'Only the following attributes are allowed: ' . implode( ', ', array_merge( $this->allowed_attributes, array( 'data-*' ) ) ) );
return $this;
}
Expand Down Expand Up @@ -968,13 +968,13 @@ protected function parse_conditional_rule( $rule ) {
'value' => '',
), $rule );

if ( ! in_array( $rule['compare'], $allowed_operators ) ) {
if ( ! in_array( $rule['compare'], $allowed_operators, true ) ) {
Incorrect_Syntax_Exception::raise( 'Invalid conditional logic compare operator: <code>' . $rule['compare'] . '</code><br>Allowed operators are: <code>' .
implode( ', ', $allowed_operators ) . '</code>' );
return null;
}

if ( in_array( $rule['compare'], $array_operators ) && ! is_array( $rule['value'] ) ) {
if ( in_array( $rule['compare'], $array_operators, true ) && ! is_array( $rule['value'] ) ) {
Incorrect_Syntax_Exception::raise( 'Invalid conditional logic value format. An array is expected, when using the "' . $rule['compare'] . '" operator.' );
return null;
}
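Review bot: The message built in `parse_conditional_rule()` inserts `$rule['compare']` into `<code>` markup without escaping, which sits oddly in a PR whose stated scope includes escaping; if `Incorrect_Syntax_Exception` messages are ever rendered into admin HTML (not visible here), an operator string containing markup would be emitted verbatim. Wrapping it as `'<code>' . esc_html( $rule['compare'] ) . '</code>'` costs nothing because the value has already been rejected at that point. The method continues outside the hunk.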