Fix CS issues

.github/workflows/code-quality.yml

@@ -0,0 +1,31 @@
+name: PHP Code Linting
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - master
+
+jobs:
+  php-lint:
+    name: PHP Lint
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.2'
+
+      - name: Validate Composer configuration
+        run: composer validate
+
+      - name: Install PHP dependencies
+        uses: ramsey/composer-install@83af392bf5f031813d25e6fe4cd626cdba9a2df6
+        with:
+          composer-options: '--prefer-dist --no-progress --no-interaction'
+
+      - name: Run tests
+        run: composer run-script phpcs

.phpcs.xml.dist

@@ -90,6 +90,32 @@
 		</properties>
 	</rule>
 
+	<!-- Disallows grouped use declarations. -->
+	<rule ref="SlevomatCodingStandard.Namespaces.DisallowGroupUse" />
+	<!-- Disallows leading backslash in use statement. -->
+	<rule ref="SlevomatCodingStandard.Namespaces.UseDoesNotStartWithBackslash" />
+	<!-- Checks whether uses at the top of a file are alphabetically sorted. -->
+	<rule ref="SlevomatCodingStandard.Namespaces.AlphabeticallySortedUses" />
+	<!-- Prohibits uses from the same namespace. -->
+	<rule ref="SlevomatCodingStandard.Namespaces.UseFromSameNamespace" />
+	<!-- Looks for unused imports from other namespaces. -->
+	<rule ref="SlevomatCodingStandard.Namespaces.UnusedUses">
+		<properties>
+			<property name="searchAnnotations" value="true" />
+		</properties>
+	</rule>
+	<!-- All references to functions, classes and constants should import using a use statement. -->
+	<rule ref="SlevomatCodingStandard.Namespaces.ReferenceUsedNamesOnly">
+		<properties>
+		<property name="allowFullyQualifiedGlobalFunctions" value="true" />
+		<property name="allowFullyQualifiedGlobalClasses" value="true" />
+		<property name="allowFullyQualifiedGlobalConstants" value="true" />
+		<property name="allowFallbackGlobalFunctions" value="true" />
+		<property name="allowFallbackGlobalConstants" value="true" />
+		<property name="allowFullyQualifiedNameForCollidingClasses" value="true" />
+	</properties>
+	</rule>
+
 	<!-- Loads the PHP Compatibility ruleset. -->
 	<rule ref="PHPCompatibilityWP" />
 

devtools/composer.json

@@ -2,6 +2,7 @@
   "require-dev": {
     "dealerdirect/phpcodesniffer-composer-installer": "^1.0",
     "phpcompatibility/phpcompatibility-wp": "^2.1",
+    "slevomat/coding-standard": "^8.15",
     "wp-cli/i18n-command": "^2.6",
     "wp-coding-standards/wpcs": "^3.1"
   },

includes/classes/class-ns-featured-posts-admin.php

@@ -5,6 +5,7 @@
  * @package NS_Featured_Posts
  */
 
+use Nilambar\AdminNotice\Notice;
 use Nilambar\Optioner\Optioner;
 
 /**
@@ -105,9 +106,13 @@ private function __construct() {
 		add_action( 'wp_ajax_nsfp_nsbl_get_posts', array( $this, 'get_posts_ajax_callback' ) );
 	}
 
+	/**
+	 * Setup admin notice.
+	 *
+	 * @since 2.0.10
+	 */
 	public function setup_custom_notice() {
-		// Setup notice.
-		\Nilambar\AdminNotice\Notice::init(
+		Notice::init(
 			array(
 				'slug' => $this->plugin_slug,
 				'name' => esc_html__( 'NS Featured Posts', 'ns-featured-posts' ),
@@ -364,31 +369,31 @@ public function ajax_handler_featured_toggle() {
 		);
 
 		// Nonce check.
-		$nonce = isset( $_POST['nonce'] ) ? $_POST['nonce'] : null; // phpcs:ignore WordPress.Security.NonceVerification
+		$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : null; // phpcs:ignore WordPress.Security.NonceVerification
 
 		if ( ! wp_verify_nonce( $nonce, 'ajax-nonce' ) ) {
 			$output['message'] = esc_html__( 'Nonce verification failed.', 'ns-featured-posts' );
 
 			wp_send_json( $output );
 		}
 
-		$uno = isset( $_POST['uno'] ) ? rest_sanitize_boolean( $_POST['uno'] ) : false;
+		$uno = isset( $_POST['uno'] ) ? rest_sanitize_boolean( sanitize_text_field( wp_unslash( $_POST['uno'] ) ) ) : false;
 
-		$max_posts  = isset( $_POST['max_posts'] ) ? absint( $_POST['max_posts'] ) : 0;
-		$max_status = isset( $_POST['max_status'] ) ? rest_sanitize_boolean( $_POST['max_status'] ) : false;
+		$max_posts  = isset( $_POST['max_posts'] ) ? absint( sanitize_text_field( wp_unslash( $_POST['max_posts'] ) ) ) : 0;
+		$max_status = isset( $_POST['max_status'] ) ? rest_sanitize_boolean( sanitize_text_field( wp_unslash( $_POST['max_status'] ) ) ) : false;
 
-		$ns_featured = isset( $_POST['ns_featured'] ) ? $_POST['ns_featured'] : null;
+		$ns_featured = isset( $_POST['ns_featured'] ) ? sanitize_text_field( wp_unslash( $_POST['ns_featured'] ) ) : null;
 
 		$post_id = 0;
 
 		if ( isset( $_POST['post_id'] ) ) {
-			$post_id = (int) $_POST['post_id'];
+			$post_id = (int) sanitize_text_field( wp_unslash( $_POST['post_id'] ) );
 		}
 
 		$post_type = null;
 
 		if ( isset( $_POST['post_type'] ) ) {
-			$post_type = (string) $_POST['post_type'];
+			$post_type = (string) sanitize_text_field( wp_unslash( $_POST['post_type'] ) );
 		}
 
 		if ( ! empty( $post_id ) && ! empty( $post_type ) && null !== $ns_featured ) {
@@ -474,8 +479,8 @@ private function get_other_posts( $post_id, $post_type ) {
 		$qargs = array(
 			'posts_per_page' => -1,
 			'post__not_in'   => array( $post_id ),
-			'meta_key'       => '_is_ns_featured_post',
-			'meta_value'     => 'yes',
+			'meta_key'       => '_is_ns_featured_post', // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key
+			'meta_value'     => 'yes', // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_value
 			'post_type'      => $post_type,
 			'post_status'    => array( 'publish', 'pending', 'draft', 'auto-draft', 'future', 'private', 'inherit', 'trash' ),
 		);
@@ -489,6 +494,13 @@ private function get_other_posts( $post_id, $post_type ) {
 		return $output;
 	}
 
+	/**
+	 * Load settings assets.
+	 *
+	 * @since 2.0.0
+	 *
+	 * @param string $hook Hook name.
+	 */
 	public function load_settings_assets( $hook ) {
 		if ( 'settings_page_ns-featured-posts' !== $hook ) {
 			return;
@@ -589,7 +601,7 @@ public function save_featured_meta_box( $post_id ) {
 		}
 
 		// If our nonce isn't there, or we can't verify it, bail.
-		if ( ! isset( $_POST['nsfp_featured_metabox_nonce'] ) || ! wp_verify_nonce( $_POST['nsfp_featured_metabox_nonce'], plugin_basename( __FILE__ ) ) ) {
+		if ( ! isset( $_POST['nsfp_featured_metabox_nonce'] ) || ! wp_verify_nonce( $_POST['nsfp_featured_metabox_nonce'], plugin_basename( __FILE__ ) ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 			return $post_id;
 		}
 
@@ -659,7 +671,7 @@ public function custom_table_filtering() {
 		$selected_now = '';
 
 		if ( isset( $_GET['filter-ns-featured-posts'] ) ) {
-			$selected_now = esc_attr( $_GET['filter-ns-featured-posts'] );
+			$selected_now = sanitize_text_field( wp_unslash( $_GET['filter-ns-featured-posts'] ) );
 		}
 
 		echo '<select name="filter-ns-featured-posts" id="filter-ns-featured-posts">';
@@ -683,7 +695,7 @@ public function custom_query_filtering( $query ) {
 
 		if ( is_admin() && 'edit.php' === $pagenow ) {
 			if ( ! isset( $qv['meta_query'] ) ) {
-				$qv['meta_query'] = array();
+				$qv['meta_query'] = array(); // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query
 			}
 
 			if ( ! empty( $_GET['filter-ns-featured-posts'] ) ) {
@@ -721,10 +733,8 @@ public function custom_query_filtering( $query ) {
 	 * Adding filtering link.
 	 *
 	 * @since 1.0.0
-	 *
-	 * @param WP_Query $wp_query Instance of WP_Query object.
 	 */
-	public function custom_filtering_query_for_listing( $wp_query ) {
+	public function custom_filtering_query_for_listing() {
 		if ( is_admin() ) {
 			$allowed = $this->get_allowed_post_types();
 
@@ -744,7 +754,7 @@ public function custom_filtering_query_for_listing( $wp_query ) {
 	 * @param array $views Views.
 	 */
 	public function add_views_link( $views ) {
-		$post_type = ( ( isset( $_GET['post_type'] ) && '' !== $_GET['post_type'] ) ? $_GET['post_type'] : 'post' );
+		$post_type = ( ( isset( $_GET['post_type'] ) && '' !== $_GET['post_type'] ) ? sanitize_text_field( wp_unslash( $_GET['post_type'] ) ) : 'post' );
 
 		$count = $this->get_total_featured_count( $post_type );
 		$class = ( isset( $_GET['featured'] ) && 'yes' === $_GET['featured'] ) ? 'current' : '';
@@ -778,8 +788,8 @@ public function get_total_featured_count( $post_type ) {
 		$args = array(
 			'post_type'      => $post_type,
 			'posts_per_page' => -1,
-			'meta_key'       => '_is_ns_featured_post',
-			'meta_value'     => 'yes',
+			'meta_key'       => '_is_ns_featured_post', // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key
+			'meta_value'     => 'yes', // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_value
 			'post_status'    => array( 'publish', 'pending', 'draft', 'auto-draft', 'future', 'private', 'inherit', 'trash' ),
 		);
 
@@ -801,9 +811,11 @@ public function register_custom_widgets() {
 	 * Render sidebar.
 	 *
 	 * @since 2.0.0
+	 *
+	 * @param Optioner $optioner_object Instance of Optioner.
 	 */
-	public function render_sidebar( $object ) {
-		$object->render_sidebar_box(
+	public function render_sidebar( $optioner_object ) {
+		$optioner_object->render_sidebar_box(
 			array(
 				'title'   => 'Help &amp; Support',
 				'icon'    => 'dashicons-editor-help',
@@ -812,15 +824,15 @@ public function render_sidebar( $object ) {
 				<h4>Wanna help make this plugin better?</h4>
 				<p><a href="https://wordpress.org/support/plugin/ns-featured-posts/reviews/#new-post" target="_blank">Review and rate this plugin on WordPress.org</a></p>',
 			),
-			$object
+			$optioner_object
 		);
 
-		$object->render_sidebar_box(
+		$optioner_object->render_sidebar_box(
 			array(
 				'title'   => 'Recent Blog Posts',
 				'content' => '<div class="ns-blog-list"></div>',
 			),
-			$object
+			$optioner_object
 		);
 	}
 
@@ -865,9 +877,9 @@ public function show_admin_message() {
 	 * @since 2.0.0
 	 *
 	 * @param array $attributes Attributes.
-	 * @param bool  $echo Whether to echo or not.
+	 * @param bool  $display    Whether to echo or not.
 	 */
-	public function render_attr( $attributes, $echo = true ) {
+	public function render_attr( $attributes, $display = true ) {
 		if ( empty( $attributes ) ) {
 			return;
 		}
@@ -890,13 +902,18 @@ public function render_attr( $attributes, $echo = true ) {
 			$html .= false !== $value ? sprintf( ' %s="%s"', esc_html( $name ), $esc_value ) : esc_html( " {$name}" );
 		}
 
-		if ( ! empty( $html ) && true === $echo ) {
+		if ( ! empty( $html ) && true === $display ) {
 			echo $html; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		} else {
 			return $html;
 		}
 	}
 
+	/**
+	 * AJAX callback for feed items.
+	 *
+	 * @since 2.0.0
+	 */
 	public function get_posts_ajax_callback() {
 		$output = array();
 
@@ -913,6 +930,11 @@ public function get_posts_ajax_callback() {
 		}
 	}
 
+	/**
+	 * Returns blog feed items.
+	 *
+	 * @since 2.0.0
+	 */
 	public function get_blog_feed_items() {
 		$output = array();
 

includes/classes/class-ns-featured-posts.php

@@ -199,7 +199,7 @@ private static function get_blog_ids() {
 
 		$ids = array();
 
-		$output = $wpdb->get_results( "SELECT blog_id FROM $wpdb->blogs WHERE archived = '0' AND spam = '0' AND deleted = '0'", ARRAY_A );
+		$output = $wpdb->get_results( "SELECT blog_id FROM $wpdb->blogs WHERE archived = '0' AND spam = '0' AND deleted = '0'", ARRAY_A ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
 
 		if ( $output ) {
 			$ids = wp_list_pluck( $output, 'blog_id' );

includes/widgets/nsfp-featured-post-widget.php

@@ -60,8 +60,8 @@ public function widget( $args, $instance ) {
 						'no_found_rows'       => true,
 						'post_status'         => 'publish',
 						'ignore_sticky_posts' => true,
-						'meta_key'            => '_is_ns_featured_post',
-						'meta_value'          => 'yes',
+						'meta_key'            => '_is_ns_featured_post', // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key
+						'meta_value'          => 'yes', // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_value
 						'post_type'           => $post_type,
 						'orderby'             => $post_orderby,
 						'order'               => $post_order,
@@ -251,7 +251,7 @@ protected function render_select_dropdown( $choices, $main_args ) {
 			}
 
 			if ( $r['echo'] ) {
-				echo $output;
+				echo $output; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			}
 
 			return $output;