Fix/pcp compat fixes

custom-post-type-ui.php

@@ -19,7 +19,6 @@
  * Version: 1.18.0
  * Author URI: https://webdevstudios.com/
  * Text Domain: custom-post-type-ui
- * Domain Path: /languages
  * License: GPL-2.0+
  * Requires at least: 6.6
  * Requires PHP: 7.4
@@ -110,18 +109,6 @@ function cptui_deactivation() {
 }
 register_deactivation_hook( __FILE__, 'cptui_deactivation' );
 
-/**
- * Register our text domain.
- *
- * @since 0.8.0
- *
- * @internal
- */
-function cptui_load_textdomain() {
-	load_plugin_textdomain( 'custom-post-type-ui' );
-}
-add_action( 'init', 'cptui_load_textdomain' );
-
 /**
  * Load our main menu.
  *
@@ -935,26 +922,34 @@ function cptui_admin_notices( string $action = '', string $object_type = '', boo
 
 	if ( 'add' === $action ) {
 		if ( $success ) {
+			// translators: placeholder holds content name.
 			$message .= sprintf( esc_html__( '%s has been successfully added', 'custom-post-type-ui' ), $object_type );
 		} else {
+			// translators: placeholder holds content name.
 			$message .= sprintf( esc_html__( '%s has failed to be added', 'custom-post-type-ui' ), $object_type );
 		}
 	} elseif ( 'update' === $action ) {
 		if ( $success ) {
+			// translators: placeholder holds content name.
 			$message .= sprintf( esc_html__( '%s has been successfully updated', 'custom-post-type-ui' ), $object_type );
 		} else {
+			// translators: placeholder holds content name.
 			$message .= sprintf( esc_html__( '%s has failed to be updated', 'custom-post-type-ui' ), $object_type );
 		}
 	} elseif ( 'delete' === $action ) {
 		if ( $success ) {
+			// translators: placeholder holds content name.
 			$message .= sprintf( esc_html__( '%s has been successfully deleted', 'custom-post-type-ui' ), $object_type );
 		} else {
+			// translators: placeholder holds content name.
 			$message .= sprintf( esc_html__( '%s has failed to be deleted', 'custom-post-type-ui' ), $object_type );
 		}
 	} elseif ( 'import' === $action ) {
 		if ( $success ) {
+			// translators: placeholder holds content name.
 			$message .= sprintf( esc_html__( '%s has been successfully imported', 'custom-post-type-ui' ), $object_type );
 		} else {
+			// translators: placeholder holds content name.
 			$message .= sprintf( esc_html__( '%s has failed to be imported', 'custom-post-type-ui' ), $object_type );
 		}
 	} elseif ( 'error' === $action ) {
@@ -1039,28 +1034,50 @@ function cptui_get_preserved_label( string $type = '', string $key = '', string
 
 	$preserved_labels = [
 		'post_types' => [
+			// translators: placeholder holds content label.
 			'add_new_item'       => sprintf( esc_html__( 'Add new %s', 'custom-post-type-ui' ), $singular ),
+			// translators: placeholder holds content label.
 			'edit_item'          => sprintf( esc_html__( 'Edit %s', 'custom-post-type-ui' ), $singular ),
+			// translators: placeholder holds content label.
 			'new_item'           => sprintf( esc_html__( 'New %s', 'custom-post-type-ui' ), $singular ),
+			// translators: placeholder holds content label.
 			'view_item'          => sprintf( esc_html__( 'View %s', 'custom-post-type-ui' ), $singular ),
+			// translators: placeholder holds content label.
 			'view_items'         => sprintf( esc_html__( 'View %s', 'custom-post-type-ui' ), $plural ),
+			// translators: placeholder holds content label.
 			'all_items'          => sprintf( esc_html__( 'All %s', 'custom-post-type-ui' ), $plural ),
+			// translators: placeholder holds content label.
 			'search_items'       => sprintf( esc_html__( 'Search %s', 'custom-post-type-ui' ), $plural ),
+			// translators: placeholder holds content label.
 			'not_found'          => sprintf( esc_html__( 'No %s found.', 'custom-post-type-ui' ), $plural ),
+			// translators: placeholder holds content label.
 			'not_found_in_trash' => sprintf( esc_html__( 'No %s found in trash.', 'custom-post-type-ui' ), $plural ),
+			// translators: placeholder holds content label.
 		],
 		'taxonomies' => [
+			// translators: placeholder holds content label.
 			'search_items'               => sprintf( esc_html__( 'Search %s', 'custom-post-type-ui' ), $plural ),
+			// translators: placeholder holds content label.
 			'popular_items'              => sprintf( esc_html__( 'Popular %s', 'custom-post-type-ui' ), $plural ),
+			// translators: placeholder holds content label.
 			'all_items'                  => sprintf( esc_html__( 'All %s', 'custom-post-type-ui' ), $plural ),
+			// translators: placeholder holds content label.
 			'parent_item'                => sprintf( esc_html__( 'Parent %s', 'custom-post-type-ui' ), $singular ),
+			// translators: placeholder holds content label.
 			'parent_item_colon'          => sprintf( esc_html__( 'Parent %s:', 'custom-post-type-ui' ), $singular ),
+			// translators: placeholder holds content label.
 			'edit_item'                  => sprintf( esc_html__( 'Edit %s', 'custom-post-type-ui' ), $singular ),
+			// translators: placeholder holds content label.
 			'update_item'                => sprintf( esc_html__( 'Update %s', 'custom-post-type-ui' ), $singular ),
+			// translators: placeholder holds content label.
 			'add_new_item'               => sprintf( esc_html__( 'Add new %s', 'custom-post-type-ui' ), $singular ),
+			// translators: placeholder holds content label.
 			'new_item_name'              => sprintf( esc_html__( 'New %s name', 'custom-post-type-ui' ), $singular ),
+			// translators: placeholder holds content label.
 			'separate_items_with_commas' => sprintf( esc_html__( 'Separate %s with commas', 'custom-post-type-ui' ), $plural ),
+			// translators: placeholder holds content label.
 			'add_or_remove_items'        => sprintf( esc_html__( 'Add or remove %s', 'custom-post-type-ui' ), $plural ),
+			// translators: placeholder holds content label.
 			'choose_from_most_used'      => sprintf( esc_html__( 'Choose from the most used %s', 'custom-post-type-ui' ), $plural ),
 		],
 	];
@@ -1081,36 +1098,59 @@ function cptui_get_preserved_labels() {
 	return [
 		'post_types' => [
 			'singular' => [
+				// translators: placeholder holds content label.
 				'add_new_item'  => esc_html__( 'Add new %s', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'edit_item'     => esc_html__( 'Edit %s', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'new_item'      => esc_html__( 'New %s', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'view_item'     => esc_html__( 'View %s', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'template_name' => esc_html__( 'Single item: %s', 'custom-post-type-ui' ),
 			],
 			'plural'   => [
+				// translators: placeholder holds content label.
 				'view_items'         => esc_html__( 'View %s', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'all_items'          => esc_html__( 'All %s', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'search_items'       => esc_html__( 'Search %s', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'not_found'          => esc_html__( 'No %s found.', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'not_found_in_trash' => esc_html__( 'No %s found in trash.', 'custom-post-type-ui' ),
 			],
 		],
 		'taxonomies' => [
 			'singular' => [
+				// translators: placeholder holds content label.
 				'parent_item'       => esc_html__( 'Parent %s', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'parent_item_colon' => esc_html__( 'Parent %s:', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'edit_item'         => esc_html__( 'Edit %s', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'update_item'       => esc_html__( 'Update %s', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'add_new_item'      => esc_html__( 'Add new %s', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'new_item_name'     => esc_html__( 'New %s name', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'template_name'     => esc_html__( '%s Archives', 'custom-post-type-ui' ),
 			],
 			'plural'   => [
+				// translators: placeholder holds content label.
 				'search_items'               => esc_html__( 'Search %s', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'popular_items'              => esc_html__( 'Popular %s', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'all_items'                  => esc_html__( 'All %s', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'separate_items_with_commas' => esc_html__( 'Separate %s with commas', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'add_or_remove_items'        => esc_html__( 'Add or remove %s', 'custom-post-type-ui' ),
+				// translators: placeholder holds content label.
 				'choose_from_most_used'      => esc_html__( 'Choose from the most used %s', 'custom-post-type-ui' ),
 			],
 		],

external/wpgraphql.php

@@ -188,11 +188,11 @@ public function get_setting_fields( $ui, $current, $name_array ) {
 			<div class="postbox-header">
 
 				<h2 class="hndle ui-sortable-handle">
-					<span><?php esc_html_e( 'WPGraphQL', 'wp-graphql-custom-post-type-ui' ); ?></span>
+					<span><?php esc_html_e( 'WPGraphQL', 'custom-post-type-ui' ); ?></span>
 				</h2>
 				<div class="handle-actions hide-if-no-js">
 					<button type="button" class="handlediv">
-						<span class="screen-reader-text"><?php esc_html_e( 'Toggle panel: GraphQL Settings', 'wp-graphql-custom-post-type-ui' ); ?></span>
+						<span class="screen-reader-text"><?php esc_html_e( 'Toggle panel: GraphQL Settings', 'custom-post-type-ui' ); ?></span>
 						<span class="toggle-indicator" aria-hidden="true"></span>
 					</button>
 				</div>
@@ -206,11 +206,11 @@ public function get_setting_fields( $ui, $current, $name_array ) {
 							'options' => [
 								[
 									'attr' => '0',
-									'text' => esc_attr__( 'False', 'wp-graphql-custom-post-type-ui' ),
+									'text' => esc_attr__( 'False', 'custom-post-type-ui' ),
 								],
 								[
 									'attr' => '1',
-									'text' => esc_attr__( 'True', 'wp-graphql-custom-post-type-ui' ),
+									'text' => esc_attr__( 'True', 'custom-post-type-ui' ),
 								],
 							],
 						];
@@ -220,10 +220,10 @@ public function get_setting_fields( $ui, $current, $name_array ) {
 
 						echo $ui->get_select_input( // phpcs:ignore.
 							[
-								'namearray'  => $name_array,
+								'namearray'  => esc_attr( $name_array ),
 								'name'       => 'show_in_graphql',
-								'labeltext'  => esc_html__( 'Show in GraphQL', 'wp-graphql-custom-post-type-ui' ),
-								'aftertext'  => esc_html__( 'Whether or not to show data of this type in the WPGraphQL. Default: false', 'wp-graphql-custom-post-type-ui' ),
+								'labeltext'  => esc_html__( 'Show in GraphQL', 'custom-post-type-ui' ),
+								'aftertext'  => esc_html__( 'Whether or not to show data of this type in the WPGraphQL. Default: false', 'custom-post-type-ui' ),
 								'selections' => $selections, // phpcs:ignore.
 								'default'    => false,
 								'required'   => true,
@@ -232,21 +232,21 @@ public function get_setting_fields( $ui, $current, $name_array ) {
 
 						echo $ui->get_text_input( // phpcs:ignore.
 							[
-								'namearray' => $name_array,
+								'namearray' => esc_attr( $name_array ),
 								'name'      => 'graphql_single_name',
-								'labeltext' => esc_html__( 'GraphQL Single Name', 'wp-graphql-custom-post-type-ui' ),
-								'aftertext' => esc_attr__( 'Singular name for reference in the GraphQL API.', 'wp-graphql-custom-post-type-ui' ),
+								'labeltext' => esc_html__( 'GraphQL Single Name', 'custom-post-type-ui' ),
+								'aftertext' => esc_attr__( 'Singular name for reference in the GraphQL API.', 'custom-post-type-ui' ),
 								'textvalue' => ( isset( $current['graphql_single_name'] ) ) ? esc_attr( $current['graphql_single_name'] ) : '', // phpcs:ignore.
 								'required'  => true,
 							]
 						);
 
 						echo $ui->get_text_input( // phpcs:ignore.
 							[
-								'namearray' => $name_array,
+								'namearray' => esc_attr( $name_array ),
 								'name'      => 'graphql_plural_name',
-								'labeltext' => esc_html__( 'GraphQL Plural Name', 'wp-graphql-custom-post-type-ui' ),
-								'aftertext' => esc_attr__( 'Plural name for reference in the GraphQL API.', 'wp-graphql-custom-post-type-ui' ),
+								'labeltext' => esc_html__( 'GraphQL Plural Name', 'custom-post-type-ui' ),
+								'aftertext' => esc_attr__( 'Plural name for reference in the GraphQL API.', 'custom-post-type-ui' ),
 								'textvalue' => ( isset( $current['graphql_plural_name'] ) ) ? esc_attr( $current['graphql_plural_name'] ) : '', // phpcs:ignore.
 								'required'  => true,
 							]
@@ -337,8 +337,8 @@ function () {
 				<?php
 				echo sprintf(
 					// phpcs:ignore.
-					esc_html__( 'Custom Post Type UI has native support for WPGraphQL. Please <a href="%s">de-active</a> the "WPGraphQL for Custom Post Type UI" extension to proceed.', 'custom-post-type-ui' ),
-					$link // phpcs:ignore.
+					esc_html__( 'Custom Post Type UI has native support for WPGraphQL. Please <a href="%s">de-activate</a> the "WPGraphQL for Custom Post Type UI" extension to proceed.', 'custom-post-type-ui' ),
+					esc_url( $link )
 				);
 				?>
 					</p>

inc/post-types.php

@@ -779,7 +779,7 @@ function cptui_manage_post_types() {
 									]
 								);
 
-								echo $ui->get_text_input( // phpcs:ignore.Z
+								echo $ui->get_text_input( // phpcs:ignore.
 									[
 										'labeltext' => esc_html__( 'Attributes', 'custom-post-type-ui' ),
 										'helptext'  => esc_html__( 'Used for the title of the post attributes meta box.', 'custom-post-type-ui' ),
@@ -1232,7 +1232,7 @@ function cptui_manage_post_types() {
 							echo $ui->get_tr_start() . $ui->get_th_start(); // phpcs:ignore.
 							echo $ui->get_label( 'hierarchical', esc_html__( 'Hierarchical', 'custom-post-type-ui' ) ); // phpcs:ignore.
 							echo $ui->get_p( esc_html__( '"False" behaves like posts, "True" behaves like pages.', 'custom-post-type-ui' ) ); // phpcs:ignore.
-							echo $ui->get_th_end() . $ui->get_td_start();
+							echo $ui->get_th_end() . $ui->get_td_start(); // phpcs:ignore.
 
 							$select = [
 								'options' => [
@@ -1454,7 +1454,7 @@ function cptui_manage_post_types() {
 									'namearray'      => 'cpt_custom_post_type',
 									'name'           => 'show_in_menu_string',
 									'textvalue'      => isset( $current['show_in_menu_string'] ) ? esc_attr( $current['show_in_menu_string'] ) : '', // phpcs:ignore.
-									'helptext'       => $ui->get_label( 'show_in_menu_string', esc_attr__( 'The top-level admin menu page file name for which the post type should be in the sub menu of.', 'custom-post-type-ui' ) ),
+									'helptext'       => $ui->get_label( 'show_in_menu_string', esc_attr__( 'The top-level admin menu page file name for which the post type should be in the sub menu of.', 'custom-post-type-ui' ) ), // phpcs:ignore.
 									'helptext_after' => true,
 									'wrap'           => false,
 								]
@@ -1522,7 +1522,7 @@ function cptui_manage_post_types() {
 
 							echo $ui->get_p( esc_html__( 'Featured images and Post Formats need theme support added, to be used.', 'custom-post-type-ui' ) ); // phpcs:ignore.
 
-							echo $ui->get_p(
+							echo $ui->get_p( // phpcs:ignore.
 								sprintf(
 									'<a href="%s" target="_blank" rel="noopener">%s</a><br/><a href="%s" target="_blank" rel="noopener">%s</a>',
 									esc_url( 'https://developer.wordpress.org/reference/functions/add_theme_support/#post-thumbnails' ),
@@ -1768,7 +1768,7 @@ function cptui_manage_post_types() {
 											'name'       => esc_attr( $add_tax->name ),
 											'namearray'  => 'cpt_addon_taxes',
 											'textvalue'  => esc_attr( $add_tax->name ),
-											'labeltext'  => $add_tax->label . ' ' . $core_label,
+											'labeltext'  => esc_html( $add_tax->label . ' ' . $core_label ),
 											// phpcs:ignore.
 											'helptext'   => sprintf( esc_attr__( 'Adds %s support', 'custom-post-type-ui' ), $add_tax->label ),
 											// phpcs:ignore.
@@ -2138,7 +2138,7 @@ function cptui_update_post_type( $data = [] ) {
 	// We are handling this special because we can't accurately get to exclude the description index
 	// in the cptui_filtered_post_type_post_global() function. So we clean this up from the $_POST
 	// global afterwards here.
-	$description = wp_kses_post( stripslashes_deep( $_POST['cpt_custom_post_type']['description'] ) );
+	$description = cptui_get_saved_description();
 
 	$name                  = trim( $data['cpt_custom_post_type']['name'] );
 	$rest_base             = trim( $data['cpt_custom_post_type']['rest_base'] );
@@ -2584,3 +2584,20 @@ function cptui_custom_enter_title_here( $text, $post ) {
 	return $cptui_obj['enter_title_here'];
 }
 add_filter( 'enter_title_here', 'cptui_custom_enter_title_here', 10, 2 );
+
+/**
+ * Get saved description value with added nonce check for extra security.
+ *
+ * @since 1.18.1
+ * @return string
+ */
+function cptui_get_saved_description() {
+	if ( empty( $_POST['cpt_custom_post_type']['description'] ) ) {
+		return '';
+	}
+
+	if ( ! empty( $_POST['cptui_select_post_type_nonce_field'] ) ) {
+		check_admin_referer( 'cptui_select_post_type_nonce_action', 'cptui_select_post_type_nonce_field' );
+	}
+	return wp_kses_post( stripslashes_deep( $_POST['cpt_custom_post_type']['description'] ) );
+}

inc/taxonomies.php

@@ -377,9 +377,9 @@ function cptui_manage_taxonomies() {
 										],
 										true
 									) ? esc_html__( '(WP Core)', 'custom-post-type-ui' ) : '';
-									echo $ui->get_check_input( // phpcs:ignore.
+									echo $ui->get_check_input( // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 										[
-											'checkvalue' => $post_type->name,
+											'checkvalue' => esc_attr( $post_type->name ),
 											'checked'    => ( ! empty( $current['object_types'] ) && is_array( $current['object_types'] ) && in_array( $post_type->name, $current['object_types'], true ) ) ? 'true' : 'false', // phpcs:ignore.
 											'name'       => esc_attr( $post_type->name ),
 											'namearray'  => 'cpt_post_types',

inc/tools-sections/tools-debug.php

@@ -22,7 +22,7 @@ function cptui_render_debuginfo_section() {
 	if ( ! empty( $_POST ) && isset( $_POST['cptui_debug_info_email'] ) && isset( $_POST['cptui_debuginfo_nonce_field'] ) ) {
 		if ( wp_verify_nonce( 'cptui_debuginfo_nonce_field', 'cptui_debuginfo_nonce_action' ) ) {
 			$email_args          = [];
-			$email_args['email'] = sanitize_text_field( $_POST['cptui_debug_info_email'] );
+			$email_args['email'] = sanitize_text_field( wp_unslash( $_POST['cptui_debug_info_email'] ) );
 			$debuginfo->send_email( $email_args );
 		}
 	}

inc/tools-sections/tools-get-code.php

@@ -31,6 +31,7 @@ function cptui_render_getcode_section() {
 			<h2 id="<?php echo esc_attr( $post_type['name'] ); ?>">
 				<?php
 				$type = ! empty( $post_type['label'] ) ? esc_html( $post_type['label'] ) : esc_html( $post_type['name'] );
+				// translators: placeholder will hold post type name.
 				printf( esc_html__( '%s Post Type', 'custom-post-type-ui' ), esc_html( $type ) ); ?></h2>
 			<p>
 				<label for="cptui_post_type_get_code_<?php echo esc_attr( $post_type['name'] ); ?>"><?php esc_html_e( 'Copy/paste the code below into your functions.php file.', 'custom-post-type-ui' ); ?></label>
@@ -56,6 +57,7 @@ function cptui_render_getcode_section() {
 			<h2 id="<?php echo esc_attr( $taxonomy['name'] ); ?>">
 				<?php
 				$tax = ! empty( $taxonomy['label'] ) ? esc_html( $taxonomy['label'] ) : esc_html( $taxonomy['name'] );
+				// translators: placeholder will hold taxonomy name.
 				printf( esc_html__( '%s Taxonomy', 'custom-post-type-ui' ), esc_html( $tax ) );
 				?>
 			</h2>