Plugin check #502
lint.yml
on: pull_request
EditorConfig
4s
PluginCheck
1m 54s
Matrix: phpstan
Annotations
10 errors and 13 warnings
WordPress.Security.EscapeOutput.UnsafePrintingFunction:
includes/ui/tabs/diagnostics.php#L19
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.

WordPress.WP.I18n.MissingArgDomain:
includes/ui/tabs/diagnostics.php#L21
Missing $domain parameter in function call to _e().

WordPress.Security.EscapeOutput.UnsafePrintingFunction:
includes/ui/tabs/diagnostics.php#L21
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.

Squiz.PHP.Heredoc.NotAllowed:
includes/class-plugin.php#L830
Use of heredoc and nowdoc syntax ("<<<") is not allowed; use standard strings or inline HTML instead

Squiz.PHP.Heredoc.NotAllowed:
includes/class-plugin.php#L854
Use of heredoc and nowdoc syntax ("<<<") is not allowed; use standard strings or inline HTML instead

WordPress.Security.EscapeOutput.OutputNotEscaped:
includes/class-plugin.php#L1087
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '__'.

WordPress.WP.I18n.NonSingularStringLiteralText:
includes/class-plugin.php#L1087
The $text parameter must be a single text string literal. Found: $message

hidden_files:
.gitignore#L1
Hidden files are not permitted.

WordPress.Security.EscapeOutput.OutputNotEscaped:
includes/ui/settings.php#L101
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$this'.

WordPress.Security.EscapeOutput.OutputNotEscaped:
includes/ui/widget.php#L37
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'network_admin_url'.

EditorConfig
ubuntu-latest pipelines will use ubuntu-24.04 soon. For more details, see https://github.com/actions/runner-images/issues/10636

PHPStan (PHP 7.4; Relay 0.7.0)
ubuntu-latest pipelines will use ubuntu-24.04 soon. For more details, see https://github.com/actions/runner-images/issues/10636

PHPStan (PHP 8.2; Relay 0.7.0)
ubuntu-latest pipelines will use ubuntu-24.04 soon. For more details, see https://github.com/actions/runner-images/issues/10636

WordPress.Security.ValidatedSanitizedInput.InputNotValidated:
includes/class-plugin.php#L1079
Detected usage of a possibly undefined superglobal array index: $_POST['nonce']. Use isset() or empty() to check the index exists before using it

WordPress.Security.ValidatedSanitizedInput.MissingUnslash:
includes/class-plugin.php#L1079
$_POST['nonce'] not unslashed before sanitization. Use wp_unslash() or similar

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized:
includes/class-plugin.php#L1079
Detected usage of a non-sanitized input variable: $_POST['nonce']

WordPress.Security.NonceVerification.Missing:
includes/class-plugin.php#L1603
Processing form data without nonce verification.

WordPress.Security.NonceVerification.Missing:
includes/class-plugin.php#L1603
Processing form data without nonce verification.

WordPress.Security.NonceVerification.Missing:
includes/class-plugin.php#L1603
Processing form data without nonce verification.

Squiz.PHP.DiscouragedFunctions.Discouraged:
.github/workflows/cluster/cluster.php#L3
The use of function ini_set() is discouraged

Squiz.PHP.DiscouragedFunctions.Discouraged:
.github/workflows/cluster/cluster.php#L4
The use of function ini_set() is discouraged

WordPress.PHP.DevelopmentFunctions.prevent_path_disclosure_error_reporting:
.github/workflows/cluster/cluster.php#L6
error_reporting() can lead to full path disclosure.

WordPress.PHP.DevelopmentFunctions.error_log_var_dump:
.github/workflows/cluster/cluster.php#L39
var_dump() found. Debug code should not normally be used in production.