Justin Young
asked 10 years ago

Wanted to ask about data validation with the twitter widget.  I got some feedback that indicated the widget needs to add some of the escaping properly for data validation.  Here’s what I’ve been directed to update:  

 class dw_twitter_query_Widget extends WP_Widget { function dw_twitter_query_Widget() {  
 $widget_ops = array( 'classname' => 'dw_twitter latest-twitter', 'description' => __('Display latest Tweets from Twitter. With query search: from:<your twitter name>, <@ or #><search string>','dw') );  
 $this->WP_Widget( 'dw_twitter', __('DW Twitter','dw'), $widget_ops );  
 } function widget( $args, $instance ) {  
 extract( $args, EXTR_SKIP );  
 $instance = wp_parse_args( $instance, array(  
 'title' => 'Latest Tweets',   
 'query' => 'from:siiimple',  
 'number' => 1,  
 'show_follow' => 'false',  
 'show_avatar' => 'false',  
 'show_account' => 'true',  
 'exclude_replies' => 'false',  
 'consumer_key' => '',  
 'consumer_secret' => ''  
 ) );  
 $this->get_tweets_bearer_token( $instance['consumer_key'], $instance['consumer_secret'] );  
 echo $before_widget;  
 echo $before_title . $instance['title'] . $after_title;  
 echo '<div class="dw-twitter-inner '.(isset($instance['show_follow'])&&$instance['show_follow']?'has-follow-button':'').'" >';  
 $this->get_tweets($instance);   
 echo '</div>';  
 echo $after_widget;  
 } function update( $new_instance, $old_instance ) {  
 if( ! isset($new_instance['show_follow']) ) {  
 $new_instance['show_follow'] = false;  
 }  
 if( ! isset($new_instance['show_avatar']) ) {  
 $new_instance['show_avatar'] = false;  
 }  
 if( ! isset($new_instance['show_account']) ) {  
 $new_instance['show_account'] = false;  
 }  
 $updated_instance = $new_instance;  
 return $updated_instance;  
 } function form( $instance ) {  
 $instance = wp_parse_args( $instance, array(   
 'title' => 'Latest Tweets',  
 'query' => 'from:siiimple',  
 'number' => 1,  
 'show_follow' => 'false',  
 'show_avatar' => 'false',  
 'show_account' => 'true',  
 'consumer_key' => '',  
 'consumer_secret' => '',  
 'exclude_replies' => false  
 ) );  
 ?>   
 <p>  
 <label for="<?php echo $this->get_field_id('title') ?>"><?php _e('Title','dw'); ?></label>  
 <br>  
 <input type="text" name="<?php echo $this->get_field_name('title') ?>" id="<?php echo $this->get_field_id('title') ?>" class="widefat" value="<?php echo $instance['title'] ?>">  
 </p>  
 <p><label for="<?php echo $this->get_field_id('consumer_key'); ?>"><?php _e('Consumer Key','dw') ?></label><br />  
 <input type="text" name="<?php echo $this->get_field_name('consumer_key') ?>" id="<?php echo $this->get_field_id('consumer_key') ?>" class="widefat" value="<?php echo $instance['consumer_key'] ?>">  
 </p>  
 <p>  
 <label for="<?php echo $this->get_field_id('consumer_secret') ?>"><?php _e('Consumer Secret', 'dw') ?></label><br />  
 <input type="text" name="<?php echo $this->get_field_name('consumer_secret') ?>" class="widefat" id="<?php echo $this->get_field_id('consumer_secret') ?>" value="<?php echo $instance['consumer_secret'] ?>">  
 </p>  
 <p><label for="<?php echo $this->get_field_id('query') ?>"><?php _e('Search Query (<a href="https://dev.twitter.com/docs/using-search" target="_blank" title="Read more about Twitter Search query">?</a>)','dw') ?></label><br />  
 <input type="text" name="<?php echo $this->get_field_name('query'); ?>" id="<?php echo $this->get_field_id('query'); ?>" class="widefat" value="<?php echo $instance['query'] ?>">  
 </p>  
 <p><label for="<?php echo $this->get_field_id('number') ?>"><?php _e('Number of Tweets','dw') ?></label> <input type="text" name="<?php echo $this->get_field_name  
 ('number') ?>" id="<?php echo $this->get_field_id  
 ('number') ?>" size="3" value="<?php echo $instance['number'] ?>" >  
 </p>  
 <p><label for="<?php echo $this->get_field_id('show_follow') ?>">  
 <input type="checkbox" name="<?php echo $this->get_field_name('show_follow'); ?>" id="<?php echo $this->get_field_id('show_follow'); ?>" <?php checked( 'true', $instance['show_follow'] ) ?> value="true" >  
 <?php _e('Show Follow Button?', 'dw') ?></label>  
 </p>  
 <p><label for="<?php echo $this->get_field_id('show_account') ?>">  
 <input type="checkbox" name="<?php echo $this->get_field_name('show_account'); ?>" id="<?php echo $this->get_field_id('show_account'); ?>" <?php checked( 'true', $instance['show_account'] ) ?> value="true" >  
 <?php _e('Show Account Info?', 'dw') ?></label>  
 </p>  
 <p><label for="<?php echo $this->get_field_id('show_avatar') ?>">  
 <input type="checkbox" name="<?php echo $this->get_field_name('show_avatar'); ?>" id="<?php echo $this->get_field_id('show_avatar'); ?>" <?php checked( 'true', $instance['show_avatar'] ) ?> value="true" >  
 <?php _e('Show User Avatar?', 'dw') ?></label>  
 </p>  
 <p><label for="<?php echo $this->get_field_id('exclude_replies') ?>">  
 <input type="checkbox" name="<?php echo $this->get_field_name('exclude_replies'); ?>" id="<?php echo $this->get_field_id('exclude_replies'); ?>" <?php checked( 'true', $instance['exclude_replies'] ) ?> value="true" >  
 <?php _e('Exclude replies for UserTimeline <span class="description">( from:* )<span>', 'dw') ?></label>  
 </p> <?php  
 } function update_tweet_urls($content) {  
 $maxLen = 16;  
 //split long words  
 $pattern = '/[^\s\t]{'.$maxLen.'}[^\s\.\,\+\-\_]+/';  
 $content = preg_replace($pattern, '$0 ', $content); //  
 $pattern = '/\w{2,4}\:\/\/[^\s\"]+/';  
 $content = preg_replace($pattern, '<a href="$0" title="" target="_blank">$0</a>', $content);  

 //search  
 $pattern = '/\#([a-zA-Z0-9_-]+)/';  
 $content = preg_replace($pattern, '<a href="https://twitter.com/search?q=#$1&src=hash" title="" target="_blank">$0</a>', $content);  
 //user  
 $pattern = '/\@([a-zA-Z0-9_-]+)/';  
 $content = preg_replace($pattern, '<a href="https://twitter.com/#!/$1" title="" target="_blank">$0</a>', $content); return $content;  
 }   
 function get_tweets_bearer_token( $consumer_key, $consumer_secret ){  
 $consumer_key = rawurlencode( $consumer_key );  
 $consumer_secret = rawurlencode( $consumer_secret ); $token = maybe_unserialize( get_option( 'dw_twitter_widget' ) ); if( ! is_array($token) || empty($token) || $token['consumer_key'] != $consumer_key || empty($token['access_token']) ) {  
 $authorization = base64_encode( $consumer_key . ':' . $consumer_secret ); $args = array(  
 'httpversion' => '1.1',  
 'headers' => array(   
 'Authorization' => 'Basic ' . $authorization,  
 'Content-Type' => 'application/x-www-form-urlencoded;charset=UTF-8'  
 ),  
 'body' => array( 'grant_type' => 'client_credentials' )  
 );  
 add_filter('https_ssl_verify', '__return_false'); $remote_get_tweets = wp_remote_post( 'https://api.twitter.com/oauth2/token', $args );  
 $result = json_decode( wp_remote_retrieve_body( $remote_get_tweets ) );   
 $token = serialize( array(  
 'consumer_key' => $consumer_key,  
 'access_token' => $result->access_token  
 ) );  
 update_option( 'dw_twitter_widget', $token );  
 }  
 } function get_tweets( $instance ){  
 extract($instance);  
 $token = maybe_unserialize( get_option( 'dw_twitter_widget' ) );  
 if( strpos($query, 'from:') === 0 ) {  
 $query_type = 'user_timeline';  
 $query = substr($query, 5);  
 $url = 'https://api.twitter.com/1.1/statuses/user_timeline.json?screen_name='.rawurlencode($query).'&count='.$number;  
 if( $exclude_replies ) {  
 $url .= '&exclude_replies=true';  
 }  
 } else {  
 $query_type = 'search';  
 $url = 'https://api.twitter.com/1.1/search/tweets.json?q='.rawurlencode($query).'&count='.$number;  
 } $remote_get_tweets = wp_remote_get( $url, array(  
 'headers' => array(  
 'Authorization' => 'Bearer '. (is_array($token) && isset($token['access_token']) ? $token['access_token'] : '')  
 ),  
 // disable checking SSL sertificates   
 'sslverify'=>false  
 ) ); $result = json_decode( wp_remote_retrieve_body( $remote_get_tweets ) ); if( empty($result) || (isset( $result->errors ) && ( $result->errors[0]->code == 89 || $result->errors[0]->code == 215 ) ) ) {  
 delete_option( 'dw_twitter_widget' );  
 $this->get_tweets_bearer_token();  
 return $this->get_tweets();  
 } $tweets = array();  
 if( 'user_timeline' == $query_type ) {  
 if( !empty($result) ) {  
 $tweets = $result;  
 }  
 } else {  
 if( !empty($result->statuses) ) {  
 $tweets = $result->statuses;  
 } } $follow_button = '<a href="https://twitter.com/__name__" class="twitter-follow-button" data-show-count="false" data-lang="en">Follow @__name__</a><script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>'; if( !empty($tweets) ) {  
 foreach ($tweets as $tweet ) {  
 $text = $this->update_tweet_urls( $tweet->text );  
 $time = human_time_diff( strtotime($tweet->created_at), time() );  
 $url = 'http://twitter.com/'.$tweet->user->id.'/status/'.$tweet->id_str;  
 $screen_name = $tweet->user->screen_name;  
 $name = $tweet->user->name;  
 $profile_image_url = $tweet->user->profile_image_url; echo '<div class="tweet-item '.$query_type.'">';  
 if( 'search' == $query_type ) {  
 echo '<div class="twitter-user">';  
 if( $show_account ) {  
 echo '<a href="https://twitter.com/'.$screen_name.'" class="user">';  
 if( $show_avatar && $profile_image_url ) {  
 echo '<img src="'.$profile_image_url.'" width="16px" height="16px" >';  
 }  
 echo ' <strong class="name">'.$name.'</strong> <span class="screen_name">@'.$screen_name.'</span></a>';  
 }  
 echo '</div>';  
 } echo '<div class="tweet-content">'.$text.' <span class="time"><a target="_blank" title="" href="'.$url.'"> about '.$time.' ago</a></span></div>';  

 if( 'search' == $query_type ) {  
 if( $show_follow ) {  
 echo str_replace('__name__', $screen_name, $follow_button);  
 }  
 }  
 echo '</div>';  
 } if( 'user_timeline' == $query_type ) {  
 echo '<div class="twitter-user">';  
 if( $show_account ) {  
 echo '<a href="https://twitter.com/'.$screen_name.'" class="user">';  
 if( $show_avatar && $profile_image_url ) {  
 echo '<img src="'.$profile_image_url.'" width="16px" height="16px" >';  
 }  
 echo ' <strong class="name">'.$name.'</strong> <span class="screen_name">@'.$screen_name.'</span></a>';  
 }  
 if( $show_follow ) {  
 echo str_replace('__name__', $screen_name, $follow_button);  
 }  
 echo '</div>';  
 }   
 }  
 }  
}  
add_action( 'widgets_init', create_function( '', "register_widget('dw_twitter_query_Widget');" ) ); 

  With this link:  http://codex.wordpress.org/Data_Validation Thanks for any help!

Powered by DW Question & Answer Pro