Security Notice: Contact Form 7 Skins

Last Updated on February 22, 2022 by Neil Murray

Notation System

  • [ ] – to do
  • [X] – done
  • [-] – no action required

cf7skins\ Dev + contact-form-7-skins\ Live

  • includes
    • [X] admin.php
    • [X] admin-notice.php
    • [X] admin-visual.php – modified on visual branch
    • [X] cf7-connect.php
    • [-] EDD_SL_Plugin_Updater.php
    • [X] export.php
    • [X] front-visual.php – modified on visual branch
    • [-] getting-started.php
    • [X] label.php
    • [X] pro-version.php
    • [X] settings.php
    • [X] skin.php
    • [X] style.php
    • [-] style-instructions.php
    • [X] tab.php
    • [X] template.php
    • [-] template-instructions.php
  • js
    • [-] jquery.admin.js
    • [-] jquery.settings.js

Other Items

WordPress Plugin Review Team

# sanitizing any $_ and all inputs

  • [X] contact-form-7-skins/includes/admin-visual.php:101: $visual = json_decode( stripslashes( $_POST['cf7s-visual'] ) );
  • [X] contact-form-7-skins/includes/admin-visual.php:140: $cf7svisual = json_decode( stripslashes( $_POST['visual'] ) ); // treeData @since 2.3.0
  • [X] contact-form-7-skins/includes/admin-visual.php:162: 'post_title' => $_POST['title'], // sanitized by WP
  • [X] contact-form-7-skins/includes/admin-visual.php:707: $template = $templates[$_POST['template']];
  • [X] contact-form-7-skins/includes/settings.php:35: $section = isset( $_GET['tab'] ) ? $_GET['tab'] : 'advanced';
  • [X] contact-form-7-skins/includes/admin.php:84: update_post_meta( $form_id, 'cf7s_postbox', $_POST['cf7s-postbox'] );
  • [X] contact-form-7-skins/includes/template.php:51: $template = $templates[$_POST['template']];
  • [X] contact-form-7-skins/includes/template.php:390: $id = isset( $_POST['id'] ) ? $_POST['id'] : $this->get_id();
  • [X] contact-form-7-skins/includes/template.php:395: $locale = isset( $_GET['locale'] ) ? $_GET['locale'] : '';
  • [X] contact-form-7-skins/includes/style.php:381: $id = isset( $_POST['id'] ) ? $_POST['id'] : $this->get_id();

## Don't use esc_ functions to sanitize

  • [X] contact-form-7-skins/includes/settings.php:35: $section = isset( $_GET['tab'] ) ? esc_attr( $_GET['tab'] ) : 'advanced';
  • [X] contact-form-7-skins/includes/tab.php:76: $keyword = esc_attr( sanitize_text_field( $_POST['keyword'] ) );
  • [X] contact-form-7-skins/includes/tab.php:152: $keyword = esc_attr( sanitize_text_field( $_POST['keyword'] ) );
  • [X] contact-form-7-skins/includes/admin-visual.php:169: update_post_meta( $form_id, 'cf7s_template', esc_attr( $_POST['template'] ) );
  • [X] contact-form-7-skins/includes/admin-visual.php:177: update_post_meta( $form_id, 'cf7s_style', esc_attr( $_POST['style'] ) );
  • [X] contact-form-7-skins/includes/tab.php:77: $keyword = esc_attr( $_POST['keyword'] );
  • [X] contact-form-7-skins/includes/tab.php:153: $keyword = esc_attr( $_POST['keyword'] );
  • [X] contact-form-7-skins/includes/admin.php:75: update_post_meta( $form_id, 'cf7s_template', esc_attr( $_POST['cf7s-template'] ) );
  • [X] contact-form-7-skins/includes/admin.php:79: update_post_meta( $form_id, 'cf7s_style', esc_attr( $_POST['cf7s-style'] ) );

### Variables and options must be escaped when echoed

  • [X] contact-form-7-skins/includes/tab.php:245: <span class="help balloon-hover balloon" title="<?php echo $value['note']; ?>"><?php _e( '!', CF7SKINS_TEXTDOMAIN ); ?></span>
  • [X] contact-form-7-skins/includes/tab.php:246: <span class="help balloon-hover balloon" title="<?php echo $value['help']; ?>"><?php _e( '?', CF7SKINS_TEXTDOMAIN ); ?></span>
  • [X] contact-form-7-skins/includes/tab.php:255: <div class="nav-tab-content <?php echo $color_scheme; ?>">
  • [X] contact-form-7-skins/includes/tab.php:257: <div id="tab-<?php echo $value['name']; ?>" class="tab-content wp-clearfix">
  • [X] contact-form-7-skins/includes/skin.php:58: echo str_replace(' ', '-', $skin['dir'] );
  • [X] contact-form-7-skins/includes/template.php:333: echo '<h4 class="feature-name">' . $feature_name . '</h4>';
  • [X] contact-form-7-skins/includes/template.php:337: echo '<li><input type="checkbox" id="tab-template-' . $feature . '" value="' . $feature . '" /> ';
  • [X] contact-form-7-skins/includes/template.php:338: echo '<label for="tab-template-' . $feature . '">' . $feature_name . '</label></li>';
  • [X] contact-form-7-skins/includes/settings.php:114: echo "<a class='nav-tab$class tab-$tab' href='?page=". $this->slug ."&tab=$tab'>$name</a>";
  • [X] contact-form-7-skins/includes/settings.php:356: echo '<td style="background-color: '.$bgcolor.'"> </td>';
  • [X] contact-form-7-skins/includes/settings.php:372: echo '<input type="submit" name="'. "{$this->slug}[$id" .'_deactivate]" value="'. __('Deactivate License',CF7SKINS_TEXTDOMAIN) .'"/>';
  • [X] contact-form-7-skins/includes/settings.php:401: echo '<p>'. $description .'</p>';
  • [X] contact-form-7-skins/includes/tab.php:242: <h2 class="nav-tab-wrapper <?php echo $color_scheme; ?>">
  • [X] contact-form-7-skins/includes/tab.php:244: <a href="#tab-<?php echo $value['name']; ?>">
  • [X] contact-form-7-skins/includes/tab.php:245: <?php echo $value['label']; ?>
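As an added illustration (not the plugin's own code; the cf7s_example_* function names are hypothetical), here are the patterns flagged in the three lists above rewritten the way the review team asks for: validate or sanitize on input, escape at the point of output. It assumes a loaded WordPress environment, which provides sanitize_key, sanitize_text_field, wp_unslash, map_deep and the esc_* functions.

```php
<?php
// Added example, not code from Contact Form 7 Skins. Assumes WordPress is loaded;
// the cf7s_example_* names are hypothetical.

// Flagged: $template = $templates[ $_POST['template'] ];
// Fix: clean the key, then accept only one that already exists in $templates
// (the array_key_exists() allow-list is the real control).
function cf7s_example_resolve_template( array $templates ) {
    $key = isset( $_POST['template'] ) ? sanitize_text_field( wp_unslash( $_POST['template'] ) ) : '';
    return array_key_exists( $key, $templates ) ? $templates[ $key ] : null;
}

// Flagged: $section = isset( $_GET['tab'] ) ? esc_attr( $_GET['tab'] ) : 'advanced';
// esc_attr() is an output escaper, not a sanitizer: validate against the known tabs.
function cf7s_example_current_tab( array $tabs ) {
    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'advanced';
    return array_key_exists( $tab, $tabs ) ? $tab : 'advanced';
}

// Flagged: update_post_meta( $form_id, 'cf7s_style', esc_attr( $_POST['cf7s-style'] ) );
// Sanitize before storing; escaping happens later, where the value is echoed.
function cf7s_example_save_style( $form_id ) {
    $style = isset( $_POST['cf7s-style'] ) ? sanitize_text_field( wp_unslash( $_POST['cf7s-style'] ) ) : '';
    return update_post_meta( absint( $form_id ), 'cf7s_style', $style );
}

// Flagged: $visual = json_decode( stripslashes( $_POST['cf7s-visual'] ) );
// Decode to an array and sanitize every leaf of the tree before it is used.
function cf7s_example_read_visual() {
    $raw    = isset( $_POST['cf7s-visual'] ) ? wp_unslash( $_POST['cf7s-visual'] ) : '';
    $visual = json_decode( $raw, true );
    return is_array( $visual ) ? map_deep( $visual, 'sanitize_text_field' ) : array();
}

// Flagged: echo "<a class='nav-tab$class tab-$tab' href='?page=" . $this->slug . "&tab=$tab'>$name</a>";
// Escape each value for the context it lands in: attribute, URL, or HTML text.
function cf7s_example_render_tab_link( $slug, $tab, $name, $class ) {
    $url = add_query_arg( array( 'page' => $slug, 'tab' => $tab ), admin_url( 'admin.php' ) );
    printf(
        '<a class="nav-tab %1$s tab-%2$s" href="%3$s">%4$s</a>',
        esc_attr( $class ), esc_attr( $tab ), esc_url( $url ), esc_html( $name )
    );
}
```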

Sanitize Functions

Escape Functions

  • esc_attr, can be used on any string; escapes it for output inside an HTML attribute.
  • esc_attr__, for a translation string; returns the escaped value only.
  • esc_attr_e, for a translation string; echoes the escaped value.

cf7skins-single\src\

  • cf7skins
  • visual
  • [ ] index.js

cf7skins-single\src\cf7skins\

  • [ ] index.js
  • [ ] window.js

cf7skins-single\src\visual\

  • [ ] index.js

data

  • [ ] actions.js
  • [ ] index.js
  • [ ] reducer.js
  • [ ] selectors.js

Form

  • Form
    • [ ] index.js
  • Action
    • [ ] index.js
  • Control
    • [ ] index.js
  • Edit
    • [ ] index.js
    • Type
      • [ ] index.js
  • Items
    • [ ] index.js
    • InputItem
      • [ ] index.js
    • InputItemMenu
      • [ ] index.js
  • Notice
    • [ ] index.js
  • Select
    • [ ] index.js
    • SelectItem
      • [ ] index.js
    • Tip
      • [ ] index.js
  • Toolbar
    • [ ] index.js
  • Topbar
    • [ ] index.js

util

  • [ ] api.js
  • [ ] cf7sItems.js
  • [ ] cf7sRules.js
  • [ ] data.js
  • [ ] functions.js
  • [ ] index.js

Further Reading: