All of the widgets in includes/widgets need a full re-coding of the widgets' update() methods. Essentially, each widget option is wrapped with strip_tags(). There are a few that aren't sanitized at all.

strip_tags() is not really acceptable here for most options. It's not just about sanitizing (making safe), it's also about making sure that the data is really the type of data that should be stored.

For example, the "Columns" option for the "TO Post Types" widget has only 6 allowed options. So, in the update() method, this bit of code:

$instance['columns'] = strip_tags( $new_instance['columns'] );

Would work better as:

$instance['columns'] = in_array( $new_instance['columns'], range( 1, 6 ) ) ? $new_instance['columns'] : 1;

That's an example of whitelist validating, which is one of the safest and best ways to validate if you have a known list of values that are allowed.

Another example from the same widget is the "Title Link" field. This is how it's currently sanitized:

$instance['title_link'] = strip_tags( $new_instance['title_link'] );

Because it's a URL, it should be sanitized like so:

$instance['title_link'] = esc_url_raw( $new_instance['title_link'] );

Always use the most appropriate method for the type of data that you expect. Don't just run strip_tags() over everything.

• In includes/post-order.php method load_script_css, no need to enqueue jquery or jquery-ui-sortable
• Just add it as dependency scripts as line 74
• Once you add script as dependency script, it will be enqueued automatically it it is present in core

I'm seeing a lot of things like this in the plugin:

sanitize_text_field(wp_unslash($_GET['taxonomy']))

I'm guessing you've been running a code sniffer that's telling you to unslash and sanitize these superglobals. That's definitely a good idea. However, sanitize_text_field() isn't generally the most appropriate function.

Like I wrote about in issue #45, you want to always use the most appropriate function for the job.

How to deal with these will happen on a case-by-case basis. In the example above, you could simply do this:

sanitize_key( $_GET['taxonomy'] )

No need to unslash there because sanitize_key() removes slashes. A taxonomy name will only consist of characters allowed by sanitize_key(), so that's a good choice.

A good rule of thumb: just because something's technically "safe" doesn't mean that it's correct. So, if possible, always try to make sure you're dealing with the correct type of data.

In Tour_Operator::apply_filters_the_content() in module.php, this bit of code on line 478 breaks plugins:

$output = apply_filters( 'the_content', $output );

The the_content filter hook should only ever be run in The Loop context. Other plugins rely on the global $post to be set. If not, it breaks things in all kinds of weird ways. This is one of the most common issues I have with other themes/plugins breaking one of my plugins.

Basically, only ever run it if you're explicitly running it over the post content and within The Loop.

I've written out a full explanation and a tutorial on how to handle this issue here: http://themehybrid.com/weblog/how-to-apply-content-filters

Here are all the files and line numbers where I see this issue:

module.php

• 478

classes/class-frontend.php

• 373

classes/class-units.php

• 175

includes/template-tags/general.php

• 536

includes/template-tags/tour.php

• 147
• 155
• 180

• Accommodation archive page gives following issue:
  Warning: number_format() expects parameter 1 to be float, string given in .../classes/class-accommodation.php on line 515

When building options pages, make sure to stick with the core WP UI. This is the UI that users are familiar with. Any deviation from that makes the plugin look unprofessional.

There are several issues in the following screenshot.

1. There shouldn't be a "box" around the page title area with the red border.
2. Don't change the style of the page title itself.
3. The save button should be at the bottom of the page.
4. The save button should be a primary button, not secondary.
5. The save button should be an actual <button> rather than a link.

It's standard practice to use an underscore rather than a hyphen when a taxonomy name (and post type names, for that matter) has multiple words. So, instead of travel-style and accommodation-type, they should be named travel_style and accommodation_type, respectively.

Of course, if it's too late in the game to change these (already in use on sites), just leave them be. But, definitely keep this in mind in the future.

If WP Rocket is active, then the Consultant on the single pages will random once, then the cached page will show all the time. So the "random' doesnt look like it working.

• Plugin uses LSX_ or lsx_ as prefix for classes and functions
• You need to use your plugin slug which is tour_operator
• Reason for this, is to avoid function clash with other themes and plugins
• Check http://themereview.co/prefix-all-the-things/ which is for themes, but can apply for plugins as well

@krugazul:

If you set the layout to 2 columns, then the sidebar floats a bit upwards. which sits over the navgation and the breadcrumb.

Initial reported in task #9.

• The featured and archive pages of all Custom Post Type posts need work
• Check screenshot for new destination
  
• This is the case for all the CPTs registered by theme

• Check href value in includes/settings/help.php, line no 104

• See issue #31
• Ref: includes/widgets/cta-widget.php
• This file as mentioned in escaping issues #21 has a lot of unnecessary wp_kses_post calls
• Because of method upload_scripts, the scripts are loaded in all admin pages, you need to restrict it to only widget page as in method described in Enqueuing admin scripts/styles, issue #26
• The function here just enqueues media-upload and thickbox, which isn't being utilized
• You need a supporting JS script for this which is missing and making this method and enqueue obsolete

The "Post Order" filters overwrite this all the time, so you can never sort by "name" or "slug".

I disabled the fail-safe in the plugin and am testing with PHP 5.2.4 (the lowest WP supports). It seems to be working thus far. Admittedly, I'm only in the early stages of testing the plugin.

Is there a reason that you've made the plugin 5.6+ only?

In templates/content-gallery.php, I'm seeing reference to these two globals:

global $image,$size;

However, I can't find where those are coming from. If these are globals that are set by your plugin, they need to be prefixed. Those are very generic variable names and will likely conflict with something.

• I found that wp_kses_post being used excessively in this plugin, so you need to check in details. Like in templates/content-gallery.php line 13. This functions here serves no purpose.
  It is being used throughout, check out issue #18

• In following files, only wp_reset_postdata is sufficient, no need of wp_reset_query
  • includes/template-tags/destination.php
  • includes/template-tags/helpers.php
  • includes/widgets/post-type-widget.php

• In classes/class-admin.php method enqueue_admin_stylescripts, admin scripts/styles are being loaded in all admin screens
• To restrict these to certain pages only, use $hook parameter available. Check https://codex.wordpress.org/Plugin_API/Action_Reference/admin_enqueue_scripts#Example:_Load_CSS_File_from_a_plugin_on_specific_Admin_Page
• This issue is present everywhere where admin_enqueue_scripts is used. You need to check thoroughly on all files

• Got following script errors on theme welcome page:

TypeError: a is undefined   
TypeError: i is not a function
TypeError: jQuery is not a function

Check console

• Getting following error on front end
  TypeError: jQuery(...).scrollspy ics not a function .../assets/js/custom.min.js?ver=1.0.5 line 1

Don't include "Plugin" in the plugin name. Users already know it's a plugin. :)

Seriously, the WP theme directory doesn't allow this. It's probably frowned on in the plugin directory if you are submitting it there.

Make sure the Google Maps API key is moved there, and is registering properly on frontend. (the addons will need to be changed to)

Expand the post type tabs on the settings page to include a text input of how many "posts per page" you would like the archive to show.

This must have an option to disable pagination per post type together, (show all)

The frontend will need to be adjusted to that it can handle the option (pre_get_posts filter)

• Use antispambot() function before showing email on front end
  • In includes/template-tags/general.php, line no 453, you need to use antispambot function, E.g:
    <div class="meta email"><i class="fa fa-envelope orange"></i> <a href="mailto:<?php echo esc_attr( antispambot( $fields[ 'enquiry_contact_email' ] ) ); ?>"><?php echo esc_html( antispambot( $fields[ 'enquiry_contact_email' ] ) ); ?></a></div>
• Escape using esc_attr() in the following
  • classes/class-frontend.php, line no 340 get_the_ID()
  • templates/content-gallery.php, line no 13 apply_filters('the_title',$image->post_title)

As in issue #39, you should follow core's lead with your settings tabs. The following is a screenshot of how it's done in your theme.

This screenshot is how it's done in core on the Plugins and Themes screens:

If you disable the LSX Banner plugin, then the navigation and the breadcrumbs conflict. Could you please fix with CSS.

Also, if you set the layout to 2 columns, then the sidebar floats a bit upwards. which sits over the navgation and the breadcrumb.

• In following, you have used esc_url() when initializing the link and wp_kses_post on escaping. Remove both because static content does not need escaping
  • in includes/settings/add-ons.php
    • ln 28 $tour_operator_link
    • ln 54 $map_link
    • ln 69 $specials_link
    • ln 84 $reviews_link
    • ln 101 $activities_link
    • ln 116 $search_link
    • ln 131 $galleries_link
    • ln 148 $vehicles_link
    • ln 163 $team_link
    • ln 178 $video_link
    • ln 195 $wetu_importer_link
  • In includes/settings/help.php
    • ln 45 $lsx_to_documentation
    • ln 63 $map_link_doc
    • ln 64 $galleries_link_doc
    • ln 65 $team_link_doc
    • ln 66 $activities_link_doc
    • ln 67 $reviews_link_doc
    • ln 68 $specials_link_doc
    • ln 69 $search_link_doc
    • ln 70 $vehicles_link_doc
    • ln 71 $videos_link_doc
    • ln 72 $wetu_importer_link_doc
    • ln 91 $tour_operator_link
    • Lines 117-130 has similar issue
  • In includes/settings/welcome.php lines 31-76
• In includes/settings/add-ons.php, line no 29-188, there is no need to escape static image sources

• In includes/settings/welcome.php, line no 8 and 9, you do not need to do ssl check. Just do it as follows:
  wp_enqueue_script( 'mailchimpembed', '//s3.amazonaws.com/downloads.mailchimp.com/js/mc-validate.js', array(), false, true);

• Theme uses thickbox ad media uploader in Widgets and custom taxonomy add/edit Pages
• Check: http://wordpress.stackexchange.com/questions/127299/create-image-uploader-for-widget and http://jeroensormani.com/how-to-include-the-wordpress-media-selector-in-your-plugin/ to update the media addition button

Register an addons tab, where we will display blurbs and links to the addons that can be purchased.

• Currency selection in settings is limited
• Spoken Language selections is limited

In classes/class-tour.php and classes/class-accommodation.php, you have defined the $plugin_slug property. This is very confusing because it's not the "plugin" slug. It's the "post type" slug.

protected $plugin_slug = 'tour';

I'm just looking through the classes and wondering why the code keeps referencing the plugin slug. That's likely to create some headaches down the line when you're looking through the code in a few years wondering the same thing.

From a purely architectural standpoint, I see both the classes/class-accommodation.php and classes/class-tour.php classes as a bit of a mess. I really think each class should be cut down to its most basic purpose (if you even need a class at all).

Each class has a mix-match of all sorts of things, such as:

• Post type registration.
• Taxonomy registration.
• Functions that should be standalone.
• Admin-side meta box code.
• Admin-side plugin settings.

Classes should have a unified, defined purpose. At the very least, I'd start breaking things down just by the above list into their own classes and functions.

I'd like to share one of my own plugins. While not as big of a plugin, the basic principles of setting up post types, taxonomies, etc. still apply. I have my own coding style and organization system. You definitely do not have to follow my system, but it might be helpful to get a few ideas about how I build these things out. https://github.com/justintadlock/custom-content-portfolio

Side note: I'd make both of these classes a final class unless you plan on allowing add-on plugins to extend them.

When using the TO Taxonomies widget, you need to check that there's an image before attempting to display it. When a term doesn't have an image, it outputs the following HTML:

<img alt="thumbnail" class="attachment-responsive wp-post-image lsx-responsive" src="">

There are several areas within the theme where there's either a variable or function used within an internationalization function call, such as:

__( $some_variable )

Only hardcoded text strings are allowed here. Otherwise, translations will not work properly.

The following is a list of the file names and line numbers of all the issues like this. I've also added the text next to each that needs to be corrected.

classes\class-accommodation.php

• 604 - lsx_to_get_post_type_section_title('accommodation', $type_key.'s', $type_label.'s')

classes\class-admin.php

• 111 - 'Add '.$type_label
• 111 - 'Add '.$type_label
• 115 - $tax_label_plural
• 115 - $tax_label_plural

classes\class-itinerary.php

• 396 - $label

classes\class-units.php

• 377 - lsx_to_get_post_type_section_title('accommodation', $type_key.'s', $type_label.'s')

includes\layout.php

• 139 - lsx_to_get_post_type_section_title('accommodation', 'similar', 'Related Accommodation')
• 317 - lsx_to_get_post_type_section_title('tour', 'related', 'Related Tours')

includes\template-tags\destination.php

• 25 - lsx_to_get_post_type_section_title('accommodation', '', esc_html__('Featured Accommodation','tour-operator'))
• 55 - lsx_to_get_post_type_section_title('destination', 'regions', 'Regions')
• 97 - lsx_to_get_post_type_section_title('tour', '', esc_html__('Featured Tours','tour-operator'))
• 119 - lsx_to_get_post_type_section_title('activity', '', esc_html__('Featured Activities','tour-operator'))

templates\archive-accommodation.php

• 48 - lsx_to_get_post_type_section_title('accommodation', 'brands', 'Accommodation Brands')

Add in a hook so that the add-ons can include their menu items when needed.

Also move the navigation into a hook above the content.

• Ref: https://www.lsdev.biz/documentation/homepage-configuration/
• I tried adding accommodation page, but it did not work as described in documentation above
• Only works for custom permalink structure. Not working for all permalink structures

Hi Fernando, i change the name of one of the filters that adds the lazy loading to envira, need some help finding it and correcting.

https://to-demo.lsdev.biz/tour/best-of-botswana/

• classes/class-frontend.php method enqueue_stylescripts lines 186 to 190, you have determined $min value but not used it further below

• Content has #333333 as default value
• Upload image uses old media library upload. Update it. Check: http://wordpress.stackexchange.com/questions/127299/create-image-uploader-for-widget and http://jeroensormani.com/how-to-include-the-wordpress-media-selector-in-your-plugin/
• Size and Repeat Options are dropdowns with no options
• Shows following errors on front end

Notice: Undefined variable: before_widget in .../includes/widgets/cta-widget.php on line 58
#333333
Notice: Undefined variable: after_widget in .../includes/widgets/cta-widget.php on line 82

• Unnecessary commented codes should be removed in production version of the theme
• Check assets/classes/class-accomodation.php, line no 292

• Escape using esc_url() in the following files*

  • classes/class-frontend.php, line no 340 get_permalink()
  • includes/layout.php, line no 59 get_permalink()
  • includes/template-tags/accommodation.php, line no 113 and 118 get_term_link( $heading->slug, 'facility' )
  • includes/template-tags/general.php, line no 172 $link_slug
  • includes/template-tags/helpers.php, line no 555 get_the_permalink($cp->ID)
  • includes/widgets/post-type-widget.php, line no 176 $title_link
  • includes/widgets/post-type-widget.php, line no 596 $link
    • Also, in few lines above this, why have you used wp_kses_post?
  • includes/widgets/taxonomy-widget.php, line no 172 $title_link
  • includes/widgets/taxonomy-widget.php, line no 540 $link
    • Also, in few lines above this, why have you used wp_kses_post?

• Escape using esc_url() in the following files for all image sources*

  • classes/class-admin.php, line no 531 $image_preview[0]
  • classes/class-itinerary.php, line no 303 $thumbnail_src
  • classes/class-units.php, line no 203 $thumbnail_src
  • includes/template-tags/helpers.php, line no 167 $img[0]
  • templates/content-gallery.php, line no 13 $srcset[0]
  • vendor/Custom-Meta-Boxes/classes.fields.php line 452 $src

• Use esc_url() instead of esc_attr in the following files*

  • templates/content-widget-accommodation-brand.php, line no 24
  • templates/content-widget-accommodation-type.php, line no 22
  • templates/content-widget-travel-style.php, line no 22

Move all of the "post type" menus registered by TO under 1 menu as follows

• Destinations
• Tours
• Travel Styles
• Accommodation
• Accommodation Types
• Brands
• Locations
• Facilities
• Team
• Settings
• Add-ons

• When adding address for map in CMB, following JS error occurs:

TypeError: place.geometry is undefined
.../vendor/Custom-Meta-Boxes/js/field-gmap.js?ver=4.7.2 line 74

• Use the_title_attribute() instead of the_title() where title is being displayed as html attribute
• Check templates/archive-destination.php, line no 51, 58 and 90

Welcome page example: https://to-demo.lsdev.biz/wp-admin/admin.php?page=to-settings&welcome-page=1

The CPTs have a ton of fields in the meta boxes for them. I'd consider cleaning that up and doing something like tabs.

WooCommerce has a tabbed interface. Here's a screenshot of a tabbed interface from my portfolio plugin.

Not just wanting to market my own code, but here's a small framework/library I built for doing meta boxes with lots of meta fields: https://github.com/justintadlock/butterbean

There are lots of options though. Just scrolling through what seems like an endless list of options down the page seems tedious.