From db6943acfbdeb9a30ac7eb8bb6300b25061d6ec4 Mon Sep 17 00:00:00 2001
From: Paul Schreiber <paul.schreiber@espn.com>
Date: Tue, 27 Jan 2015 10:40:58 -0500
Subject: [PATCH 1/4] PHPCS: fix whitespace

---
 mathjax-latex.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mathjax-latex.php b/mathjax-latex.php
index d30f86e..798bc9f 100644
--- a/mathjax-latex.php
+++ b/mathjax-latex.php
@@ -276,7 +276,7 @@ public static function allow_mathml_tags_in_tinymce( $options ) {
 		}
 
 		$options['extended_valid_elements'] .= ',' . implode( ',' , $extended_tags );
-		$options['extended_valid_elements'] = trim(  $options['extended_valid_elements'] , ',' );
+		$options['extended_valid_elements'] = trim( $options['extended_valid_elements'] , ',' );
 
 		return $options;
 	}

From dcf6504ad2e44696c7054f31a8414733a3627cd0 Mon Sep 17 00:00:00 2001
From: Paul Schreiber <paul.schreiber@espn.com>
Date: Tue, 27 Jan 2015 10:43:05 -0500
Subject: [PATCH 2/4] PHPCS cleanup: superglobal inspection

---
 mathjax-latex-admin.php | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/mathjax-latex-admin.php b/mathjax-latex-admin.php
index 21ad63f..f8af309 100644
--- a/mathjax-latex-admin.php
+++ b/mathjax-latex-admin.php
@@ -58,8 +58,8 @@ function plugin_options_menu() {
 		$this->table_head( $nonce );
 
 		// save options if this is a valid post
-		if ( isset( $_POST['kblog_mathjax_latex_save_field'] ) &&
-			wp_verify_nonce( $_POST['kblog_mathjax_latex_save_field'], 'kblog_mathjax_latex_save_action' )
+		if ( isset( $_POST['kblog_mathjax_latex_save_field'] ) && // input var okay
+			wp_verify_nonce( sanitize_text_field( $_POST['kblog_mathjax_latex_save_field'] ), 'kblog_mathjax_latex_save_action' ) // input var okay
 		) {
 			echo "<div class='updated settings-error' id='etting-error-settings_updated'><p><strong>Settings saved.</strong></p></div>\n";
 			$this->admin_save();
@@ -155,26 +155,26 @@ function config_options() {
 	}
 
 	function admin_save() {
-		update_option( 'kblog_mathjax_force_load', array_key_exists( 'kblog_mathjax_force_load', $_POST ) );
+		update_option( 'kblog_mathjax_force_load', array_key_exists( 'kblog_mathjax_force_load', $_POST ) ); // input var okay
 
-		if ( array_key_exists( 'kblog_mathjax_latex_inline', $_POST ) &&
-			in_array( $_POST['kblog_mathjax_latex_inline'], array( 'inline', 'display' ) )
+		if ( array_key_exists( 'kblog_mathjax_latex_inline', $_POST ) && isset( $_POST['kblog_mathjax_latex_inline'] ) && // input var okay
+			in_array( sanitize_text_field( $_POST['kblog_mathjax_latex_inline'] ), array( 'inline', 'display' ) ) // input var okay
 		) {
-			update_option( 'kblog_mathjax_latex_inline', $_POST['kblog_mathjax_latex_inline'] );
+			update_option( 'kblog_mathjax_latex_inline', sanitize_text_field( $_POST['kblog_mathjax_latex_inline'] ) ); // input var okay
 		}
 
-		update_option( 'kblog_mathjax_use_wplatex_syntax', array_key_exists( 'kblog_mathjax_use_wplatex_syntax', $_POST ) );
+		update_option( 'kblog_mathjax_use_wplatex_syntax', array_key_exists( 'kblog_mathjax_use_wplatex_syntax', $_POST ) ); // input var okay
 
-		update_option( 'kblog_mathjax_use_cdn', array_key_exists( 'kblog_mathjax_use_cdn', $_POST ) );
+		update_option( 'kblog_mathjax_use_cdn', array_key_exists( 'kblog_mathjax_use_cdn', $_POST ) ); // input var okay
 
-		if ( array_key_exists( 'kblog_mathjax_custom_location', $_POST ) ) {
-			update_option( 'kblog_mathjax_custom_location', esc_url_raw( $_POST['kblog_mathjax_custom_location'] ) );
+		if ( array_key_exists( 'kblog_mathjax_custom_location', $_POST ) && isset( $_POST['kblog_mathjax_custom_location'] ) ) { // input var okay
+			update_option( 'kblog_mathjax_custom_location', esc_url_raw( $_POST['kblog_mathjax_custom_location'] ) ); // input var okay
 		}
 
-		if ( array_key_exists( 'kblog_mathjax_config', $_POST ) &&
-			in_array( $_POST['kblog_mathjax_config'], $this->config_options() )
+		if ( array_key_exists( 'kblog_mathjax_config', $_POST ) && isset( $_POST['kblog_mathjax_config'] ) && // input var okay
+			in_array( sanitize_text_field( $_POST['kblog_mathjax_config'] ), $this->config_options() ) // input var okay
 		) {
-			update_option( 'kblog_mathjax_config', $_POST['kblog_mathjax_config'] );
+			update_option( 'kblog_mathjax_config', sanitize_text_field( $_POST['kblog_mathjax_config'] ) ); // input var okay
 		}
 	}
 

From 44656c8b277d3416af5dc4b3775716cedc9af55c Mon Sep 17 00:00:00 2001
From: Paul Schreiber <paul.schreiber@espn.com>
Date: Thu, 26 Feb 2015 12:37:18 -0500
Subject: [PATCH 3/4] rework table_head() and table_foot() to avoid escapaing
 warnings

move wp_nonce_field into table_head() instead of passing as a parameter
---
 mathjax-latex-admin.php | 69 ++++++++++++++++++++---------------------
 1 file changed, 33 insertions(+), 36 deletions(-)

diff --git a/mathjax-latex-admin.php b/mathjax-latex-admin.php
index f8af309..375bbaf 100644
--- a/mathjax-latex-admin.php
+++ b/mathjax-latex-admin.php
@@ -53,9 +53,7 @@ function plugin_options_menu() {
 			wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
 		}
 
-		$nonce = wp_nonce_field( 'kblog_mathjax_latex_save_action', 'kblog_mathjax_latex_save_field', true, false );
-
-		$this->table_head( $nonce );
+		$this->table_head();
 
 		// save options if this is a valid post
 		if ( isset( $_POST['kblog_mathjax_latex_save_field'] ) && // input var okay
@@ -178,42 +176,41 @@ function admin_save() {
 		}
 	}
 
-	function table_head( $nonce ) {
-		echo <<<EOT
-<div class="wrap" id="mathjax-latex-options">
-<h2>Mathjax-Latex by Kblog</h2>
-<form id="mathjaxlatex" name="mathjaxlatex" action="" method="POST">
-$nonce
-<table class="form-table">
-<caption class='screen-reader-text'>The following lists configuration options for the MathJax-LaTeX plugin.</caption>
-EOT;
+	function table_head() {
+		?>
+		<div class='wrap' id='mathjax-latex-options'>
+			<h2>Mathjax-Latex by Kblog</h2>
+			<form id='mathjaxlatex' name='mathjaxlatex' action='' method='POST'>
+				<?php wp_nonce_field( 'kblog_mathjax_latex_save_action', 'kblog_mathjax_latex_save_field', true ); ?>
+			<table class='form-table'>
+			<caption class='screen-reader-text'>The following lists configuration options for the MathJax-LaTeX plugin.</caption>
+		<?php
 	}
 
 	function table_foot() {
-		echo <<<EOT
-</table>
-
-<p class="submit"><input type="submit" class="button button-primary" value="Save Changes"/></p>
-</form>
-
-</div>
-<script type="text/javascript">
-jQuery(function($){
-	if(typeof($.fn.prop) !== 'function'){
-		return; // ignore this for sites with jquery < 1.6
-	}
-	// this is to disable or enable the cdn input field when
-	// checking or unchuecking the use cdn checkbox
-	var cdn_check = $('#use_cdn'),
-	cdn_location = $('#kblog_mathjax_custom_location');
-
-	cdn_check.change(function(){
-		var checked = cdn_check.is(':checked');
-		cdn_location.prop('disabled',checked);
-	});
-});
-</script>
-EOT;
+		?>
+		</table>
+
+		<p class="submit"><input type="submit" class="button button-primary" value="Save Changes"/></p>
+		</form>
+
+		</div>
+		<script type="text/javascript">
+		jQuery(function($) {
+			if (typeof($.fn.prop) !== 'function') {
+				return; // ignore this for sites with jquery < 1.6
+			}
+			// enable or disable the cdn input field when checking/unchuecking the "use cdn" checkbox
+			var cdn_check = $('#use_cdn'),
+			cdn_location = $('#kblog_mathjax_custom_location');
+
+			cdn_check.change(function() {
+				var checked = cdn_check.is(':checked');
+				cdn_location.prop('disabled', checked);
+			});
+		});
+		</script>
+	<?php
 	}
 
 	function admin_table_row( $head, $comment, $input, $input_id ) {

From 4dacc90b8c3745a45b160a9cd404bad8f0bcd2a6 Mon Sep 17 00:00:00 2001
From: Paul Schreiber <paul.schreiber@espn.com>
Date: Thu, 26 Feb 2015 13:09:26 -0500
Subject: [PATCH 4/4] eliminate use of extract(). Fixes #8.

---
 mathjax-latex.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/mathjax-latex.php b/mathjax-latex.php
index 798bc9f..994fa49 100644
--- a/mathjax-latex.php
+++ b/mathjax-latex.php
@@ -152,10 +152,11 @@ public static function latex_shortcode( $atts, $content ) {
 		self::$add_script = true;
 
 		// this gives us an optional "syntax" attribute, which defaults to "inline", but can also be "display"
-		extract( shortcode_atts( array( 'syntax' => get_option( 'kblog_mathjax_latex_inline' ) ), $atts ) );
-		if ( 'inline' === $syntax ) {
+		$shortcode_atts = shortcode_atts( array( 'syntax' => get_option( 'kblog_mathjax_latex_inline' ) ), $atts );
+
+		if ( 'inline' === $shortcode_atts['syntax'] ) {
 			return '\(' . $content . '\)';
-		} else if ( 'display' === $syntax ) {
+		} else if ( 'display' === $shortcode_atts['syntax'] ) {
 			return '\[' . $content . '\]';
 		}
 	}