Missing token and misused functions
Hello Dareboost
Nice plugin, it will help people to improve their website.
However, here are some points you have to work on:
– get_bloginfo('language') -> use get_locale() instead, this is the right way to get this value correctly.
– get_site_url() -> your comment says "// get the url of the home page" but site_url != home_url.
– dbwp_new_analysis() -> this function is called by ajax when a user is logged in (hook wp_ajax_new_analysis) so even a subscriber can launch it, you have to set a nonce token.
– dbwp_get_report() -> same
– dbwp_get_image_gauge_link() -> you're using Curl even if the website can't use it, you have to use the HTTP API from WP, check wp_remote_get or _head, _post etc
– $json_response['report']['summary']['requestsCount'] . __(' requetes',self::DBWP_TEXT_DOMAIN); -> sprintf( __('%d requetes',self::DBWP_TEXT_DOMAIN), $json_response['report']['summary']['requestsCount'] );
– self::DBWP_TEXT_DOMAIN -> technically you have to hardcode the real domain into a string
– $tipsFormated .= '<span class="dbwp_bold">' . __('Priority',self::DBWP_TEXT_DOMAIN) . ' ' . ($i+1) . __(': ',self::DBWP_TEXT_DOMAIN) . '</span>' . $tips[$i]['name'] . '
'; -> no no no what's that l10n! "__(': ',self::DBWP_TEXT_DOMAIN)" really??
$tipsFormated .= '<span class="dbwp_bold">' . sprintf( __('Priority %d:',self::DBWP_TEXT_DOMAIN), $i+1 ) . '</span>' . $tips[$i]['name'] . '
';
and same for __('Page is fully loaded',self::DBWP_TEXT_DOMAIN) . '* ' . round($fullyLoaded) . __(' ms',self::DBWP_TEXT_DOMAIN) etc, you move
– There is a lack of data type check.
– Too much () like ($i+1), this is useless to cast this as a variable, bad php perf.
Since we're French and we know you (wp-rocket ;p), if you need help, poke me @boiteaweb
See you ??
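The nonce, capability, HTTP API, data type and sprintf points raised in the review, put together in one AJAX handler as an added example. This is not the Dareboost plugin's code; the function names (dbwp_example_*), the nonce action name 'dbwp_new_analysis', the text domain 'dbwp-example', the https://example.invalid endpoint and the request/response shape are all assumptions for illustration. The WordPress functions used (check_ajax_referer, current_user_can, wp_remote_post, wp_send_json_*, etc.) are real core APIs.

```php
<?php
// Added example, not the plugin's own code. Names prefixed dbwp_example_ and the
// endpoint/text domain are hypothetical.

// "wp_ajax_" hooks run for any logged-in user, subscribers included, so the
// handler itself has to verify a nonce (CSRF) and a capability (authorization).
add_action( 'wp_ajax_dbwp_example_new_analysis', 'dbwp_example_new_analysis' );

// Hand the nonce to the script that calls admin-ajax.php.
add_action( 'admin_enqueue_scripts', 'dbwp_example_enqueue' );
function dbwp_example_enqueue() {
    wp_enqueue_script( 'dbwp-example', plugins_url( 'dbwp-example.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'dbwp-example', 'dbwpExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'dbwp_new_analysis' ), // hypothetical action name
    ) );
}

function dbwp_example_new_analysis() {
    // Nonce check: the request must come from our own page. On failure this
    // stops execution with a 403 when used inside an AJAX handler.
    check_ajax_referer( 'dbwp_new_analysis', 'nonce' );

    // Capability check: a valid nonce only proves origin, not that this user
    // may launch an analysis.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => __( 'Insufficient permissions.', 'dbwp-example' ) ), 403 );
    }

    // Data type check on the input instead of using $_POST as-is.
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( array( 'message' => __( 'Invalid URL.', 'dbwp-example' ) ), 400 );
    }

    // WP HTTP API instead of curl: works whichever transport the host provides.
    $response = wp_remote_post( 'https://example.invalid/api/analysis', array( // hypothetical endpoint
        'timeout' => 15,
        'body'    => array(
            'url'  => $url,
            'lang' => get_locale(),     // not get_bloginfo('language')
            'home' => home_url( '/' ),  // home page URL is home_url, not site_url
        ),
    ) );

    if ( is_wp_error( $response ) ) {
        wp_send_json_error( array( 'message' => $response->get_error_message() ), 502 );
    }
    if ( 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( array( 'message' => __( 'Unexpected response from the analysis service.', 'dbwp-example' ) ), 502 );
    }

    $json = json_decode( wp_remote_retrieve_body( $response ), true );

    // Type-check the decoded value before indexing into it.
    if ( ! is_array( $json ) || ! isset( $json['report']['summary']['requestsCount'] ) ) {
        wp_send_json_error( array( 'message' => __( 'Malformed report.', 'dbwp-example' ) ), 502 );
    }
    $count = (int) $json['report']['summary']['requestsCount'];

    // The number is a placeholder inside one translatable string (the sprintf
    // form from the review), with the text domain hardcoded as a literal.
    $summary = sprintf(
        /* translators: %d: number of HTTP requests on the analysed page */
        _n( '%d request', '%d requests', $count, 'dbwp-example' ),
        $count
    );

    wp_send_json_success( array( 'summary' => $summary ) );
}
```

The nonce and the capability check answer different questions: the nonce rejects requests forged from another site, the capability check rejects legitimate but under-privileged users such as subscribers; both are needed on a wp_ajax_ handler.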