Automattic · tbradsha · Nov 26, 2025 · Nov 26, 2025 · Nov 26, 2025 · Nov 26, 2025
diff --git a/projects/plugins/crm/.phan/baseline.php b/projects/plugins/crm/.phan/baseline.php
@@ -181,7 +181,7 @@
         'includes/ZeroBSCRM.DAL3.Obj.Segments.php' => ['PhanEmptyForeach', 'PhanPluginNeverReturnMethod', 'PhanPluginUnreachableCode', 'PhanRedundantCondition', 'PhanTypeArraySuspiciousNullable', 'PhanTypeMismatchDefault', 'PhanTypeMismatchReturn', 'PhanTypeMismatchReturnProbablyReal', 'PhanUndeclaredMethod', 'PhanUndeclaredVariable', 'PhanUnextractableAnnotationElementName'],
         'includes/ZeroBSCRM.DAL3.Obj.Transactions.php' => ['PhanCommentParamWithoutRealParam', 'PhanEmptyForeach', 'PhanImpossibleTypeComparison', 'PhanNoopBinaryOperator', 'PhanPluginDuplicateConditionalNullCoalescing', 'PhanPluginDuplicateExpressionAssignmentOperation', 'PhanPluginRedundantAssignment', 'PhanPluginUnreachableCode', 'PhanPossiblyUndeclaredVariable', 'PhanRedundantCondition', 'PhanSuspiciousValueComparison', 'PhanSuspiciousWeakTypeComparison', 'PhanTypeArraySuspicious', 'PhanTypeArraySuspiciousNull', 'PhanTypeArraySuspiciousNullable', 'PhanTypeComparisonFromArray', 'PhanTypeComparisonToArray', 'PhanTypeConversionFromArray', 'PhanTypeExpectedObjectPropAccess', 'PhanTypeMismatchArgument', 'PhanTypeMismatchArgumentInternalReal', 'PhanTypeMismatchArgumentNullable', 'PhanTypeMismatchArgumentNullableInternal', 'PhanTypeMismatchArgumentProbablyReal', 'PhanTypeMismatchDefault', 'PhanTypeMismatchDimFetchNullable', 'PhanTypeMismatchForeach', 'PhanTypeMismatchReturn', 'PhanTypeMismatchReturnNullable', 'PhanTypeMismatchReturnProbablyReal', 'PhanTypePossiblyInvalidDimOffset', 'PhanUndeclaredVariable', 'PhanUndeclaredVariableDim', 'PhanUnextractableAnnotationElementName'],
         'includes/ZeroBSCRM.DAL3.ObjectLayer.php' => ['PhanCommentParamWithoutRealParam', 'PhanEmptyForeach', 'PhanPluginDuplicateConditionalNullCoalescing', 'PhanPluginDuplicateExpressionAssignmentOperation', 'PhanPossiblyUndeclaredVariable', 'PhanRedundantCondition', 'PhanTypeArraySuspicious', 'PhanTypeExpectedObjectPropAccess', 'PhanTypeMismatchArgumentInternal', 'PhanTypeMismatchArgumentInternalProbablyReal', 'PhanTypeMismatchDefault', 'PhanTypeMismatchForeach', 'PhanTypeMismatchReturn', 'PhanTypeMismatchReturnNullable', 'PhanTypeMismatchReturnProbablyReal', 'PhanUndeclaredFunction', 'PhanUnextractableAnnotationElementName'],
-        'includes/ZeroBSCRM.DAL3.php' => ['PhanAccessMethodPrivate', 'PhanCommentParamWithoutRealParam', 'PhanPluginDuplicateConditionalNullCoalescing', 'PhanPluginDuplicateExpressionAssignmentOperation', 'PhanPluginRedundantAssignment', 'PhanPluginUnreachableCode', 'PhanPossiblyUndeclaredVariable', 'PhanRedundantCondition', 'PhanSuspiciousValueComparison', 'PhanSuspiciousWeakTypeComparison', 'PhanSuspiciousWeakTypeComparisonInLoop', 'PhanTypeArraySuspiciousNull', 'PhanTypeArraySuspiciousNullable', 'PhanTypeComparisonFromArray', 'PhanTypeExpectedObjectPropAccess', 'PhanTypeMismatchArgument', 'PhanTypeMismatchArgumentInternal', 'PhanTypeMismatchArgumentInternalReal', 'PhanTypeMismatchArgumentProbablyReal', 'PhanTypeMismatchDefault', 'PhanTypeMismatchForeach', 'PhanTypeMismatchReturn', 'PhanTypeMismatchReturnProbablyReal', 'PhanUndeclaredMethod', 'PhanUndeclaredTypeParameter', 'PhanUndeclaredTypeReturnType', 'PhanUndeclaredVariable', 'PhanUnextractableAnnotationElementName', 'PhanUnextractableAnnotationSuffix'],
+        'includes/ZeroBSCRM.DAL3.php' => ['PhanAccessMethodPrivate', 'PhanCommentParamWithoutRealParam', 'PhanPluginDuplicateConditionalNullCoalescing', 'PhanPluginDuplicateExpressionAssignmentOperation', 'PhanPluginRedundantAssignment', 'PhanPluginUnreachableCode', 'PhanPossiblyUndeclaredVariable', 'PhanRedundantCondition', 'PhanSuspiciousValueComparison', 'PhanSuspiciousWeakTypeComparison', 'PhanSuspiciousWeakTypeComparisonInLoop', 'PhanTypeArraySuspiciousNull', 'PhanTypeArraySuspiciousNullable', 'PhanTypeComparisonFromArray', 'PhanTypeExpectedObjectPropAccess', 'PhanTypeMismatchArgument', 'PhanTypeMismatchArgumentInternal', 'PhanTypeMismatchArgumentInternalReal', 'PhanTypeMismatchArgumentProbablyReal', 'PhanTypeMismatchDefault', 'PhanTypeMismatchForeach', 'PhanTypeMismatchReturn', 'PhanTypeMismatchReturnProbablyReal', 'PhanTypePossiblyInvalidDimOffset', 'PhanUndeclaredMethod', 'PhanUndeclaredTypeParameter', 'PhanUndeclaredTypeReturnType', 'PhanUndeclaredVariable', 'PhanUnextractableAnnotationElementName', 'PhanUnextractableAnnotationSuffix'],
         'includes/ZeroBSCRM.DataIOValidation.php' => ['PhanTypeMismatchArgument'],
         'includes/ZeroBSCRM.Database.php' => ['PhanRedundantCondition', 'PhanSuspiciousValueComparison'],
         'includes/ZeroBSCRM.Delete.php' => ['PhanTypeMismatchArgument', 'PhanTypeMismatchArgumentInternal'],

diff --git a/projects/plugins/crm/admin/dashboard/main.page.php b/projects/plugins/crm/admin/dashboard/main.page.php
@@ -407,12 +407,13 @@ function jpcrm_render_dashboard_page() {
 		}
 	}
 
-	$jpcrm_dash_data  = 'const jpcrm_funnel_data = ' . wp_json_encode( $funnel_data ) . ';';
+	$jpcrm_dash_data  = 'const jpcrm_funnel_data = ' . wp_json_encode( $funnel_data, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ) . ';';
 	$jpcrm_dash_data .= 'const jpcrm_revenue_chart_data = ' . wp_json_encode(
 		array(
 			'labels' => $labels,
 			'data'   => $chartdata,
-		)
+		),
+		JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP
 	);
 	wp_add_inline_script( 'jpcrm-dash', $jpcrm_dash_data, 'before' );
 }

diff --git a/projects/plugins/crm/admin/dashboard/partials/first-use-dashboard-woo.block.php b/projects/plugins/crm/admin/dashboard/partials/first-use-dashboard-woo.block.php
@@ -101,7 +101,7 @@
 	</div>
 </div>
 <?php // PHPCS:Ignore WordPress.Security.NonceVerification.Recommended ?>
-<script>var jpcrm_show_first_use_dash = <?php echo wp_json_encode( ! isset( $_GET['zbs-welcome-tour'] ) ); ?>;</script>
+<script>var jpcrm_show_first_use_dash = <?php echo isset( $_GET['zbs-welcome-tour'] ) ? 'false' : 'true'; ?>;</script>
 <?php
 
 ##/WLREMOVE
diff --git a/projects/plugins/crm/admin/dashboard/partials/first-use-dashboard.block.php b/projects/plugins/crm/admin/dashboard/partials/first-use-dashboard.block.php
@@ -122,7 +122,7 @@
 	</div>
 </div>
 <?php // PHPCS:Ignore WordPress.Security.NonceVerification.Recommended ?>
-<script>var jpcrm_show_first_use_dash = <?php echo wp_json_encode( ! isset( $_GET['zbs-welcome-tour'] ) ); ?>;</script>
+<script>var jpcrm_show_first_use_dash = <?php echo isset( $_GET['zbs-welcome-tour'] ) ? 'false' : 'true'; ?>;</script>
 <?php
 
 ##/WLREMOVE
diff --git a/projects/plugins/crm/admin/settings/custom-fields.page.php b/projects/plugins/crm/admin/settings/custom-fields.page.php
@@ -466,8 +466,8 @@ function ( $field_name ) use ( $sort_field_names, $custom_type ) {
 
 		// all custom js moved to admin.settings.js 12/3/19 :)
 
-		var wpzbscrmCustomFields = <?php echo json_encode( $current_custom_fields ); ?>;
-		var wpzbscrmAcceptableTypes = <?php echo json_encode( $acceptableCFTypes ); ?>;
+		var wpzbscrmCustomFields = <?php echo wp_json_encode( $current_custom_fields, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); ?>;
+		var wpzbscrmAcceptableTypes = <?php echo wp_json_encode( $acceptableCFTypes, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); /* phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase */ ?>;
 		var wpzbscrm_settings_page = 'customfields'; // this fires init js in admin.settings.min.js
 		var wpzbscrm_settings_lang = {
 

diff --git a/projects/plugins/crm/admin/settings/mail-delivery.ajax.php b/projects/plugins/crm/admin/settings/mail-delivery.ajax.php
@@ -899,5 +899,5 @@ function zeroBSCRM_AJAX_mailDelivery_setMailDeliveryAsDefault() {
 	// fini - lazy nocheck
 	$res['success'] = 1;
 
-	echo wp_json_encode( $res );
+	echo wp_json_encode( $res, JSON_UNESCAPED_SLASHES );
 }
diff --git a/projects/plugins/crm/admin/settings/tax.page.php b/projects/plugins/crm/admin/settings/tax.page.php
@@ -220,7 +220,7 @@
 
 	<script type="text/javascript">
 
-		var zeroBSCRMJS_taxTable = <?php echo json_encode( $taxTables ); ?>;
+		var zeroBSCRMJS_taxTable = <?php echo wp_json_encode( $taxTables, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); /* phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase */ ?>;
 		var zeroBSCRMJS_taxTableLang = {
 
 			defaultTaxName: '<?php echo esc_html( zeroBSCRM_slashOut( __( 'Tax Rate Name', 'zero-bs-crm' ) ) ); ?>',

diff --git a/projects/plugins/crm/admin/support/main.page.php b/projects/plugins/crm/admin/support/main.page.php
@@ -101,7 +101,7 @@
 		if ( $result === true ) {
 			$result = 'yes';
 		} elseif ( is_array( $result ) ) {
-			$result = wp_json_encode( $result );
+			$result = wp_json_encode( $result, JSON_UNESCAPED_SLASHES );
 		}
 
 		$site_data['Server Info'][] = "$env_name: $result";
@@ -192,7 +192,7 @@
 		<form id="support-form">
 			<input type="hidden" name="license" value="<?php echo esc_attr( $license_key ); ?>">
 			<input type="hidden" name="site_url" value="<?php echo esc_attr( $site_url ); ?>">
-			<input type="hidden" name="site_data" value='<?php echo wp_json_encode( $site_data ); ?>'>
+			<input type="hidden" name="site_data" value='<?php echo esc_attr( wp_json_encode( $site_data, JSON_HEX_AMP | JSON_UNESCAPED_SLASHES ) ); ?>'>
 			<div class="form-group">
 				<label for="subject"><?php echo esc_html__( 'Subject', 'zero-bs-crm' ); ?>:</label>
 				<input type="text" class="form-control" id="subject" name="subject">
@@ -207,7 +207,7 @@
 			<div class="data-shared">
 				<b>Site URL:</b> <?php echo esc_html( $site_url ); ?><br>
 				<b>License:</b> <?php echo esc_html( $license_key ); ?><br>
-				<b>Site data:</b><?php echo wp_json_encode( $site_data ); ?><br>
+				<b>Site data:</b><?php echo esc_html( wp_json_encode( $site_data, JSON_UNESCAPED_SLASHES | JSON_HEX_AMP ) ); ?><br>
 			</div>
 			<div class="text-center">
 				<button type="submit" class="btn btn-primary"><?php echo esc_html__( 'Submit', 'zero-bs-crm' ); ?></button>

diff --git a/projects/plugins/crm/changelog/fix-crm-audit_json_encode_flags_part_deux b/projects/plugins/crm/changelog/fix-crm-audit_json_encode_flags_part_deux
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Ensure proper flags are used with `json_encode()`.
diff --git a/projects/plugins/crm/includes/ZeroBSCRM.AdminStyling.php b/projects/plugins/crm/includes/ZeroBSCRM.AdminStyling.php
@@ -240,7 +240,7 @@ function zbs_color_grabber() {
 	// } Information here to get the colors
 	global $_wp_admin_css_colors, $zbsadmincolors;
 	$current_color = get_user_option( 'admin_color' );
-	echo '<script type="text/javascript">var zbsJS_admcolours = ' . json_encode( $_wp_admin_css_colors[ $current_color ] ) . ';</script>';
+	echo '<script type="text/javascript">var zbsJS_admcolours = ' . wp_json_encode( $_wp_admin_css_colors[ $current_color ], JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ) . ';</script>';
 	echo '<script type="text/javascript">var zbsJS_unpaid = "' . esc_html__( 'unpaid', 'zero-bs-crm' ) . '";</script>';
 	$zbsadmincolors = $_wp_admin_css_colors[ $current_color ]->colors;
 	?>

diff --git a/projects/plugins/crm/includes/ZeroBSCRM.DAL3.Helpers.php b/projects/plugins/crm/includes/ZeroBSCRM.DAL3.Helpers.php
@@ -1574,18 +1574,6 @@ function zeroBSCRM_mergeCustomers($dominantID=-1,$slaveID=-1){
    					$slaveLogs = zeroBSCRM_getContactLogs($slaveID,true,10000,0); // id created name meta
    					if (is_array($slaveLogs) && count($slaveLogs) > 0){
 
-   						/* in fact, just save as json encode :D - rough but quicker
-   						// brutal str builder.
-   						$logStr = '';
-
-   						foreach ($slaveLogs as $log){
-
-   							if (!empty($logStr)) $logStr .= "\r\n";
-
-
-   						} */
-
-        				//update_post_meta($dominantID, 'zbs_merged_customer_log_bk_'.time(), json_encode($slaveLogs)); 
         				// no $change here, as this is kinda secret, kthx
 						$zbs->DAL->updateMeta(ZBS_TYPE_CONTACT,$dominantID,'merged_customer_log_bk_'.time(),$slaveLogs);
 

diff --git a/projects/plugins/crm/includes/ZeroBSCRM.DAL3.php b/projects/plugins/crm/includes/ZeroBSCRM.DAL3.php
@@ -2189,7 +2189,7 @@ public function addUpdateSetting($args=array()){
             // WH note: it was necessary to add JSON_UNESCAPED_SLASHES to properly save down without issue
             // combined with a more complex zeroBSCRM_stripSlashes recurrsive
             // https://stackoverflow.com/questions/7282755/how-to-remove-backslash-on-json-encode-function
-            $data['val'] = json_encode($data['val'],JSON_UNESCAPED_SLASHES);
+					$data['val'] = wp_json_encode( $data['val'], JSON_UNESCAPED_SLASHES ); // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UndefinedVariable
 
         }
 
@@ -2801,7 +2801,7 @@ public function addUpdateMeta($args=array()){
         #} Var up any val (json_encode)
         if (in_array(gettype($data['val']),array("object","array"))){
 
-            $data['val'] = json_encode($data['val']);
+					$data['val'] = wp_json_encode( $data['val'], JSON_UNESCAPED_SLASHES ); // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UndefinedVariable
 
         }