Security hardening: nonce updates, sanitization, and version bump to 2.3.1

Author: anandkumar

inc/meta.php

@@ -4,10 +4,15 @@
  *
  * @package    Header and Footer Scripts
  * @author     Anand Kumar <anand@anandkumar.net>
- * @copyright  Copyright (c) 2013 - 2025, Anand Kumar
+ * @copyright  Copyright (c) 2013 - 2026, Anand Kumar
  * @link       https://github.com/anandkumar/header-and-footer-scripts
  * @license    http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
- */?>
+ *
+ */
+
+if (! defined('ABSPATH') ) {
+    exit;
+}?>
  <div class="shfs_meta_control">
 
 	<p><?php esc_html_e('The script in the following textbox will be inserted to the &lt;head&gt; section', 'header-and-footer-scripts'); ?>.</p>

inc/options.php

@@ -4,10 +4,14 @@
  *
  * @package    Header and Footer Scripts
  * @author     Anand Kumar <anand@anandkumar.net>
- * @copyright  Copyright (c) 2013 - 2025, Anand Kumar
+ * @copyright  Copyright (c) 2013 - 2026, Anand Kumar
  * @link       https://github.com/anandkumar/header-and-footer-scripts
  * @license    http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
- */?>
+ */
+
+if (! defined('ABSPATH') ) {
+    exit;
+}?>
 <div class="wrap">
   <h2><?php esc_html_e( 'Header and Footer Scripts - Options', 'header-and-footer-scripts'); ?> <a class="add-new-h2" target="_blank" href="<?php echo esc_url( "https://digitalliberation.org/docs/header-and-footer-scripts/?utm_source=wpdash_hfs" ); ?>"><?php esc_html_e( 'Read Tutorial', 'header-and-footer-scripts'); ?></a></h2>
 
@@ -30,6 +34,7 @@
                  </select>
              </p>
              <p class="description"><?php esc_html_e( 'Select the minimum capability required to add scripts to posts using the meta box.', 'header-and-footer-scripts'); ?></p>
+             <p class="description" style="color: #ea580c; font-weight: bold;"><?php esc_html_e( 'Caution: Giving access to non-admins allows them to execute arbitrary JavaScript on your site.', 'header-and-footer-scripts'); ?></p>
              <hr />
 
             <h3 class="shfs-labels" for="shfs_insert_header"><?php esc_html_e( 'Scripts in header:', 'header-and-footer-scripts'); ?></h3>
@@ -43,7 +48,7 @@
             <p><?php esc_html_e( 'The following script, if any, will be inserted before &lt;/body&gt; tag using wp_footer hook.', 'header-and-footer-scripts'); ?></p>
             <textarea style="width:98%;font-family:monospace;" rows="10" cols="57" id="shfs_insert_footer" name="shfs_insert_footer"><?php echo esc_html( get_option( 'shfs_insert_footer' ) ); ?></textarea>
 
-            <p><label for="shfs_insert_footer_priority"><?php _e('Priority'); ?></label>
+            <p><label for="shfs_insert_footer_priority"><?php esc_html_e('Priority', 'header-and-footer-scripts'); ?></label>
             <input type="number" value="<?php echo \esc_html( \get_option( 'shfs_insert_footer_priority', 10 ) ); ?>" name="shfs_insert_footer_priority" id="shfs_insert_footer_priority" style="width:6em;" /> <?php \esc_html_e('Default', 'header-and-footer-scripts'); ?>: 10</p>
 
           <p class="submit">

inc/sidebar.php

@@ -4,10 +4,14 @@
  *
  * @package    Header and Footer Scripts
  * @author     Anand Kumar <anand@anandkumar.net>
- * @copyright  Copyright (c) 2013 - 2025, Anand Kumar
+ * @copyright  Copyright (c) 2013 - 2026, Anand Kumar
  * @link       https://github.com/anandkumar/header-and-footer-scripts
  * @license    http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
- */?>
+ */
+
+if (! defined('ABSPATH') ) {
+    exit;
+}?>
 <div id="postbox-container-1" class="postbox-container">
 
   <div class="postbox">
@@ -30,15 +34,15 @@
     <h3 class="hndle"><?php esc_html_e( 'Rate 5 Stars', 'header-and-footer-scripts'); ?></h3>
     <div class="inside">
       <p><?php esc_html_e( 'Find this plugin useful rate it 5 stars and leave a nice little comment at wordpress.org. I would really appreciate that.', 'header-and-footer-scripts'); ?></p>
-      <p><a href="<?php echo esc_url( "https://wordpress.org/support/plugin/header-and-footer-scripts/reviews/?filter=5#new-post" ); ?>" class="button"><?php esc_html_e( 'Rate 5 Stars', 'header-and-footer-scripts'); ?></a></p>
+      <p><a href="<?php echo esc_url( "https://wordpress.org/support/plugin/header-and-footer-scripts/reviews/" ); ?>" class="button"><?php esc_html_e( 'Rate 5 Stars', 'header-and-footer-scripts'); ?></a></p>
     </div>
   </div>
 
   <div class="postbox">
     <h3 class="hndle"><?php esc_html_e( 'Join Our Community', 'header-and-footer-scripts'); ?></h3>
     <div class="inside">
       <p><?php esc_html_e( 'We are small WordPress community who welcomes you to join us. Here you will find and share more plugins and themes or even ideas. Ideas are not limited to WordPress. It could be vague or liberal. This is why we are "Digital Liberation .ORG', 'header-and-footer-scripts'); ?></p>
-      <p><a href="<?php echo esc_url( "https://github.com/anandkumar/header-and-footer-scripts" ); ?>" class="button"><?php esc_html_e( 'Join Digital Liberation', 'header-and-footer-scripts'); ?></a></p>
+      <p><a href="<?php echo esc_url( "https://github.com/anandkumar/header-and-footer-scripts/discussions" ); ?>" class="button"><?php esc_html_e( 'Join Discussions', 'header-and-footer-scripts'); ?></a></p>
     </div>
   </div>
 

readme.txt

@@ -5,7 +5,7 @@ Donate link: https://github.com/anandkumar/header-and-footer-scripts
 Tags: head, header, footer, scripts, post
 Requires at least: 4.6
 Tested up to: 6.9
-Stable tag: 2.3.0
+Stable tag: 2.3.1
 Requires PHP: 8.3
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -75,6 +75,16 @@ A. Nope, There is none. If you need more feature send us feedback or feature req
 
 == Changelog ==
 
+= 2.3.1 =
+* Security: Hardened nonce implementation with static action names.
+* Security: Added strict sanitization for access level settings.
+* Security: Improved input validation with isset() checks and wp_unslash().
+* Security: Replaced __FILE__ menu slug to prevent path exposure.
+* Security: Added security warning for privilege delegation.
+* New: Added uninstall.php for clean database removal.
+* Fix: Added proper ABSPATH checks to all files.
+* Improvement: Added phpcs:ignore comments for intentional raw output.
+
 = 2.3.0 =
 * Fix: Stored Cross-Site Scripting (XSS) vulnerability.
 * New Feature: Add minimum capability required to add scripts to posts.

shfs.php

@@ -3,7 +3,7 @@
  * Plugin Name: Header and Footer Scripts
  * Plugin URI: https://github.com/anandkumar/header-and-footer-scripts
  * Description: Essential WordPress plugin for almost every website to insert codes like Javascript and CSS. Inserting script to your wp_head and wp_footer made easy.
- * Version: 2.3.0
+ * Version: 2.3.1
  * Author: Anand Kumar
  * Author URI: http://www.anandkumar.net
  * Text Domain: header-and-footer-scripts
@@ -29,6 +29,10 @@
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */
 
+if (! defined('ABSPATH') ) {
+    exit;
+}
+
 define('SHFS_PLUGIN_DIR',str_replace('\\','/',dirname(__FILE__)));
 
 if ( !class_exists( 'HeaderAndFooterScripts' ) ) {
@@ -57,7 +61,7 @@ function admin_init() {
 			register_setting( 'header-and-footer-scripts', 'shfs_insert_footer', 'trim' );
 			register_setting( 'header-and-footer-scripts', 'shfs_insert_header_priority', 'intval' );
 			register_setting( 'header-and-footer-scripts', 'shfs_insert_footer_priority', 'intval' );
-			register_setting( 'header-and-footer-scripts', 'shfs_script_access_level' );
+			register_setting( 'header-and-footer-scripts', 'shfs_script_access_level', array( &$this, 'sanitize_access_level' ) );
 
 
 			// add meta box to all post types
@@ -71,20 +75,19 @@ function admin_init() {
 			add_action('save_post','shfs_post_meta_save');
 		}
 
-		// adds menu item to wordpress admin dashboard
 		function admin_menu() {
-			$page = add_submenu_page( 'options-general.php', esc_html__('Header and Footer Scripts', 'header-and-footer-scripts'), esc_html__('Header and Footer Scripts', 'header-and-footer-scripts'), 'manage_options', __FILE__, array( &$this, 'shfs_options_panel' ) );
+			$page = add_submenu_page( 'options-general.php', esc_html__('Header and Footer Scripts', 'header-and-footer-scripts'), esc_html__('Header and Footer Scripts', 'header-and-footer-scripts'), 'manage_options', 'header-and-footer-scripts', array( &$this, 'shfs_options_panel' ) );
 			}
 
 		function wp_head() {
 			$meta = get_option( 'shfs_insert_header', '' );
 			if ( $meta != '' ) {
-				echo $meta, "\n";
+				echo $meta, "\n"; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			}
 
 			$shfs_post_meta = get_post_meta( get_the_ID(), '_inpost_head_script' , TRUE );
 			if ( is_singular() && $shfs_post_meta != '' ) {
-				echo $shfs_post_meta['synth_header_script'], "\n";
+				echo $shfs_post_meta['synth_header_script'], "\n"; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			}
 
 		}
@@ -96,7 +99,7 @@ function wp_footer() {
 				$text = do_shortcode( $text );
 
 				if ( $text != '' ) {
-					echo $text, "\n";
+					echo $text, "\n"; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 				}
 			}
 		}
@@ -105,6 +108,14 @@ function shfs_options_panel() {
 				// Load options page
 				require_once(SHFS_PLUGIN_DIR . '/inc/options.php');
 		}
+
+		function sanitize_access_level( $input ) {
+			$valid_levels = array( 'manage_options', 'edit_others_posts', 'publish_posts' );
+			if ( in_array( $input, $valid_levels ) ) {
+				return $input;
+			}
+			return 'manage_options';
+		}
 	}
 
 	function shfs_meta_setup() {
@@ -118,18 +129,18 @@ function shfs_meta_setup() {
 		include_once(SHFS_PLUGIN_DIR . '/inc/meta.php');
 
 		// create a custom nonce for submit verification later
-		echo '<input type="hidden" name="shfs_post_meta_noncename" value="' . wp_create_nonce(__FILE__) . '" />';
+		echo '<input type="hidden" name="shfs_post_meta_noncename" value="' . esc_attr( wp_create_nonce('shfs_post_meta_save') ) . '" />';
 	}
 
 	function shfs_post_meta_save($post_id) {
 		// authentication checks
 
 		// make sure data came from our meta box
 		if ( ! isset( $_POST['shfs_post_meta_noncename'] )
-			|| !wp_verify_nonce($_POST['shfs_post_meta_noncename'],__FILE__)) return $post_id;
+			|| !wp_verify_nonce( sanitize_key( $_POST['shfs_post_meta_noncename'] ),'shfs_post_meta_save')) return $post_id;
 
 		// check user permissions
-		if ( $_POST['post_type'] == 'page' ) {
+		if ( isset( $_POST['post_type'] ) && 'page' === $_POST['post_type'] ) {
 
 			if (!current_user_can('edit_page', $post_id))
 				return $post_id;
@@ -149,7 +160,7 @@ function shfs_post_meta_save($post_id) {
 
 		$current_data = get_post_meta($post_id, '_inpost_head_script', TRUE);
 
-		$new_data = $_POST['_inpost_head_script'];
+		$new_data = isset( $_POST['_inpost_head_script'] ) ? wp_unslash( $_POST['_inpost_head_script'] ) : null; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 
 		shfs_post_meta_clean($new_data);
 

uninstall.php

@@ -0,0 +1,21 @@
+<?php
+/**
+ * Fired when the plugin is being uninstalled.
+ *
+ * @package    Header and Footer Scripts
+ * @author     Anand Kumar <anand@anandkumar.net>
+ * @copyright  Copyright (c) 2013 - 2026, Anand Kumar
+ * @link       https://github.com/anandkumar/header-and-footer-scripts
+ * @license    http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+ */
+
+// If uninstall not called from WordPress, then exit.
+if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
+	exit;
+}
+
+delete_option( 'shfs_insert_header' );
+delete_option( 'shfs_insert_footer' );
+delete_option( 'shfs_insert_header_priority' );
+delete_option( 'shfs_insert_footer_priority' );
+delete_option( 'shfs_script_access_level' );