Summary
Security audit round 2 identified several remaining vulnerabilities after the initial security fixes (PRs #223-#227).
Vulnerabilities Fixed
| # | Type | Severity | File | Description |
|---|---|---|---|---|
| V001 | XSS | HIGH | functions.php | `get_the_ip()` returns unsanitized `$_SERVER` values |
| V002 | XSS | HIGH | functions.php | IP output in hidden field unescaped |
| V003 | JSON-LD Injection | HIGH | functions.php | `json_encode()` without `JSON_HEX_TAG` allows `</script>` injection in video schema |
| V004 | XSS | MEDIUM | functions.php | `product_rating` option output without escaping |
| V005 | Improper Termination | MEDIUM | functions.php | `die()` in rating AJAX handlers instead of `wp_send_json_*` |
| V006 | Nonce Sanitization | MEDIUM | index.php | Nonce field in `submit_color()` not sanitized before verification |
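The hardened shape of the six patterns above, as an added example rather than the plugin's own code. The `example_` function names, the `user_ip` field, the `product_rating` option key, the `example_submit_rating` nonce action and the AJAX action names are assumptions for illustration; it expects to run inside a loaded WordPress install, since it uses `esc_attr`, `esc_html`, `wp_json_encode`, `wp_send_json_*`, `sanitize_text_field`, `wp_unslash` and `wp_verify_nonce`.

```php
<?php
// Added example (not the plugin's code): hardened versions of V001-V006.
// All example_* names and the option/nonce/action names are assumptions.

/**
 * V001: return a validated client IP, never a raw $_SERVER value.
 * Only REMOTE_ADDR is trusted here; honouring X-Forwarded-For would need a
 * trusted-proxy list, which this example deliberately does not assume.
 */
function example_get_the_ip() {
    $raw = isset( $_SERVER['REMOTE_ADDR'] ) ? wp_unslash( $_SERVER['REMOTE_ADDR'] ) : '';
    $ip  = filter_var( $raw, FILTER_VALIDATE_IP );
    return ( false === $ip ) ? '' : $ip; // anything that is not an IP collapses to ''
}

/**
 * V002: escape at the point of output even for values that "should" be safe.
 * esc_attr() encodes quotes, < > and &, so the value cannot break out of the attribute.
 */
function example_ip_hidden_field() {
    return '<input type="hidden" name="user_ip" value="' . esc_attr( example_get_the_ip() ) . '" />';
}

/**
 * V003: JSON-LD sits inside <script>, where HTML escaping does not apply.
 * JSON_HEX_TAG turns < and > into \u003C and \u003E, so neither "</script>"
 * nor "<!--" in a title/description can reach the HTML parser. The other
 * JSON_HEX_* flags make the output safe if it is ever echoed into an attribute.
 */
function example_video_schema_script( $title, $description ) {
    $schema = array(
        '@context'    => 'https://schema.org',
        '@type'       => 'VideoObject',
        'name'        => $title,
        'description' => $description,
    );
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script type="application/ld+json">' . wp_json_encode( $schema, $flags ) . '</script>';
}

/**
 * V004: an option is only as trustworthy as everyone who can write it
 * (admins, other plugins, a compromised account), so escape it on output.
 */
function example_product_rating_html() {
    $rating = get_option( 'product_rating', '0' );
    return '<span class="rating">' . esc_html( $rating ) . '</span>';
}

/**
 * V005 + V006: sanitize the nonce before verifying it, validate the payload,
 * and terminate through wp_send_json_* instead of die(). wp_send_json_* sets
 * the JSON content type and HTTP status, encodes the payload, and ends the
 * request through the wp_die handler, which test harnesses can override.
 */
function example_submit_rating_ajax() {
    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_submit_rating' ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    $rating = isset( $_POST['rating'] ) ? absint( $_POST['rating'] ) : 0;
    if ( $rating < 1 || $rating > 5 ) {
        wp_send_json_error( array( 'message' => 'Rating must be between 1 and 5' ), 400 );
    }

    // Storing the last submitted value is a simplification for the example;
    // a real rating feature would aggregate per post and rate-limit per IP.
    update_option( 'product_rating', $rating );
    wp_send_json_success( array( 'rating' => $rating ) );
}
add_action( 'wp_ajax_example_submit_rating', 'example_submit_rating_ajax' );
add_action( 'wp_ajax_nopriv_example_submit_rating', 'example_submit_rating_ajax' );
```

The common thread is to escape for the exact context the value lands in (`esc_attr` for an attribute, `esc_html` for element text, `JSON_HEX_*` for a JSON string inside `<script>`) at the moment of output, and to treat `$_SERVER`, `$_POST` and stored options alike as untrusted input.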
Remaining Items (follow-up)
- Email header injection in `submit_request()`: `$name`/`$from` in the `From:` header need CRLF stripped
- `die()` in `submit_request()` and `submit_color()`: replace with `wp_send_json_*`
- Nonce sanitization in `admin/index.php` form handlers
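One way to close the email header injection and the `die()` usage in `submit_request()` together, as an added example that is not the plugin's code. The `example_` function names, the `name`/`from`/`message` POST fields, the `example_submit_request` nonce action and sending to `admin_email` are assumptions; it expects a loaded WordPress install for `sanitize_email`, `is_email`, `sanitize_textarea_field`, `wp_mail` and `wp_send_json_*`.

```php
<?php
// Added example (not the plugin's code): build the From: header so that a
// CR/LF in $name or $from cannot start a new header line (Bcc:, Content-Type:,
// ...) whatever mail backend ultimately sends the message.
// All example_* names and POST field names are assumptions.

/**
 * Remove anything that could terminate or fold a header line.
 */
function example_clean_header_value( $value ) {
    $value = (string) $value;
    // CR, LF and NUL are never legitimate in a single header value.
    $value = str_replace( array( "\r", "\n", "\0" ), '', $value );
    // Collapse any other control character to a space.
    $value = preg_replace( '/[\x00-\x1F\x7F]/', ' ', $value );
    return trim( $value );
}

/**
 * Returns a From: header string, or null if the address does not validate.
 * The display name is quoted, with quotes and backslashes removed so the
 * quoted string cannot be unbalanced.
 */
function example_build_from_header( $name, $from ) {
    $email = sanitize_email( example_clean_header_value( $from ) );
    if ( '' === $email || ! is_email( $email ) ) {
        return null; // refuse rather than guess at a sender address
    }
    $display = str_replace( array( '"', '\\' ), '', example_clean_header_value( $name ) );
    if ( '' === $display ) {
        return 'From: ' . $email;
    }
    return 'From: "' . $display . '" <' . $email . '>';
}

/**
 * AJAX handler: nonce sanitized before verification, every exit through
 * wp_send_json_* rather than die().
 */
function example_submit_request() {
    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_submit_request' ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    $name = isset( $_POST['name'] ) ? wp_unslash( $_POST['name'] ) : '';
    $from = isset( $_POST['from'] ) ? wp_unslash( $_POST['from'] ) : '';
    $header = example_build_from_header( $name, $from );
    if ( null === $header ) {
        wp_send_json_error( array( 'message' => 'Invalid sender address' ), 400 );
    }

    $body = isset( $_POST['message'] ) ? sanitize_textarea_field( wp_unslash( $_POST['message'] ) ) : '';
    $sent = wp_mail( get_option( 'admin_email' ), 'Site request', $body, array( $header ) );
    if ( ! $sent ) {
        wp_send_json_error( array( 'message' => 'Mail could not be sent' ), 500 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_submit_request', 'example_submit_request' );
add_action( 'wp_ajax_nopriv_example_submit_request', 'example_submit_request' );
```

A quick check is to post `from=attacker@example.com%0ABcc:victim@example.com` and `name=x%0D%0AContent-Type:text/html` to the handler: with the stripping above the header comes back as a single `From:` line, and the address still has to pass `is_email()` before any mail is attempted.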
Testing
- Verify rating submission still works on frontend
- Verify video schema output doesn't break
- Verify color customization AJAX still works