Skip to content

Version 1.7.7#228

Merged
sushmak02 merged 28 commits intomasterfrom
release-candidate
Mar 11, 2026
Merged

Version 1.7.7#228
sushmak02 merged 28 commits intomasterfrom
release-candidate

Conversation

@akshayurankar48
Copy link
Contributor

@akshayurankar48 akshayurankar48 commented Feb 24, 2026

No description provided.

akshayurankar48 and others added 27 commits February 23, 2026 15:56
@akshayurankar48
fix: add capability checks to AJAX handlers
7f0bf90 
- Add current_user_can('manage_options') to submit_request handler
- Add current_user_can('edit_posts') to bsf_oembed_ajax_results handler
- Fix submit_request control flow: bail early on nonce failure instead
  of running wp_mail() with empty fields
- Add sanitize_text_field(wp_unslash()) to nonce verification inputs

Fixes #218
@akshayurankar48
fix: replace esc_attr() misuse with proper input sanitization
ef1479c 
- Replace esc_attr() on $_POST/$_GET with sanitize_text_field(),
  absint(), or intval() depending on data type
- Add wp_unslash() before sanitization on superglobal access
- Fix nonce values to use sanitize_text_field(wp_unslash()) before
  wp_verify_nonce()
- Fix post IDs to use absint() instead of esc_attr()
- Fix star ratings to use intval() instead of esc_attr()

Fixes #219
@akshayurankar48
fix: strengthen nonce verification across plugin
6b078b9 
- Replace generic 'ajax_nonce' action with 'bsf_meta_box_ajax_nonce'
  to prevent cross-plugin nonce collision
- Replace basename(__FILE__) nonce action with explicit
  'bsf_meta_box_nonce_action' string
- Gate bsf_reset_options() behind $nonce_verified flag so it only
  executes after a per-option nonce check passes
- Sanitize nonce and option values in reset handler

Fixes #220
@akshayurankar48
fix: use capability instead of role in add_menu_page
4aaeba2 
Replace deprecated 'administrator' role string with 'manage_options'
capability in add_menu_page() call. Using role names as capabilities
is deprecated WordPress behavior and may fail on custom installations
or multisite.

Fixes #221
@akshayurankar48
fix: prevent information disclosure in error handling
fb7495d 
- Replace DateTime exception echo with error_log() to prevent
  leaking PHP internals (file paths, timezone info) to frontend
  visitors; return $content unchanged instead of bare return
- Sanitize field_id parameter in oEmbed AJAX response with
  sanitize_text_field(wp_unslash()) before output

Fixes #222
@sushmak02
Merge pull request #223 from brainstormforce/fix/ajax-capability-checks
d3b9842 
fix: add capability checks to AJAX handlers
@sushmak02
Merge pull request #224 from brainstormforce/fix/input-sanitization
c4b1d59 
fix: replace esc_attr() misuse with proper input sanitization
@sushmak02
Merge pull request #226 from brainstormforce/fix/menu-capability
911fd1a 
fix: use capability instead of role in add_menu_page
@sushmak02
Merge pull request #227 from brainstormforce/fix/information-disclosure
5c25c7d 
fix: prevent information disclosure in error handling
@akshayurankar48
fix: resolve merge conflicts for security fixes into release-candidate
615b32f 
Resolved conflicts in init.php and admin/index.php:
- bsf_force_send(): sanitize nonce with sanitize_text_field(wp_unslash()) + correct action 'bsf_meta_box_ajax_nonce'
- bsf_oembed_ajax_results(): sanitized nonce + capability check + wp_send_json_error() instead of die()
- Added isset() guard on $_REQUEST['field_id']
- Replaced die() with wp_die() at end of AJAX handler
- admin/index.php: kept $nonce_verified flag initialization, removed extra blank lines
@akshayurankar48
fix: align array arrows and equals signs per WPCS
91ead2e 
- Align 'post_id' double arrow with 'bsf_meta_box_ajax_nonce' in array
- Align $return equals sign with $field_id assignment
@akshayurankar48
addec changelog
3f106f9
@akshayurankar48
fix: correct post_id array arrow alignment to 17 spaces
af8abbc
@sushmak02
Merge pull request #225 from brainstormforce/fix/nonce-verification
47eef5f 
fix: strengthen nonce verification across plugin
@akshayurankar48 @claude
fix: security audit round 2 - XSS, JSON-LD injection, die() replacement
b63b759 
- Sanitize $_SERVER values in get_the_ip() to prevent XSS
- Escape IP output in rating form hidden field
- Use wp_json_encode with JSON_HEX_TAG to prevent JSON-LD script injection
- Escape product_rating option output to prevent stored XSS
- Replace die() with wp_send_json_error/success in rating handlers
- Sanitize nonce field in submit_color before wp_verify_nonce

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@akshayurankar48 @claude
fix: email header injection, die() replacement, nonce sanitization
56f36e6 
- Strip CRLF from name/email in From: header to prevent email header injection
- Replace die() with wp_send_json_success/error in submit_request() and submit_color()
- Add sanitize_text_field(wp_unslash()) around nonce values in admin/index.php form handlers

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@akshayurankar48 @claude
fix: enforce WordPress Coding Standards compliance across all PHP files
b8af60f 
- Add ABSPATH direct access guards to 5 files missing them
- Convert 80+ loose comparisons (== / !=) to strict (=== / !==)
- Fix non-Yoda conditions to use constant-on-left pattern
- Add strict flag (true) to all in_array() calls
- Sanitize nonce values with sanitize_text_field(wp_unslash()) before wp_verify_nonce()
- Replace print/exit with wp_die() for nonce failures in admin settings
- Replace raw header() redirect with wp_safe_redirect()
- Escape site_url() output with esc_url()
- Remove closing PHP tags from PHP-only files
- Fix equals sign alignment and double blank lines
- Fix inline comment formatting

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@akshayurankar48 @claude
feat: add WCAG accessibility improvements across plugin
a0f0bb5 
- Add screen-reader-only CSS class and focus styles for keyboard navigation
- Add fieldset/legend and aria-labels to star rating radio buttons
- Replace generic image alt text with dynamic contextual values
- Mark decorative star images as aria-hidden with empty alt
- Add role="complementary" and aria-label to snippet boxes
- Add role="presentation" to admin meta box layout table
- Add aria-hidden state management to toggle.js show/hide logic
- Refactor toggle.js to use lookup maps (reduces duplication)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sushmak02
Merge pull request #230 from brainstormforce/fix/security-audit-round2
5982d31 
fix: security audit round 2 - XSS, JSON-LD injection, die() replacement
@akshayurankar48
Merge remote-tracking branch 'origin/release-candidate' into fix/wpcs…
338e161 
…-coding-standards
@akshayurankar48
Merge branch 'release-candidate' into fix/wpcs-coding-standards
d26114a
@akshayurankar48
updated phpcs
eb30590
@sushmak02
Merge pull request #232 from brainstormforce/fix/wpcs-coding-standards
07ac495 
Fix: Enforce WordPress Coding Standards compliance
@akshayurankar48
Merge remote-tracking branch 'origin/release-candidate' into feat/acc…
7755c69 
…essibility-improvements
@akshayurankar48
Merge branch 'release-candidate' into feat/accessibility-improvements
0c565e7
@sushmak02
Merge pull request #234 from brainstormforce/feat/accessibility-impro…
7dcd211 
…vements

Add WCAG accessibility improvements
@akshayurankar48
added changelog and updated version nnumber
3dc75f6
sushmak02
sushmak02 reviewed Mar 11, 2026
View reviewed changes
@sushmak02
Merge pull request #237 from brainstormforce/1.7.7
e0b0a50 
Added changelog and updated version number
@sushmak02 sushmak02 merged commit f806d55 into master Mar 11, 2026
2 checks passed
@sushmak02 sushmak02 deleted the release-candidate branch March 11, 2026 06:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sushmak02 sushmak02 sushmak02 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@akshayurankar48 @sushmak02