brainstormforce · sushmak02 · Mar 10, 2026 · Mar 6, 2026 · Mar 6, 2026
diff --git a/admin/index.php b/admin/index.php
@@ -982,7 +982,7 @@ function rich_snippet_dashboard() {
 }
 // Update options.
 if ( isset( $_POST['setting_analytics_submit'] ) ) {
-	if ( ! isset( $_POST['snippet_analytics_nonce_field'] ) || ! wp_verify_nonce( $_POST['snippet_analytics_nonce_field'], 'snippet_analytics_form_action' ) || ! current_user_can( 'manage_options' )
+	if ( ! isset( $_POST['snippet_analytics_nonce_field'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['snippet_analytics_nonce_field'] ) ), 'snippet_analytics_form_action' ) || ! current_user_can( 'manage_options' )
 		) {
 		print 'Sorry, your nonce did not verify.';
 		exit;
@@ -995,7 +995,7 @@ function rich_snippet_dashboard() {
 	}
 }
 if ( isset( $_POST['setting_submit'] ) ) {
-	if ( ! isset( $_POST['snippet_woocommerce_nonce_field'] ) || ! wp_verify_nonce( $_POST['snippet_woocommerce_nonce_field'], 'snippet_woocommerce_form_action' ) || ! current_user_can( 'manage_options' )
+	if ( ! isset( $_POST['snippet_woocommerce_nonce_field'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['snippet_woocommerce_nonce_field'] ) ), 'snippet_woocommerce_form_action' ) || ! current_user_can( 'manage_options' )
 		) {
 		print 'Sorry, your nonce did not verify.';
 		exit;

diff --git a/functions.php b/functions.php
@@ -609,7 +609,7 @@ function display_rich_snippet( $content ) {
 		$product .= '<div class="aio-info">';
 		if ( '' != trim( $product_rating ) ) {
 			if ( '' != $args_product['product_brand'] ) {
-				$product .= '<div class="snippet-label-img">' . $args_product['product_rating'] . '</div>';
+				$product .= '<div class="snippet-label-img">' . esc_html( $args_product['product_rating'] ) . '</div>';
 			}
 			$product            .= '<div class="snippet-data-img"><span class="star-img">';
 			$ceil_product_rating = ceil( $product_rating );
@@ -916,7 +916,7 @@ function display_rich_snippet( $content ) {
 		);
 
 		// Output the schema as JSON-LD only once.
-		$video .= '<script type="application/ld+json">' . json_encode( $schema ) . '</script>'; // phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
+		$video .= '<script type="application/ld+json">' . wp_json_encode( $schema, JSON_HEX_TAG | JSON_HEX_AMP ) . '</script>';
 
 		// Start the video rendering logic.
 		$video .= '<div id="snippet-box" class="snippet-type-' . esc_attr( $type ) . '" style="background:' . esc_attr( $args_color['snippet_box_bg'] ) . '; color:' . esc_attr( $args_color['snippet_box_color'] ) . '; border:1px solid ' . esc_attr( $args_color['snippet_border'] ) . ';">';
@@ -1185,11 +1185,11 @@ function display_rich_snippet( $content ) {
  */
 function get_the_ip() {
 	if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
-		return $_SERVER['HTTP_X_FORWARDED_FOR'];
+		return sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
 	} elseif ( isset( $_SERVER['HTTP_CLIENT_IP'] ) ) {
-		return $_SERVER['HTTP_CLIENT_IP'];
+		return sanitize_text_field( wp_unslash( $_SERVER['HTTP_CLIENT_IP'] ) );
 	} else {
-		return $_SERVER['REMOTE_ADDR'];
+		return isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';
 	}
 }
 /**
@@ -1309,8 +1309,10 @@ function bsf_add_rating() {
 		'user_rating' => $stars,
 	);
 
-	echo false == add_post_meta( $postid, 'post-rating', $user_rating ) ? esc_html_e( 'Error adding your rating', 'rich-snippets' ) : esc_html_e( 'Ratings added successfully !', 'rich-snippets' );
-	die();
+	if ( false === add_post_meta( $postid, 'post-rating', $user_rating ) ) {
+		wp_send_json_error( __( 'Error adding your rating', 'rich-snippets' ) );
+	}
+	wp_send_json_success( __( 'Ratings added successfully !', 'rich-snippets' ) );
 }
 /**
  * Bsf_update_rating.
@@ -1339,8 +1341,10 @@ function bsf_update_rating() {
 		'user_rating' => $stars,
 	);
 
-	echo false == update_post_meta( $postid, 'post-rating', $user_rating, $prev_data ) ? esc_html_e( 'Error updating your rating', 'rich-snippets' ) : esc_html_e( 'Ratings updated successfully !', 'rich-snippets' );
-	die();
+	if ( false === update_post_meta( $postid, 'post-rating', $user_rating, $prev_data ) ) {
+		wp_send_json_error( __( 'Error updating your rating', 'rich-snippets' ) );
+	}
+	wp_send_json_success( __( 'Ratings updated successfully !', 'rich-snippets' ) );
 }
 /**
  * Display_rating.
@@ -1356,7 +1360,7 @@ function display_rating() {
 		$rating .= '<input type="radio" name="star-review" class="star star-3" value="3"/>';
 		$rating .= '<input type="radio" name="star-review" class="star star-4" value="4"/>';
 		$rating .= '<input type="radio" name="star-review" class="star star-5" value="5"/>';
-		$rating .= '<input type="hidden" name="ip" value="' . get_the_ip() . '" />';
+		$rating .= '<input type="hidden" name="ip" value="' . esc_attr( get_the_ip() ) . '" />';
 		$rating .= '<input type="hidden" name="post_id" value="' . $post->ID . '" />';
 		$rating .= '</form>';
 		$rating .= '</div></span>';

diff --git a/index.php b/index.php
@@ -355,13 +355,17 @@ public function submit_request() {
 				</body>
 			</html>
 			';
-			$headers  = 'MIME-Version: 1.0' . "\r\n";
-			$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
-			$headers .= 'From:' . $name . '<' . $from . '>' . "\r\n";
-			$result   = wp_mail( $to, $subject, wp_kses_post( $html ), $headers );
-			echo $result ? esc_html_e( 'Thank you!', 'rich-snippets' ) : esc_html_e( 'Something went wrong!', 'rich-snippets' );
-
-			die();
+			$safe_name = str_replace( array( "\r", "\n" ), '', $name );
+			$safe_from = str_replace( array( "\r", "\n" ), '', $from );
+			$headers   = 'MIME-Version: 1.0' . "\r\n";
+			$headers  .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
+			$headers  .= 'From:' . $safe_name . '<' . $safe_from . '>' . "\r\n";
+			$result    = wp_mail( $to, $subject, wp_kses_post( $html ), $headers );
+			if ( $result ) {
+				wp_send_json_success( __( 'Thank you!', 'rich-snippets' ) );
+			} else {
+				wp_send_json_error( __( 'Something went wrong!', 'rich-snippets' ) );
+			}
 		}
 		/**
 		 * Submit_color.
@@ -371,7 +375,7 @@ public function submit_color() {
 				// return if current user is not allowed to manage options.
 				return;
 			} else {
-				if ( ! isset( $_POST['snippet_color_nonce_field'] ) || ! wp_verify_nonce( $_POST['snippet_color_nonce_field'], 'snippet_color_form_action' )
+				if ( ! isset( $_POST['snippet_color_nonce_field'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['snippet_color_nonce_field'] ) ), 'snippet_color_form_action' )
 				) {
 					print esc_attr( 'Sorry, your nonce did not verify.' );
 					exit;
@@ -388,9 +392,11 @@ public function submit_color() {
 						'snippet_title_color' => $title_color,
 						'snippet_box_color'   => $box_color,
 					);
-					echo update_option( 'bsf_custom', $color_opt ) ? esc_html_e( 'Settings saved !', 'rich-snippets' ) : esc_html_e( 'Error occured. Settings were not saved !', 'rich-snippets' );
-
-					die();
+					if ( update_option( 'bsf_custom', $color_opt ) ) {
+						wp_send_json_success( __( 'Settings saved !', 'rich-snippets' ) );
+					} else {
+						wp_send_json_error( __( 'Error occured. Settings were not saved !', 'rich-snippets' ) );
+					}
 				}
 			}
 		}