Commit 1d8070f

georgeolaru and claude committed
Update CLAUDE.md with all security fix references (#349-#361)
Document all 13 security findings from the audit, organized by severity (high, medium, low) with issue numbers and file locations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent a5881b3 commit 1d8070f

1 file changed

+19
-5
lines changed


CLAUDE.md

Lines changed: 19 additions & 5 deletions
@@ -202,13 +202,27 @@ When a block editor feature "doesn't work on the frontend," the first place to l
202202

203203
## Security Fixes (Milestone 2.0.12)
204204

205-
The following XSS vulnerabilities were identified and fixed:
205+
### High — Stored XSS (fixed)
206206

207-
- **#349** — Menu item badge output escaped with `esc_html()` (`inc/admin/class-admin-nav-menus.php:977`)
208-
- **#350** — Menu item description output sanitized with `wp_kses_post()` (`inc/extras.php:380`)
209-
- **#351** — WooCommerce product title output escaped with `esc_html()` (`inc/integrations/woocommerce.php:288`)
207+
- **#349** — Menu item badge: `esc_html()` (`inc/admin/class-admin-nav-menus.php:977`)
208+
- **#350** — Menu item description: `wp_kses_post()` (`inc/extras.php:380`)
209+
- **#351** — WooCommerce product title: `esc_html()` (`inc/integrations/woocommerce.php:288`)
210210

211-
All three were stored XSS vectors where data from the database was rendered without output escaping on the frontend. Input sanitization existed on save, but defense-in-depth requires escaping on output as well.
211+
### Medium — Input/output sanitization (fixed)
212+
213+
- **#352** — Search query: `esc_attr()` on `get_search_query()` (`inc/admin/class-admin-nav-menus.php:834`)
214+
- **#353** — Body class options: `sanitize_html_class()` (`inc/template-functions.php:69,77`)
215+
- **#354** — Transparent logo sanitize callback: `absint()` (`inc/admin/class-admin-customize.php:104`)
216+
- **#355** — Separator symbol: allowlist validation before `get_template_part()` (`inc/integrations/novablocks.php:171`)
217+
- **#356** — Upgrade notice: `esc_html()` on theme name and version (`inc/upgrade/class-Anima_Upgrade.php:148`)
218+
- **#361**`save_custom_fields` nonce: relies on WP core nonce (no code change, documented)
219+
220+
### Low — Defense-in-depth (fixed)
221+
222+
- **#357** — Admin field labels/IDs: `esc_attr()` and `esc_html()` (`inc/admin/class-admin-nav-menus.php:226-230,586-590`)
223+
- **#358** — Pixelgrade Care installer: `esc_html()` on title, `esc_js()` on status (`inc/integrations/pixelgrade-care.php:139,188`)
224+
- **#359** — CSS selector output: `esc_html()` (`inc/admin/class-admin-nav-menus.php:292`)
225+
- **#360** — Removed unused `debug()` method with `var_dump()` (`inc/upgrade/class-Anima_Upgrade.php:176`)
212226

213227
## Coding Conventions
214228
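Review bot: the added `#361` bullet in this hunk is missing the ` — ` separator that every other bullet in the section uses (`- **#361**`save_custom_fields` nonce: relies on WP core nonce …`); add it so the list renders consistently. The same bullet says "no code change" while it sits under a heading marked "(fixed)", so either move it to a short "Documented / no change" note or drop "(fixed)" from that heading. The hunk also deletes the sentence explaining that all three high findings were stored XSS where database-sourced data was rendered without output escaping and that input sanitization on save is not a substitute for escaping on output; that rationale is the most useful part of the section for future contributors and is worth keeping beneath the High list.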
