Merge remote-tracking branch 'origin/main' into chore-update-examples-iteration-1

Author: ahuseyn

package.json

@@ -9,7 +9,9 @@
   "pnpm": {
     "overrides": {
       "@babel/runtime": "7.27.0",
-      "webpack-dev-server@<=5.2.0": ">=5.2.1"
+      "webpack-dev-server@<=5.2.0": ">=5.2.1",
+      "on-headers@<1.1.0": ">=1.1.0",
+      "form-data@>=4.0.0 <4.0.4": ">=4.0.4"
     }
   },
   "scripts": {

plugins/composer-packages.json

@@ -1,6 +1,32 @@
 {
   "packages": {
     "wpengine/hwp-previews": {
+      "0.0.8": {
+        "name": "wpengine/hwp-previews",
+        "version": "0.0.8",
+        "type": "wordpress-plugin",
+        "description": "A WordPress plugin for headless previews.",
+        "homepage": "https://github.com/wpengine/hwptoolkit",
+        "license": "GPL-2.0",
+        "authors": [
+          {
+            "name": "WP Engine Headless OSS Development Team",
+            "email": "[email protected]",
+            "homepage": "https://wpengine.com/"
+          }
+        ],
+        "support": {
+          "issues": "https://github.com/wpengine/hwptoolkit/issues",
+          "email": "[email protected]"
+        },
+        "dist": {
+          "url": "https://github.com/wpengine/hwptoolkit/releases/download/%40wpengine%2Fhwp-previews-wordpress-plugin-0.0.8/hwp-previews.zip",
+          "type": "zip"
+        },
+        "require": {
+          "composer/installers": "~1.0 || ~2.0"
+        }
+      },
       "0.0.7": {
         "name": "wpengine/hwp-previews",
         "version": "0.0.7",
@@ -106,7 +132,61 @@
         }
       }
     },
+    "wpengine/wpgraphql-debug-extensions": {
+      "0.0.1": {
+        "name": "wpengine/wpgraphql-debug-extensions",
+        "version": "0.0.1",
+        "type": "wordpress-plugin",
+        "description": "A WordPress plugin for wpgraphql debug extensions.",
+        "homepage": "https://github.com/wpengine/hwptoolkit",
+        "license": "GPL-2.0",
+        "authors": [
+          {
+            "name": "WP Engine Headless OSS Development Team",
+            "email": "[email protected]",
+            "homepage": "https://wpengine.com/"
+          }
+        ],
+        "support": {
+          "issues": "https://github.com/wpengine/hwptoolkit/issues",
+          "email": "[email protected]"
+        },
+        "dist": {
+          "url": "https://github.com/wpengine/hwptoolkit/releases/download/%40wpengine%2Fwpgraphql-debug-extensions-plugin-0.0.1/wpgraphql-debug-extensions.zip",
+          "type": "zip"
+        },
+        "require": {
+          "composer/installers": "~1.0 || ~2.0"
+        }
+      }
+    },
     "wpengine/wp-graphql-webhooks": {
+      "0.0.4": {
+        "name": "wpengine/wp-graphql-webhooks",
+        "version": "0.0.4",
+        "type": "wordpress-plugin",
+        "description": "Headless webhooks for WPGraphQL",
+        "homepage": "https://github.com/wpengine/hwptoolkit",
+        "license": "GPL-2.0",
+        "authors": [
+          {
+            "name": "WP Engine Headless OSS Development Team",
+            "email": "[email protected]",
+            "homepage": "https://wpengine.com/"
+          }
+        ],
+        "support": {
+          "issues": "https://github.com/wpengine/hwptoolkit/issues",
+          "email": "[email protected]"
+        },
+        "dist": {
+          "url": "https://github.com/wpengine/hwptoolkit/releases/download/%40wpengine%2Fwpgraphql-webhooks-wordpress-plugin-0.0.4/wp-graphql-webhooks.zip",
+          "type": "zip"
+        },
+        "require": {
+          "composer/installers": "~1.0 || ~2.0"
+        }
+      },
       "0.0.3": {
         "name": "wpengine/wp-graphql-webhooks",
         "version": "0.0.3",

plugins/hwp-previews/CHANGELOG.md

@@ -1,5 +1,11 @@
 # HWP Previews
 
+## 0.0.8
+
+### Patch Changes
+
+- [#333](https://github.com/wpengine/hwptoolkit/pull/333) [`cf0a040`](https://github.com/wpengine/hwptoolkit/commit/cf0a0405ae04e0355745a81bf53b3c9065f10739) Thanks [@ahuseyn](https://github.com/ahuseyn)! - 1. Disables Faust front-end redirects for preview url's to solve the iframe conflict. 2. Introduced methods in Faust_Integration to replace Faust-generated preview URLs with the site’s home URL as needed.
+
 ## 0.0.7
 
 ### Patch Changes

plugins/hwp-previews/composer.json

@@ -3,7 +3,7 @@
 	"type": "wordpress-plugin",
 	"description": "A WordPress plugin for headless previews.",
 	"license": "GPL-2.0",
-	"version": "0.0.7",
+	"version": "0.0.8",
 	"authors": [
 		{
 			"name": "WP Engine Headless OSS Development Team",

plugins/hwp-previews/hwp-previews.php

@@ -7,7 +7,7 @@
  * Author: WPEngine Headless OSS Team
  * Author URI: https://github.com/wpengine
  * Update URI: https://github.com/wpengine/hwptoolkit
- * Version: 0.0.7
+ * Version: 0.0.8
  * Text Domain: hwp-previews
  * Domain Path: /languages
  * Requires at least: 6.0
@@ -67,7 +67,7 @@ function hwp_previews_init(): void {
 	 */
 	function hwp_previews_constants(): void {
 		if ( ! defined( 'HWP_PREVIEWS_VERSION' ) ) {
-			define( 'HWP_PREVIEWS_VERSION', '0.0.7' );
+			define( 'HWP_PREVIEWS_VERSION', '0.0.8' );
 		}
 
 		if ( ! defined( 'HWP_PREVIEWS_PLUGIN_DIR' ) ) {

plugins/hwp-previews/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@wpengine/hwp-previews-wordpress-plugin",
-	"version": "0.0.7",
+	"version": "0.0.8",
 	"private": true,
 	"description": "Headless Previews solution for WordPress: fully configurable preview URLs via the settings page.",
 	"scripts": {

plugins/hwp-previews/readme.txt

@@ -4,7 +4,7 @@ Tags: GraphQL, Headless, Previews, WPGraphQL, React, Rest
 Requires at least: 6.0
 Tested up to: 6.8.1
 Requires PHP: 7.4
-Stable tag: 0.0.7
+Stable tag: 0.0.8
 License: GPL-2.0
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 

plugins/hwp-previews/src/Hooks/Preview_Hooks.php

@@ -5,6 +5,7 @@
 namespace HWP\Previews\Hooks;
 
 use HWP\Previews\Admin\Settings\Fields\Settings_Field_Collection;
+use HWP\Previews\Integration\Faust_Integration;
 use HWP\Previews\Preview\Parameter\Preview_Parameter_Registry;
 use HWP\Previews\Preview\Post\Post_Editor_Service;
 use HWP\Previews\Preview\Post\Post_Preview_Service;
@@ -226,6 +227,13 @@ public function update_preview_post_link( string $preview_link, WP_Post $post ):
 
 		// If the iframe option is enabled, we need to resolve preview on the template redirect level.
 		if ( $post_type_service->is_iframe() ) {
+			$faust_helper = new Faust_Integration();
+
+			// If Faust post & category rewrites enabled, we should revert the preview link rewrites.
+			if ( $faust_helper->is_faust_rewrites_enabled() ) {
+				return $faust_helper->replace_faust_preview_rewrite( $preview_link );
+			}
+
 			return $preview_link;
 		}
 

plugins/hwp-previews/src/Integration/Faust_Integration.php

@@ -181,6 +181,41 @@ public function register_faust_admin_notice(): void {
 		}, 10, 0 );
 	}
 
+	/**
+	 * Check if Faust rewrites are enabled.
+	 */
+	public function is_faust_rewrites_enabled(): bool {
+		if ( $this->get_faust_enabled() && function_exists( '\WPE\FaustWP\Settings\is_rewrites_enabled' ) ) {
+			return (bool) \WPE\FaustWP\Settings\is_rewrites_enabled();
+		}
+		
+		return false;
+	}
+
+	/**
+	 * Replace Faust preview rewrites with the home URL.
+	 *
+	 * @param string $url The URL to be rewritten.
+	 */
+	public function replace_faust_preview_rewrite($url): string {
+		if ( ! function_exists( '\WPE\FaustWP\Settings\faustwp_get_setting' ) ) {
+			return $url;
+		}
+
+		$frontend_uri = \WPE\FaustWP\Settings\faustwp_get_setting( 'frontend_uri' );
+
+		// Return the URL as is if frontend uri is empty.
+		if ( ! $frontend_uri ) {
+			return $url;
+		}
+
+		$frontend_uri = trailingslashit( $frontend_uri );
+		$home_url     = trailingslashit( get_home_url() );
+
+
+		return str_replace( $frontend_uri, $home_url, $url );
+	}
+
 	/**
 	 * Dismiss the Faust admin notice.
 	 */
@@ -202,9 +237,26 @@ protected function configure_faust(): void {
 		// Remove FaustWP post preview link filter to avoid conflicts with our custom preview link generation.
 		remove_filter( 'preview_post_link', 'WPE\FaustWP\Replacement\post_preview_link', 1000 );
 
+		// Prevent Faust from redirecting preview URLs to the frontend in iframe mode.
+		$this->disable_faust_redirects();
+
 		$this->display_faust_admin_notice();
 	}
 
+	/**
+	 * Disable Faust's redirect functionality for preview URLs.
+	 */
+	protected function disable_faust_redirects(): void {
+		add_action( 'template_redirect', static function (): void {
+			// Only run for preview URLs (e.g., ?p=ID&preview=true).
+			// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce verification not required for disabling front-end redirects.
+			if ( isset( $_GET['preview'] ) && 'true' === $_GET['preview'] ) {
+				// Remove Faust's redirect callback.
+				remove_action( 'template_redirect', 'WPE\FaustWP\Deny_Public_Access\deny_public_access', 99 );
+			}
+		}, 10, 0 );
+	}
+
 	/**
 	 * If Faust is enabled, show an admin notice about the migration on the settings page.
 	 */

plugins/wp-graphql-webhooks/CHANGELOG.md

@@ -1,5 +1,16 @@
 # @wpengine/wpgraphql-webhooks-wordpress-plugin
 
+## 0.0.4
+
+### Patch Changes
+
+- [#336](https://github.com/wpengine/hwptoolkit/pull/336) [`cff50ab`](https://github.com/wpengine/hwptoolkit/commit/cff50abcdaccecbefe4969312df14f94d11663d7) Thanks [@josephfusco](https://github.com/josephfusco)! - fix: security improvements for webhooks plugin
+
+  - Enhanced input validation and sanitization
+  - Improved output escaping
+  - Strengthened authorization checks
+  - Added additional security hardening measures
+
 ## 0.0.3
 
 ### Patch Changes