Merge branch 'main' into poc-wpgraphql-logging-monolog

colinmurphy · colinmurphy · commit c9ba02004a75 · 2025-07-21T19:32:16.000+01:00
diff --git a/.changeset/spotty-mice-behave.md b/.changeset/spotty-mice-behave.md
@@ -0,0 +1,10 @@
+---
+"@wpengine/wpgraphql-webhooks-wordpress-plugin": patch
+---
+
+fix: security improvements for webhooks plugin
+
+- Enhanced input validation and sanitization
+- Improved output escaping
+- Strengthened authorization checks
+- Added additional security hardening measures
diff --git a/plugins/composer-packages.json b/plugins/composer-packages.json
@@ -1,6 +1,32 @@
 {
   "packages": {
     "wpengine/hwp-previews": {
+      "0.0.8": {
+        "name": "wpengine/hwp-previews",
+        "version": "0.0.8",
+        "type": "wordpress-plugin",
+        "description": "A WordPress plugin for headless previews.",
+        "homepage": "https://github.com/wpengine/hwptoolkit",
+        "license": "GPL-2.0",
+        "authors": [
+          {
+            "name": "WP Engine Headless OSS Development Team",
+            "email": "headless-oss@wpengine.com",
+            "homepage": "https://wpengine.com/"
+          }
+        ],
+        "support": {
+          "issues": "https://github.com/wpengine/hwptoolkit/issues",
+          "email": "support@wpengine.com"
+        },
+        "dist": {
+          "url": "https://github.com/wpengine/hwptoolkit/releases/download/%40wpengine%2Fhwp-previews-wordpress-plugin-0.0.8/hwp-previews.zip",
+          "type": "zip"
+        },
+        "require": {
+          "composer/installers": "~1.0 || ~2.0"
+        }
+      },
       "0.0.7": {
         "name": "wpengine/hwp-previews",
         "version": "0.0.7",
diff --git a/plugins/hwp-previews/CHANGELOG.md b/plugins/hwp-previews/CHANGELOG.md
@@ -1,5 +1,11 @@
 # HWP Previews
 
+## 0.0.8
+
+### Patch Changes
+
+- [#333](https://github.com/wpengine/hwptoolkit/pull/333) [`cf0a040`](https://github.com/wpengine/hwptoolkit/commit/cf0a0405ae04e0355745a81bf53b3c9065f10739) Thanks [@ahuseyn](https://github.com/ahuseyn)! - 1. Disables Faust front-end redirects for preview url's to solve the iframe conflict. 2. Introduced methods in Faust_Integration to replace Faust-generated preview URLs with the site’s home URL as needed.
+
 ## 0.0.7
 
 ### Patch Changes
diff --git a/plugins/hwp-previews/composer.json b/plugins/hwp-previews/composer.json
@@ -3,7 +3,7 @@
 	"type": "wordpress-plugin",
 	"description": "A WordPress plugin for headless previews.",
 	"license": "GPL-2.0",
-	"version": "0.0.7",
+	"version": "0.0.8",
 	"authors": [
 		{
 			"name": "WP Engine Headless OSS Development Team",
diff --git a/plugins/hwp-previews/hwp-previews.php b/plugins/hwp-previews/hwp-previews.php
@@ -7,7 +7,7 @@
  * Author: WPEngine Headless OSS Team
  * Author URI: https://github.com/wpengine
  * Update URI: https://github.com/wpengine/hwptoolkit
- * Version: 0.0.7
+ * Version: 0.0.8
  * Text Domain: hwp-previews
  * Domain Path: /languages
  * Requires at least: 6.0
@@ -67,7 +67,7 @@ function hwp_previews_init(): void {
 	 */
 	function hwp_previews_constants(): void {
 		if ( ! defined( 'HWP_PREVIEWS_VERSION' ) ) {
-			define( 'HWP_PREVIEWS_VERSION', '0.0.7' );
+			define( 'HWP_PREVIEWS_VERSION', '0.0.8' );
 		}
 
 		if ( ! defined( 'HWP_PREVIEWS_PLUGIN_DIR' ) ) {
diff --git a/plugins/hwp-previews/package.json b/plugins/hwp-previews/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "@wpengine/hwp-previews-wordpress-plugin",
-	"version": "0.0.7",
+	"version": "0.0.8",
 	"private": true,
 	"description": "Headless Previews solution for WordPress: fully configurable preview URLs via the settings page.",
 	"scripts": {
diff --git a/plugins/hwp-previews/readme.txt b/plugins/hwp-previews/readme.txt
@@ -4,7 +4,7 @@ Tags: GraphQL, Headless, Previews, WPGraphQL, React, Rest
 Requires at least: 6.0
 Tested up to: 6.8.1
 Requires PHP: 7.4
-Stable tag: 0.0.7
+Stable tag: 0.0.8
 License: GPL-2.0
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
diff --git a/plugins/hwp-previews/src/Hooks/Preview_Hooks.php b/plugins/hwp-previews/src/Hooks/Preview_Hooks.php
@@ -5,6 +5,7 @@
 namespace HWP\Previews\Hooks;
 
 use HWP\Previews\Admin\Settings\Fields\Settings_Field_Collection;
+use HWP\Previews\Integration\Faust_Integration;
 use HWP\Previews\Preview\Parameter\Preview_Parameter_Registry;
 use HWP\Previews\Preview\Post\Post_Editor_Service;
 use HWP\Previews\Preview\Post\Post_Preview_Service;
@@ -226,6 +227,13 @@ public function update_preview_post_link( string $preview_link, WP_Post $post ):
 
 		// If the iframe option is enabled, we need to resolve preview on the template redirect level.
 		if ( $post_type_service->is_iframe() ) {
+			$faust_helper = new Faust_Integration();
+
+			// If Faust post & category rewrites enabled, we should revert the preview link rewrites.
+			if ( $faust_helper->is_faust_rewrites_enabled() ) {
+				return $faust_helper->replace_faust_preview_rewrite( $preview_link );
+			}
+
 			return $preview_link;
 		}
 
diff --git a/plugins/hwp-previews/src/Integration/Faust_Integration.php b/plugins/hwp-previews/src/Integration/Faust_Integration.php
@@ -181,6 +181,41 @@ public function register_faust_admin_notice(): void {
 		}, 10, 0 );
 	}
 
+	/**
+	 * Check if Faust rewrites are enabled.
+	 */
+	public function is_faust_rewrites_enabled(): bool {
+		if ( $this->get_faust_enabled() && function_exists( '\WPE\FaustWP\Settings\is_rewrites_enabled' ) ) {
+			return (bool) \WPE\FaustWP\Settings\is_rewrites_enabled();
+		}
+		
+		return false;
+	}
+
+	/**
+	 * Replace Faust preview rewrites with the home URL.
+	 *
+	 * @param string $url The URL to be rewritten.
+	 */
+	public function replace_faust_preview_rewrite($url): string {
+		if ( ! function_exists( '\WPE\FaustWP\Settings\faustwp_get_setting' ) ) {
+			return $url;
+		}
+
+		$frontend_uri = \WPE\FaustWP\Settings\faustwp_get_setting( 'frontend_uri' );
+
+		// Return the URL as is if frontend uri is empty.
+		if ( ! $frontend_uri ) {
+			return $url;
+		}
+
+		$frontend_uri = trailingslashit( $frontend_uri );
+		$home_url     = trailingslashit( get_home_url() );
+
+
+		return str_replace( $frontend_uri, $home_url, $url );
+	}
+
 	/**
 	 * Dismiss the Faust admin notice.
 	 */
@@ -202,9 +237,26 @@ protected function configure_faust(): void {
 		// Remove FaustWP post preview link filter to avoid conflicts with our custom preview link generation.
 		remove_filter( 'preview_post_link', 'WPE\FaustWP\Replacement\post_preview_link', 1000 );
 
+		// Prevent Faust from redirecting preview URLs to the frontend in iframe mode.
+		$this->disable_faust_redirects();
+
 		$this->display_faust_admin_notice();
 	}
 
+	/**
+	 * Disable Faust's redirect functionality for preview URLs.
+	 */
+	protected function disable_faust_redirects(): void {
+		add_action( 'template_redirect', static function (): void {
+			// Only run for preview URLs (e.g., ?p=ID&preview=true).
+			// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce verification not required for disabling front-end redirects.
+			if ( isset( $_GET['preview'] ) && 'true' === $_GET['preview'] ) {
+				// Remove Faust's redirect callback.
+				remove_action( 'template_redirect', 'WPE\FaustWP\Deny_Public_Access\deny_public_access', 99 );
+			}
+		}, 10, 0 );
+	}
+
 	/**
 	 * If Faust is enabled, show an admin notice about the migration on the settings page.
 	 */
diff --git a/plugins/wp-graphql-webhooks/src/Admin/WebhooksAdmin.php b/plugins/wp-graphql-webhooks/src/Admin/WebhooksAdmin.php
@@ -168,7 +168,7 @@ private function verify_admin_permission(): bool {
 	 * @return bool True if nonce is valid, false otherwise.
 	 */
 	private function verify_nonce( string $nonce_name, string $action ): bool {
-		if ( ! isset( $_REQUEST[ $nonce_name ] ) || ! wp_verify_nonce( $_REQUEST[ $nonce_name ], $action ) ) {
+		if ( ! isset( $_REQUEST[ $nonce_name ] ) || ! wp_verify_nonce( wp_unslash( $_REQUEST[ $nonce_name ] ), $action ) ) {
 			wp_die( __( 'Security check failed.', 'wp-graphql-webhooks' ) );
 			return false;
 		}
@@ -185,11 +185,6 @@ public function handle_webhook_save() {
 			wp_die( __( 'Unauthorized', 'wp-graphql-webhooks' ) );
 		}
 
-		$webhook_id = isset( $_POST['webhook_id'] ) ? intval( $_POST['webhook_id'] ) : 0;
-		if ( ! $this->verify_admin_permission() || ! $this->verify_nonce( 'webhook_nonce', 'webhook_save' ) ) {
-			wp_die( __( 'Unauthorized', 'wp-graphql-webhooks' ) );
-		}
-
 		$webhook_id = isset( $_POST['webhook_id'] ) ? intval( $_POST['webhook_id'] ) : 0;
 		$webhook = new Webhook(
 			$webhook_id,
@@ -375,7 +370,7 @@ public function ajax_test_webhook(): void {
 			] );
 		}
 
-		if ( ! current_user_can( 'manage_options' ) ) {
+		if ( ! $this->verify_admin_permission() ) {
 			wp_send_json_error( [ 
 				'message' => __( 'You do not have permission to test webhooks.', 'wp-graphql-webhooks' ),
 				'error_code' => 'insufficient_permissions'
diff --git a/plugins/wp-graphql-webhooks/src/Admin/WebhooksListTable.php b/plugins/wp-graphql-webhooks/src/Admin/WebhooksListTable.php
@@ -92,13 +92,13 @@ public function process_bulk_action() {
 		}
 
 		// Verify nonce
-		if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'bulk-' . $this->_args['plural'] ) ) {
-			wp_die( __( 'Security check failed.', 'wp-graphql-webhooks' ) );
+		if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( wp_unslash( $_REQUEST['_wpnonce'] ), 'bulk-' . $this->_args['plural'] ) ) {
+			wp_die( esc_html__( 'Security check failed.', 'wp-graphql-webhooks' ) );
 		}
 
 		// Check permissions
 		if ( ! current_user_can( 'manage_options' ) ) {
-			wp_die( __( 'You do not have sufficient permissions to access this page.', 'wp-graphql-webhooks' ) );
+			wp_die( esc_html__( 'You do not have sufficient permissions to access this page.', 'wp-graphql-webhooks' ) );
 		}
 
 		// Get selected webhooks
@@ -137,8 +137,8 @@ public function prepare_items() {
 		$total_items = count( $webhooks );
 		
 		// Handle sorting
-		$orderby = ! empty( $_GET['orderby'] ) ? $_GET['orderby'] : 'name';
-		$order = ! empty( $_GET['order'] ) ? $_GET['order'] : 'asc';
+		$orderby = ! empty( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : 'name';
+		$order = ! empty( $_GET['order'] ) ? sanitize_key( $_GET['order'] ) : 'asc';
 		
 		usort( $webhooks, function( $a, $b ) use ( $orderby, $order ) {
 			$result = 0;
@@ -253,7 +253,7 @@ public function column_name( $item ) {
 	 * Display when no items
 	 */
 	public function no_items() {
-		_e( 'No webhooks found.', 'wp-graphql-webhooks' );
+		esc_html_e( 'No webhooks found.', 'wp-graphql-webhooks' );
 	}
 
 	/**
diff --git a/plugins/wp-graphql-webhooks/src/Events/SmartCacheWebhookManager.php b/plugins/wp-graphql-webhooks/src/Events/SmartCacheWebhookManager.php
@@ -116,7 +116,9 @@ private function trigger_webhooks( string $event, array $payload ): void {
 			$payload['uri'] = $payload['path'] ?? '';
 		}
 
-		error_log( "[Webhook] Triggering webhooks for event: $event with payload: " . var_export( $payload, true ) );
+		if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+			error_log( "[Webhook] Triggering webhooks for event: $event with payload: " . var_export( $payload, true ) );
+		}
 
 		do_action( 'graphql_webhooks_before_trigger', $event, $payload );
 
@@ -240,7 +242,7 @@ public function get_path_from_key( $key ) {
 		}
 
 		if ( ! empty( $permalink ) && is_string( $permalink ) && ! is_wp_error( $permalink ) ) {
-			$parsed_path = parse_url( $permalink, PHP_URL_PATH );
+			$parsed_path = wp_parse_url( $permalink, PHP_URL_PATH );
 			if ( $parsed_path !== false ) {
 				$path = $parsed_path;
 				error_log( "[Webhook] Final path for key $key: $path" );
diff --git a/plugins/wp-graphql-webhooks/src/Handlers/WebhookHandler.php b/plugins/wp-graphql-webhooks/src/Handlers/WebhookHandler.php
@@ -22,12 +22,14 @@ class WebhookHandler implements Handler {
 	public function handle( Webhook $webhook, array $payload ): void {
 		// Log webhook dispatch initiation
 		$dispatch_timestamp = current_time( 'mysql' );
-		error_log( "\n========== WEBHOOK DISPATCH ==========" );
-		error_log( "Timestamp: {$dispatch_timestamp}" );
-		error_log( "Webhook: {$webhook->name} (ID: {$webhook->id})" );
-		error_log( "Event: {$webhook->event}" );
-		error_log( "Target URL: {$webhook->url}" );
-		error_log( "Method: {$webhook->method}" );
+		if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+			error_log( "\n========== WEBHOOK DISPATCH ==========" );
+			error_log( "Timestamp: {$dispatch_timestamp}" );
+			error_log( "Webhook: {$webhook->name} (ID: {$webhook->id})" );
+			error_log( "Event: {$webhook->event}" );
+			error_log( "Target URL: {$webhook->url}" );
+			error_log( "Method: {$webhook->method}" );
+		}
 		
 		$args = [ 
 			'headers' => $webhook->headers ?: [ 'Content-Type' => 'application/json' ],
@@ -52,7 +54,9 @@ public function handle( Webhook $webhook, array $payload ): void {
 		if ( strtoupper( $webhook->method ) === 'GET' ) {
 			$url = add_query_arg( $payload, $webhook->url );
 			$args['method'] = 'GET';
-			error_log( "Payload (GET query params): " . wp_json_encode( $payload ) );
+			if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+				error_log( "Payload (GET query params): " . wp_json_encode( $payload ) );
+			}
 		} else {
 			$url = $webhook->url;
 			$args['method'] = strtoupper( $webhook->method );
@@ -63,20 +67,28 @@ public function handle( Webhook $webhook, array $payload ): void {
 				$args['headers']['Content-Type'] = 'application/json';
 			}
 			
-			error_log( "Payload ({$args['method']} body): " . $args['body'] );
-			error_log( "Payload size: " . strlen( $args['body'] ) . " bytes" );
+			if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+				error_log( "Payload ({$args['method']} body): " . $args['body'] );
+				error_log( "Payload size: " . strlen( $args['body'] ) . " bytes" );
+			}
 		}
 		
 		// Log headers
-		error_log( "Headers: " . wp_json_encode( $args['headers'] ) );
+		if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+			error_log( "Headers: " . wp_json_encode( $args['headers'] ) );
+		}
 		
 		// For test mode or debugging, optionally use blocking mode
 		if ( apply_filters( 'graphql_webhooks_test_mode', false, $webhook ) ) {
 			$args['blocking'] = true;
-			error_log( "Test mode enabled - using blocking request" );
+			if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+				error_log( "Test mode enabled - using blocking request" );
+			}
 		}
 		
-		error_log( "====================================\n" );
+		if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+			error_log( "====================================\n" );
+		}
 		
 		// Send the webhook
 		$start_time = microtime( true );
@@ -85,7 +97,7 @@ public function handle( Webhook $webhook, array $payload ): void {
 		$duration = round( ( $end_time - $start_time ) * 1000, 2 );
 		
 		// Log response if in blocking mode
-		if ( $args['blocking'] ) {
+		if ( $args['blocking'] && defined( 'WP_DEBUG' ) && WP_DEBUG ) {
 			if ( is_wp_error( $response ) ) {
 				error_log( "\n========== WEBHOOK ERROR ==========" );
 				error_log( "❌ ERROR: " . $response->get_error_message() );
diff --git a/plugins/wp-graphql-webhooks/src/Rest/WebhookTestEndpoint.php b/plugins/wp-graphql-webhooks/src/Rest/WebhookTestEndpoint.php
diff --git a/plugins/wp-graphql-webhooks/src/Services/PluginServiceLocator.php b/plugins/wp-graphql-webhooks/src/Services/PluginServiceLocator.php

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`"type": "wordpress-plugin",`
`4`	`4`	`"description": "A WordPress plugin for headless previews.",`
`5`	`5`	`"license": "GPL-2.0",`
`6`		`- "version": "0.0.7",`
	`6`	`+ "version": "0.0.8",`
`7`	`7`	`"authors": [`
`8`	`8`	`{`
`9`	`9`	`"name": "WP Engine Headless OSS Development Team",`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@wpengine/hwp-previews-wordpress-plugin",`
`3`		`- "version": "0.0.7",`
	`3`	`+ "version": "0.0.8",`
`4`	`4`	`"private": true,`
`5`	`5`	`"description": "Headless Previews solution for WordPress: fully configurable preview URLs via the settings page.",`
`6`	`6`	`"scripts": {`