
v4.6.5 #366

Merged
apinto-uc merged 5 commits into master from v4.6.5 on Mar 3, 2026

Conversation

apinto-uc (Collaborator) commented Mar 3, 2026

User description

New Features

  • Added Privacy Policy Generator (PPG) plugin page — install and activate the Usercentrics Privacy Policy Generator directly from the Cookiebot admin
  • Added PPG promotional banner to dashboard pages for connected accounts
  • Added WooCommerce addon to block Order Attribution Tracking scripts (SourceBuster) until consent is given
  • Added "NEW" badge and separator to the sidebar navigation for the Policy Generator Plugin tab

Improvements

  • Added user capability checks for admin actions in notices, network settings, and survey submissions
  • Sanitized and unslashed all input data across settings, cookie consent, and AJAX handlers
  • Escaped dynamic values in error and exception messages to prevent potential XSS
  • Added JSON validation for user data payloads before storing
  • Redesigned dashboard cards into a side-by-side layout with bordered styling for connected accounts
  • Updated feedback link styling

CodeAnt-AI Description

Add Policy Generator admin page, PPG dashboard promo, WooCommerce script blocking, and admin input hardening

What Changed

  • Admin: New "Policy Generator Plugin" page in the Cookiebot settings that lets admins install and activate the Usercentrics Privacy Policy Generator plugin from the WordPress admin (with install/activate buttons and AJAX flows).
  • Admin UI: Dashboard now shows a promotional PPG banner for connected accounts and adds a side-by-side, bordered layout for some dashboard cards; the settings sidebar includes a separated "Policy Generator Plugin" tab with a "NEW" badge.
  • Addon: New WooCommerce addon blocks WooCommerce Order Attribution Tracking scripts (SourceBuster) until user consent is given.
  • Security & robustness: Admin actions and AJAX handlers now check user capabilities, unslash and sanitize incoming inputs, validate JSON payloads before storing, and escape dynamic values in messages to reduce XSS and malformed-data errors.

Impact

✅ Install privacy policy plugin from dashboard
✅ Blocks WooCommerce order attribution until consent
✅ Clearer admin-side errors and reduced XSS risk

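
The hardening items in the Improvements list above (capability checks, unslash then sanitize, JSON validation before storing, escaped dynamic values in messages) are steps of one procedure for a WordPress AJAX handler, and the Qodo review further down notes that the JSON check in ajax_post_user_data() verifies syntax but not the decoded type. The block below is an added example, not code from the Cookiebot plugin or from this PR. The AJAX action name, the nonce action, the `user_data` POST field, the `cb_example_` function names and the expected payload shape (`subscriptions.active`, `subscriptions.plan`) are assumptions; the `cookiebot-user-data` option name is the one the review cites, and every WordPress function used is a real core function.

```php
<?php
/**
 * Added example (not Cookiebot's Account_Service::ajax_post_user_data): one AJAX handler
 * that applies every hardening step the changelog lists, in the order they must run.
 * ASSUMED: the action name, nonce action, the 'user_data' POST field, the cb_example_
 * names and the payload shape. 'cookiebot-user-data' is the option named in the review.
 */

add_action( 'wp_ajax_cb_post_user_data', 'cb_example_ajax_post_user_data' );

function cb_example_ajax_post_user_data() {
	// 1. Authorization before touching input: the nonce blocks CSRF, the capability blocks
	//    any logged-in subscriber, who can otherwise reach every wp_ajax_* action.
	check_ajax_referer( 'cb_user_data_nonce', 'nonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 2. Unslash first: WordPress adds magic-quote slashes to $_POST, so raw JSON arrives as
	//    {\"subscriptions\":...} and would fail to decode. Do not run a text sanitizer over the
	//    JSON string itself (it would alter structural characters); sanitize the decoded fields.
	$raw_data = isset( $_POST['user_data'] ) ? wp_unslash( $_POST['user_data'] ) : '';
	if ( ! is_string( $raw_data ) || '' === $raw_data ) {
		wp_send_json_error( array( 'message' => 'Missing user data.' ), 400 );
	}

	// 3. Syntax AND type: true, "x" and null are well-formed JSON that decode to scalars,
	//    and code that later reads $data['subscriptions']['active'] assumes an array.
	//    A small depth limit stops a client from handing us a pathologically nested document.
	$data = json_decode( $raw_data, true, 8 );
	if ( JSON_ERROR_NONE !== json_last_error() || ! is_array( $data ) ) {
		wp_send_json_error( array( 'message' => 'Invalid user data format.' ), 400 );
	}

	// 4. Reject keys we do not know. The offending key is echoed back escaped, because the
	//    admin JS renders these messages into the page.
	$unknown = array_diff( array_keys( $data ), array( 'subscriptions' ) );
	if ( ! empty( $unknown ) ) {
		wp_send_json_error(
			array( 'message' => sprintf( 'Unknown field: %s', esc_html( (string) reset( $unknown ) ) ) ),
			400
		);
	}

	// 5. Normalize to the exact shape downstream readers expect, then store only that.
	$clean = cb_example_normalize_user_data( $data );
	if ( null === $clean ) {
		wp_send_json_error( array( 'message' => 'Unexpected user data shape.' ), 400 );
	}
	update_option( 'cookiebot-user-data', $clean, false ); // autoload=false: read on admin pages only

	wp_send_json_success( array( 'stored' => $clean ) );
}

/**
 * Whitelist known keys with their expected types. Returns null when the required
 * 'subscriptions' object is missing so the caller can reject the payload.
 */
function cb_example_normalize_user_data( array $data ) {
	if ( ! isset( $data['subscriptions'] ) || ! is_array( $data['subscriptions'] ) ) {
		return null;
	}
	$subs = $data['subscriptions'];
	return array(
		'subscriptions' => array(
			'active' => ! empty( $subs['active'] ),
			'plan'   => ( isset( $subs['plan'] ) && is_string( $subs['plan'] ) )
				? sanitize_key( $subs['plan'] )
				: '',
		),
	);
}
```

The ordering matters: authorization runs before any input is read, unslashing runs before decoding (a slashed JSON string never decodes), and the type check sits next to the syntax check so that `null`, `true` or `"x"` cannot reach update_option(). wp_send_json_error() ends the request with wp_die(), which is why no `return` follows it.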

codeant-ai bot commented Mar 3, 2026

CodeAnt AI is reviewing your PR.



qodo-code-review bot

Review Summary by Qodo

v4.6.5 - Privacy Policy Generator plugin integration and security enhancements

✨ Enhancement 🐞 Bug fix


Walkthroughs

Description
• Added Privacy Policy Generator plugin page with install/activate functionality
• Implemented WooCommerce addon to block Order Attribution Tracking scripts
• Enhanced security with input sanitization, unslashing, and XSS prevention
• Added user capability checks for admin actions across multiple handlers
• Redesigned dashboard cards to side-by-side layout with bordered styling
• Added JSON validation for user data payloads before storage
Diagram
flowchart LR
  A["Plugin Version<br/>4.6.5"] --> B["PPG Plugin Page"]
  A --> C["WooCommerce Addon"]
  A --> D["Security Hardening"]
  B --> B1["Install/Activate UI"]
  B --> B2["PPG Banner on Dashboard"]
  C --> C1["Block SourceBuster Scripts"]
  D --> D1["Input Sanitization"]
  D --> D2["XSS Prevention"]
  D --> D3["Capability Checks"]
  D --> D4["JSON Validation"]

File Changes

1. cookiebot.php (⚙️ Configuration changes, +1/-1): Update plugin version to 4.6.5
2. src/addons/Cookiebot_Addons.php (Security enhancement, +2/-2): Escape addon class names in error messages
3. src/addons/addons.php (✨ Enhancement, +2/-0): Add WooCommerce addon to supported addons list
4. src/addons/controller/addons/Base_Cookiebot_Addon.php (Security enhancement, +3/-3): Escape dynamic values in validation error messages
5. src/addons/controller/addons/woocommerce/WooCommerce.php (✨ Enhancement, +33/-0): New WooCommerce addon blocking Order Attribution scripts
6. src/admin_notices/Cookiebot_Base_Notice.php (Security enhancement, +6/-2): Add capability checks and sanitize nonce verification
7. src/lib/Account_Service.php (Security enhancement, +14/-8): Sanitize and unslash all POST input data in AJAX handlers
8. src/lib/Cookie_Consent.php (Security enhancement, +1/-1): Sanitize and unslash cookie consent data
9. src/lib/Cookiebot_Review.php (Security enhancement, +2/-2): Add capability checks and sanitize survey submission data
10. src/lib/Cookiebot_WP.php (✨ Enhancement, +4/-2): Update version constant and register PPG page hooks
11. src/lib/Dependency_Container.php (Security enhancement, +2/-2): Escape dynamic values in exception messages
12. src/lib/helper.php (Security enhancement, +5/-5): Escape file paths in exception messages
13. src/lib/traits/Class_Constant_Override_Validator_Trait.php (Security enhancement, +11/-11): Escape dynamic values in validation error messages
14. src/settings/Menu_Settings.php (✨ Enhancement, +2/-0): Add PPG page to admin menu configuration
15. src/settings/Network_Menu_Settings.php (Security enhancement, +11/-7): Add capability checks and sanitize network settings input
16. src/settings/pages/PPG_Page.php (✨ Enhancement, +162/-0): New Privacy Policy Generator plugin management page
17. src/view/admin/cb_frame/dashboard-page.php (✨ Enhancement, +32/-25): Redesign dashboard cards to side-by-side layout with PPG banner
18. src/view/admin/cb_frame/settings-page.php (Security enhancement, +1/-1): Sanitize active tab parameter from GET request
19. src/view/admin/common/dashboard-page-old.php (✨ Enhancement, +32/-25): Redesign dashboard cards to side-by-side layout with PPG banner
20. src/view/admin/common/ppg-page.php (✨ Enhancement, +54/-0): New PPG plugin page template with install/activate buttons
21. src/view/admin/common/settings-page.php (Security enhancement, +1/-1): Sanitize active tab parameter from GET request
22. src/view/admin/common/templates/main-tabs.php (✨ Enhancement, +12/-0): Add PPG tab with NEW badge and separator to navigation
23. src/view/admin/common/templates/ppg-banner.php (✨ Enhancement, +45/-0): New promotional banner template for Privacy Policy Generator
24. src/view/admin/uc_frame/dashboard-page.php (✨ Enhancement, +22/-19): Redesign dashboard cards to side-by-side layout with PPG banner
25. src/view/admin/uc_frame/settings-page.php (Security enhancement, +1/-1): Sanitize active tab parameter from GET request
26. assets/js/backend/ppg-page.js (✨ Enhancement, +83/-0): New JavaScript for PPG plugin install and activate functionality
27. assets/css/backend/cookiebot_admin_main.css (✨ Enhancement, +33/-1): Add styles for PPG tab badge, separator, and feedback link
28. assets/css/backend/dashboard-old.css (✨ Enhancement, +124/-0): Add styles for side-by-side card layout and PPG banner
29. assets/css/backend/ppg_page.css (✨ Enhancement, +70/-0): New stylesheet for PPG plugin page layout and styling
30. .phpcs-security.xml (⚙️ Configuration changes, +19/-0): New PHPCS configuration for security-focused code analysis
31. readme.txt (📝 Documentation, +23/-1): Update version and add changelog for v4.6.5 release

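
Item 5 in the file list above is a WooCommerce addon that withholds the Order Attribution (SourceBuster) scripts until consent is given. The addon's own code is not on this page; the block below is an added, self-contained illustration of the standard way to hold back an enqueued script on a Cookiebot site, and is not the plugin's addon class. It rewrites the tag WordPress prints for the handle to `type="text/plain"` with a `data-cookieconsent` category, which Cookiebot's client-side SDK turns back into an executable script once the visitor accepts that category. The script handles `sourcebuster-js` and `wc-order-attribution`, the choice of the `marketing` category and the `cb_example_` names are assumptions; `script_loader_tag`, `esc_attr` and `add_filter` are WordPress core.

```php
<?php
/**
 * Added example (not the plugin's WooCommerce addon class): gate WooCommerce's order-attribution
 * scripts behind Cookiebot marketing consent by rewriting their <script> tags. Cookiebot's
 * client SDK re-executes type="text/plain" scripts that carry a data-cookieconsent attribute
 * once the visitor accepts that category.
 * ASSUMED: the script handles, the 'marketing' category choice, and the cb_example_ names.
 */

const CB_EXAMPLE_GATED_SCRIPTS = array(
	'sourcebuster-js'      => 'marketing', // assumed handle of the SourceBuster library
	'wc-order-attribution' => 'marketing', // assumed handle of WooCommerce's attribution glue
);

/**
 * script_loader_tag callback. Returns the tag unchanged for handles we do not gate;
 * otherwise forces type="text/plain" and adds the consent-category attribute.
 */
function cb_example_gate_script_tag( $tag, $handle, $src ) {
	if ( ! isset( CB_EXAMPLE_GATED_SCRIPTS[ $handle ] ) ) {
		return $tag;
	}
	$category = CB_EXAMPLE_GATED_SCRIPTS[ $handle ];

	// Themes with html5 'script' support print no type attribute; older markup prints
	// type="text/javascript". Handle both without disturbing the remaining attributes.
	$type_re = '/\stype=(["\'])[^"\']*\1/i';
	if ( preg_match( $type_re, $tag ) ) {
		$tag = preg_replace( $type_re, ' type="text/plain"', $tag, 1 );
	} else {
		$tag = preg_replace( '/<script\b/i', '<script type="text/plain"', $tag, 1 );
	}

	// The category tells the consent SDK which acceptance unlocks this script.
	return preg_replace(
		'/<script\b/i',
		'<script data-cookieconsent="' . esc_attr( $category ) . '"',
		$tag,
		1
	);
}
add_filter( 'script_loader_tag', 'cb_example_gate_script_tag', 10, 3 );
```

Two caveats a practitioner should check on a real site. Scripts attached with wp_add_inline_script() print as their own tags and do not pass through `script_loader_tag`; on recent WordPress versions those tags go through wp_print_inline_script_tag(), whose `wp_inline_script_attributes` filter can apply the same two attributes, so any attribution bootstrap data localized to the handle needs the same treatment. The filter also does nothing for markup a plugin echoes directly rather than enqueues, so the meaningful test is to load the checkout page with no consent cookie set and grep the HTML for an executable tag referencing the script.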

qodo-code-review bot commented Mar 3, 2026

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)

Action required

1. JSON decoded type unchecked 🐞 Bug ⛯ Reliability
Description
AJAX handlers accept any syntactically-valid JSON and store the decoded result even if it’s a scalar
(string/bool/null). Downstream code assumes these options are arrays and reads nested keys, which
can trigger PHP “illegal offset” warnings and break subscription/banner/config logic.
Code

src/lib/Account_Service.php[R153-158]

		$data = json_decode( $raw_data, true );
+		if ( json_last_error() !== JSON_ERROR_NONE ) {
+			wp_send_json_error( 'Invalid user data format', 400 );
+			return;
+		}
		update_option( 'cookiebot-user-data', $data );
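
Review bot: the json_last_error() check added in this hunk only rejects malformed JSON; `null`, `true`, `42` and `"x"` are all well-formed and decode to scalars that then reach update_option(), so the guard needs a type check too, e.g. `if ( JSON_ERROR_NONE !== json_last_error() || ! is_array( $data ) )`. Checking the error code rather than `null === $data` is the right primitive here, since the literal `null` also decodes to null; keep that. The `return;` after wp_send_json_error() never executes (it ends the request with wp_die()), which is harmless, but a one-line comment saying so will stop the next reader from wondering whether the early exit is missing. Since update_option() persists whatever shape the client sent, consider also whitelisting the keys stored rather than saving the decoded array wholesale.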
Evidence
ajax_post_user_data stores json_decode output without ensuring it’s an array.
Cookiebot_WP::has_upgraded() later indexes into the stored option as an array
(subscriptions/active), which is unsafe if a scalar was stored.

src/lib/Account_Service.php[139-161]
src/lib/Cookiebot_WP.php[666-676]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`ajax_post_user_data()` stores JSON-decoded data even when the decoded value is not an array (e.g., scalar JSON like `true`, `"x"`, `null`). Downstream code indexes into `cookiebot-user-data` assuming an array shape, which can cause PHP warnings/incorrect behavior.

### Issue Context
The PR added JSON syntax validation via `json_last_error()`, but it doesn’t enforce the expected decoded type.

### Fix Focus Areas
- src/lib/Account_Service.php[139-161]
- src/lib/Cookiebot_WP.php[666-676]

### Implementation notes
- After `json_decode(..., true)`, add `if ( ! is_array( $data ) ) { wp_send_json_error(..., 400); return; }`.
- Optionally validate presence of expected keys (e.g., `subscriptions`) before saving, or normalize to an empty array.




Remediation recommended

2. activate_plugin include missing 🐞 Bug ⛯ Reliability
Description
The new PPG activation AJAX handler calls activate_plugin() without ensuring
wp-admin/includes/plugin.php is loaded. In contexts where that file isn’t already included, this can
fatal-error the AJAX request and leave the UI stuck/resetting without activating the plugin.
Code

src/settings/pages/PPG_Page.php[R47-51]

+		$result = activate_plugin( self::PPG_PLUGIN_SLUG );
+
+		if ( is_wp_error( $result ) ) {
+			wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
+		}
Evidence
PPG_Page already defensively requires wp-admin/includes/plugin.php before using other plugin
functions (get_plugins/is_plugin_active). However, ajax_activate_plugin() calls activate_plugin()
directly without the same guard, creating an inconsistency and potential undefined-function fatal in
some load paths.

src/settings/pages/PPG_Page.php[32-53]
src/settings/pages/PPG_Page.php[146-161]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`PPG_Page::ajax_activate_plugin()` calls `activate_plugin()` without ensuring the function is available. The class already guards other plugin API calls with `require_once wp-admin/includes/plugin.php`, so this is inconsistent and can cause fatal errors in some load contexts.

### Issue Context
AJAX handlers should be robust against differing include/load sequences. If `activate_plugin()` is unavailable, the request will fatal and the UI will not complete activation.

### Fix Focus Areas
- src/settings/pages/PPG_Page.php[32-53]
- src/settings/pages/PPG_Page.php[146-161]

### Implementation notes
- Before calling `activate_plugin()`, add:
 - `if ( ! function_exists( 'activate_plugin' ) ) { require_once ABSPATH . 'wp-admin/includes/plugin.php'; }`
- Optionally add `return;` after `wp_send_json_error(...)` calls for readability (even though WP exits).



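
Bug 2 above is a load-order problem, but the activation handler is also the most privileged action this PR adds, so the include guard and the authorization belong together. The block below is an added example, not PPG_Page::ajax_activate_plugin() or any other code from the plugin: the AJAX action and nonce names, the plugin file path in `CB_EXAMPLE_PPG_PLUGIN_FILE` and the `cb_example_` function names are assumptions, while check_ajax_referer(), current_user_can(), get_plugins(), is_plugin_active(), activate_plugin() and the wp_send_json_* functions are WordPress core.

```php
<?php
/**
 * Added example (not PPG_Page::ajax_activate_plugin): activate a known plugin from an AJAX
 * request without depending on which WordPress includes happen to be loaded.
 * ASSUMED: the action/nonce names, the plugin file path and the cb_example_ names.
 */

const CB_EXAMPLE_PPG_PLUGIN_FILE = 'usercentrics-privacy-policy-generator/usercentrics-privacy-policy-generator.php';

/**
 * activate_plugin(), get_plugins() and is_plugin_active() live in wp-admin/includes/plugin.php.
 * admin-ajax.php bootstraps the admin includes, but REST, cron and front-end requests do not,
 * so guard the include instead of assuming the caller's load path.
 */
function cb_example_require_plugin_api() {
	if ( ! function_exists( 'activate_plugin' ) || ! function_exists( 'get_plugins' ) ) {
		require_once ABSPATH . 'wp-admin/includes/plugin.php';
	}
}

function cb_example_ajax_activate_ppg() {
	// Authorization before any side effect: the CSRF token, then the capability that actually
	// governs plugin activation rather than a generic manage_options check.
	check_ajax_referer( 'cb_ppg_nonce', 'nonce' );
	if ( ! current_user_can( 'activate_plugins' ) ) {
		wp_send_json_error( array( 'message' => 'You are not allowed to activate plugins.' ), 403 );
	}

	cb_example_require_plugin_api();

	// Never take the plugin path from the request: activate only the one the page ships a
	// button for, and only if it is really installed. activate_plugin() would return a
	// WP_Error for a missing file anyway, but a 404 is a clearer signal to the install flow.
	$installed = get_plugins();
	if ( ! isset( $installed[ CB_EXAMPLE_PPG_PLUGIN_FILE ] ) ) {
		wp_send_json_error( array( 'message' => 'The plugin is not installed.' ), 404 );
	}
	if ( is_plugin_active( CB_EXAMPLE_PPG_PLUGIN_FILE ) ) {
		wp_send_json_success( array( 'message' => 'The plugin is already active.' ) );
	}

	$result = activate_plugin( CB_EXAMPLE_PPG_PLUGIN_FILE );
	if ( is_wp_error( $result ) ) {
		// Activation errors can embed text from the plugin's own header or output;
		// escape before the admin JS drops the message into the page.
		wp_send_json_error( array( 'message' => esc_html( $result->get_error_message() ) ), 500 );
		return; // unreachable (wp_send_json_error exits), kept so the control flow reads plainly
	}

	wp_send_json_success( array( 'message' => 'Plugin activated.' ) );
}
add_action( 'wp_ajax_cb_activate_ppg', 'cb_example_ajax_activate_ppg' );
```

The `wp_ajax_` prefix (without `wp_ajax_nopriv_`) already restricts the action to logged-in users, but every logged-in role can reach it, which is why the capability check is not optional. Keying the lookup on a constant rather than a request parameter closes the obvious variant where an attacker supplies a different plugin path.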

codeant-ai bot added the size:XL label (This PR changes 500-999 lines, ignoring generated files) on Mar 3, 2026
Comment on lines 153 to 158
$data = json_decode( $raw_data, true );
if ( json_last_error() !== JSON_ERROR_NONE ) {
wp_send_json_error( 'Invalid user data format', 400 );
return;
}
update_option( 'cookiebot-user-data', $data );


Action required

1. Json decoded type unchecked 🐞 Bug ⛯ Reliability

AJAX handlers accept any syntactically-valid JSON and store the decoded result even if it’s a scalar
(string/bool/null). Downstream code assumes these options are arrays and reads nested keys, which
can trigger PHP “illegal offset” warnings and break subscription/banner/config logic.
Agent Prompt
### Issue description
`ajax_post_user_data()` stores JSON-decoded data even when the decoded value is not an array (e.g., scalar JSON like `true`, `"x"`, `null`). Downstream code indexes into `cookiebot-user-data` assuming an array shape, which can cause PHP warnings/incorrect behavior.

### Issue Context
The PR added JSON syntax validation via `json_last_error()`, but it doesn’t enforce the expected decoded type.

### Fix Focus Areas
- src/lib/Account_Service.php[139-161]
- src/lib/Cookiebot_WP.php[666-676]

### Implementation notes
- After `json_decode(..., true)`, add `if ( ! is_array( $data ) ) { wp_send_json_error(..., 400); return; }`.
- Optionally validate presence of expected keys (e.g., `subscriptions`) before saving, or normalize to an empty array.


codeant-ai bot commented Mar 3, 2026

CodeAnt AI finished reviewing your PR.

sonarqubecloud bot commented Mar 3, 2026

apinto-uc merged commit d11d1c6 into master on Mar 3, 2026
11 checks passed
apinto-uc deleted the v4.6.5 branch on March 3, 2026 14:58
2 participants