
Security hardening: escaping, CSRF, SVN URL#81

Merged
Zodiac1978 merged 2 commits into Zodiac1978:develop from apermo:fix/security-hardening
Apr 14, 2026

Conversation

Contributor

@apermo apermo commented Apr 13, 2026

Summary

Fixes several security issues identified in #80:

  • Output escaping: All unescaped plugin header data, wp.org API responses, and internal values in render_table_row() are now wrapped with esc_html(), esc_url(), or esc_attr() as appropriate
  • CSRF protection: Cache clear action now requires a valid nonce via wp_nonce_url() / wp_verify_nonce()
  • SVN check: Switched from http://svn.wp-plugins.org/ (broken SSL cert, plain HTTP) to https://plugins.svn.wordpress.org/ with rawurlencode() on the slug. Behavior is identical (200 for existing, 404 for non-existent).
  • Capability check: settings_page() and the AJAX handler now use manage_sites on multisite, matching register_settings_page()

Closes #80

Test in WordPress Playground

Before (develop — baseline): Open in WordPress Playground

After (this branch — security hardened): Open in WordPress Playground

Pre-installed test plugins: Apermo Admin Bar (outdated), giWeather (closed/removed)

Test plan

  • Open both links — verify identical report page behavior (no regression)
  • In the After link, verify the "Clear cached plugin data" link now contains a nonce parameter
  • Verify closed plugins (giWeather) are still correctly detected via the new SVN URL

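The four changes listed in the description, as an added worked example that is not code from the plugin-report project or from the PR author. It is written against the real WordPress APIs the description names (esc_html()/esc_url()/esc_attr(), wp_nonce_url()/wp_verify_nonce(), current_user_can(), wp_remote_head()) and assumes it runs inside a WordPress admin request. The function names, the `pr_example_` prefix, the transient key, the action and nonce names, the admin page URL and the sample header/API fields are hypothetical; the "closed" versus "not found" mapping follows the PR's own statement that the SVN URL answers 200 for existing and 404 for non-existent slugs, and the `(string)` cast on the timestamp reflects the PHPStan fix noted in the second commit.

```php
<?php
// Added example, not the plugin-report project's code. Assumes WordPress is loaded.
// All names prefixed "pr_example_" are hypothetical.

// 1. Capability check: manage_sites on multisite, manage_options on single site.
function pr_example_required_cap() {
    return is_multisite() ? 'manage_sites' : 'manage_options';
}

// 2. Output escaping: every plugin-header or wp.org API value is escaped for the
//    context it lands in (HTML text, HTML attribute, URL). No raw echo of either.
function pr_example_render_row( array $plugin, array $api ) {
    $row  = '<tr>';
    $row .= '<td>' . esc_html( $plugin['Name'] ) . '</td>';
    $row .= '<td><a href="' . esc_url( $plugin['PluginURI'] ) . '">'
          . esc_html( $plugin['Version'] ) . '</a></td>';
    // esc_attr() takes a string; cast the int timestamp explicitly.
    $row .= '<td data-updated="' . esc_attr( (string) $api['last_updated_ts'] ) . '">'
          . esc_html( $api['status'] ) . '</td>';
    $row .= '</tr>';
    return $row;
}

// 3a. CSRF: the cache-clear link carries a nonce bound to a specific action name.
function pr_example_cache_clear_link() {
    $url = add_query_arg(
        'pr_example_action',
        'clear_cache',
        admin_url( 'tools.php?page=plugin-report' ) // hypothetical settings page
    );
    return wp_nonce_url( $url, 'pr_example_clear_cache', '_wpnonce' );
}

// 3b. The handler checks capability first, then the nonce, before doing anything.
function pr_example_handle_cache_clear() {
    if ( ! isset( $_GET['pr_example_action'] ) || 'clear_cache' !== $_GET['pr_example_action'] ) {
        return;
    }
    if ( ! current_user_can( pr_example_required_cap() ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'plugin-report' ), 403 );
    }
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'pr_example_clear_cache' ) ) {
        wp_die( esc_html__( 'Invalid or expired nonce.', 'plugin-report' ), 403 );
    }
    delete_transient( 'pr_example_plugin_cache' ); // hypothetical cache key
    wp_safe_redirect( remove_query_arg( array( 'pr_example_action', '_wpnonce' ) ) );
    exit;
}
add_action( 'admin_init', 'pr_example_handle_cache_clear' );

// 4. SVN existence check over HTTPS on the canonical host; the slug is
//    percent-encoded before it becomes a path segment. Returns the HTTP status
//    or null on transport error.
function pr_example_svn_status_code( $slug ) {
    $url      = 'https://plugins.svn.wordpress.org/' . rawurlencode( $slug ) . '/';
    $response = wp_remote_head( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) ) {
        return null;
    }
    return (int) wp_remote_retrieve_response_code( $response );
}

// Combine the wp.org API result with the SVN check, as the PR describes:
// not in the API but present in SVN (200) => closed; absent from both (404) => not found.
function pr_example_classify( $found_in_api, $svn_code ) {
    if ( $found_in_api ) {
        return 'active';
    }
    if ( 200 === $svn_code ) {
        return 'closed';
    }
    if ( 404 === $svn_code ) {
        return 'not_found';
    }
    return 'unknown'; // transport error or unexpected status: do not guess
}
```

The order in the handler matters: the capability check rejects unauthorised users before the nonce is even looked at, and the nonce check rejects a cross-site request from an authorised user whose browser was tricked into following the link. Returning `unknown` on a non-200/404 answer keeps a transient network failure from being reported as a missing plugin, which is the misclassification the old URL produced.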
- Add esc_html/esc_url/esc_attr to all unescaped
  output in render_table_row()
- Add nonce verification to cache clear handler
- Use wp_nonce_url for cache clear link
- Switch SVN check to HTTPS canonical domain
- Use rawurlencode on SVN slug
- Fix capability check for multisite in
  settings_page() and AJAX handler
apermo added a commit to apermo/plugin-report that referenced this pull request Apr 13, 2026
Same fix as PR Zodiac1978#81 — the old http://svn.wp-plugins.org
URL is broken, causing closed plugins to show as
"Not found" instead of "Closed".
DateTime::getTimestamp() returns int but esc_attr()
expects string. Fixes PHPStan build-test failure.
Owner

@Zodiac1978 Zodiac1978 left a comment


LGTM! Thanks for the PR :)

@Zodiac1978 Zodiac1978 merged commit bea9472 into Zodiac1978:develop Apr 14, 2026
1 check passed


Development

Successfully merging this pull request may close these issues.

Security hardening: output escaping, CSRF, SVN URL