EPS-1063: UAE Lite remove the instace of //phpcs:ignore WordPress.Security in the repo

README.md

@@ -129,6 +129,9 @@ To access the advanced features and premium widgets, you’ll need to upgrade to
 
 ## Changelog ##
 
+### 2.2.0.1 ###
+- Improvement: Enhanced the codebase to strengthen security measures.
+
 ### 2.2.0 ###
 - New: Ultimate Addons for Elementor now includes translations for Dutch, French, Spanish, and German enhancing multilingual accessibility.
 - Fix: Navigation Menu - Anchor links now correctly scroll to sections/container when submenu items with IDs are clicked.

admin/bsf-analytics/class-bsf-analytics.php

@@ -500,24 +500,35 @@ public function maybe_track_analytics() {
 		}
 
 		/**
-		 * Save analytics option to network.
-		 *
-		 * @param string $option name of option.
-		 * @param string $value value of option.
-		 * @return void
-		 * @since 1.0.0
-		 */
-		public function add_option_to_network( $option, $value ) {
-
-			// If action coming from general settings page.
-			if ( isset( $_POST['option_page'] ) && 'general' === $_POST['option_page'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing
+ * Save analytics option to network.
+ *
+ * @param string $option Name of the option.
+ * @param string $value Value of the option.
+ * @return void
+ * @since 1.0.0
+ */
+public function add_option_to_network( $option, $value ) {
+
+    // Verify nonce to prevent CSRF attacks.
+    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'general-options' ) ) {
+        return; // Stop execution if nonce is invalid.
+    }
+
+    // Ensure request is coming from the general settings page.
+    if ( isset( $_POST['option_page'] ) && 'general' === sanitize_text_field( wp_unslash( $_POST['option_page'] ) ) ) {
+
+        // Sanitize the option name and value
+        $option = sanitize_key( $option ); // Ensures the option name is safe
+        $value  = sanitize_text_field( $value ); // Ensures the value is safe
+
+        // Save the option securely
+        if ( get_site_option( $option ) ) {
+            update_site_option( $option, $value );
+        } else {
+            add_site_option( $option, $value );
+        }
+    }
+}
 
-				if ( get_site_option( $option ) ) {
-					update_site_option( $option, $value );
-				} else {
-					add_site_option( $option, $value );
-				}
-			}
-		}
 	}
 }

admin/class-hfe-addons-actions.php

@@ -84,7 +84,7 @@ public function hfe_plugin_install() {
 			$plugin_slug = isset( $_POST['slug'] ) && is_string( $_POST['slug'] ) ? sanitize_text_field( wp_unslash( $_POST['slug'] ) ) : '';
 
 			if ( empty( $plugin_slug ) ) {
-				wp_send_json_error( array( 'message' => __( 'Plugin slug is missing.', 'header-footer-elementor' ) ) );
+				wp_send_json_error( [ 'message' => __( 'Plugin slug is missing.', 'header-footer-elementor' ) ] );
 			}
 
 			// Schedule the database update if the plugin is installed successfully.
@@ -107,7 +107,7 @@ function () use ( $plugin_slug ) {
 				// @psalm-suppress NoValue
 				wp_ajax_install_plugin();
 			} else {
-				wp_send_json_error( array( 'message' => __( 'Plugin installation function not found.', 'header-footer-elementor' ) ) );
+				wp_send_json_error( [ 'message' => __( 'Plugin installation function not found.', 'header-footer-elementor' ) ] );
 			}
 		}
 
@@ -130,7 +130,7 @@ public function hfe_theme_install() {
 			$theme_slug = isset( $_POST['slug'] ) && is_string( $_POST['slug'] ) ? sanitize_text_field( wp_unslash( $_POST['slug'] ) ) : '';
 
 			if ( empty( $theme_slug ) ) {
-				wp_send_json_error( array( 'message' => __( 'Theme slug is missing.', 'header-footer-elementor' ) ) );
+				wp_send_json_error( [ 'message' => __( 'Theme slug is missing.', 'header-footer-elementor' ) ] );
 			}
 
 			// Schedule the database update if the theme is installed successfully.
@@ -153,7 +153,7 @@ function () use ( $theme_slug ) {
 				// @psalm-suppress NoValue
 				wp_ajax_install_theme();
 			} else {
-				wp_send_json_error( array( 'message' => __( 'Theme installation function not found.', 'header-footer-elementor' ) ) );
+				wp_send_json_error( [ 'message' => __( 'Theme installation function not found.', 'header-footer-elementor' ) ] );
 			}
 		}
 
@@ -272,32 +272,49 @@ public function hfe_admin_modal() {
 		 */
 		public function update_subscription() {
 
+			// Verify the nonce for security
 			check_ajax_referer( 'hfe-admin-nonce', 'nonce' );
-
+
+			// Check if the user has the required capability
 			if ( ! current_user_can( 'manage_options' ) ) {
-				wp_send_json_error( 'You can\'t perform this action.' );
+				wp_send_json_error( __( 'You can\'t perform this action.', 'header-footer-elementor' ) );
 			}
-
-			$api_domain = trailingslashit( $this->get_api_domain() );
-			// PHPCS:Ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
-			$arguments = isset( $_POST['data'] ) ? array_map( 'sanitize_text_field', json_decode( stripslashes( wp_unslash( $_POST['data'] ) ), true ) ) : [];
-
-			$url = add_query_arg( $arguments, $api_domain . 'wp-json/starter-templates/v1/subscribe/' ); // add URL of your site or mail API.
-
-			$response = wp_remote_post( $url, [ 'timeout' => 60 ] );
-
-			if ( ! is_wp_error( $response ) || wp_remote_retrieve_response_code( $response ) === 200 ) {
-				$response = json_decode( wp_remote_retrieve_body( $response ), true );
-
-				// Successfully subscribed.
-				if ( isset( $response['success'] ) && $response['success'] ) {
-					update_user_meta( get_current_user_ID(), 'hfe-subscribed', 'yes' );
-					wp_send_json_success( $response );
+
+			// Get API domain and ensure it is valid
+			$api_domain = esc_url( trailingslashit( $this->get_api_domain() ) );
+
+			// Sanitize and validate the input data
+			$arguments = [];
+			if ( isset( $_POST['data'] ) ) {
+				$decoded_data = json_decode( stripslashes( wp_unslash( $_POST['data'] ) ), true );
+
+				if ( is_array( $decoded_data ) ) {
+					$arguments = array_map( 'sanitize_text_field', $decoded_data );
 				}
+			}
+
+			// Ensure API endpoint is safe
+			$url = esc_url( add_query_arg( $arguments, $api_domain . 'wp-json/starter-templates/v1/subscribe/' ) ); // add URL of your site or mail API.
+
+			// Make the request with error handling
+			$response = wp_remote_post( $url, [ 'timeout' => 60 ] );
+
+			if ( is_wp_error( $response ) ) {
+				wp_send_json_error( [ 'error' => $response->get_error_message() ] );
+			}
+
+			$response_code = wp_remote_retrieve_response_code( $response );
+			$response_body = json_decode( wp_remote_retrieve_body( $response ), true );
+
+			// Check for a valid response
+			if ( $response_code === 200 && isset( $response_body['success'] ) && $response_body['success'] ) {
+				update_user_meta( get_current_user_ID(), 'hfe-subscribed', 'yes' );
+				wp_send_json_success( $response_body );
 			} else {
-				wp_send_json_error( $response );
+				wp_send_json_error( $response_body );
 			}
 		}
+
 
 		/**
 		 * Get the API URL.

admin/class-hfe-admin.php

@@ -47,7 +47,7 @@ public static function instance() {
 	 */
 	public static function load_admin() {
 		add_action( 'elementor/editor/after_enqueue_styles', __CLASS__ . '::hfe_admin_enqueue_scripts' );
-		add_action( 'admin_head', __CLASS__ . '::hfe_admin_enqueue_scripts' );		
+		add_action( 'admin_head', __CLASS__ . '::hfe_admin_enqueue_scripts' );      
 	}
 
 	/**
@@ -107,24 +107,24 @@ private function __construct() {
 
 
 
-/**
- * Hide admin notices on the custom settings page.
- *
- * @since x.x.x
- * @return void
- */
-public static function hide_admin_notices() {
-    $screen = get_current_screen();
-    $pages_to_hide_notices = array(
-        'edit-elementor-hf',     // Edit screen for elementor-hf post type
-        'elementor-hf',          // New post screen for elementor-hf post type
-    );
-
-    if ( in_array( $screen->id, $pages_to_hide_notices ) || 'toplevel_page_hfe' === $screen->id ) {
-        remove_all_actions( 'admin_notices' );
-        remove_all_actions( 'all_admin_notices' );
-    }
-}
+	/**
+	 * Hide admin notices on the custom settings page.
+	 *
+	 * @since x.x.x
+	 * @return void
+	 */
+	public static function hide_admin_notices() {
+		$screen                = get_current_screen();
+		$pages_to_hide_notices = [
+			'edit-elementor-hf',     // Edit screen for elementor-hf post type
+			'elementor-hf',          // New post screen for elementor-hf post type
+		];
+
+		if ( in_array( $screen->id, $pages_to_hide_notices ) || 'toplevel_page_hfe' === $screen->id ) {
+			remove_all_actions( 'admin_notices' );
+			remove_all_actions( 'all_admin_notices' );
+		}
+	}
 
 	/**
 	 * Script for Elementor Pro full site editing support.
@@ -288,15 +288,15 @@ public function header_footer_posttype() {
 			'menu_icon'           => 'dashicons-editor-kitchensink',
 			'supports'            => [ 'title', 'thumbnail', 'elementor' ],
 			'menu_position'       => 5,
-			'capabilities'        => array(
+			'capabilities'        => [
 				'edit_post'          => 'manage_options',
 				'read_post'          => 'read',
 				'delete_post'        => 'manage_options',
 				'edit_posts'         => 'manage_options',
 				'edit_others_posts'  => 'manage_options',
 				'publish_posts'      => 'manage_options',
 				'read_private_posts' => 'manage_options',
-			),
+			],
 		];
 
 		register_post_type( 'elementor-hf', $args );

build/main.asset.php

@@ -1 +1,4 @@
-<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-dom-ready', 'wp-element', 'wp-i18n', 'wp-polyfill'), 'version' => '040f153744e2d6563457');
+<?php return [
+	'dependencies' => [ 'react', 'react-dom', 'wp-api-fetch', 'wp-dom-ready', 'wp-element', 'wp-i18n', 'wp-polyfill' ],
+	'version'      => '92b2f0f86f5a8ad9d301',
+];

build/main.css

@@ -1,4 +1,10 @@
+/*!************************************************************************************************************!*\
+  !*** css ./node_modules/css-loader/dist/cjs.js!./node_modules/postcss-loader/dist/cjs.js!./src/styles.css ***!
+  \************************************************************************************************************/
 @import url(https://fonts.googleapis.com/css?family=Josefin+Sans);
+/*!****************************************************************************************************************************************!*\
+  !*** css ./node_modules/css-loader/dist/cjs.js!./node_modules/postcss-loader/dist/cjs.js!./node_modules/@fontsource/figtree/index.css ***!
+  \****************************************************************************************************************************************/
 /* figtree-latin-ext-400-normal */
 @font-face {
   font-family: 'Figtree';
@@ -18,6 +24,9 @@
   src: url(/8fbf595b398521a13438.woff2) format('woff2'), url(/0fe49b37405de5564a8c.woff) format('woff');
   unicode-range: U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+0304,U+0308,U+0329,U+2000-206F,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD;
 }
+/*!**************************************************************************************************************************************!*\
+  !*** css ./node_modules/css-loader/dist/cjs.js!./node_modules/postcss-loader/dist/cjs.js!./node_modules/@fontsource/figtree/400.css ***!
+  \**************************************************************************************************************************************/
 /* figtree-latin-ext-400-normal */
 @font-face {
   font-family: 'Figtree';
@@ -37,6 +46,9 @@
   src: url(/8fbf595b398521a13438.woff2) format('woff2'), url(/0fe49b37405de5564a8c.woff) format('woff');
   unicode-range: U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+0304,U+0308,U+0329,U+2000-206F,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD;
 }
+/*!*********************************************************************************************************************************************!*\
+  !*** css ./node_modules/css-loader/dist/cjs.js!./node_modules/postcss-loader/dist/cjs.js!./node_modules/@fontsource/figtree/400-italic.css ***!
+  \*********************************************************************************************************************************************/
 /* figtree-latin-ext-400-italic */
 @font-face {
   font-family: 'Figtree';
@@ -56,6 +68,9 @@
   src: url(/0c658d1bd687fc3b8ae1.woff2) format('woff2'), url(/2cd6f384ab13d382a241.woff) format('woff');
   unicode-range: U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+0304,U+0308,U+0329,U+2000-206F,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD;
 }
+/*!****************************************************************************************************************!*\
+  !*** css ./node_modules/css-loader/dist/cjs.js!./node_modules/postcss-loader/dist/cjs.js!./src/styles.css (1) ***!
+  \****************************************************************************************************************/
 *, ::before, ::after{
     --tw-border-spacing-x: 0;
     --tw-border-spacing-y: 0;
@@ -4334,5 +4349,3 @@ div#hfe-settings-app {
     height: 1.5rem;
 }
 
-
-/*# sourceMappingURL=main.css.map*/