magdev/wc-licensed-product
1
Fork 0
Code Issues Pull Requests Actions Releases 4 Activity

Security improvements and API compatibility fixes (v0.3.6)

Browse Source 
- Add recursive key sorting for response signing compatibility
- Fix IP header spoofing in rate limiting with trusted proxy support
- Add CSRF protection to CSV export with nonce verification
- Explicit Twig autoescape for XSS prevention
- Escape status values in CSS classes
- Update README with security documentation and trusted proxy config
- Update translations for v0.3.6

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Marco Grätsch
2026-01-23 21:18:32 +01:00
parent c7967f71ab
commit 35d802c2b8
11 changed files with 669 additions and 392 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/Plugin.php
View File

@@ -98,6 +98,7 @@ final class Plugin
$this->twig = new Environment($loader, [
'cache' => WP_CONTENT_DIR . '/cache/wc-licensed-product/twig',
'auto_reload' => true, // Always check for template changes
'autoescape' => 'html', // Explicitly enable HTML autoescape for XSS protection
]);
// Add WordPress functions as Twig functions