Release v0.7.0 - Security Hardening

Security Fixes: - Fixed XSS vulnerability in checkout blocks DOM injection (replaced innerHTML with safe DOM methods) - Unified IP detection for rate limiting across all API endpoints (new IpDetectionTrait) - Added rate limiting to license transfers (5/hour) and downloads (30/hour) (new RateLimitTrait) - Added file size limit (2MB), row limit (1000), and rate limiting to CSV import - Added JSON decode error handling in StoreApiExtension - Added license ID validation in frontend.js to prevent selector injection New Files: - src/Api/IpDetectionTrait.php - Shared IP detection with proxy support - src/Common/RateLimitTrait.php - Reusable rate limiting for frontend operations Breaking Changes: - None Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 11:27:08 +01:00
parent d0af939f5e
commit b50969f701
12 changed files with 500 additions and 211 deletions
--- a/assets/js/frontend.js
+++ b/assets/js/frontend.js
@@ -11,6 +11,14 @@
        $modal: null,
        $form: null,

+        /**
+         * Sanitize a value for safe use in jQuery selectors
+         * License IDs should be numeric only
+         */
+        sanitizeForSelector: function(value) {
+            return String(value).replace(/[^\d]/g, '');
+        },
+
        init: function() {
            this.$modal = $('#wclp-transfer-modal');
            this.$form = $('#wclp-transfer-form');
@@ -171,6 +179,11 @@
            var licenseId = $btn.data('license-id');
            var currentDomain = $btn.data('current-domain');

+            // Validate license ID is numeric
+            if (!licenseId || !/^\d+$/.test(String(licenseId))) {
+                return;
+            }
+
            $('#transfer-license-id').val(licenseId);
            $('#transfer-current-domain').text(currentDomain);
            $('#transfer-new-domain').val('');
@@ -235,9 +248,12 @@
                            .removeClass('error').addClass('success').show();

                        // Update the domain display in the license card
-                        var $domainDisplay = $('.license-domain-display[data-license-id="' + licenseId + '"]');
-                        $domainDisplay.find('.domain-value').text(response.data.new_domain);
-                        $domainDisplay.find('.wclp-transfer-btn').data('current-domain', response.data.new_domain);
+                        var safeLicenseId = self.sanitizeForSelector(licenseId);
+                        if (safeLicenseId) {
+                            var $domainDisplay = $('.license-domain-display[data-license-id="' + safeLicenseId + '"]');
+                            $domainDisplay.find('.domain-value').text(response.data.new_domain);
+                            $domainDisplay.find('.wclp-transfer-btn').data('current-domain', response.data.new_domain);
+                        }

                        // Close modal after a short delay
                        setTimeout(function() {