Release v0.7.0 - Security Hardening

Security Fixes:
- Fixed XSS vulnerability in checkout blocks DOM injection (replaced innerHTML with safe DOM methods)
- Unified IP detection for rate limiting across all API endpoints (new IpDetectionTrait)
- Added rate limiting to license transfers (5/hour) and downloads (30/hour) (new RateLimitTrait)
- Added file size limit (2MB), row limit (1000), and rate limiting to CSV import
- Added JSON decode error handling in StoreApiExtension
- Added license ID validation in frontend.js to prevent selector injection

New Files:
- src/Api/IpDetectionTrait.php - Shared IP detection with proxy support
- src/Common/RateLimitTrait.php - Reusable rate limiting for frontend operations

Breaking Changes:
- None

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

src/Checkout/StoreApiExtension.php

@@ -200,6 +200,11 @@ final class StoreApiExtension
     {
         $requestData = json_decode(file_get_contents('php://input'), true);
 
+        // Handle JSON decode errors gracefully
+        if (json_last_error() !== JSON_ERROR_NONE) {
+            $requestData = null;
+        }
+
         if (SettingsController::isMultiDomainEnabled()) {
             $this->processMultiDomainOrder($order, $requestData);
         } else {
@@ -270,7 +275,7 @@ final class StoreApiExtension
         // Check for wclp_license_domains (from our hidden input - JSON string)
         if (empty($domainData) && isset($requestData['wclp_license_domains'])) {
             $parsed = json_decode($requestData['wclp_license_domains'], true);
-            if (is_array($parsed)) {
+            if (json_last_error() === JSON_ERROR_NONE && is_array($parsed)) {
                 $domainData = $this->normalizeDomainsData($parsed);
             }
         }