Release v0.7.0 - Security Hardening

Security Fixes:
- Fixed XSS vulnerability in checkout blocks DOM injection (replaced innerHTML with safe DOM methods)
- Unified IP detection for rate limiting across all API endpoints (new IpDetectionTrait)
- Added rate limiting to license transfers (5/hour) and downloads (30/hour) (new RateLimitTrait)
- Added file size limit (2MB), row limit (1000), and rate limiting to CSV import
- Added JSON decode error handling in StoreApiExtension
- Added license ID validation in frontend.js to prevent selector injection

New Files:
- src/Api/IpDetectionTrait.php - Shared IP detection with proxy support
- src/Common/RateLimitTrait.php - Reusable rate limiting for frontend operations

Breaking Changes:
- None

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

src/Frontend/AccountController.php

@@ -10,6 +10,7 @@ declare(strict_types=1);
 namespace Jeremias\WcLicensedProduct\Frontend;
 
 use Jeremias\WcLicensedProduct\Api\ResponseSigner;
+use Jeremias\WcLicensedProduct\Common\RateLimitTrait;
 use Jeremias\WcLicensedProduct\License\LicenseManager;
 use Jeremias\WcLicensedProduct\Product\VersionManager;
 use Twig\Environment;
@@ -19,6 +20,8 @@ use Twig\Environment;
  */
 final class AccountController
 {
+    use RateLimitTrait;
+
     private Environment $twig;
     private LicenseManager $licenseManager;
     private VersionManager $versionManager;
@@ -575,6 +578,15 @@ final class AccountController
      */
     public function handleTransferRequest(): void
     {
+        // Rate limit: 5 transfer attempts per hour per user
+        if (!$this->checkUserRateLimit('transfer', 5, 3600)) {
+            $retryAfter = $this->getRateLimitRetryAfter('transfer', 3600);
+            wp_send_json_error([
+                'message' => __('Too many transfer attempts. Please try again later.', 'wc-licensed-product'),
+                'retry_after' => $retryAfter,
+            ], 429);
+        }
+
         // Verify nonce
         if (!check_ajax_referer('wclp_customer_transfer', 'nonce', false)) {
             wp_send_json_error(['message' => __('Security check failed.', 'wc-licensed-product')], 403);

src/Frontend/DownloadController.php

@@ -9,6 +9,7 @@ declare(strict_types=1);
 
 namespace Jeremias\WcLicensedProduct\Frontend;
 
+use Jeremias\WcLicensedProduct\Common\RateLimitTrait;
 use Jeremias\WcLicensedProduct\License\LicenseManager;
 use Jeremias\WcLicensedProduct\Product\VersionManager;
 
@@ -17,6 +18,8 @@ use Jeremias\WcLicensedProduct\Product\VersionManager;
  */
 final class DownloadController
 {
+    use RateLimitTrait;
+
     private LicenseManager $licenseManager;
     private VersionManager $versionManager;
 
@@ -110,6 +113,15 @@ final class DownloadController
             exit;
         }
 
+        // Rate limit: 30 downloads per hour per user
+        if (!$this->checkUserRateLimit('download', 30, 3600)) {
+            wp_die(
+                __('Too many download attempts. Please try again later.', 'wc-licensed-product'),
+                __('Download Error', 'wc-licensed-product'),
+                ['response' => 429]
+            );
+        }
+
         // Get license
         $license = $this->licenseManager->getLicenseById($licenseId);
         if (!$license) {