Changeset 3423632

Timestamp:

12/19/2025 12:09:57 PM (3 months ago)

Author:

domainsupport

Message:

Tagging version 1.8.5

Location:

deny-all-firewall

Files:

• tags/1.8.5 (copied) (copied from deny-all-firewall/trunk)
• tags/1.8.5/403.php (copied) (copied from deny-all-firewall/trunk/403.php) (11 diffs)
• tags/1.8.5/deny-all-firewall.php (copied) (copied from deny-all-firewall/trunk/deny-all-firewall.php) (47 diffs)
• tags/1.8.5/includes (copied) (copied from deny-all-firewall/trunk/includes)
• tags/1.8.5/includes/class-daf-common.php (copied) (copied from deny-all-firewall/trunk/includes/class-daf-common.php) (30 diffs)
• tags/1.8.5/includes/class-webd.php (deleted)
• tags/1.8.5/includes/customize-controls.js (copied) (copied from deny-all-firewall/trunk/includes/customize-controls.js)
• tags/1.8.5/readme.txt (copied) (copied from deny-all-firewall/trunk/readme.txt) (3 diffs)
• tags/1.8.5/remote-addr.php (copied) (copied from deny-all-firewall/trunk/remote-addr.php) (1 diff)
• trunk/403.php (modified) (11 diffs)
• trunk/deny-all-firewall.php (modified) (47 diffs)
• trunk/includes/class-daf-common.php (modified) (30 diffs)
• trunk/readme.txt (modified) (3 diffs)
• trunk/remote-addr.php (modified) (1 diff)

deny-all-firewall/tags/1.8.5/403.php

@@ -4 +4 @@
 header("Cache-Control: post-check=0, pre-check=0", false);
 header("Pragma: no-cache");
-header($_SERVER['SERVER_PROTOCOL']." 403 Forbidden", true, 403);
-
-$request_uri = $_SERVER['REQUEST_URI'];
-
-if (file_exists(dirname(dirname(__DIR__)).'/ENABLE_403_LOG')) {
-
-    $redirect_url = preg_replace('/\?.*/', '', $request_uri);
-
-    if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
-
-        $remote_addr = $_SERVER['HTTP_CF_CONNECTING_IP'];
-
-    } else {
-
-        $remote_addr = $_SERVER['REMOTE_ADDR'];
+http_response_code(403);
+
+if (isset($_SERVER['REQUEST_URI'])) {
+
+    define('SHORTINIT', true);
+    require_once('../../../wp-load.php');
+    require_once(ABSPATH . WPINC . '/kses.php');
+    require_once(ABSPATH . WPINC . '/blocks.php');
+    require_once(ABSPATH . WPINC . '/formatting.php');
+    require_once(ABSPATH . WPINC . '/class-wp-block-parser.php');
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+    $deny_all_firewall_request_uri = sanitize_url(wp_unslash($_SERVER['REQUEST_URI']));
+
+    if (file_exists(dirname(dirname(__DIR__)).'/ENABLE_403_LOG')) {
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+        $deny_all_firewall_redirect_url = preg_replace('/\?.*/', '', $deny_all_firewall_request_uri);
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+        $deny_all_firewall_remote_addr = '';
+
+        if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+            $deny_all_firewall_remote_addr = filter_var(wp_unslash($_SERVER['HTTP_CF_CONNECTING_IP']), FILTER_VALIDATE_IP);
+
+        } elseif (isset($_SERVER['REMOTE_ADDR'])) {
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+            $deny_all_firewall_remote_addr = filter_var(wp_unslash($_SERVER['REMOTE_ADDR']), FILTER_VALIDATE_IP);
+
+        }
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+        $deny_all_firewall_log_entry = json_encode(array(
+            'time' => time(),
+            'remote_addr' => $deny_all_firewall_remote_addr,
+            'redirect_url' => $deny_all_firewall_redirect_url
+            // 'query_string' => $_GET,
+            // 'post' => $_POST
+            // 'server' => $_SERVER
+        )).PHP_EOL;
+        file_put_contents(dirname(dirname(__DIR__)).'/403.log', $deny_all_firewall_log_entry, FILE_APPEND | LOCK_EX);
 
     }
-
-    $log_entry = json_encode(array(
-        'time' => time(),
-        'remote_addr' => $remote_addr,
-        'redirect_url' => $redirect_url
-        // 'query_string' => $_GET,
-        // 'post' => $_POST
-        // 'server' => $_SERVER
-    )).PHP_EOL;
-    file_put_contents(dirname(dirname(__DIR__)).'/403.log', $log_entry, FILE_APPEND | LOCK_EX);
-
-}
 
 ?><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
@@ -39 +55 @@
 <style>
 body {
-    font-family: 'Courier New', Courier, monospace;
+    font-family: Arial, Helvetica, sans-serif;
     position: absolute;
     box-sizing: border-box;
@@ -46 +62 @@
     top: 50%;
     transform: translateY(-50%);
-    border: 1px dashed black;
+    border: 1px solid #d9d9d9;
     padding: 1rem;
+    color: #515151;
 }
 h1, h2, h3, h4, h5, h6 {
-    font-weight: normal;
+    color: #d9d9d9;
+    text-transform: lowercase;
+}
+a {
+    color: #55c1e4;
+    text-decoration: none;
+}
+a:hover {
+    color: #515151;
 }
 hr {
-    border-top: 1px dashed black;
+    border: none;
+    border-top: 1px solid #d9d9d9;
 }
 .alignleft {
@@ -60 +86 @@
     margin-right: 1.5em;
 }
-
 .alignright {
     display: inline;
@@ -66 +91 @@
     margin-left: 1.5em;
 }
-
 .aligncenter {
     clear: both;
@@ -76 +100 @@
     margin-bottom: 0;
 }
-form {
-    text-align: center;
-}
 </style>
 </head>
@@ -84 +105 @@
 <?php
 
-    $admin_hints = '<h2>If you own this site ...</h2>
-';
-
-    if (substr($request_uri, 0, strlen('/wp-login.php')) === '/wp-login.php') {
-
-        $admin_hints .= '<p>If this is your website and you are trying to login to your dashboard:</p>
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+    $deny_all_firewall_admin_hints = '<h2>If you own this site ...</h2>
+';
+
+    if (substr($deny_all_firewall_request_uri, 0, strlen('/wp-login.php')) === '/wp-login.php') {
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+        $deny_all_firewall_admin_hints .= '<p>If this is your website and you are trying to login to your dashboard:</p>
 <ul>
 <li>You need to login using your secret login address</li>
@@ -96 +119 @@
 ';
 
-    } elseif (substr($request_uri, 0, strlen('/wp-admin/')) === '/wp-admin/') {
-
-        $admin_hints .= '<p>If this is your website and you are trying to use your dashboard:</p>
+    } elseif (substr($deny_all_firewall_request_uri, 0, strlen('/wp-admin/')) === '/wp-admin/') {
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+        $deny_all_firewall_admin_hints .= '<p>If this is your website and you are trying to use your dashboard:</p>
 <ul>
 <li>You need to <a href="/wp-admin/">login first</a></li>
@@ -107 +131 @@
     } else {
 
-        $admin_hints .= '<p>If this is your website and this page should not be blocked you can try the following to unblock this page:</p>
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+        $deny_all_firewall_admin_hints .= '<p>If this is your website and this page should not be blocked you can try the following to unblock this page:</p>
 <ul>
-<li>Sign into your Wordpress dashboard</li>
+<li>Sign into your WordPress dashboard</li>
 <li>Go to "Settings - Deny All Firewall"</li>
 <li>Tick the box "Enable Log" and click "Save Changes"</li>
 <li>Visit this blocked page again and return to "Dashboard - Settings - Deny All Firewall"</li>
 <li>Find the blocked page in the log file, click "Unblock", untick "Enable logging of blocked requests" and then "Save Changes"</li>
-<li>If that doesn\'t work, select "Firewall Disabled", click "Save Changes" and <a href="https://wordpress.org/support/plugin/deny-all-firewall/" title="Support Forum">contact us on the support forum</a></li>
+<li>If that doesn\'t work, select "Firewall Disabled", click "Save Changes" and <a href="https://webd.uk/support/" title="Web:D support">contact us for support</a></li>
 </ul>
 ';
@@ -120 +145 @@
     }
 
-    $search = '<form role="search" method="get" class="search-form" action="/">
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+    $deny_all_firewall_search = '<form role="search" method="get" class="search-form" action="/">
     <label for="search-form">Search…</label>
-    <input type="search" id="search-form" class="search-field" value="' . trim(strtolower(preg_replace('/\s+/', ' ', preg_replace('/[^a-zA-Z ]/', ' ', $request_uri)))) . '" name="s">
+    <input type="search" id="search-form" class="search-field" value="' . trim(strtolower(preg_replace('/\s+/', ' ', preg_replace('/[^a-zA-Z ]/', ' ', $deny_all_firewall_request_uri)))) . '" name="s">
     <input type="submit" class="search-submit" value="Search">
-</form>';
-
-    $contents = '<h1>Forbidden</h1>
+</form>
+';
+
+    if (file_exists(dirname(dirname(__DIR__)).'/403.html')) {
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+        $deny_all_firewall_contents = file_get_contents(dirname(dirname(__DIR__)) . '/403.html');
+
+    } else {
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+        $deny_all_firewall_contents = '<h1>Forbidden</h1>
 <p>You don\'t have permission to access [requested-page] on this server.</p>
 [search]
 <hr>
 <h2>Why am I seeing this page?</h2>
-<p>This address has been blocked by <a href="https://wordpress.org/plugins/deny-all-firewall/" title="Deny All Firewall">Deny All Firewall</a> plugin for Wordpress by <a href="https://webd.uk" title="webd.uk">webd.uk</a>.</i></p>
-[admin-hints]';
-
-    if (file_exists(dirname(dirname(__DIR__)).'/403.html')) {
-
-        $contents = file_get_contents(dirname(dirname(__DIR__)) . '/403.html');
+<p>This address has been blocked by Deny All Firewall plugin for WordPress by <a href="https://webd.uk" title="Web:D"><strong>Web:D</strong></a>.</i></p>
+[admin-hints]
+';
 
     }
 
-    $contents = str_replace(array('[requested-page]', '[admin-hints]', '[search]'), array(htmlentities($request_uri), $admin_hints, $search), $contents);
-    echo $contents;
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+    $deny_all_firewall_contents = str_replace(
+        array(
+            '[requested-page]',
+            '[admin-hints]',
+            '[search]'
+        ), array(
+            htmlentities($deny_all_firewall_request_uri),
+            $deny_all_firewall_admin_hints,
+            $deny_all_firewall_search
+        ),
+        $deny_all_firewall_contents
+    );
+
+    echo wp_kses($deny_all_firewall_contents, array_merge(
+        wp_kses_allowed_html('post'),
+        array(
+            'form' => array(
+                'role' => array(),
+                'method' => array(),
+                'class' => array(),
+                'action' => array()
+            ),
+            'input' => array(
+                'type' => array(),
+                'class' => array(),
+                'id' => array(),
+                'value' => array(),
+                'name' => array()
+            )
+        )
+    ));
 
 ?>
@@ -147 +209 @@
 <?php
 
+}
+
     die();
 

deny-all-firewall/tags/1.8.5/deny-all-firewall.php

@@ -2 +2 @@
 /*
  * Plugin Name: Deny All Firewall
- * Version: 1.8.4
+ * Version: 1.8.5
  * Plugin URI: https://webd.uk/support/
  * Description: Blocks access to everything except genuine site content using .htaccess
  * Author: Webd Ltd
  * Author URI: https://webd.uk
+ * License: GPLv2 or later
+ * License URI: https://www.gnu.org/licenses/old-licenses/gpl-2.0.html
  * Text Domain: deny-all-firewall
  */
@@ -22 +24 @@
     class daf_class {
 
-        public static $version = '1.8.4';
+        public static $version = '1.8.5';
 
         private $black_list;
@@ -106 +108 @@
                     if (get_post_types(array('name' => $second->post_type, 'exclude_from_search' => false))) {
 
-                        if (!$this->daf_is_permalink_in_htaccess(parse_url(get_permalink($item_id)))) {
+                        if (!$this->daf_is_permalink_in_htaccess(wp_parse_url(get_permalink($item_id)))) {
 
                             update_option('daf_content_changed', true);
@@ -118 +120 @@
                 } elseif (!isset($options['allow_all_content']) && current_action() == 'edited_term') {
 
-                    if (!$this->daf_is_permalink_in_htaccess(parse_url(get_term_link($item_id)))) {
+                    if (!$this->daf_is_permalink_in_htaccess(wp_parse_url(get_term_link($item_id)))) {
 
                         update_option('daf_content_changed', true);
@@ -128 +130 @@
                 } elseif (!isset($options['allow_all_content']) && current_action() == 'created_term') {
 
-                    if (!$this->daf_is_permalink_in_htaccess(parse_url(get_term_link($item_id)))) {
+                    if (!$this->daf_is_permalink_in_htaccess(wp_parse_url(get_term_link($item_id)))) {
 
                         update_option('daf_content_changed', true);
@@ -138 +140 @@
                 } elseif (!isset($options['allow_all_content']) && current_action() == 'attachment_updated' && $second instanceof WP_Post && isset($second->post_status) && in_array($second->post_status, array('inherit', 'publish', 'private'))) {
 
-                    if (!$this->daf_is_permalink_in_htaccess(parse_url(get_permalink($second->ID)))) {
+                    if (!$this->daf_is_permalink_in_htaccess(wp_parse_url(get_permalink($second->ID)))) {
 
                         update_option('daf_content_changed', true);
@@ -166 +168 @@
                     }
 
-                    if (isset($second->post_status) && !($second->post_status == 'private' && $extension == 'zip') && in_array($second->post_status, array('inherit', 'publish', 'private')) && !$this->daf_is_permalink_in_htaccess(parse_url(get_permalink($second->ID)))) {
+                    if (isset($second->post_status) && !($second->post_status == 'private' && $extension == 'zip') && in_array($second->post_status, array('inherit', 'publish', 'private')) && !$this->daf_is_permalink_in_htaccess(wp_parse_url(get_permalink($second->ID)))) {
 
                         update_option('daf_content_changed', true);
@@ -198 +200 @@
             }
 
-            if ($reconstructed_host == $_SERVER['HTTP_HOST'] && $permalink['path'] !== '/') {
+            if (
+                isset($_SERVER['HTTP_HOST']) &&
+                $reconstructed_host === $_SERVER['HTTP_HOST'] &&
+                $permalink['path'] !== '/'
+            ) {
 
                 $current_htaccess = file_get_contents(dafCommon::get_home_path() . '.htaccess');
@@ -240 +246 @@
                 data: {
                     action: 'daf_refresh_rules',
-                    _ajax_nonce: '<?php echo wp_create_nonce('daf-refresh-rules'); ?>'
+                    _ajax_nonce: '<?php echo esc_attr(wp_create_nonce('daf-refresh-rules')); ?>'
                 },
                 success: function(result){
@@ -371 +377 @@
             if (!isset($options['enable_log'])) {
 
-                if (file_exists(dirname(dirname(__DIR__)).'/ENABLE_403_LOG')) { unlink(dirname(dirname(__DIR__)).'/ENABLE_403_LOG'); }
-                if (file_exists(dirname(dirname(__DIR__)).'/403.log')) { unlink(dirname(dirname(__DIR__)).'/403.log'); }
+                if (file_exists(dirname(dirname(__DIR__)).'/ENABLE_403_LOG')) { wp_delete_file(dirname(dirname(__DIR__)).'/ENABLE_403_LOG'); }
+                if (file_exists(dirname(dirname(__DIR__)).'/403.log')) { wp_delete_file(dirname(dirname(__DIR__)).'/403.log'); }
 
             } else {
@@ -422 +428 @@
 <h3>Top 50 Blocked Requests in the last 24 Hours</h3>
 
-<p>Your logfile contains details of <strong><?php echo $count_log_entries; ?></strong> blocked requests since <?php echo date_i18n(get_option('date_format') . ' ' . get_option('time_format'), $log_started); ?>.</p>
+<p>Your logfile contains details of <strong><?php echo esc_html($count_log_entries); ?></strong> blocked requests since <?php echo esc_html(date_i18n(get_option('date_format') . ' ' . get_option('time_format'), $log_started)); ?>.</p>
 
 <p>That's <strong><?php echo absint($count_log_entries / ((time() - $log_started) / 3600)) ?> requests</strong> blocked per hour!
@@ -450 +456 @@
 
 <tr>
-<td class="check-column"><?php echo $i; ?>)</td>
-<td class="plugin-title column-primary"><?php echo $key; ?> <?php
-
-                        if (!preg_match('/\/(.*)\.(.*)\//', $key) && file_exists($_SERVER['DOCUMENT_ROOT'] . $key)) {
+<td class="check-column"><?php echo esc_attr($i); ?>)</td>
+<td class="plugin-title column-primary"><?php echo esc_attr($key); ?> <?php
+
+                        if (
+                            !preg_match('/\/(.*)\.(.*)\//', $key) &&
+                            isset($_SERVER['DOCUMENT_ROOT']) &&
+                            file_exists(sanitize_text_field(wp_unslash($_SERVER['DOCUMENT_ROOT'])) . $key)
+                        ) {
 
                             if (preg_match('/\/$/', $key)) {
@@ -468 +478 @@
 
 ?><span class="daf-unblock button button-small" data-request="<?php echo esc_html($key); ?>"><?php esc_html_e('Unblock', 'deny-all-firewall'); ?></span></td>
-<td class="column-total-requests"><?php echo $value; ?></td>
+<td class="column-total-requests"><?php echo esc_html($value); ?></td>
 <td class="column-description"><?php
 
@@ -475 +485 @@
                             if ($request_type['suspicious']) { echo '<span style="color: red;">'; }
 
-                            echo $request_type['description'];
+                            echo esc_html($request_type['description']);
 
                             if ($request_type['suspicious']) { echo '</span>'; }
@@ -750 +760 @@
 
 ?>
+<div class="notice notice-error daf-notice">
+<h2><?php esc_html_e('This plugin is moving home ...','deny-all-firewall'); ?></h2>
+<p><?php esc_html_e('We have taken the decision to move this plugin from the official WordPress repository to our own, in-house repository.','deny-all-firewall'); ?></p>
+<p><?php esc_html_e('This move will happen in early 2026 because the plugin is solely used by clients of Domain Support Ltd (who will automatically be migrated to the new plugin).','deny-all-firewall'); ?></p>
+<p><?php esc_html_e('If you are not a client of Domain Support Ltd and still want to continue to receive updates for this plugin, get in touch ...','deny-all-firewall'); ?></p>
+<p><a href="https://webd.uk/support/" title="<?php esc_attr_e('Contact us', 'deny-all-firewall'); ?>" class="button-primary"><?php esc_html_e('Contact us', 'deny-all-firewall'); ?></a></p>
+</div>
 <p><?php esc_html_e('Use these settings to configure the firewall. You can save these settings again to quickly allow new content through the firewall.','deny-all-firewall'); ?></p>
 <?php
@@ -858 +875 @@
 
 ?>
-<span class="dashicons dashicons-trash"></span><input type="checkbox" onclick="jQuery('#whitelist_<?php echo $args['whitelist_id']; ?>').prop('disabled', function(i, v) { return !v; });" />
+<span class="dashicons dashicons-trash"></span><input type="checkbox" onclick="jQuery('#whitelist_<?php echo esc_attr($args['whitelist_id']); ?>').prop('disabled', function(i, v) { return !v; });" />
 <?php
 
@@ -864 +881 @@
 
 ?>
-<input id="whitelist_<?php echo $args['whitelist_id']; ?>" class="whitelist" name="daf_options[whitelist_<?php echo $args['whitelist_id']; ?>]" type="text" value="<?php echo ((isset($options['whitelist_' . $args['whitelist_id']])) ? sanitize_text_field($options['whitelist_' . $args['whitelist_id']]) : ''); ?>" placeholder="/hello-world/" />
-301 Redirect <input type="checkbox" onclick="jQuery('#whitelist_<?php echo $args['whitelist_id']; ?>_301').val(''); jQuery('#whitelist_<?php echo $args['whitelist_id']; ?>_301').prop('disabled', function(i, v) { return !v; }); jQuery('#whitelist_<?php echo $args['whitelist_id']; ?>_301_wrapper').toggle();"<?php checked(isset($options['whitelist_' . $args['whitelist_id'] . '_301']), true); ?> />
-<span id="whitelist_<?php echo $args['whitelist_id']; ?>_301_wrapper"<?php echo ((!isset($options['whitelist_' . $args['whitelist_id'] . '_301'])) ? ' style="display: none;"' : ''); ?>>to <input id='whitelist_<?php echo $args['whitelist_id']; ?>_301' name='daf_options[whitelist_<?php echo $args['whitelist_id']; ?>_301]' type='text' value='<?php echo ((isset($options['whitelist_' . $args['whitelist_id'] . '_301'])) ? sanitize_text_field($options['whitelist_' . $args['whitelist_id'] . '_301']) : ''); ?>'<?php echo ((!isset($options['whitelist_' . $args['whitelist_id'] . '_301'])) ? ' disabled="disabled"' : ''); ?> placeholder="https://www.hello.com/world/" /></span>
+<input id="whitelist_<?php echo esc_attr($args['whitelist_id']); ?>" class="whitelist" name="daf_options[whitelist_<?php echo esc_attr($args['whitelist_id']); ?>]" type="text" value="<?php echo esc_attr((isset($options['whitelist_' . $args['whitelist_id']])) ? sanitize_text_field($options['whitelist_' . $args['whitelist_id']]) : ''); ?>" placeholder="/hello-world/" />
+301 Redirect <input type="checkbox" onclick="jQuery('#whitelist_<?php echo esc_attr($args['whitelist_id']); ?>_301').val(''); jQuery('#whitelist_<?php echo esc_attr($args['whitelist_id']); ?>_301').prop('disabled', function(i, v) { return !v; }); jQuery('#whitelist_<?php echo esc_attr($args['whitelist_id']); ?>_301_wrapper').toggle();"<?php checked(isset($options['whitelist_' . $args['whitelist_id'] . '_301']), true); ?> />
+<span id="whitelist_<?php echo esc_attr($args['whitelist_id']); ?>_301_wrapper" style="<?php echo esc_attr((!isset($options['whitelist_' . $args['whitelist_id'] . '_301'])) ? 'display:none;' : ''); ?>">to <input id='whitelist_<?php echo esc_attr($args['whitelist_id']); ?>_301' name='daf_options[whitelist_<?php echo esc_attr($args['whitelist_id']); ?>_301]' type='text' value='<?php echo esc_attr((isset($options['whitelist_' . $args['whitelist_id'] . '_301'])) ? sanitize_text_field($options['whitelist_' . $args['whitelist_id'] . '_301']) : ''); ?>'<?php echo esc_attr((!isset($options['whitelist_' . $args['whitelist_id'] . '_301'])) ? ' disabled' : ''); ?> placeholder="https://www.hello.com/world/" /></span>
 <?php
 
@@ -894 +911 @@
 
 ?>
-<p style="color: red"><strong>Yoast SEO is installed so you'll need to <a href="<?php echo 
-add_query_arg( 'page', 'wpseo_page_settings', admin_url('admin.php#/site-features#card-wpseo-enable_xml_sitemap') ); ?>">turn off "XML sitemaps" in the settings</a> to use this sitemap instead.</strong></p>
+<p style="color: red"><strong>Yoast SEO is installed so you'll need to <a href="<?php echo esc_url(add_query_arg( 'page', 'wpseo_page_settings', admin_url('admin.php#/site-features#card-wpseo-enable_xml_sitemap'))); ?>">turn off "XML sitemaps" in the settings</a> to use this sitemap instead.</strong></p>
 <?php
 
@@ -1007 +1023 @@
 
                 $options['forbidden_content'] = wp_kses_post($input['forbidden_content']);
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
                 file_put_contents(dirname(dirname(__DIR__)).'/403.html', apply_filters('the_content', $input['forbidden_content']));
 
@@ -1012 +1029 @@
 
                 unset($options['forbidden_content']);
-                if (file_exists(dirname(dirname(__DIR__)).'/403.html')) { unlink(dirname(dirname(__DIR__)).'/403.html'); } 
+                if (file_exists(dirname(dirname(__DIR__)).'/403.html')) { wp_delete_file(dirname(dirname(__DIR__)).'/403.html'); } 
 
             }
@@ -1134 +1151 @@
         function daf_remove_rules() {
 
-            if (is_writable(dafCommon::get_home_path() . '.htaccess')) {
+            global $wp_filesystem;
+
+            if (!$wp_filesystem) {
+
+                require_once (ABSPATH . '/wp-admin/includes/file.php');
+
+                WP_Filesystem();
+
+            }
+
+            if ($wp_filesystem->is_writable(dafCommon::get_home_path() . '.htaccess')) {
 
                 copy(dafCommon::get_home_path() . '.htaccess', dafCommon::get_home_path() . '.htaccess_bak');
@@ -1171 +1198 @@
                     $newdata = trim($newdata,"\n");
 
-                    $f = @fopen(dafCommon::get_home_path() . '.htaccess', 'w');
-                    fwrite($f, $newdata);
+                    $wp_filesystem->put_contents(
+                        dafCommon::get_home_path() . '.htaccess',
+                        $newdata,
+                        FS_CHMOD_FILE
+                    );
 
                     return true;
@@ -1186 +1216 @@
         function daf_remove_sitemap() {
 
-            if (is_writable(dafCommon::get_home_path() . 'sitemap.xml')) {
-
-                unlink(dafCommon::get_home_path() . 'sitemap.xml');
+            global $wp_filesystem;
+
+            if (!$wp_filesystem) {
+
+                require_once (ABSPATH . '/wp-admin/includes/file.php');
+
+                WP_Filesystem();
+
+            }
+
+            if ($wp_filesystem->is_writable(dafCommon::get_home_path() . 'sitemap.xml')) {
+
+                wp_delete_file(dafCommon::get_home_path() . 'sitemap.xml');
 
             }
 
-            if (is_writable(dafCommon::get_home_path() . 'robots.txt')) {
-
-                unlink(dafCommon::get_home_path() . 'robots.txt');
+            if ($wp_filesystem->is_writable(dafCommon::get_home_path() . 'robots.txt')) {
+
+                wp_delete_file(dafCommon::get_home_path() . 'robots.txt');
 
             }
@@ -1201 +1241 @@
 
         function daf_create_htaccess($current_user_id = false) {
+
+            global $wp_filesystem;
+
+            if (!$wp_filesystem) {
+
+                require_once (ABSPATH . '/wp-admin/includes/file.php');
+
+                WP_Filesystem();
+
+            }
 
             $options = get_option('daf_options');
@@ -1210 +1260 @@
                 if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
 
-                    if (0 === strpos($_SERVER['HTTP_CF_CONNECTING_IP'], $external_ip)) { return false; }
+                    if (0 === strpos(filter_var(wp_unslash($_SERVER['HTTP_CF_CONNECTING_IP']), FILTER_VALIDATE_IP), $external_ip)) { return false; }
 
                 } elseif (isset($_SERVER['REMOTE_ADDR'])) {
 
-                    if (0 === strpos( $_SERVER['REMOTE_ADDR'] , $external_ip )) { return false; }
+                    if (0 === strpos(filter_var(wp_unslash($_SERVER['REMOTE_ADDR']), FILTER_VALIDATE_IP), $external_ip )) { return false; }
 
                 }
@@ -1276 +1326 @@
                 if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
 
-                    update_user_meta($current_user_id, 'daf_REMOTE_ADDR', $_SERVER['HTTP_CF_CONNECTING_IP']);
+                    update_user_meta($current_user_id, 'daf_REMOTE_ADDR', filter_var(wp_unslash($_SERVER['HTTP_CF_CONNECTING_IP']), FILTER_VALIDATE_IP));
 
                 } elseif (isset($_SERVER['REMOTE_ADDR'])) {
 
-                    update_user_meta($current_user_id, 'daf_REMOTE_ADDR', $_SERVER['REMOTE_ADDR']);
+                    update_user_meta($current_user_id, 'daf_REMOTE_ADDR', filter_var(wp_unslash($_SERVER['REMOTE_ADDR']), FILTER_VALIDATE_IP));
 
                 }
@@ -1313 +1363 @@
             }
 
-            $http_url = ((isset($_SERVER['HTTPS']) ? "https" : "http") . '://' . $_SERVER['HTTP_HOST']);
-
             $detected_urls = array();
 
@@ -1342 +1390 @@
                 class_exists('WooCommerce') &&
                 !in_array('/.well-known/apple-developer-merchantid-domain-association', $whitelisted_requests, true) &&
-                file_exists($_SERVER['DOCUMENT_ROOT'] . '/.well-known/apple-developer-merchantid-domain-association')
+                isset($_SERVER['DOCUMENT_ROOT']) &&
+                file_exists(sanitize_text_field(wp_unslash($_SERVER['DOCUMENT_ROOT'])) . '/.well-known/apple-developer-merchantid-domain-association')
             ) {
 
@@ -1363 +1412 @@
                     if (in_array($post->post_type, $all_post_types) && comments_open($post)) {
 
-                        $parsed_url = parse_url(site_url('wp-comments-post.php'));
+                        $parsed_url = wp_parse_url(site_url('wp-comments-post.php'));
 
                         if (!in_array($parsed_url['path'], $whitelisted_requests)) {
@@ -1375 +1424 @@
                     if (class_exists('WooCommerce') && $post->post_type == 'product') {
                 
-                        $parsed_url = parse_url(get_permalink($post));
+                        $parsed_url = wp_parse_url(get_permalink($post));
 
                         if (!in_array($parsed_url['path'], $whitelisted_requests)) {
@@ -1420 +1469 @@
                 $whitelisted_requests[] = $wc_options['product_base'] . '/';
                 $cart_page_id = wc_get_page_id('cart');
-                $parsed_url = parse_url($cart_page_id ? get_permalink($cart_page_id) : '');
+                $parsed_url = wp_parse_url($cart_page_id ? get_permalink($cart_page_id) : '');
 
                 if (isset($parsed_url['path'])) {
@@ -1525 +1574 @@
                 foreach($detected_urls as $key => $url) {
 
-                    $parsed_url = parse_url($url);
+                    $parsed_url = wp_parse_url($url);
 
                     if (isset($parsed_url['port'])) {
@@ -1537 +1586 @@
                     }
 
-                    if ($reconstructed_host != $_SERVER['HTTP_HOST']) {
+                    if (
+                        !isset($_SERVER['HTTP_HOST']) ||
+                        (
+                            isset($_SERVER['HTTP_HOST']) &&
+                            $reconstructed_host !== filter_var(wp_unslash($_SERVER['HTTP_HOST'], FILTER_SANITIZE_URL))
+                        )
+                    ) {
 
                         unset($detected_urls[$key]);
@@ -1580 +1635 @@
 
                 if (!$sitemap_disabled && isset($sitemap_urls) && $sitemap_urls && isset($options['enable_sitemap']) && $options['enable_sitemap'] && 
-                ((!file_exists(dafCommon::get_home_path() . 'sitemap.xml') && is_writable(dafCommon::get_home_path())) || is_writable(dafCommon::get_home_path() . 'sitemap.xml')) && 
-                ((!file_exists(dafCommon::get_home_path() . 'robots.txt') && is_writable(dafCommon::get_home_path())) || is_writable(dafCommon::get_home_path() . 'robots.txt'))) {
+                ((!file_exists(dafCommon::get_home_path() . 'sitemap.xml') && $wp_filesystem->is_writable(dafCommon::get_home_path())) || $wp_filesystem->is_writable(dafCommon::get_home_path() . 'sitemap.xml')) && 
+                ((!file_exists(dafCommon::get_home_path() . 'robots.txt') && $wp_filesystem->is_writable(dafCommon::get_home_path())) || $wp_filesystem->is_writable(dafCommon::get_home_path() . 'robots.txt'))) {
 
                     $sitemap = '<?xml version="1.0" encoding="UTF-8"?>
@@ -1588 +1643 @@
     <url>
         <loc>' . htmlspecialchars(site_url()) . '</loc>
-        <lastmod>' . date('Y-m-d') . '</lastmod>
+        <lastmod>' . gmdate('Y-m-d') . '</lastmod>
         <changefreq>daily</changefreq>
         <priority>1.0</priority>
@@ -1608 +1663 @@
                     $sitemap .= '</urlset>
 ';
-                    $f = @fopen(dafCommon::get_home_path() . 'sitemap.xml', 'w');
-                    fwrite($f, $sitemap);
+
+                    $wp_filesystem->put_contents(
+                        dafCommon::get_home_path() . 'sitemap.xml',
+                        $sitemap,
+                        FS_CHMOD_FILE
+                    );
+
                     $robots = 'User-agent: *
 Disallow: /wp-admin/
@@ -1615 +1675 @@
 Sitemap: ' . site_url('sitemap.xml') . '
 ';
-                    $f = @fopen(dafCommon::get_home_path() . 'robots.txt', 'w');
-                    fwrite($f, $robots);
+
+                    $wp_filesystem->put_contents(
+                        dafCommon::get_home_path() . 'robots.txt',
+                        $robots,
+                        FS_CHMOD_FILE
+                    );
 
                 } else {
@@ -2355 +2419 @@
                 if (get_option('page_for_posts')) {
 
-                    $parsed_url = parse_url(get_permalink(get_option('page_for_posts')));
+                    $parsed_url = wp_parse_url(get_permalink(get_option('page_for_posts')));
                     $htaccess .= "# Allow pages of posts on the posts page
 RewriteCond %{REQUEST_URI} \"!^" . $parsed_url['path'] . "page/([0-9]+)/$\"
@@ -2433 +2497 @@
                 if (isset($checkout_page_url) && $checkout_page_url) {
 
-                    $parsed_url = parse_url($checkout_page_url);
+                    $parsed_url = wp_parse_url($checkout_page_url);
                     $htaccess .= "RewriteCond %{REQUEST_URI} \"!^" . $parsed_url['path'] . "order-pay/\"
 ";
@@ -2441 +2505 @@
                 if (isset($my_account_page_url) && $my_account_page_url) {
 
-                    $parsed_url = parse_url($my_account_page_url);
+                    $parsed_url = wp_parse_url($my_account_page_url);
                     $htaccess .= "RewriteCond %{REQUEST_URI} \"!^" . $parsed_url['path'] . "view-order/\"
 ";
@@ -2496 +2560 @@
         function daf_inject_rules($htaccess = false) {
 
-            if ($htaccess && is_writable(dafCommon::get_home_path() . '.htaccess')) {
+            if ($htaccess && $wp_filesystem->is_writable(dafCommon::get_home_path() . '.htaccess')) {
 
                 $htaccess_rules = file(dafCommon::get_home_path() . '.htaccess');
@@ -2504 +2568 @@
                     $htaccess = $htaccess . "\n" . implode('', $htaccess_rules);
 
-                    $f = @fopen(dafCommon::get_home_path() . '.htaccess', 'w');
-                    fwrite($f, $htaccess);
+                    $wp_filesystem->put_contents(
+                        dafCommon::get_home_path() . '.htaccess',
+                        $htaccess,
+                        FS_CHMOD_FILE
+                    );
 
                     delete_option('daf_content_changed');
@@ -2529 +2596 @@
                 $current_ip_in_htaccess = true;
 
-                if (isset($_SERVER['HTTP_CF_CONNECTING_IP']) && strpos($current_htaccess, '^' . str_replace('.', '\.', $_SERVER['HTTP_CF_CONNECTING_IP']) . '$') === false) {
+                if (
+                    isset($_SERVER['HTTP_CF_CONNECTING_IP']) &&
+                    false === strpos($current_htaccess, '^' . str_replace('.', '\.', filter_var(wp_unslash($_SERVER['HTTP_CF_CONNECTING_IP']), FILTER_VALIDATE_IP)) . '$')
+                ) {
 
                     $current_ip_in_htaccess = false;
 
-                } elseif (isset($_SERVER['REMOTE_ADDR']) && strpos($current_htaccess, '^' . str_replace('.', '\.', $_SERVER['REMOTE_ADDR']) . '$') === false) {
+                } elseif (
+                    isset($_SERVER['REMOTE_ADDR']) &&
+                    false === strpos($current_htaccess, '^' . str_replace('.', '\.', filter_var(wp_unslash($_SERVER['REMOTE_ADDR']), FILTER_VALIDATE_IP)) . '$')
+                ) {
 
                     $current_ip_in_htaccess = false;
@@ -2577 +2650 @@
                     }
 
-                }http://localhost:8888/wp-admin/admin.php?page=wpide#
+                }
 
             }
@@ -2642 +2715 @@
                 data: {
                     action: 'daf_refresh_rules',
-                    _ajax_nonce: '<?php echo wp_create_nonce('daf-refresh-rules'); ?>'
+                    _ajax_nonce: '<?php echo esc_attr(wp_create_nonce('daf-refresh-rules')); ?>'
                 },
                 success: function(result){
@@ -2703 +2776 @@
             $current_user = wp_get_current_user();
 
-            if ($current_user->exists() && $_SERVER["SCRIPT_NAME"] !== strrchr(wp_login_url(), '/')) {
+            if (
+                $current_user->exists() &&
+                isset($_SERVER['SCRIPT_NAME']) &&
+                $_SERVER['SCRIPT_NAME'] !== strrchr(wp_login_url(), '/')
+            ) {
 
                 if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
 
-                    $current_ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
+                    $current_ip = filter_var(wp_unslash($_SERVER['HTTP_CF_CONNECTING_IP']), FILTER_VALIDATE_IP);
 
                 } elseif (isset($_SERVER['REMOTE_ADDR'])) {
 
-                    $current_ip = $_SERVER['REMOTE_ADDR'];
+                    $current_ip = filter_var(wp_unslash($_SERVER['REMOTE_ADDR']), FILTER_VALIDATE_IP);
 
                 }
@@ -2735 +2812 @@
     }
 
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
     $daf = new daf_class();
 

deny-all-firewall/tags/1.8.5/includes/class-daf-common.php

@@ -1 +1 @@
 <?php
 /*
- * Version: 1.3.9
+ * Version: 1.4.4
  */
 
@@ -43 +43 @@
         public static function plugin_text_domain() {
 
-            return self::$plugin_text_domain;
+            return 'deny-all-firewall';
 
         }
@@ -61 +61 @@
         public static function support_url() {
 
-            return 'https://wordpress.org/support/plugin/' . self::$plugin_text_domain . '/';
+            return 'https://wordpress.org/support/plugin/' . 'deny-all-firewall' . '/';
 
         }
@@ -67 +67 @@
         public static function control_upgrade_text() {
 
-            $upgrade_text = '<a href="' . esc_url(self::upgrade_link()) . '" title="' . esc_attr(sprintf(__('Upgrade now to %s Premium', self::$plugin_text_domain), self::$plugin_name)) . '">' . sprintf(__('Upgrade now to %s Premium', self::$plugin_text_domain), self::$plugin_name) . '</a>';
+/* translators: name of the plugin */
+            $upgrade_text = '<a href="' . esc_url(self::upgrade_link()) . '" title="' . esc_attr(sprintf(__('Upgrade now to %s Premium', 'deny-all-firewall'), self::$plugin_name)) . '">' . sprintf(__('Upgrade now to %s Premium', 'deny-all-firewall'), self::$plugin_name) . '</a>';
 
             if (!class_exists(self::$plugin_premium_class) || !get_option(self::$plugin_prefix . '_purchased')) {
@@ -73 +74 @@
                 if (!class_exists(self::$plugin_premium_class)) {
 
-                    $upgrade_text .= sprintf(wp_kses(__(' or <a href="%s" title="Download Free Trial">trial it for 7 days</a>', self::$plugin_text_domain), array('a' => array('href' => array(), 'title' => array()))), esc_url(self::premium_link()));
+/* translators: link to the premium upgrade */
+                    $upgrade_text .= sprintf(wp_kses(__(' or <a href="%s" title="Download Free Trial">trial it for 7 days</a>', 'deny-all-firewall'), array('a' => array('href' => array(), 'title' => array()))), esc_url(self::premium_link()));
 
                 }
@@ -85 +87 @@
         public static function control_section_description() {
 
-            $default_description = sprintf(wp_kses(__('If you have any requests for new features, please <a href="%s" title="Support Forum">let us know in the support forum</a>.', self::$plugin_text_domain), array('a' => array('href' => array(), 'title' => array()))), esc_url(self::support_url()));
+/* translators: link to the plugin's support forum */
+            $default_description = sprintf(wp_kses(__('If you have any requests for new features, please <a href="%s" title="Support Forum">let us know in the support forum</a>.', 'deny-all-firewall'), array('a' => array('href' => array(), 'title' => array()))), esc_url(self::support_url()));
 
             if (self::$plugin_premium_class) {
@@ -95 +98 @@
                     if (!class_exists(self::$plugin_premium_class)) {
 
-                        $section_description = '<strong>' . __('For even more options', self::$plugin_text_domain) . '</strong>' . ' ' . $upgrade_text;
+                        $section_description = '<strong>' . __('For even more options', 'deny-all-firewall') . '</strong>' . ' ' . $upgrade_text;
 
                     } else {
 
-                        $section_description = '<strong>' . __('To keep using premium options', self::$plugin_text_domain) . '</strong>' . ' ' . $upgrade_text;
+                        $section_description = '<strong>' . __('To keep using premium options', 'deny-all-firewall') . '</strong>' . ' ' . $upgrade_text;
 
                     }
@@ -119 +122 @@
                 $section_description .= ' ' . sprintf(
                     wp_kses(
+/* translators: link to plugin install page */
                         __(
                             '<strong>To reset this section of options to default settings</strong> without affecting other sections in the customizer, install <a href="%s" title="Reset Customizer">Reset Customizer</a>.',
-                            self::$plugin_text_domain
+                            'deny-all-firewall'
                         ),
                         array('strong' => array(), 'a' => array('href' => array(), 'title' => array()))
@@ -145 +149 @@
         public static function control_setting_upgrade_nag() {
 
-            $upgrade_nag = self::control_upgrade_text() . __(' to use this option.', self::$plugin_text_domain);
+            $upgrade_nag = self::control_upgrade_text() . __(' to use this option.', 'deny-all-firewall');
 
             return $upgrade_nag;
@@ -234 +238 @@
 
                 $generated_css = sprintf('%s { %s: %s; }', $selector, $style, $prefix.$mod.$postfix);
-                echo $generated_css;
+
+// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+                echo wp_strip_all_tags($generated_css);
 
             } elseif ($mod) {
 
                 $generated_css = sprintf('%s { %s:%s; }', $selector, $style, $prefix.$value.$postfix);
-                echo $generated_css;
+
+// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+                echo wp_strip_all_tags($generated_css);
 
             }
@@ -249 +257 @@
             if (self::$plugin_premium_class) {
 
-                return add_query_arg('url', (isset($_SERVER['HTTPS']) ? 'https' : 'http') . '://' . $_SERVER['HTTP_HOST'], 'https://webd.uk/product/' . self::$plugin_text_domain . '-upgrade/');
-
+                if (isset($_SERVER['HTTP_HOST'])) {
+
+                    return add_query_arg('url', (isset($_SERVER['HTTPS']) ? 'https' : 'http') . '://' . filter_var(wp_unslash($_SERVER['HTTP_HOST'], FILTER_SANITIZE_URL)), 'https://webd.uk/product/' . 'deny-all-firewall' . '-upgrade/');
+
+                } else {
+
+                    return 'https://webd.uk/product/' . 'deny-all-firewall' . '-upgrade/';
+
+                }
 
             } else {
@@ -276 +291 @@
             $settings_links = array();
 
-            $settings_links[] = '<a href="' . esc_url($settings_link) . '" title="' . esc_attr(__('Settings', self::$plugin_text_domain)) . '">' . __('Settings', self::$plugin_text_domain) . '</a>';
+            $settings_links[] = '<a href="' . esc_url($settings_link) . '" title="' . esc_attr(__('Settings', 'deny-all-firewall')) . '">' . __('Settings', 'deny-all-firewall') . '</a>';
 
             if (!get_option(self::$plugin_prefix . '_purchased')) {
@@ -284 +299 @@
                     if (self::$plugin_upgrade) {
 
-                        $settings_links[] = '<a href="' . esc_url(self::upgrade_link()) . '" title="' . esc_attr(sprintf(__('Buy %s Premium', self::$plugin_text_domain), self::$plugin_name)) . '" style="color: orange; font-weight: bold;">' . __('Buy Now', self::$plugin_text_domain) . '</a>';
+/* translators: name of the plugin */
+                        $settings_links[] = '<a href="' . esc_url(self::upgrade_link()) . '" title="' . esc_attr(sprintf(__('Buy %s Premium', 'deny-all-firewall'), self::$plugin_name)) . '" style="color: orange; font-weight: bold;">' . __('Buy Now', 'deny-all-firewall') . '</a>';
 
                     } else {
 
-                        $settings_links[] = '<a href="' . esc_url(self::upgrade_link()) . '" title="' . esc_attr(sprintf(__('Buy %s', self::$plugin_text_domain), self::$plugin_name)) . '" style="color: orange; font-weight: bold;">' . __('Buy Now', self::$plugin_text_domain) . '</a>';
+/* translators: name of the plugin */
+                        $settings_links[] = '<a href="' . esc_url(self::upgrade_link()) . '" title="' . esc_attr(sprintf(__('Buy %s', 'deny-all-firewall'), self::$plugin_name)) . '" style="color: orange; font-weight: bold;">' . __('Buy Now', 'deny-all-firewall') . '</a>';
 
                     }
@@ -294 +311 @@
                 } else {
 
-                    $settings_links[] = '<a href="' . esc_url(self::upgrade_link()) . '" title="' . esc_attr((self::$plugin_premium_class ? sprintf(__('Upgrade now to %s Premium', self::$plugin_text_domain), self::$plugin_name) : sprintf(__('Contribute to %s', self::$plugin_text_domain), self::$plugin_name))) . '" style="color: orange; font-weight: bold;">' . (self::$plugin_premium_class ? __('Upgrade', self::$plugin_text_domain) : __('Support Us', self::$plugin_text_domain)) . '</a>';
+/* translators: name of the plugin */
+                    $settings_links[] = '<a href="' . esc_url(self::upgrade_link()) . '" title="' . esc_attr((self::$plugin_premium_class ? sprintf(__('Upgrade now to %s Premium', 'deny-all-firewall'), self::$plugin_name) : sprintf(__('Contribute to %s', 'deny-all-firewall'), self::$plugin_name))) . '" style="color: orange; font-weight: bold;">' . (self::$plugin_premium_class ? __('Upgrade', 'deny-all-firewall') : __('Support Us', 'deny-all-firewall')) . '</a>';
 
                 }
@@ -300 +318 @@
                 if ($premium) {
 
-                    $settings_links[] = '<a href="' . wp_nonce_url('?activate-' . self::$plugin_prefix . '=true', self::$plugin_prefix . '_activate') . '" id="' . self::$plugin_prefix . '_activate_upgrade" title="' . esc_attr(__('Activate Purchase', self::$plugin_text_domain)) . '" onclick="jQuery(this).append(&#39; <img src=&#34;/wp-admin/images/loading.gif&#34; style=&#34;float: none; width: auto; height: auto;&#34; />&#39;); setTimeout(function(){document.getElementById(\'' . self::$plugin_prefix . '_activate_upgrade\').removeAttribute(\'href\');},1); return true;">' . __('Activate Purchase', self::$plugin_text_domain) . '</a>';
-
-                } elseif (self::$plugin_trial && !is_plugin_active(self::$plugin_text_domain . '-premium/' . self::$plugin_text_domain . '-premium.php')) {
-
-                    $settings_links[] = '<a href="' . esc_url(self::premium_link()) . '" title="' . esc_attr(sprintf(__('Trial %s Premium', self::$plugin_text_domain), self::$plugin_name)) . ' for 7 days">' . __('Download Trial', self::$plugin_text_domain) . '</a>';
+                    $settings_links[] = '<a href="' . wp_nonce_url('?activate-' . self::$plugin_prefix . '=true', self::$plugin_prefix . '_activate') . '" id="' . self::$plugin_prefix . '_activate_upgrade" title="' . esc_attr(__('Activate Purchase', 'deny-all-firewall')) . '" onclick="jQuery(this).append(&#39; <img src=&#34;/wp-admin/images/loading.gif&#34; style=&#34;float: none; width: auto; height: auto;&#34; />&#39;); setTimeout(function(){document.getElementById(\'' . self::$plugin_prefix . '_activate_upgrade\').removeAttribute(\'href\');},1); return true;">' . __('Activate Purchase', 'deny-all-firewall') . '</a>';
+
+                } elseif (self::$plugin_trial && !is_plugin_active('deny-all-firewall' . '-premium/' . 'deny-all-firewall' . '-premium.php')) {
+
+/* translators: name of the plugin */
+                    $settings_links[] = '<a href="' . esc_url(self::premium_link()) . '" title="' . esc_attr(sprintf(__('Trial %s Premium', 'deny-all-firewall'), self::$plugin_name)) . ' for 7 days">' . __('Download Trial', 'deny-all-firewall') . '</a>';
 
                 }
@@ -310 +329 @@
             } elseif ($premium) {
 
-                $settings_links[] = '<strong style="color: green; display: inline;">' . __('Purchase Confirmed', self::$plugin_text_domain) . '</strong>';
+                $settings_links[] = '<strong style="color: green; display: inline;">' . __('Purchase Confirmed', 'deny-all-firewall') . '</strong>';
 
             }
@@ -320 +339 @@
         public static function plugin_row_meta($plugin_meta, $plugin_file, $plugin_data, $status) {
 
-            if ($plugin_file === self::$plugin_text_domain . '/' . self::$plugin_text_domain . '.php') {
-
-                $plugin_meta[] = '<a href="' . esc_url(self::support_url()) . '" title="' . __('Problems? We are here to help!', self::$plugin_text_domain) . '" style="color: orange; font-weight: bold;">' . __('Need help?', self::$plugin_text_domain) . '</a>';
-                $plugin_meta[] = '<a href="https://wordpress.org/support/plugin/' . self::$plugin_text_domain . '/reviews/#new-post" title="' . esc_attr(sprintf(__('If you like %s, please leave a review!', self::$plugin_text_domain), self::$plugin_name)) . '">' . __('Review plugin', self::$plugin_text_domain) . '</a>';
+            if ($plugin_file === 'deny-all-firewall' . '/' . 'deny-all-firewall' . '.php') {
+
+                $plugin_meta[] = '<a href="' . esc_url(self::support_url()) . '" title="' . __('Problems? We are here to help!', 'deny-all-firewall') . '" style="color: orange; font-weight: bold;">' . __('Need help?', 'deny-all-firewall') . '</a>';
+/* translators: name of the plugin */
+                $plugin_meta[] = '<a href="https://wordpress.org/support/plugin/' . 'deny-all-firewall' . '/reviews/#new-post" title="' . esc_attr(sprintf(__('If you like %s, please leave a review!', 'deny-all-firewall'), self::$plugin_name)) . '">' . __('Review plugin', 'deny-all-firewall') . '</a>';
 
             }
@@ -353 +373 @@
             if (self::$plugin_premium_class) {
 
-                if (get_option(self::$plugin_prefix . '_purchased') && !class_exists(self::$plugin_premium_class) && get_user_meta(get_current_user_id(), self::$plugin_prefix . '-notice-dismissed', true) != self::plugin_version()) {
-
-?>
-
-<div class="notice notice-error is-dismissible <?php echo self::$plugin_prefix; ?>-notice">
-
-<p><strong><?php echo self::$plugin_name; ?></strong><br />
-<?php esc_html_e('In order to use the premium features, you need to install the premium version of the plugin ...', self::$plugin_text_domain); ?></p>
-
-<p><a href="<?php echo esc_url(self::premium_link()); ?>" title="<?php echo esc_attr(sprintf(__('Download %s Premium', self::$plugin_text_domain), self::$plugin_name)); ?>" class="button-primary"><?php printf(__('Download %s Premium', self::$plugin_text_domain), self::$plugin_name); ?></a></p>
+                if (
+                    get_option(self::$plugin_prefix . '_purchased') &&
+                    !class_exists(self::$plugin_premium_class) &&
+                    get_user_meta(get_current_user_id(), self::$plugin_prefix . '-notice-dismissed', true) != self::plugin_version()
+                ) {
+
+?>
+
+<div class="notice notice-error is-dismissible <?php echo esc_html(self::$plugin_prefix); ?>-notice">
+
+<p><strong><?php echo esc_html(self::$plugin_name); ?></strong><br />
+<?php esc_html_e('In order to use the premium features, you need to install the premium version of the plugin ...', 'deny-all-firewall'); ?></p>
+
+<p><a href="<?php
+/* translators: name of the plugin */
+echo esc_url(self::premium_link()); ?>" title="<?php echo esc_attr(sprintf(__('Download %s Premium', 'deny-all-firewall'), self::$plugin_name)); ?>" class="button-primary"><?php printf(esc_html(__('Download %s Premium', 'deny-all-firewall')), esc_html(self::$plugin_name)); ?></a></p>
 
 </div>
 
 <script type="text/javascript">
-    jQuery(document).on('click', '.<?php echo self::$plugin_prefix; ?>-notice .notice-dismiss', function() {
+    jQuery(document).on('click', '.<?php echo esc_attr(self::$plugin_prefix); ?>-notice .notice-dismiss', function() {
         jQuery.ajax({
             url: ajaxurl,
             data: {
-                action: 'dismiss_<?php echo self::$plugin_prefix; ?>_notice_handler',
-                _ajax_nonce: '<?php echo wp_create_nonce(self::$plugin_prefix . '-ajax-nonce'); ?>'
+                action: 'dismiss_<?php echo esc_attr(self::$plugin_prefix); ?>_notice_handler',
+                _ajax_nonce: '<?php echo esc_attr(wp_create_nonce(self::$plugin_prefix . '-ajax-nonce')); ?>'
             }
         });
@@ -380 +406 @@
 <?php
 
-                } elseif (!class_exists(self::$plugin_premium_class) && time() > (strtotime('+1 hour', filectime(__DIR__))) && get_user_meta(get_current_user_id(), self::$plugin_prefix . '-notice-dismissed', true) != self::plugin_version()) {
-
-?>
-
-<div class="notice notice-info is-dismissible <?php echo self::$plugin_prefix; ?>-notice">
-
-<p><strong><?php printf(__('Thank you for using %s plugin', self::$plugin_text_domain), self::$plugin_name); ?></strong><br />
+                } elseif (
+                    !class_exists(self::$plugin_premium_class) &&
+                    time() > (strtotime('+1 hour', filectime(__DIR__))) &&
+                    get_user_meta(get_current_user_id(), self::$plugin_prefix . '-notice-dismissed', true) != self::plugin_version()
+                ) {
+
+?>
+
+<div class="notice notice-info is-dismissible <?php echo esc_attr(self::$plugin_prefix); ?>-notice">
+
+    <p style="font-size:15px;"><strong><?php
+/* translators: name of the plugin */
+printf(esc_html(__('Thank you for using %s plugin', 'deny-all-firewall')), esc_html(self::$plugin_name)); ?></strong></p>
 <?php
 
                     if (self::$plugin_trial == true) {
 
-                        _e('Would you like to try even more features? Download your 7 day free trial now!', self::$plugin_text_domain); 
+?>
+
+    <p><?php echo esc_html(__('Would you like to try even more features? Download your 7 day free trial now!', 'deny-all-firewall')); ?></p>
+<?php
 
                     } else {
 
-                        echo sprintf(__('Upgrade now to %s Premium to enable more options and features and contribute to the further development of this plugin.', self::$plugin_text_domain), self::$plugin_name);
+?>
+
+    <p>
+        <?php
+/* translators: name of the plugin */
+                        echo esc_html(sprintf(__('Upgrade now to %s Premium to enable more options and features and contribute to the further development of this plugin.', 'deny-all-firewall'), self::$plugin_name)); ?>
+    </p>
+<?php
 
                     }
 
-?></p>
-
-<p><?php
+?>
+
+    <p><?php
 
                     if (self::$plugin_trial == true) {
@@ -407 +449 @@
 ?>
 
-<a href="<?php echo esc_url(self::premium_link()); ?>" title="<?php echo esc_attr(sprintf(__('Try %s Premium', self::$plugin_text_domain), self::$plugin_name)); ?>" class="button-primary"><?php printf(__('Trial %s Premium for 7 days', self::$plugin_text_domain), self::$plugin_name); ?></a>
-
+        <a href="<?php echo esc_url(self::premium_link()); ?>" 
+           title="<?php
+/* translators: name of the plugin */
+echo esc_attr(sprintf(__('Try %s Premium', 'deny-all-firewall'), self::$plugin_name)); ?>" 
+           class="button-secondary">
+           <?php echo esc_html(__('Try premium plugin free for 7 days', 'deny-all-firewall')); ?>
+        </a>
 <?php
 
@@ -414 +461 @@
 
 ?>
-<a href="<?php echo esc_url(self::upgrade_link()); ?>" title="<?php echo esc_attr(sprintf(__('Upgrade now to %s Premium', self::$plugin_text_domain), self::$plugin_name)); ?>" class="button-primary"><?php printf(__('Upgrade now to %s Premium', self::$plugin_text_domain), self::$plugin_name); ?></a></p>
+
+        <a href="<?php echo esc_url(self::upgrade_link()); ?>" 
+           title="<?php
+/* translators: name of the plugin */
+echo esc_attr(sprintf(__('Upgrade now to %s Premium', 'deny-all-firewall'), self::$plugin_name)); ?>" 
+           class="button-primary">
+           <?php echo esc_html(__('Upgrade now to premium plugin', 'deny-all-firewall')); ?>
+        </a>
+
+    </p>
+
+    <hr style="margin:12px 0;">
+
+    <p>
+        <strong>✨ Need help with your WordPress site?</strong>
+        🚀 Slow, want new features, or need a glow-up?
+        <a href="https://webd.uk/services/?utm_campaign=notice&utm_term=deny-all-firewall" class="button-secondary" style="margin-left:6px; vertical-align: middle;">Explore our services</a>
+    </p>
 
 </div>
 
 <script type="text/javascript">
-    jQuery(document).on('click', '.<?php echo self::$plugin_prefix; ?>-notice .notice-dismiss', function() {
+    jQuery(document).on('click', '.<?php echo esc_attr(self::$plugin_prefix); ?>-notice .notice-dismiss', function() {
         jQuery.ajax({
             url: ajaxurl,
             data: {
-                action: 'dismiss_<?php echo self::$plugin_prefix; ?>_notice_handler',
-                _ajax_nonce: '<?php echo wp_create_nonce(self::$plugin_prefix . '-ajax-nonce'); ?>'
+                action: 'dismiss_<?php echo esc_attr(self::$plugin_prefix); ?>_notice_handler',
+                _ajax_nonce: '<?php echo esc_attr(wp_create_nonce(self::$plugin_prefix . '-ajax-nonce')); ?>'
             }
         });
@@ -434 +498 @@
                 }
 
-            } elseif (time() > (strtotime('+1 hour', filectime(__DIR__))) && get_user_meta(get_current_user_id(), self::$plugin_prefix . '-notice-dismissed', true) != self::plugin_version() && !get_option(self::$plugin_prefix . '_donated')) {
-
-?>
-
-<div class="notice notice-info is-dismissible <?php echo self::$plugin_prefix; ?>-notice">
-<p><strong><?php printf(__('Thank you for using %s plugin', self::$plugin_text_domain), self::$plugin_name); ?></strong></p>
-<?php
-
+            } elseif (
+                time() > (strtotime('+1 hour', filectime(__DIR__))) &&
+                get_user_meta(get_current_user_id(), self::$plugin_prefix . '-notice-dismissed', true) != self::plugin_version() &&
+                !get_option(self::$plugin_prefix . '_donated')
+            ) {
+
+?>
+
+<div class="notice notice-info is-dismissible <?php echo esc_attr(self::$plugin_prefix); ?>-notice">
+
+    <p><strong><?php
+/* translators: name of the plugin */
+printf(esc_html(__('Thank you for using %s plugin', 'deny-all-firewall')), esc_html(self::$plugin_name)); ?></strong></p>
+<?php
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.DynamicHooknameFound
                 do_action(self::$plugin_prefix . '_admin_notice_donate');
 
 ?>
-<p><?php esc_html_e('Funding plugins like this one with small financial contributions is essential to pay the developers to continue to do what they do. Please take a moment to give a small amount ...', self::$plugin_text_domain); ?></p>
-<p><a href="<?php echo esc_url(self::upgrade_link()); ?>" title="<?php echo esc_attr(sprintf(__('Contribute to %s', self::$plugin_text_domain), self::$plugin_name)); ?>" class="button-primary"><?php printf(__('Contribute to %s', self::$plugin_text_domain), self::$plugin_name); ?></a> <a href="#" id="<?php echo self::$plugin_prefix; ?>-already-paid" title="<?php echo esc_attr(__('Aleady Contributed!', self::$plugin_text_domain)); ?>" class="button-primary"><?php esc_html_e('Aleady Contributed!', self::$plugin_text_domain); ?></a></p>
+
+    <p><?php esc_html_e('Funding plugins like this one with small financial contributions is essential to pay the developers to continue to do what they do. Please take a moment to give a small amount ...', 'deny-all-firewall'); ?></p>
+
+    <p><a href="<?php echo esc_url(self::upgrade_link()); ?>" title="<?php
+/* translators: name of the plugin */
+echo esc_attr(sprintf(__('Contribute to %s', 'deny-all-firewall'), self::$plugin_name)); ?>" class="button-primary"><?php echo esc_html(__('Buy us a coffee ☕️', 'deny-all-firewall')); ?></a> <a href="#" id="<?php echo esc_attr(self::$plugin_prefix); ?>-already-paid" title="<?php echo esc_attr(__('Aleady Contributed!', 'deny-all-firewall')); ?>" class="button-secondary"><?php esc_html_e('Aleady Contributed!', 'deny-all-firewall'); ?></a></p>
+
+    <hr style="margin:12px 0;">
+
+    <p>
+        <strong>✨ Need help with your WordPress site?</strong>
+        🚀 Slow, want new features, or need a glow-up?
+        <a href="https://webd.uk/services/?utm_campaign=notice&utm_term=deny-all-firewall" class="button-secondary" style="margin-left:6px; vertical-align: middle;">Explore our services</a>
+    </p>
+
 </div>
 
 <script type="text/javascript">
-    jQuery(document).on('click', '#<?php echo self::$plugin_prefix; ?>-already-paid', function() {
-        if (confirm(<?php echo json_encode(__('Have you really? Press "Cancel" if you forgot to 🙂', self::$plugin_text_domain)); ?>)) {
-            alert(<?php echo json_encode(__('Thank you!', self::$plugin_text_domain)); ?>);
-            jQuery('.<?php echo self::$plugin_prefix; ?>-notice').fadeTo(100, 0, function() {
-                jQuery('.<?php echo self::$plugin_prefix; ?>-notice').slideUp(100, function() {
-                    jQuery('.<?php echo self::$plugin_prefix; ?>-notice').remove()
+    jQuery(document).on('click', '#<?php echo esc_attr(self::$plugin_prefix); ?>-already-paid', function() {
+        if (confirm(<?php echo json_encode(__('Have you really? Press "Cancel" if you forgot to 🙂', 'deny-all-firewall')); ?>)) {
+            alert(<?php echo json_encode(__('Thank you!', 'deny-all-firewall')); ?>);
+            jQuery('.<?php echo esc_attr(self::$plugin_prefix); ?>-notice').fadeTo(100, 0, function() {
+                jQuery('.<?php echo esc_attr(self::$plugin_prefix); ?>-notice').slideUp(100, function() {
+                    jQuery('.<?php echo esc_attr(self::$plugin_prefix); ?>-notice').remove()
                 });
             });
@@ -461 +546 @@
                 url: ajaxurl,
                 data: {
-                    action: 'dismiss_<?php echo self::$plugin_prefix; ?>_notice_handler',
+                    action: 'dismiss_<?php echo esc_attr(self::$plugin_prefix); ?>_notice_handler',
                     donated: 'true',
-                    _ajax_nonce: '<?php echo wp_create_nonce(self::$plugin_prefix . '-ajax-nonce'); ?>'
+                    _ajax_nonce: '<?php echo esc_attr(wp_create_nonce(self::$plugin_prefix . '-ajax-nonce')); ?>'
                 }
             });
         } else {
-            window.location.assign('<?php echo self::upgrade_link(); ?>');
+            window.location.assign('<?php echo esc_url(self::upgrade_link()); ?>');
         }
     });
-    jQuery(document).on('click', '.<?php echo self::$plugin_prefix; ?>-notice .notice-dismiss', function() {
+    jQuery(document).on('click', '.<?php echo esc_attr(self::$plugin_prefix); ?>-notice .notice-dismiss', function() {
         jQuery.ajax({
             url: ajaxurl,
             data: {
-                action: 'dismiss_<?php echo self::$plugin_prefix; ?>_notice_handler',
-                _ajax_nonce: '<?php echo wp_create_nonce(self::$plugin_prefix . '-ajax-nonce'); ?>'
+                action: 'dismiss_<?php echo esc_attr(self::$plugin_prefix); ?>_notice_handler',
+                _ajax_nonce: '<?php echo esc_attr(wp_create_nonce(self::$plugin_prefix . '-ajax-nonce')); ?>'
             }
         });
@@ -509 +594 @@
                     is_admin() && 
                     $pagenow === 'customize.php' &&
-                    isset($_GET['theme']) && 
-                    !in_array($_GET['theme'], $themes, true)
+                    isset($_GET['theme']) && // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                    !in_array($_GET['theme'], $themes, true) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
                 ) && !(
                     !is_admin() && 
                     $pagenow === 'index.php' &&
-                    isset($_GET['customize_theme']) && 
-                    isset($_GET['customize_changeset_uuid']) && 
-                    !in_array($_GET['customize_theme'], $themes, true)
+                    isset($_GET['customize_theme']) && // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                    isset($_GET['customize_changeset_uuid']) && // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                    !in_array($_GET['customize_theme'], $themes, true) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
                 )
             ) {
@@ -530 +615 @@
                     is_admin() && 
                     $pagenow === 'customize.php' &&
-                    isset($_GET['theme']) && 
-                    in_array($_GET['theme'], $themes, true)
+                    isset($_GET['theme']) && // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                    in_array($_GET['theme'], $themes, true) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
                 ) || (
                     !is_admin() && 
                     $pagenow === 'index.php' &&
-                    isset($_GET['customize_theme']) && 
-                    isset($_GET['customize_changeset_uuid']) && 
-                    in_array($_GET['customize_theme'], $themes, true)
+                    isset($_GET['customize_theme']) && // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                    isset($_GET['customize_changeset_uuid']) && // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                    in_array($_GET['customize_theme'], $themes, true) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
                 ))
             ) {
@@ -549 +634 @@
                     !is_admin() && 
                     $pagenow === 'index.php' &&
-                    isset($_GET['customize_theme']) && 
-                    isset($_GET['customize_changeset_uuid'])
+                    isset($_GET['customize_theme']) && // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                    isset($_GET['customize_changeset_uuid']) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
                 
             ) {
 
-                $child = wp_get_theme($_GET['customize_theme']);
+                $child = wp_get_theme(sanitize_file_name(wp_unslash($_GET['customize_theme']))); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 
                 if (isset($child->template) && in_array($child->template, $themes, true)) {
@@ -568 +653 @@
                 is_admin() && 
                 ($pagenow === 'customize.php' || $pagenow === 'admin-ajax.php') &&
-                isset($_GET['theme']) || (isset($_POST['customize_theme']) && isset($_POST['customize_changeset_uuid']))
+                (
+                    isset($_GET['theme']) || // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                    (
+                        isset($_POST['customize_theme']) && // phpcs:ignore WordPress.Security.NonceVerification.Missing
+                        isset($_POST['customize_changeset_uuid']) // phpcs:ignore WordPress.Security.NonceVerification.Missing
+                    )
+                )
             ) {
 
-                if (isset($_GET['theme'])) {
-
-                    $child = wp_get_theme($_GET['theme']);
+                if (isset($_GET['theme'])) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+
+                    $child = wp_get_theme(sanitize_file_name(wp_unslash($_GET['theme']))); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 
                 } else {
 
-                    $child = wp_get_theme($_POST['customize_theme']);
+                    $child = wp_get_theme(sanitize_file_name(wp_unslash($_POST['customize_theme']))); // phpcs:ignore WordPress.Security.NonceVerification.Missing
 
                 }
@@ -599 +690 @@
 if (!function_exists('webd_customize_register')) {
 
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound
     function webd_customize_register($wp_customize) {
 
         if (!class_exists('webd_Customize_Control_Checkbox_Multiple')) {
 
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound
             class webd_Customize_Control_Checkbox_Multiple extends WP_Customize_Control {
 
@@ -622 +715 @@
 
 ?>
-<span class="description customize-control-description"><?php echo $this->description; ?></span>
+<span class="description customize-control-description"><?php echo esc_html($this->description); ?></span>
 <?php
 
@@ -647 +740 @@
 ?>
         </ul>
-        <input type="hidden" id="_customize-input-<?php echo $this->id; ?>" <?php $this->link(); ?> value="<?php echo esc_attr(implode(',', $multi_values)); ?>" />
+        <input type="hidden" id="_customize-input-<?php echo esc_attr($this->id); ?>" <?php $this->link(); ?> value="<?php echo esc_attr(implode(',', $multi_values)); ?>" />
 <?php
 

deny-all-firewall/tags/1.8.5/readme.txt

@@ -6 +6 @@
 Tested up to: 6.9
 Requires PHP: 5.6
-Stable tag: 1.8.4
+Stable tag: 1.8.5
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -50 +50 @@
 
 == Changelog ==
+
+= 1.8.5 =
+* General housekeeping preparing for "Plugin Check" code review
 
 = 1.8.4 =
@@ -333 +336 @@
 == Upgrade Notice ==
 
-= 1.8.4 =
-* Added automatic whitelisting of Apple Pay verification file if WooCommerce is installed and the file is present
+= 1.8.5 =
+* General housekeeping preparing for "Plugin Check" code review

deny-all-firewall/tags/1.8.5/remote-addr.php

@@ -1 +1 @@
 <?php
+
+define('SHORTINIT', true);
+require_once('../../../wp-load.php');
 
 if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
 
-    die($_SERVER['HTTP_CF_CONNECTING_IP']);
+    die(esc_html(filter_var(wp_unslash($_SERVER['HTTP_CF_CONNECTING_IP']), FILTER_VALIDATE_IP)));
 
 } elseif (isset($_SERVER['REMOTE_ADDR'])) {
 
-    die($_SERVER['REMOTE_ADDR']);
+    die(esc_html(filter_var(wp_unslash($_SERVER['REMOTE_ADDR']), FILTER_VALIDATE_IP)));
+
+} else {
+
+    die();
 
 }
 
-die();
-
 ?>

deny-all-firewall/trunk/403.php

@@ -4 +4 @@
 header("Cache-Control: post-check=0, pre-check=0", false);
 header("Pragma: no-cache");
-header($_SERVER['SERVER_PROTOCOL']." 403 Forbidden", true, 403);
-
-$request_uri = $_SERVER['REQUEST_URI'];
-
-if (file_exists(dirname(dirname(__DIR__)).'/ENABLE_403_LOG')) {
-
-    $redirect_url = preg_replace('/\?.*/', '', $request_uri);
-
-    if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
-
-        $remote_addr = $_SERVER['HTTP_CF_CONNECTING_IP'];
-
-    } else {
-
-        $remote_addr = $_SERVER['REMOTE_ADDR'];
+http_response_code(403);
+
+if (isset($_SERVER['REQUEST_URI'])) {
+
+    define('SHORTINIT', true);
+    require_once('../../../wp-load.php');
+    require_once(ABSPATH . WPINC . '/kses.php');
+    require_once(ABSPATH . WPINC . '/blocks.php');
+    require_once(ABSPATH . WPINC . '/formatting.php');
+    require_once(ABSPATH . WPINC . '/class-wp-block-parser.php');
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+    $deny_all_firewall_request_uri = sanitize_url(wp_unslash($_SERVER['REQUEST_URI']));
+
+    if (file_exists(dirname(dirname(__DIR__)).'/ENABLE_403_LOG')) {
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+        $deny_all_firewall_redirect_url = preg_replace('/\?.*/', '', $deny_all_firewall_request_uri);
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+        $deny_all_firewall_remote_addr = '';
+
+        if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+            $deny_all_firewall_remote_addr = filter_var(wp_unslash($_SERVER['HTTP_CF_CONNECTING_IP']), FILTER_VALIDATE_IP);
+
+        } elseif (isset($_SERVER['REMOTE_ADDR'])) {
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+            $deny_all_firewall_remote_addr = filter_var(wp_unslash($_SERVER['REMOTE_ADDR']), FILTER_VALIDATE_IP);
+
+        }
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+        $deny_all_firewall_log_entry = json_encode(array(
+            'time' => time(),
+            'remote_addr' => $deny_all_firewall_remote_addr,
+            'redirect_url' => $deny_all_firewall_redirect_url
+            // 'query_string' => $_GET,
+            // 'post' => $_POST
+            // 'server' => $_SERVER
+        )).PHP_EOL;
+        file_put_contents(dirname(dirname(__DIR__)).'/403.log', $deny_all_firewall_log_entry, FILE_APPEND | LOCK_EX);
 
     }
-
-    $log_entry = json_encode(array(
-        'time' => time(),
-        'remote_addr' => $remote_addr,
-        'redirect_url' => $redirect_url
-        // 'query_string' => $_GET,
-        // 'post' => $_POST
-        // 'server' => $_SERVER
-    )).PHP_EOL;
-    file_put_contents(dirname(dirname(__DIR__)).'/403.log', $log_entry, FILE_APPEND | LOCK_EX);
-
-}
 
 ?><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
@@ -39 +55 @@
 <style>
 body {
-    font-family: 'Courier New', Courier, monospace;
+    font-family: Arial, Helvetica, sans-serif;
     position: absolute;
     box-sizing: border-box;
@@ -46 +62 @@
     top: 50%;
     transform: translateY(-50%);
-    border: 1px dashed black;
+    border: 1px solid #d9d9d9;
     padding: 1rem;
+    color: #515151;
 }
 h1, h2, h3, h4, h5, h6 {
-    font-weight: normal;
+    color: #d9d9d9;
+    text-transform: lowercase;
+}
+a {
+    color: #55c1e4;
+    text-decoration: none;
+}
+a:hover {
+    color: #515151;
 }
 hr {
-    border-top: 1px dashed black;
+    border: none;
+    border-top: 1px solid #d9d9d9;
 }
 .alignleft {
@@ -60 +86 @@
     margin-right: 1.5em;
 }
-
 .alignright {
     display: inline;
@@ -66 +91 @@
     margin-left: 1.5em;
 }
-
 .aligncenter {
     clear: both;
@@ -76 +100 @@
     margin-bottom: 0;
 }
-form {
-    text-align: center;
-}
 </style>
 </head>
@@ -84 +105 @@
 <?php
 
-    $admin_hints = '<h2>If you own this site ...</h2>
-';
-
-    if (substr($request_uri, 0, strlen('/wp-login.php')) === '/wp-login.php') {
-
-        $admin_hints .= '<p>If this is your website and you are trying to login to your dashboard:</p>
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+    $deny_all_firewall_admin_hints = '<h2>If you own this site ...</h2>
+';
+
+    if (substr($deny_all_firewall_request_uri, 0, strlen('/wp-login.php')) === '/wp-login.php') {
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+        $deny_all_firewall_admin_hints .= '<p>If this is your website and you are trying to login to your dashboard:</p>
 <ul>
 <li>You need to login using your secret login address</li>
@@ -96 +119 @@
 ';
 
-    } elseif (substr($request_uri, 0, strlen('/wp-admin/')) === '/wp-admin/') {
-
-        $admin_hints .= '<p>If this is your website and you are trying to use your dashboard:</p>
+    } elseif (substr($deny_all_firewall_request_uri, 0, strlen('/wp-admin/')) === '/wp-admin/') {
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+        $deny_all_firewall_admin_hints .= '<p>If this is your website and you are trying to use your dashboard:</p>
 <ul>
 <li>You need to <a href="/wp-admin/">login first</a></li>
@@ -107 +131 @@
     } else {
 
-        $admin_hints .= '<p>If this is your website and this page should not be blocked you can try the following to unblock this page:</p>
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+        $deny_all_firewall_admin_hints .= '<p>If this is your website and this page should not be blocked you can try the following to unblock this page:</p>
 <ul>
-<li>Sign into your Wordpress dashboard</li>
+<li>Sign into your WordPress dashboard</li>
 <li>Go to "Settings - Deny All Firewall"</li>
 <li>Tick the box "Enable Log" and click "Save Changes"</li>
 <li>Visit this blocked page again and return to "Dashboard - Settings - Deny All Firewall"</li>
 <li>Find the blocked page in the log file, click "Unblock", untick "Enable logging of blocked requests" and then "Save Changes"</li>
-<li>If that doesn\'t work, select "Firewall Disabled", click "Save Changes" and <a href="https://wordpress.org/support/plugin/deny-all-firewall/" title="Support Forum">contact us on the support forum</a></li>
+<li>If that doesn\'t work, select "Firewall Disabled", click "Save Changes" and <a href="https://webd.uk/support/" title="Web:D support">contact us for support</a></li>
 </ul>
 ';
@@ -120 +145 @@
     }
 
-    $search = '<form role="search" method="get" class="search-form" action="/">
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+    $deny_all_firewall_search = '<form role="search" method="get" class="search-form" action="/">
     <label for="search-form">Search…</label>
-    <input type="search" id="search-form" class="search-field" value="' . trim(strtolower(preg_replace('/\s+/', ' ', preg_replace('/[^a-zA-Z ]/', ' ', $request_uri)))) . '" name="s">
+    <input type="search" id="search-form" class="search-field" value="' . trim(strtolower(preg_replace('/\s+/', ' ', preg_replace('/[^a-zA-Z ]/', ' ', $deny_all_firewall_request_uri)))) . '" name="s">
     <input type="submit" class="search-submit" value="Search">
-</form>';
-
-    $contents = '<h1>Forbidden</h1>
+</form>
+';
+
+    if (file_exists(dirname(dirname(__DIR__)).'/403.html')) {
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+        $deny_all_firewall_contents = file_get_contents(dirname(dirname(__DIR__)) . '/403.html');
+
+    } else {
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+        $deny_all_firewall_contents = '<h1>Forbidden</h1>
 <p>You don\'t have permission to access [requested-page] on this server.</p>
 [search]
 <hr>
 <h2>Why am I seeing this page?</h2>
-<p>This address has been blocked by <a href="https://wordpress.org/plugins/deny-all-firewall/" title="Deny All Firewall">Deny All Firewall</a> plugin for Wordpress by <a href="https://webd.uk" title="webd.uk">webd.uk</a>.</i></p>
-[admin-hints]';
-
-    if (file_exists(dirname(dirname(__DIR__)).'/403.html')) {
-
-        $contents = file_get_contents(dirname(dirname(__DIR__)) . '/403.html');
+<p>This address has been blocked by Deny All Firewall plugin for WordPress by <a href="https://webd.uk" title="Web:D"><strong>Web:D</strong></a>.</i></p>
+[admin-hints]
+';
 
     }
 
-    $contents = str_replace(array('[requested-page]', '[admin-hints]', '[search]'), array(htmlentities($request_uri), $admin_hints, $search), $contents);
-    echo $contents;
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
+    $deny_all_firewall_contents = str_replace(
+        array(
+            '[requested-page]',
+            '[admin-hints]',
+            '[search]'
+        ), array(
+            htmlentities($deny_all_firewall_request_uri),
+            $deny_all_firewall_admin_hints,
+            $deny_all_firewall_search
+        ),
+        $deny_all_firewall_contents
+    );
+
+    echo wp_kses($deny_all_firewall_contents, array_merge(
+        wp_kses_allowed_html('post'),
+        array(
+            'form' => array(
+                'role' => array(),
+                'method' => array(),
+                'class' => array(),
+                'action' => array()
+            ),
+            'input' => array(
+                'type' => array(),
+                'class' => array(),
+                'id' => array(),
+                'value' => array(),
+                'name' => array()
+            )
+        )
+    ));
 
 ?>
@@ -147 +209 @@
 <?php
 
+}
+
     die();
 

deny-all-firewall/trunk/deny-all-firewall.php

@@ -2 +2 @@
 /*
  * Plugin Name: Deny All Firewall
- * Version: 1.8.4
+ * Version: 1.8.5
  * Plugin URI: https://webd.uk/support/
  * Description: Blocks access to everything except genuine site content using .htaccess
  * Author: Webd Ltd
  * Author URI: https://webd.uk
+ * License: GPLv2 or later
+ * License URI: https://www.gnu.org/licenses/old-licenses/gpl-2.0.html
  * Text Domain: deny-all-firewall
  */
@@ -22 +24 @@
     class daf_class {
 
-        public static $version = '1.8.4';
+        public static $version = '1.8.5';
 
         private $black_list;
@@ -106 +108 @@
                     if (get_post_types(array('name' => $second->post_type, 'exclude_from_search' => false))) {
 
-                        if (!$this->daf_is_permalink_in_htaccess(parse_url(get_permalink($item_id)))) {
+                        if (!$this->daf_is_permalink_in_htaccess(wp_parse_url(get_permalink($item_id)))) {
 
                             update_option('daf_content_changed', true);
@@ -118 +120 @@
                 } elseif (!isset($options['allow_all_content']) && current_action() == 'edited_term') {
 
-                    if (!$this->daf_is_permalink_in_htaccess(parse_url(get_term_link($item_id)))) {
+                    if (!$this->daf_is_permalink_in_htaccess(wp_parse_url(get_term_link($item_id)))) {
 
                         update_option('daf_content_changed', true);
@@ -128 +130 @@
                 } elseif (!isset($options['allow_all_content']) && current_action() == 'created_term') {
 
-                    if (!$this->daf_is_permalink_in_htaccess(parse_url(get_term_link($item_id)))) {
+                    if (!$this->daf_is_permalink_in_htaccess(wp_parse_url(get_term_link($item_id)))) {
 
                         update_option('daf_content_changed', true);
@@ -138 +140 @@
                 } elseif (!isset($options['allow_all_content']) && current_action() == 'attachment_updated' && $second instanceof WP_Post && isset($second->post_status) && in_array($second->post_status, array('inherit', 'publish', 'private'))) {
 
-                    if (!$this->daf_is_permalink_in_htaccess(parse_url(get_permalink($second->ID)))) {
+                    if (!$this->daf_is_permalink_in_htaccess(wp_parse_url(get_permalink($second->ID)))) {
 
                         update_option('daf_content_changed', true);
@@ -166 +168 @@
                     }
 
-                    if (isset($second->post_status) && !($second->post_status == 'private' && $extension == 'zip') && in_array($second->post_status, array('inherit', 'publish', 'private')) && !$this->daf_is_permalink_in_htaccess(parse_url(get_permalink($second->ID)))) {
+                    if (isset($second->post_status) && !($second->post_status == 'private' && $extension == 'zip') && in_array($second->post_status, array('inherit', 'publish', 'private')) && !$this->daf_is_permalink_in_htaccess(wp_parse_url(get_permalink($second->ID)))) {
 
                         update_option('daf_content_changed', true);
@@ -198 +200 @@
             }
 
-            if ($reconstructed_host == $_SERVER['HTTP_HOST'] && $permalink['path'] !== '/') {
+            if (
+                isset($_SERVER['HTTP_HOST']) &&
+                $reconstructed_host === $_SERVER['HTTP_HOST'] &&
+                $permalink['path'] !== '/'
+            ) {
 
                 $current_htaccess = file_get_contents(dafCommon::get_home_path() . '.htaccess');
@@ -240 +246 @@
                 data: {
                     action: 'daf_refresh_rules',
-                    _ajax_nonce: '<?php echo wp_create_nonce('daf-refresh-rules'); ?>'
+                    _ajax_nonce: '<?php echo esc_attr(wp_create_nonce('daf-refresh-rules')); ?>'
                 },
                 success: function(result){
@@ -371 +377 @@
             if (!isset($options['enable_log'])) {
 
-                if (file_exists(dirname(dirname(__DIR__)).'/ENABLE_403_LOG')) { unlink(dirname(dirname(__DIR__)).'/ENABLE_403_LOG'); }
-                if (file_exists(dirname(dirname(__DIR__)).'/403.log')) { unlink(dirname(dirname(__DIR__)).'/403.log'); }
+                if (file_exists(dirname(dirname(__DIR__)).'/ENABLE_403_LOG')) { wp_delete_file(dirname(dirname(__DIR__)).'/ENABLE_403_LOG'); }
+                if (file_exists(dirname(dirname(__DIR__)).'/403.log')) { wp_delete_file(dirname(dirname(__DIR__)).'/403.log'); }
 
             } else {
@@ -422 +428 @@
 <h3>Top 50 Blocked Requests in the last 24 Hours</h3>
 
-<p>Your logfile contains details of <strong><?php echo $count_log_entries; ?></strong> blocked requests since <?php echo date_i18n(get_option('date_format') . ' ' . get_option('time_format'), $log_started); ?>.</p>
+<p>Your logfile contains details of <strong><?php echo esc_html($count_log_entries); ?></strong> blocked requests since <?php echo esc_html(date_i18n(get_option('date_format') . ' ' . get_option('time_format'), $log_started)); ?>.</p>
 
 <p>That's <strong><?php echo absint($count_log_entries / ((time() - $log_started) / 3600)) ?> requests</strong> blocked per hour!
@@ -450 +456 @@
 
 <tr>
-<td class="check-column"><?php echo $i; ?>)</td>
-<td class="plugin-title column-primary"><?php echo $key; ?> <?php
-
-                        if (!preg_match('/\/(.*)\.(.*)\//', $key) && file_exists($_SERVER['DOCUMENT_ROOT'] . $key)) {
+<td class="check-column"><?php echo esc_attr($i); ?>)</td>
+<td class="plugin-title column-primary"><?php echo esc_attr($key); ?> <?php
+
+                        if (
+                            !preg_match('/\/(.*)\.(.*)\//', $key) &&
+                            isset($_SERVER['DOCUMENT_ROOT']) &&
+                            file_exists(sanitize_text_field(wp_unslash($_SERVER['DOCUMENT_ROOT'])) . $key)
+                        ) {
 
                             if (preg_match('/\/$/', $key)) {
@@ -468 +478 @@
 
 ?><span class="daf-unblock button button-small" data-request="<?php echo esc_html($key); ?>"><?php esc_html_e('Unblock', 'deny-all-firewall'); ?></span></td>
-<td class="column-total-requests"><?php echo $value; ?></td>
+<td class="column-total-requests"><?php echo esc_html($value); ?></td>
 <td class="column-description"><?php
 
@@ -475 +485 @@
                             if ($request_type['suspicious']) { echo '<span style="color: red;">'; }
 
-                            echo $request_type['description'];
+                            echo esc_html($request_type['description']);
 
                             if ($request_type['suspicious']) { echo '</span>'; }
@@ -750 +760 @@
 
 ?>
+<div class="notice notice-error daf-notice">
+<h2><?php esc_html_e('This plugin is moving home ...','deny-all-firewall'); ?></h2>
+<p><?php esc_html_e('We have taken the decision to move this plugin from the official WordPress repository to our own, in-house repository.','deny-all-firewall'); ?></p>
+<p><?php esc_html_e('This move will happen in early 2026 because the plugin is solely used by clients of Domain Support Ltd (who will automatically be migrated to the new plugin).','deny-all-firewall'); ?></p>
+<p><?php esc_html_e('If you are not a client of Domain Support Ltd and still want to continue to receive updates for this plugin, get in touch ...','deny-all-firewall'); ?></p>
+<p><a href="https://webd.uk/support/" title="<?php esc_attr_e('Contact us', 'deny-all-firewall'); ?>" class="button-primary"><?php esc_html_e('Contact us', 'deny-all-firewall'); ?></a></p>
+</div>
 <p><?php esc_html_e('Use these settings to configure the firewall. You can save these settings again to quickly allow new content through the firewall.','deny-all-firewall'); ?></p>
 <?php
@@ -858 +875 @@
 
 ?>
-<span class="dashicons dashicons-trash"></span><input type="checkbox" onclick="jQuery('#whitelist_<?php echo $args['whitelist_id']; ?>').prop('disabled', function(i, v) { return !v; });" />
+<span class="dashicons dashicons-trash"></span><input type="checkbox" onclick="jQuery('#whitelist_<?php echo esc_attr($args['whitelist_id']); ?>').prop('disabled', function(i, v) { return !v; });" />
 <?php
 
@@ -864 +881 @@
 
 ?>
-<input id="whitelist_<?php echo $args['whitelist_id']; ?>" class="whitelist" name="daf_options[whitelist_<?php echo $args['whitelist_id']; ?>]" type="text" value="<?php echo ((isset($options['whitelist_' . $args['whitelist_id']])) ? sanitize_text_field($options['whitelist_' . $args['whitelist_id']]) : ''); ?>" placeholder="/hello-world/" />
-301 Redirect <input type="checkbox" onclick="jQuery('#whitelist_<?php echo $args['whitelist_id']; ?>_301').val(''); jQuery('#whitelist_<?php echo $args['whitelist_id']; ?>_301').prop('disabled', function(i, v) { return !v; }); jQuery('#whitelist_<?php echo $args['whitelist_id']; ?>_301_wrapper').toggle();"<?php checked(isset($options['whitelist_' . $args['whitelist_id'] . '_301']), true); ?> />
-<span id="whitelist_<?php echo $args['whitelist_id']; ?>_301_wrapper"<?php echo ((!isset($options['whitelist_' . $args['whitelist_id'] . '_301'])) ? ' style="display: none;"' : ''); ?>>to <input id='whitelist_<?php echo $args['whitelist_id']; ?>_301' name='daf_options[whitelist_<?php echo $args['whitelist_id']; ?>_301]' type='text' value='<?php echo ((isset($options['whitelist_' . $args['whitelist_id'] . '_301'])) ? sanitize_text_field($options['whitelist_' . $args['whitelist_id'] . '_301']) : ''); ?>'<?php echo ((!isset($options['whitelist_' . $args['whitelist_id'] . '_301'])) ? ' disabled="disabled"' : ''); ?> placeholder="https://www.hello.com/world/" /></span>
+<input id="whitelist_<?php echo esc_attr($args['whitelist_id']); ?>" class="whitelist" name="daf_options[whitelist_<?php echo esc_attr($args['whitelist_id']); ?>]" type="text" value="<?php echo esc_attr((isset($options['whitelist_' . $args['whitelist_id']])) ? sanitize_text_field($options['whitelist_' . $args['whitelist_id']]) : ''); ?>" placeholder="/hello-world/" />
+301 Redirect <input type="checkbox" onclick="jQuery('#whitelist_<?php echo esc_attr($args['whitelist_id']); ?>_301').val(''); jQuery('#whitelist_<?php echo esc_attr($args['whitelist_id']); ?>_301').prop('disabled', function(i, v) { return !v; }); jQuery('#whitelist_<?php echo esc_attr($args['whitelist_id']); ?>_301_wrapper').toggle();"<?php checked(isset($options['whitelist_' . $args['whitelist_id'] . '_301']), true); ?> />
+<span id="whitelist_<?php echo esc_attr($args['whitelist_id']); ?>_301_wrapper" style="<?php echo esc_attr((!isset($options['whitelist_' . $args['whitelist_id'] . '_301'])) ? 'display:none;' : ''); ?>">to <input id='whitelist_<?php echo esc_attr($args['whitelist_id']); ?>_301' name='daf_options[whitelist_<?php echo esc_attr($args['whitelist_id']); ?>_301]' type='text' value='<?php echo esc_attr((isset($options['whitelist_' . $args['whitelist_id'] . '_301'])) ? sanitize_text_field($options['whitelist_' . $args['whitelist_id'] . '_301']) : ''); ?>'<?php echo esc_attr((!isset($options['whitelist_' . $args['whitelist_id'] . '_301'])) ? ' disabled' : ''); ?> placeholder="https://www.hello.com/world/" /></span>
 <?php
 
@@ -894 +911 @@
 
 ?>
-<p style="color: red"><strong>Yoast SEO is installed so you'll need to <a href="<?php echo 
-add_query_arg( 'page', 'wpseo_page_settings', admin_url('admin.php#/site-features#card-wpseo-enable_xml_sitemap') ); ?>">turn off "XML sitemaps" in the settings</a> to use this sitemap instead.</strong></p>
+<p style="color: red"><strong>Yoast SEO is installed so you'll need to <a href="<?php echo esc_url(add_query_arg( 'page', 'wpseo_page_settings', admin_url('admin.php#/site-features#card-wpseo-enable_xml_sitemap'))); ?>">turn off "XML sitemaps" in the settings</a> to use this sitemap instead.</strong></p>
 <?php
 
@@ -1007 +1023 @@
 
                 $options['forbidden_content'] = wp_kses_post($input['forbidden_content']);
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
                 file_put_contents(dirname(dirname(__DIR__)).'/403.html', apply_filters('the_content', $input['forbidden_content']));
 
@@ -1012 +1029 @@
 
                 unset($options['forbidden_content']);
-                if (file_exists(dirname(dirname(__DIR__)).'/403.html')) { unlink(dirname(dirname(__DIR__)).'/403.html'); } 
+                if (file_exists(dirname(dirname(__DIR__)).'/403.html')) { wp_delete_file(dirname(dirname(__DIR__)).'/403.html'); } 
 
             }
@@ -1134 +1151 @@
         function daf_remove_rules() {
 
-            if (is_writable(dafCommon::get_home_path() . '.htaccess')) {
+            global $wp_filesystem;
+
+            if (!$wp_filesystem) {
+
+                require_once (ABSPATH . '/wp-admin/includes/file.php');
+
+                WP_Filesystem();
+
+            }
+
+            if ($wp_filesystem->is_writable(dafCommon::get_home_path() . '.htaccess')) {
 
                 copy(dafCommon::get_home_path() . '.htaccess', dafCommon::get_home_path() . '.htaccess_bak');
@@ -1171 +1198 @@
                     $newdata = trim($newdata,"\n");
 
-                    $f = @fopen(dafCommon::get_home_path() . '.htaccess', 'w');
-                    fwrite($f, $newdata);
+                    $wp_filesystem->put_contents(
+                        dafCommon::get_home_path() . '.htaccess',
+                        $newdata,
+                        FS_CHMOD_FILE
+                    );
 
                     return true;
@@ -1186 +1216 @@
         function daf_remove_sitemap() {
 
-            if (is_writable(dafCommon::get_home_path() . 'sitemap.xml')) {
-
-                unlink(dafCommon::get_home_path() . 'sitemap.xml');
+            global $wp_filesystem;
+
+            if (!$wp_filesystem) {
+
+                require_once (ABSPATH . '/wp-admin/includes/file.php');
+
+                WP_Filesystem();
+
+            }
+
+            if ($wp_filesystem->is_writable(dafCommon::get_home_path() . 'sitemap.xml')) {
+
+                wp_delete_file(dafCommon::get_home_path() . 'sitemap.xml');
 
             }
 
-            if (is_writable(dafCommon::get_home_path() . 'robots.txt')) {
-
-                unlink(dafCommon::get_home_path() . 'robots.txt');
+            if ($wp_filesystem->is_writable(dafCommon::get_home_path() . 'robots.txt')) {
+
+                wp_delete_file(dafCommon::get_home_path() . 'robots.txt');
 
             }
@@ -1201 +1241 @@
 
         function daf_create_htaccess($current_user_id = false) {
+
+            global $wp_filesystem;
+
+            if (!$wp_filesystem) {
+
+                require_once (ABSPATH . '/wp-admin/includes/file.php');
+
+                WP_Filesystem();
+
+            }
 
             $options = get_option('daf_options');
@@ -1210 +1260 @@
                 if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
 
-                    if (0 === strpos($_SERVER['HTTP_CF_CONNECTING_IP'], $external_ip)) { return false; }
+                    if (0 === strpos(filter_var(wp_unslash($_SERVER['HTTP_CF_CONNECTING_IP']), FILTER_VALIDATE_IP), $external_ip)) { return false; }
 
                 } elseif (isset($_SERVER['REMOTE_ADDR'])) {
 
-                    if (0 === strpos( $_SERVER['REMOTE_ADDR'] , $external_ip )) { return false; }
+                    if (0 === strpos(filter_var(wp_unslash($_SERVER['REMOTE_ADDR']), FILTER_VALIDATE_IP), $external_ip )) { return false; }
 
                 }
@@ -1276 +1326 @@
                 if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
 
-                    update_user_meta($current_user_id, 'daf_REMOTE_ADDR', $_SERVER['HTTP_CF_CONNECTING_IP']);
+                    update_user_meta($current_user_id, 'daf_REMOTE_ADDR', filter_var(wp_unslash($_SERVER['HTTP_CF_CONNECTING_IP']), FILTER_VALIDATE_IP));
 
                 } elseif (isset($_SERVER['REMOTE_ADDR'])) {
 
-                    update_user_meta($current_user_id, 'daf_REMOTE_ADDR', $_SERVER['REMOTE_ADDR']);
+                    update_user_meta($current_user_id, 'daf_REMOTE_ADDR', filter_var(wp_unslash($_SERVER['REMOTE_ADDR']), FILTER_VALIDATE_IP));
 
                 }
@@ -1313 +1363 @@
             }
 
-            $http_url = ((isset($_SERVER['HTTPS']) ? "https" : "http") . '://' . $_SERVER['HTTP_HOST']);
-
             $detected_urls = array();
 
@@ -1342 +1390 @@
                 class_exists('WooCommerce') &&
                 !in_array('/.well-known/apple-developer-merchantid-domain-association', $whitelisted_requests, true) &&
-                file_exists($_SERVER['DOCUMENT_ROOT'] . '/.well-known/apple-developer-merchantid-domain-association')
+                isset($_SERVER['DOCUMENT_ROOT']) &&
+                file_exists(sanitize_text_field(wp_unslash($_SERVER['DOCUMENT_ROOT'])) . '/.well-known/apple-developer-merchantid-domain-association')
             ) {
 
@@ -1363 +1412 @@
                     if (in_array($post->post_type, $all_post_types) && comments_open($post)) {
 
-                        $parsed_url = parse_url(site_url('wp-comments-post.php'));
+                        $parsed_url = wp_parse_url(site_url('wp-comments-post.php'));
 
                         if (!in_array($parsed_url['path'], $whitelisted_requests)) {
@@ -1375 +1424 @@
                     if (class_exists('WooCommerce') && $post->post_type == 'product') {
                 
-                        $parsed_url = parse_url(get_permalink($post));
+                        $parsed_url = wp_parse_url(get_permalink($post));
 
                         if (!in_array($parsed_url['path'], $whitelisted_requests)) {
@@ -1420 +1469 @@
                 $whitelisted_requests[] = $wc_options['product_base'] . '/';
                 $cart_page_id = wc_get_page_id('cart');
-                $parsed_url = parse_url($cart_page_id ? get_permalink($cart_page_id) : '');
+                $parsed_url = wp_parse_url($cart_page_id ? get_permalink($cart_page_id) : '');
 
                 if (isset($parsed_url['path'])) {
@@ -1525 +1574 @@
                 foreach($detected_urls as $key => $url) {
 
-                    $parsed_url = parse_url($url);
+                    $parsed_url = wp_parse_url($url);
 
                     if (isset($parsed_url['port'])) {
@@ -1537 +1586 @@
                     }
 
-                    if ($reconstructed_host != $_SERVER['HTTP_HOST']) {
+                    if (
+                        !isset($_SERVER['HTTP_HOST']) ||
+                        (
+                            isset($_SERVER['HTTP_HOST']) &&
+                            $reconstructed_host !== filter_var(wp_unslash($_SERVER['HTTP_HOST'], FILTER_SANITIZE_URL))
+                        )
+                    ) {
 
                         unset($detected_urls[$key]);
@@ -1580 +1635 @@
 
                 if (!$sitemap_disabled && isset($sitemap_urls) && $sitemap_urls && isset($options['enable_sitemap']) && $options['enable_sitemap'] && 
-                ((!file_exists(dafCommon::get_home_path() . 'sitemap.xml') && is_writable(dafCommon::get_home_path())) || is_writable(dafCommon::get_home_path() . 'sitemap.xml')) && 
-                ((!file_exists(dafCommon::get_home_path() . 'robots.txt') && is_writable(dafCommon::get_home_path())) || is_writable(dafCommon::get_home_path() . 'robots.txt'))) {
+                ((!file_exists(dafCommon::get_home_path() . 'sitemap.xml') && $wp_filesystem->is_writable(dafCommon::get_home_path())) || $wp_filesystem->is_writable(dafCommon::get_home_path() . 'sitemap.xml')) && 
+                ((!file_exists(dafCommon::get_home_path() . 'robots.txt') && $wp_filesystem->is_writable(dafCommon::get_home_path())) || $wp_filesystem->is_writable(dafCommon::get_home_path() . 'robots.txt'))) {
 
                     $sitemap = '<?xml version="1.0" encoding="UTF-8"?>
@@ -1588 +1643 @@
     <url>
         <loc>' . htmlspecialchars(site_url()) . '</loc>
-        <lastmod>' . date('Y-m-d') . '</lastmod>
+        <lastmod>' . gmdate('Y-m-d') . '</lastmod>
         <changefreq>daily</changefreq>
         <priority>1.0</priority>
@@ -1608 +1663 @@
                     $sitemap .= '</urlset>
 ';
-                    $f = @fopen(dafCommon::get_home_path() . 'sitemap.xml', 'w');
-                    fwrite($f, $sitemap);
+
+                    $wp_filesystem->put_contents(
+                        dafCommon::get_home_path() . 'sitemap.xml',
+                        $sitemap,
+                        FS_CHMOD_FILE
+                    );
+
                     $robots = 'User-agent: *
 Disallow: /wp-admin/
@@ -1615 +1675 @@
 Sitemap: ' . site_url('sitemap.xml') . '
 ';
-                    $f = @fopen(dafCommon::get_home_path() . 'robots.txt', 'w');
-                    fwrite($f, $robots);
+
+                    $wp_filesystem->put_contents(
+                        dafCommon::get_home_path() . 'robots.txt',
+                        $robots,
+                        FS_CHMOD_FILE
+                    );
 
                 } else {
@@ -2355 +2419 @@
                 if (get_option('page_for_posts')) {
 
-                    $parsed_url = parse_url(get_permalink(get_option('page_for_posts')));
+                    $parsed_url = wp_parse_url(get_permalink(get_option('page_for_posts')));
                     $htaccess .= "# Allow pages of posts on the posts page
 RewriteCond %{REQUEST_URI} \"!^" . $parsed_url['path'] . "page/([0-9]+)/$\"
@@ -2433 +2497 @@
                 if (isset($checkout_page_url) && $checkout_page_url) {
 
-                    $parsed_url = parse_url($checkout_page_url);
+                    $parsed_url = wp_parse_url($checkout_page_url);
                     $htaccess .= "RewriteCond %{REQUEST_URI} \"!^" . $parsed_url['path'] . "order-pay/\"
 ";
@@ -2441 +2505 @@
                 if (isset($my_account_page_url) && $my_account_page_url) {
 
-                    $parsed_url = parse_url($my_account_page_url);
+                    $parsed_url = wp_parse_url($my_account_page_url);
                     $htaccess .= "RewriteCond %{REQUEST_URI} \"!^" . $parsed_url['path'] . "view-order/\"
 ";
@@ -2496 +2560 @@
         function daf_inject_rules($htaccess = false) {
 
-            if ($htaccess && is_writable(dafCommon::get_home_path() . '.htaccess')) {
+            if ($htaccess && $wp_filesystem->is_writable(dafCommon::get_home_path() . '.htaccess')) {
 
                 $htaccess_rules = file(dafCommon::get_home_path() . '.htaccess');
@@ -2504 +2568 @@
                     $htaccess = $htaccess . "\n" . implode('', $htaccess_rules);
 
-                    $f = @fopen(dafCommon::get_home_path() . '.htaccess', 'w');
-                    fwrite($f, $htaccess);
+                    $wp_filesystem->put_contents(
+                        dafCommon::get_home_path() . '.htaccess',
+                        $htaccess,
+                        FS_CHMOD_FILE
+                    );
 
                     delete_option('daf_content_changed');
@@ -2529 +2596 @@
                 $current_ip_in_htaccess = true;
 
-                if (isset($_SERVER['HTTP_CF_CONNECTING_IP']) && strpos($current_htaccess, '^' . str_replace('.', '\.', $_SERVER['HTTP_CF_CONNECTING_IP']) . '$') === false) {
+                if (
+                    isset($_SERVER['HTTP_CF_CONNECTING_IP']) &&
+                    false === strpos($current_htaccess, '^' . str_replace('.', '\.', filter_var(wp_unslash($_SERVER['HTTP_CF_CONNECTING_IP']), FILTER_VALIDATE_IP)) . '$')
+                ) {
 
                     $current_ip_in_htaccess = false;
 
-                } elseif (isset($_SERVER['REMOTE_ADDR']) && strpos($current_htaccess, '^' . str_replace('.', '\.', $_SERVER['REMOTE_ADDR']) . '$') === false) {
+                } elseif (
+                    isset($_SERVER['REMOTE_ADDR']) &&
+                    false === strpos($current_htaccess, '^' . str_replace('.', '\.', filter_var(wp_unslash($_SERVER['REMOTE_ADDR']), FILTER_VALIDATE_IP)) . '$')
+                ) {
 
                     $current_ip_in_htaccess = false;
@@ -2577 +2650 @@
                     }
 
-                }http://localhost:8888/wp-admin/admin.php?page=wpide#
+                }
 
             }
@@ -2642 +2715 @@
                 data: {
                     action: 'daf_refresh_rules',
-                    _ajax_nonce: '<?php echo wp_create_nonce('daf-refresh-rules'); ?>'
+                    _ajax_nonce: '<?php echo esc_attr(wp_create_nonce('daf-refresh-rules')); ?>'
                 },
                 success: function(result){
@@ -2703 +2776 @@
             $current_user = wp_get_current_user();
 
-            if ($current_user->exists() && $_SERVER["SCRIPT_NAME"] !== strrchr(wp_login_url(), '/')) {
+            if (
+                $current_user->exists() &&
+                isset($_SERVER['SCRIPT_NAME']) &&
+                $_SERVER['SCRIPT_NAME'] !== strrchr(wp_login_url(), '/')
+            ) {
 
                 if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
 
-                    $current_ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
+                    $current_ip = filter_var(wp_unslash($_SERVER['HTTP_CF_CONNECTING_IP']), FILTER_VALIDATE_IP);
 
                 } elseif (isset($_SERVER['REMOTE_ADDR'])) {
 
-                    $current_ip = $_SERVER['REMOTE_ADDR'];
+                    $current_ip = filter_var(wp_unslash($_SERVER['REMOTE_ADDR']), FILTER_VALIDATE_IP);
 
                 }
@@ -2735 +2812 @@
     }
 
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
     $daf = new daf_class();
 

deny-all-firewall/trunk/includes/class-daf-common.php

@@ -1 +1 @@
 <?php
 /*
- * Version: 1.3.9
+ * Version: 1.4.4
  */
 
@@ -43 +43 @@
         public static function plugin_text_domain() {
 
-            return self::$plugin_text_domain;
+            return 'deny-all-firewall';
 
         }
@@ -61 +61 @@
         public static function support_url() {
 
-            return 'https://wordpress.org/support/plugin/' . self::$plugin_text_domain . '/';
+            return 'https://wordpress.org/support/plugin/' . 'deny-all-firewall' . '/';
 
         }
@@ -67 +67 @@
         public static function control_upgrade_text() {
 
-            $upgrade_text = '<a href="' . esc_url(self::upgrade_link()) . '" title="' . esc_attr(sprintf(__('Upgrade now to %s Premium', self::$plugin_text_domain), self::$plugin_name)) . '">' . sprintf(__('Upgrade now to %s Premium', self::$plugin_text_domain), self::$plugin_name) . '</a>';
+/* translators: name of the plugin */
+            $upgrade_text = '<a href="' . esc_url(self::upgrade_link()) . '" title="' . esc_attr(sprintf(__('Upgrade now to %s Premium', 'deny-all-firewall'), self::$plugin_name)) . '">' . sprintf(__('Upgrade now to %s Premium', 'deny-all-firewall'), self::$plugin_name) . '</a>';
 
             if (!class_exists(self::$plugin_premium_class) || !get_option(self::$plugin_prefix . '_purchased')) {
@@ -73 +74 @@
                 if (!class_exists(self::$plugin_premium_class)) {
 
-                    $upgrade_text .= sprintf(wp_kses(__(' or <a href="%s" title="Download Free Trial">trial it for 7 days</a>', self::$plugin_text_domain), array('a' => array('href' => array(), 'title' => array()))), esc_url(self::premium_link()));
+/* translators: link to the premium upgrade */
+                    $upgrade_text .= sprintf(wp_kses(__(' or <a href="%s" title="Download Free Trial">trial it for 7 days</a>', 'deny-all-firewall'), array('a' => array('href' => array(), 'title' => array()))), esc_url(self::premium_link()));
 
                 }
@@ -85 +87 @@
         public static function control_section_description() {
 
-            $default_description = sprintf(wp_kses(__('If you have any requests for new features, please <a href="%s" title="Support Forum">let us know in the support forum</a>.', self::$plugin_text_domain), array('a' => array('href' => array(), 'title' => array()))), esc_url(self::support_url()));
+/* translators: link to the plugin's support forum */
+            $default_description = sprintf(wp_kses(__('If you have any requests for new features, please <a href="%s" title="Support Forum">let us know in the support forum</a>.', 'deny-all-firewall'), array('a' => array('href' => array(), 'title' => array()))), esc_url(self::support_url()));
 
             if (self::$plugin_premium_class) {
@@ -95 +98 @@
                     if (!class_exists(self::$plugin_premium_class)) {
 
-                        $section_description = '<strong>' . __('For even more options', self::$plugin_text_domain) . '</strong>' . ' ' . $upgrade_text;
+                        $section_description = '<strong>' . __('For even more options', 'deny-all-firewall') . '</strong>' . ' ' . $upgrade_text;
 
                     } else {
 
-                        $section_description = '<strong>' . __('To keep using premium options', self::$plugin_text_domain) . '</strong>' . ' ' . $upgrade_text;
+                        $section_description = '<strong>' . __('To keep using premium options', 'deny-all-firewall') . '</strong>' . ' ' . $upgrade_text;
 
                     }
@@ -119 +122 @@
                 $section_description .= ' ' . sprintf(
                     wp_kses(
+/* translators: link to plugin install page */
                         __(
                             '<strong>To reset this section of options to default settings</strong> without affecting other sections in the customizer, install <a href="%s" title="Reset Customizer">Reset Customizer</a>.',
-                            self::$plugin_text_domain
+                            'deny-all-firewall'
                         ),
                         array('strong' => array(), 'a' => array('href' => array(), 'title' => array()))
@@ -145 +149 @@
         public static function control_setting_upgrade_nag() {
 
-            $upgrade_nag = self::control_upgrade_text() . __(' to use this option.', self::$plugin_text_domain);
+            $upgrade_nag = self::control_upgrade_text() . __(' to use this option.', 'deny-all-firewall');
 
             return $upgrade_nag;
@@ -234 +238 @@
 
                 $generated_css = sprintf('%s { %s: %s; }', $selector, $style, $prefix.$mod.$postfix);
-                echo $generated_css;
+
+// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+                echo wp_strip_all_tags($generated_css);
 
             } elseif ($mod) {
 
                 $generated_css = sprintf('%s { %s:%s; }', $selector, $style, $prefix.$value.$postfix);
-                echo $generated_css;
+
+// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+                echo wp_strip_all_tags($generated_css);
 
             }
@@ -249 +257 @@
             if (self::$plugin_premium_class) {
 
-                return add_query_arg('url', (isset($_SERVER['HTTPS']) ? 'https' : 'http') . '://' . $_SERVER['HTTP_HOST'], 'https://webd.uk/product/' . self::$plugin_text_domain . '-upgrade/');
-
+                if (isset($_SERVER['HTTP_HOST'])) {
+
+                    return add_query_arg('url', (isset($_SERVER['HTTPS']) ? 'https' : 'http') . '://' . filter_var(wp_unslash($_SERVER['HTTP_HOST'], FILTER_SANITIZE_URL)), 'https://webd.uk/product/' . 'deny-all-firewall' . '-upgrade/');
+
+                } else {
+
+                    return 'https://webd.uk/product/' . 'deny-all-firewall' . '-upgrade/';
+
+                }
 
             } else {
@@ -276 +291 @@
             $settings_links = array();
 
-            $settings_links[] = '<a href="' . esc_url($settings_link) . '" title="' . esc_attr(__('Settings', self::$plugin_text_domain)) . '">' . __('Settings', self::$plugin_text_domain) . '</a>';
+            $settings_links[] = '<a href="' . esc_url($settings_link) . '" title="' . esc_attr(__('Settings', 'deny-all-firewall')) . '">' . __('Settings', 'deny-all-firewall') . '</a>';
 
             if (!get_option(self::$plugin_prefix . '_purchased')) {
@@ -284 +299 @@
                     if (self::$plugin_upgrade) {
 
-                        $settings_links[] = '<a href="' . esc_url(self::upgrade_link()) . '" title="' . esc_attr(sprintf(__('Buy %s Premium', self::$plugin_text_domain), self::$plugin_name)) . '" style="color: orange; font-weight: bold;">' . __('Buy Now', self::$plugin_text_domain) . '</a>';
+/* translators: name of the plugin */
+                        $settings_links[] = '<a href="' . esc_url(self::upgrade_link()) . '" title="' . esc_attr(sprintf(__('Buy %s Premium', 'deny-all-firewall'), self::$plugin_name)) . '" style="color: orange; font-weight: bold;">' . __('Buy Now', 'deny-all-firewall') . '</a>';
 
                     } else {
 
-                        $settings_links[] = '<a href="' . esc_url(self::upgrade_link()) . '" title="' . esc_attr(sprintf(__('Buy %s', self::$plugin_text_domain), self::$plugin_name)) . '" style="color: orange; font-weight: bold;">' . __('Buy Now', self::$plugin_text_domain) . '</a>';
+/* translators: name of the plugin */
+                        $settings_links[] = '<a href="' . esc_url(self::upgrade_link()) . '" title="' . esc_attr(sprintf(__('Buy %s', 'deny-all-firewall'), self::$plugin_name)) . '" style="color: orange; font-weight: bold;">' . __('Buy Now', 'deny-all-firewall') . '</a>';
 
                     }
@@ -294 +311 @@
                 } else {
 
-                    $settings_links[] = '<a href="' . esc_url(self::upgrade_link()) . '" title="' . esc_attr((self::$plugin_premium_class ? sprintf(__('Upgrade now to %s Premium', self::$plugin_text_domain), self::$plugin_name) : sprintf(__('Contribute to %s', self::$plugin_text_domain), self::$plugin_name))) . '" style="color: orange; font-weight: bold;">' . (self::$plugin_premium_class ? __('Upgrade', self::$plugin_text_domain) : __('Support Us', self::$plugin_text_domain)) . '</a>';
+/* translators: name of the plugin */
+                    $settings_links[] = '<a href="' . esc_url(self::upgrade_link()) . '" title="' . esc_attr((self::$plugin_premium_class ? sprintf(__('Upgrade now to %s Premium', 'deny-all-firewall'), self::$plugin_name) : sprintf(__('Contribute to %s', 'deny-all-firewall'), self::$plugin_name))) . '" style="color: orange; font-weight: bold;">' . (self::$plugin_premium_class ? __('Upgrade', 'deny-all-firewall') : __('Support Us', 'deny-all-firewall')) . '</a>';
 
                 }
@@ -300 +318 @@
                 if ($premium) {
 
-                    $settings_links[] = '<a href="' . wp_nonce_url('?activate-' . self::$plugin_prefix . '=true', self::$plugin_prefix . '_activate') . '" id="' . self::$plugin_prefix . '_activate_upgrade" title="' . esc_attr(__('Activate Purchase', self::$plugin_text_domain)) . '" onclick="jQuery(this).append(&#39; <img src=&#34;/wp-admin/images/loading.gif&#34; style=&#34;float: none; width: auto; height: auto;&#34; />&#39;); setTimeout(function(){document.getElementById(\'' . self::$plugin_prefix . '_activate_upgrade\').removeAttribute(\'href\');},1); return true;">' . __('Activate Purchase', self::$plugin_text_domain) . '</a>';
-
-                } elseif (self::$plugin_trial && !is_plugin_active(self::$plugin_text_domain . '-premium/' . self::$plugin_text_domain . '-premium.php')) {
-
-                    $settings_links[] = '<a href="' . esc_url(self::premium_link()) . '" title="' . esc_attr(sprintf(__('Trial %s Premium', self::$plugin_text_domain), self::$plugin_name)) . ' for 7 days">' . __('Download Trial', self::$plugin_text_domain) . '</a>';
+                    $settings_links[] = '<a href="' . wp_nonce_url('?activate-' . self::$plugin_prefix . '=true', self::$plugin_prefix . '_activate') . '" id="' . self::$plugin_prefix . '_activate_upgrade" title="' . esc_attr(__('Activate Purchase', 'deny-all-firewall')) . '" onclick="jQuery(this).append(&#39; <img src=&#34;/wp-admin/images/loading.gif&#34; style=&#34;float: none; width: auto; height: auto;&#34; />&#39;); setTimeout(function(){document.getElementById(\'' . self::$plugin_prefix . '_activate_upgrade\').removeAttribute(\'href\');},1); return true;">' . __('Activate Purchase', 'deny-all-firewall') . '</a>';
+
+                } elseif (self::$plugin_trial && !is_plugin_active('deny-all-firewall' . '-premium/' . 'deny-all-firewall' . '-premium.php')) {
+
+/* translators: name of the plugin */
+                    $settings_links[] = '<a href="' . esc_url(self::premium_link()) . '" title="' . esc_attr(sprintf(__('Trial %s Premium', 'deny-all-firewall'), self::$plugin_name)) . ' for 7 days">' . __('Download Trial', 'deny-all-firewall') . '</a>';
 
                 }
@@ -310 +329 @@
             } elseif ($premium) {
 
-                $settings_links[] = '<strong style="color: green; display: inline;">' . __('Purchase Confirmed', self::$plugin_text_domain) . '</strong>';
+                $settings_links[] = '<strong style="color: green; display: inline;">' . __('Purchase Confirmed', 'deny-all-firewall') . '</strong>';
 
             }
@@ -320 +339 @@
         public static function plugin_row_meta($plugin_meta, $plugin_file, $plugin_data, $status) {
 
-            if ($plugin_file === self::$plugin_text_domain . '/' . self::$plugin_text_domain . '.php') {
-
-                $plugin_meta[] = '<a href="' . esc_url(self::support_url()) . '" title="' . __('Problems? We are here to help!', self::$plugin_text_domain) . '" style="color: orange; font-weight: bold;">' . __('Need help?', self::$plugin_text_domain) . '</a>';
-                $plugin_meta[] = '<a href="https://wordpress.org/support/plugin/' . self::$plugin_text_domain . '/reviews/#new-post" title="' . esc_attr(sprintf(__('If you like %s, please leave a review!', self::$plugin_text_domain), self::$plugin_name)) . '">' . __('Review plugin', self::$plugin_text_domain) . '</a>';
+            if ($plugin_file === 'deny-all-firewall' . '/' . 'deny-all-firewall' . '.php') {
+
+                $plugin_meta[] = '<a href="' . esc_url(self::support_url()) . '" title="' . __('Problems? We are here to help!', 'deny-all-firewall') . '" style="color: orange; font-weight: bold;">' . __('Need help?', 'deny-all-firewall') . '</a>';
+/* translators: name of the plugin */
+                $plugin_meta[] = '<a href="https://wordpress.org/support/plugin/' . 'deny-all-firewall' . '/reviews/#new-post" title="' . esc_attr(sprintf(__('If you like %s, please leave a review!', 'deny-all-firewall'), self::$plugin_name)) . '">' . __('Review plugin', 'deny-all-firewall') . '</a>';
 
             }
@@ -353 +373 @@
             if (self::$plugin_premium_class) {
 
-                if (get_option(self::$plugin_prefix . '_purchased') && !class_exists(self::$plugin_premium_class) && get_user_meta(get_current_user_id(), self::$plugin_prefix . '-notice-dismissed', true) != self::plugin_version()) {
-
-?>
-
-<div class="notice notice-error is-dismissible <?php echo self::$plugin_prefix; ?>-notice">
-
-<p><strong><?php echo self::$plugin_name; ?></strong><br />
-<?php esc_html_e('In order to use the premium features, you need to install the premium version of the plugin ...', self::$plugin_text_domain); ?></p>
-
-<p><a href="<?php echo esc_url(self::premium_link()); ?>" title="<?php echo esc_attr(sprintf(__('Download %s Premium', self::$plugin_text_domain), self::$plugin_name)); ?>" class="button-primary"><?php printf(__('Download %s Premium', self::$plugin_text_domain), self::$plugin_name); ?></a></p>
+                if (
+                    get_option(self::$plugin_prefix . '_purchased') &&
+                    !class_exists(self::$plugin_premium_class) &&
+                    get_user_meta(get_current_user_id(), self::$plugin_prefix . '-notice-dismissed', true) != self::plugin_version()
+                ) {
+
+?>
+
+<div class="notice notice-error is-dismissible <?php echo esc_html(self::$plugin_prefix); ?>-notice">
+
+<p><strong><?php echo esc_html(self::$plugin_name); ?></strong><br />
+<?php esc_html_e('In order to use the premium features, you need to install the premium version of the plugin ...', 'deny-all-firewall'); ?></p>
+
+<p><a href="<?php
+/* translators: name of the plugin */
+echo esc_url(self::premium_link()); ?>" title="<?php echo esc_attr(sprintf(__('Download %s Premium', 'deny-all-firewall'), self::$plugin_name)); ?>" class="button-primary"><?php printf(esc_html(__('Download %s Premium', 'deny-all-firewall')), esc_html(self::$plugin_name)); ?></a></p>
 
 </div>
 
 <script type="text/javascript">
-    jQuery(document).on('click', '.<?php echo self::$plugin_prefix; ?>-notice .notice-dismiss', function() {
+    jQuery(document).on('click', '.<?php echo esc_attr(self::$plugin_prefix); ?>-notice .notice-dismiss', function() {
         jQuery.ajax({
             url: ajaxurl,
             data: {
-                action: 'dismiss_<?php echo self::$plugin_prefix; ?>_notice_handler',
-                _ajax_nonce: '<?php echo wp_create_nonce(self::$plugin_prefix . '-ajax-nonce'); ?>'
+                action: 'dismiss_<?php echo esc_attr(self::$plugin_prefix); ?>_notice_handler',
+                _ajax_nonce: '<?php echo esc_attr(wp_create_nonce(self::$plugin_prefix . '-ajax-nonce')); ?>'
             }
         });
@@ -380 +406 @@
 <?php
 
-                } elseif (!class_exists(self::$plugin_premium_class) && time() > (strtotime('+1 hour', filectime(__DIR__))) && get_user_meta(get_current_user_id(), self::$plugin_prefix . '-notice-dismissed', true) != self::plugin_version()) {
-
-?>
-
-<div class="notice notice-info is-dismissible <?php echo self::$plugin_prefix; ?>-notice">
-
-<p><strong><?php printf(__('Thank you for using %s plugin', self::$plugin_text_domain), self::$plugin_name); ?></strong><br />
+                } elseif (
+                    !class_exists(self::$plugin_premium_class) &&
+                    time() > (strtotime('+1 hour', filectime(__DIR__))) &&
+                    get_user_meta(get_current_user_id(), self::$plugin_prefix . '-notice-dismissed', true) != self::plugin_version()
+                ) {
+
+?>
+
+<div class="notice notice-info is-dismissible <?php echo esc_attr(self::$plugin_prefix); ?>-notice">
+
+    <p style="font-size:15px;"><strong><?php
+/* translators: name of the plugin */
+printf(esc_html(__('Thank you for using %s plugin', 'deny-all-firewall')), esc_html(self::$plugin_name)); ?></strong></p>
 <?php
 
                     if (self::$plugin_trial == true) {
 
-                        _e('Would you like to try even more features? Download your 7 day free trial now!', self::$plugin_text_domain); 
+?>
+
+    <p><?php echo esc_html(__('Would you like to try even more features? Download your 7 day free trial now!', 'deny-all-firewall')); ?></p>
+<?php
 
                     } else {
 
-                        echo sprintf(__('Upgrade now to %s Premium to enable more options and features and contribute to the further development of this plugin.', self::$plugin_text_domain), self::$plugin_name);
+?>
+
+    <p>
+        <?php
+/* translators: name of the plugin */
+                        echo esc_html(sprintf(__('Upgrade now to %s Premium to enable more options and features and contribute to the further development of this plugin.', 'deny-all-firewall'), self::$plugin_name)); ?>
+    </p>
+<?php
 
                     }
 
-?></p>
-
-<p><?php
+?>
+
+    <p><?php
 
                     if (self::$plugin_trial == true) {
@@ -407 +449 @@
 ?>
 
-<a href="<?php echo esc_url(self::premium_link()); ?>" title="<?php echo esc_attr(sprintf(__('Try %s Premium', self::$plugin_text_domain), self::$plugin_name)); ?>" class="button-primary"><?php printf(__('Trial %s Premium for 7 days', self::$plugin_text_domain), self::$plugin_name); ?></a>
-
+        <a href="<?php echo esc_url(self::premium_link()); ?>" 
+           title="<?php
+/* translators: name of the plugin */
+echo esc_attr(sprintf(__('Try %s Premium', 'deny-all-firewall'), self::$plugin_name)); ?>" 
+           class="button-secondary">
+           <?php echo esc_html(__('Try premium plugin free for 7 days', 'deny-all-firewall')); ?>
+        </a>
 <?php
 
@@ -414 +461 @@
 
 ?>
-<a href="<?php echo esc_url(self::upgrade_link()); ?>" title="<?php echo esc_attr(sprintf(__('Upgrade now to %s Premium', self::$plugin_text_domain), self::$plugin_name)); ?>" class="button-primary"><?php printf(__('Upgrade now to %s Premium', self::$plugin_text_domain), self::$plugin_name); ?></a></p>
+
+        <a href="<?php echo esc_url(self::upgrade_link()); ?>" 
+           title="<?php
+/* translators: name of the plugin */
+echo esc_attr(sprintf(__('Upgrade now to %s Premium', 'deny-all-firewall'), self::$plugin_name)); ?>" 
+           class="button-primary">
+           <?php echo esc_html(__('Upgrade now to premium plugin', 'deny-all-firewall')); ?>
+        </a>
+
+    </p>
+
+    <hr style="margin:12px 0;">
+
+    <p>
+        <strong>✨ Need help with your WordPress site?</strong>
+        🚀 Slow, want new features, or need a glow-up?
+        <a href="https://webd.uk/services/?utm_campaign=notice&utm_term=deny-all-firewall" class="button-secondary" style="margin-left:6px; vertical-align: middle;">Explore our services</a>
+    </p>
 
 </div>
 
 <script type="text/javascript">
-    jQuery(document).on('click', '.<?php echo self::$plugin_prefix; ?>-notice .notice-dismiss', function() {
+    jQuery(document).on('click', '.<?php echo esc_attr(self::$plugin_prefix); ?>-notice .notice-dismiss', function() {
         jQuery.ajax({
             url: ajaxurl,
             data: {
-                action: 'dismiss_<?php echo self::$plugin_prefix; ?>_notice_handler',
-                _ajax_nonce: '<?php echo wp_create_nonce(self::$plugin_prefix . '-ajax-nonce'); ?>'
+                action: 'dismiss_<?php echo esc_attr(self::$plugin_prefix); ?>_notice_handler',
+                _ajax_nonce: '<?php echo esc_attr(wp_create_nonce(self::$plugin_prefix . '-ajax-nonce')); ?>'
             }
         });
@@ -434 +498 @@
                 }
 
-            } elseif (time() > (strtotime('+1 hour', filectime(__DIR__))) && get_user_meta(get_current_user_id(), self::$plugin_prefix . '-notice-dismissed', true) != self::plugin_version() && !get_option(self::$plugin_prefix . '_donated')) {
-
-?>
-
-<div class="notice notice-info is-dismissible <?php echo self::$plugin_prefix; ?>-notice">
-<p><strong><?php printf(__('Thank you for using %s plugin', self::$plugin_text_domain), self::$plugin_name); ?></strong></p>
-<?php
-
+            } elseif (
+                time() > (strtotime('+1 hour', filectime(__DIR__))) &&
+                get_user_meta(get_current_user_id(), self::$plugin_prefix . '-notice-dismissed', true) != self::plugin_version() &&
+                !get_option(self::$plugin_prefix . '_donated')
+            ) {
+
+?>
+
+<div class="notice notice-info is-dismissible <?php echo esc_attr(self::$plugin_prefix); ?>-notice">
+
+    <p><strong><?php
+/* translators: name of the plugin */
+printf(esc_html(__('Thank you for using %s plugin', 'deny-all-firewall')), esc_html(self::$plugin_name)); ?></strong></p>
+<?php
+
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.DynamicHooknameFound
                 do_action(self::$plugin_prefix . '_admin_notice_donate');
 
 ?>
-<p><?php esc_html_e('Funding plugins like this one with small financial contributions is essential to pay the developers to continue to do what they do. Please take a moment to give a small amount ...', self::$plugin_text_domain); ?></p>
-<p><a href="<?php echo esc_url(self::upgrade_link()); ?>" title="<?php echo esc_attr(sprintf(__('Contribute to %s', self::$plugin_text_domain), self::$plugin_name)); ?>" class="button-primary"><?php printf(__('Contribute to %s', self::$plugin_text_domain), self::$plugin_name); ?></a> <a href="#" id="<?php echo self::$plugin_prefix; ?>-already-paid" title="<?php echo esc_attr(__('Aleady Contributed!', self::$plugin_text_domain)); ?>" class="button-primary"><?php esc_html_e('Aleady Contributed!', self::$plugin_text_domain); ?></a></p>
+
+    <p><?php esc_html_e('Funding plugins like this one with small financial contributions is essential to pay the developers to continue to do what they do. Please take a moment to give a small amount ...', 'deny-all-firewall'); ?></p>
+
+    <p><a href="<?php echo esc_url(self::upgrade_link()); ?>" title="<?php
+/* translators: name of the plugin */
+echo esc_attr(sprintf(__('Contribute to %s', 'deny-all-firewall'), self::$plugin_name)); ?>" class="button-primary"><?php echo esc_html(__('Buy us a coffee ☕️', 'deny-all-firewall')); ?></a> <a href="#" id="<?php echo esc_attr(self::$plugin_prefix); ?>-already-paid" title="<?php echo esc_attr(__('Aleady Contributed!', 'deny-all-firewall')); ?>" class="button-secondary"><?php esc_html_e('Aleady Contributed!', 'deny-all-firewall'); ?></a></p>
+
+    <hr style="margin:12px 0;">
+
+    <p>
+        <strong>✨ Need help with your WordPress site?</strong>
+        🚀 Slow, want new features, or need a glow-up?
+        <a href="https://webd.uk/services/?utm_campaign=notice&utm_term=deny-all-firewall" class="button-secondary" style="margin-left:6px; vertical-align: middle;">Explore our services</a>
+    </p>
+
 </div>
 
 <script type="text/javascript">
-    jQuery(document).on('click', '#<?php echo self::$plugin_prefix; ?>-already-paid', function() {
-        if (confirm(<?php echo json_encode(__('Have you really? Press "Cancel" if you forgot to 🙂', self::$plugin_text_domain)); ?>)) {
-            alert(<?php echo json_encode(__('Thank you!', self::$plugin_text_domain)); ?>);
-            jQuery('.<?php echo self::$plugin_prefix; ?>-notice').fadeTo(100, 0, function() {
-                jQuery('.<?php echo self::$plugin_prefix; ?>-notice').slideUp(100, function() {
-                    jQuery('.<?php echo self::$plugin_prefix; ?>-notice').remove()
+    jQuery(document).on('click', '#<?php echo esc_attr(self::$plugin_prefix); ?>-already-paid', function() {
+        if (confirm(<?php echo json_encode(__('Have you really? Press "Cancel" if you forgot to 🙂', 'deny-all-firewall')); ?>)) {
+            alert(<?php echo json_encode(__('Thank you!', 'deny-all-firewall')); ?>);
+            jQuery('.<?php echo esc_attr(self::$plugin_prefix); ?>-notice').fadeTo(100, 0, function() {
+                jQuery('.<?php echo esc_attr(self::$plugin_prefix); ?>-notice').slideUp(100, function() {
+                    jQuery('.<?php echo esc_attr(self::$plugin_prefix); ?>-notice').remove()
                 });
             });
@@ -461 +546 @@
                 url: ajaxurl,
                 data: {
-                    action: 'dismiss_<?php echo self::$plugin_prefix; ?>_notice_handler',
+                    action: 'dismiss_<?php echo esc_attr(self::$plugin_prefix); ?>_notice_handler',
                     donated: 'true',
-                    _ajax_nonce: '<?php echo wp_create_nonce(self::$plugin_prefix . '-ajax-nonce'); ?>'
+                    _ajax_nonce: '<?php echo esc_attr(wp_create_nonce(self::$plugin_prefix . '-ajax-nonce')); ?>'
                 }
             });
         } else {
-            window.location.assign('<?php echo self::upgrade_link(); ?>');
+            window.location.assign('<?php echo esc_url(self::upgrade_link()); ?>');
         }
     });
-    jQuery(document).on('click', '.<?php echo self::$plugin_prefix; ?>-notice .notice-dismiss', function() {
+    jQuery(document).on('click', '.<?php echo esc_attr(self::$plugin_prefix); ?>-notice .notice-dismiss', function() {
         jQuery.ajax({
             url: ajaxurl,
             data: {
-                action: 'dismiss_<?php echo self::$plugin_prefix; ?>_notice_handler',
-                _ajax_nonce: '<?php echo wp_create_nonce(self::$plugin_prefix . '-ajax-nonce'); ?>'
+                action: 'dismiss_<?php echo esc_attr(self::$plugin_prefix); ?>_notice_handler',
+                _ajax_nonce: '<?php echo esc_attr(wp_create_nonce(self::$plugin_prefix . '-ajax-nonce')); ?>'
             }
         });
@@ -509 +594 @@
                     is_admin() && 
                     $pagenow === 'customize.php' &&
-                    isset($_GET['theme']) && 
-                    !in_array($_GET['theme'], $themes, true)
+                    isset($_GET['theme']) && // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                    !in_array($_GET['theme'], $themes, true) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
                 ) && !(
                     !is_admin() && 
                     $pagenow === 'index.php' &&
-                    isset($_GET['customize_theme']) && 
-                    isset($_GET['customize_changeset_uuid']) && 
-                    !in_array($_GET['customize_theme'], $themes, true)
+                    isset($_GET['customize_theme']) && // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                    isset($_GET['customize_changeset_uuid']) && // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                    !in_array($_GET['customize_theme'], $themes, true) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
                 )
             ) {
@@ -530 +615 @@
                     is_admin() && 
                     $pagenow === 'customize.php' &&
-                    isset($_GET['theme']) && 
-                    in_array($_GET['theme'], $themes, true)
+                    isset($_GET['theme']) && // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                    in_array($_GET['theme'], $themes, true) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
                 ) || (
                     !is_admin() && 
                     $pagenow === 'index.php' &&
-                    isset($_GET['customize_theme']) && 
-                    isset($_GET['customize_changeset_uuid']) && 
-                    in_array($_GET['customize_theme'], $themes, true)
+                    isset($_GET['customize_theme']) && // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                    isset($_GET['customize_changeset_uuid']) && // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                    in_array($_GET['customize_theme'], $themes, true) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
                 ))
             ) {
@@ -549 +634 @@
                     !is_admin() && 
                     $pagenow === 'index.php' &&
-                    isset($_GET['customize_theme']) && 
-                    isset($_GET['customize_changeset_uuid'])
+                    isset($_GET['customize_theme']) && // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                    isset($_GET['customize_changeset_uuid']) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
                 
             ) {
 
-                $child = wp_get_theme($_GET['customize_theme']);
+                $child = wp_get_theme(sanitize_file_name(wp_unslash($_GET['customize_theme']))); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 
                 if (isset($child->template) && in_array($child->template, $themes, true)) {
@@ -568 +653 @@
                 is_admin() && 
                 ($pagenow === 'customize.php' || $pagenow === 'admin-ajax.php') &&
-                isset($_GET['theme']) || (isset($_POST['customize_theme']) && isset($_POST['customize_changeset_uuid']))
+                (
+                    isset($_GET['theme']) || // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                    (
+                        isset($_POST['customize_theme']) && // phpcs:ignore WordPress.Security.NonceVerification.Missing
+                        isset($_POST['customize_changeset_uuid']) // phpcs:ignore WordPress.Security.NonceVerification.Missing
+                    )
+                )
             ) {
 
-                if (isset($_GET['theme'])) {
-
-                    $child = wp_get_theme($_GET['theme']);
+                if (isset($_GET['theme'])) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+
+                    $child = wp_get_theme(sanitize_file_name(wp_unslash($_GET['theme']))); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 
                 } else {
 
-                    $child = wp_get_theme($_POST['customize_theme']);
+                    $child = wp_get_theme(sanitize_file_name(wp_unslash($_POST['customize_theme']))); // phpcs:ignore WordPress.Security.NonceVerification.Missing
 
                 }
@@ -599 +690 @@
 if (!function_exists('webd_customize_register')) {
 
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound
     function webd_customize_register($wp_customize) {
 
         if (!class_exists('webd_Customize_Control_Checkbox_Multiple')) {
 
+// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound
             class webd_Customize_Control_Checkbox_Multiple extends WP_Customize_Control {
 
@@ -622 +715 @@
 
 ?>
-<span class="description customize-control-description"><?php echo $this->description; ?></span>
+<span class="description customize-control-description"><?php echo esc_html($this->description); ?></span>
 <?php
 
@@ -647 +740 @@
 ?>
         </ul>
-        <input type="hidden" id="_customize-input-<?php echo $this->id; ?>" <?php $this->link(); ?> value="<?php echo esc_attr(implode(',', $multi_values)); ?>" />
+        <input type="hidden" id="_customize-input-<?php echo esc_attr($this->id); ?>" <?php $this->link(); ?> value="<?php echo esc_attr(implode(',', $multi_values)); ?>" />
 <?php
 

deny-all-firewall/trunk/readme.txt

@@ -6 +6 @@
 Tested up to: 6.9
 Requires PHP: 5.6
-Stable tag: 1.8.4
+Stable tag: 1.8.5
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -50 +50 @@
 
 == Changelog ==
+
+= 1.8.5 =
+* General housekeeping preparing for "Plugin Check" code review
 
 = 1.8.4 =
@@ -333 +336 @@
 == Upgrade Notice ==
 
-= 1.8.4 =
-* Added automatic whitelisting of Apple Pay verification file if WooCommerce is installed and the file is present
+= 1.8.5 =
+* General housekeeping preparing for "Plugin Check" code review

deny-all-firewall/trunk/remote-addr.php

@@ -1 +1 @@
 <?php
+
+define('SHORTINIT', true);
+require_once('../../../wp-load.php');
 
 if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
 
-    die($_SERVER['HTTP_CF_CONNECTING_IP']);
+    die(esc_html(filter_var(wp_unslash($_SERVER['HTTP_CF_CONNECTING_IP']), FILTER_VALIDATE_IP)));
 
 } elseif (isset($_SERVER['REMOTE_ADDR'])) {
 
-    die($_SERVER['REMOTE_ADDR']);
+    die(esc_html(filter_var(wp_unslash($_SERVER['REMOTE_ADDR']), FILTER_VALIDATE_IP)));
+
+} else {
+
+    die();
 
 }
 
-die();
-
 ?>