PD-91 vulnerability fix

[jamesros161]

PD-91
Resolves security vulnerability reports

[Copilot]

Pull Request Overview

This PR resolves security vulnerabilities by tightening path resolution, strengthening AJAX nonce checks, and cleaning up unused hooks.

• Removed an obsolete admin initialization hook.
• Refactored url_to_path to prevent directory traversal in uploads.
• Boosted AJAX endpoint security: combined nonce/referrer/user-capability checks and escaped remote URLs.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
includes/class-boldgrid-editor.php	Dropped the reset_editor_action on admin_init since it’s no longer needed.
includes/class-boldgrid-editor-crop.php	Replaced regex-based upload path logic with a stepwise normalization and safety checks.
includes/class-boldgrid-editor-ajax.php	Added check_ajax_referer, current_user_can, and switched to wp_safe_remote_head + esc_url_raw.

Comments suppressed due to low confidence (3)

includes/class-boldgrid-editor-crop.php:152

• [nitpick] The variable $real is ambiguous. Rename it to $realpath or similar to clarify that it holds the canonical path.

$real = realpath( $full );

includes/class-boldgrid-editor-crop.php:119

• Add unit tests for url_to_path to cover normal, encoded, and traversal edge cases (e.g., .., %2e%2e).

public function url_to_path( $url ) {

includes/class-boldgrid-editor-ajax.php:190

• [nitpick] The variable $valid holds the nonce validity but is generically named. Rename it to $valid_nonce to match $valid_referrer and improve readability.

$valid_referrer = check_ajax_referer( self::$nonces[ $name ], self::$nonces[ $name ], false );