Plugin Directory

Changeset 3495399

Timestamp:
03/31/2026 09:42:31 AM (4 days ago)
Author:
gfazioli
Message:

Security, Bug Fixes & Improvements

🔒 Security

  • Fixed SQL injection vulnerabilities in analytics queries (impressions, clicks, CTR trends)
  • Fixed SQL injection in the legacy importer controller
  • Fixed XSS in banner rendering: added proper escaping for image src, alt, title, link href, and target attributes
  • Fixed XSS in text banner rendering: added escaping for width/height style attributes
  • Fixed stored XSS risk: sanitized IP address and User-Agent before saving to the database
  • Fixed SSRF in image size detection: replaced raw cURL and getimagesize() with wp_remote_get()
  • Fixed SSRF in remote image validation: replaced raw cURL with wp_remote_head()
  • Hardened options update endpoint with schema validation, key whitelist, and sanitize_file_name() for template paths
  • Hardened wp_loaded banner endpoint: added post type check, ID validation, null safety, and wp_kses_post() output filtering
  • Removed full plugin options exposure from public frontend: only impressions/clicks enabled and nonce are now output
  • Removed unnecessary options dump from analytics admin page script localization
  • Used wp_json_encode() for all inline script output to prevent script injection

🐛 Bug Fixes

  • Fixed Gutenberg block not filtering by campaign: campaigns attribute was not passed to the render function
  • Fixed banner layout always forced to vertical regardless of the layout parameter
  • Fixed banner preview meta box not appearing in the editor due to deprecated registerMetaBoxCallback
  • Fixed analytics data (impressions and clicks) not deleted when a banner is permanently removed
  • Fixed cron cleanup events not cleared when tracking is disabled or plugin is deactivated
  • Fixed N+1 query issue: banner click/impression counts with value 0 no longer trigger unnecessary COUNT queries
  • Fixed undefined variable warning in wp_bannerize_pro_sanitize_mysql_datetime()
  • Fixed resetOptions calling a non-existent AJAX action
  • Fixed DataTable crash when a banner has no campaigns assigned (null campaigns field)
  • Fixed manage_analytics permission check using .length on a boolean value
  • Fixed CSV export using incorrect escape sequence (\") instead of RFC 4180 standard ("")

🚀 Improvements

  • Replaced remove_all_filters('parse_query') with explicit suppress_filters in banner query methods
  • Replaced deprecated get_terms() positional arguments with array syntax
  • Replaced date() with gmdate() throughout analytics trait for WordPress coding standards
  • Aligned all SQL queries in analytics trait to use %i placeholder for table identifiers
  • Removed redundant esc_attr() wrapping on values already cast with absint()
  • Removed duplicate wp_set_script_translations registration
  • Removed all debug error_log() calls and console.log() statements from production code
  • Migrated CPT meta box registration from deprecated registerMetaBoxCallback to registerMetaBoxes()
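Two of the hardening patterns named in the changelog (moving analytics queries onto $wpdb->prepare() with the %i identifier placeholder, and replacing raw cURL with wp_remote_head()), shown as an added illustration. This is example code written for this page, not WP Bannerize's actual before/after code: the table name, column names and function names are hypothetical, and it assumes WordPress 6.2 or later, where %i is supported.

```php
<?php
/**
 * Added example, not the plugin's own code. Table, column and function names
 * are hypothetical; "{$wpdb->prefix}bannerize_impressions" exists only for
 * illustration. Requires WordPress >= 6.2 for the %i placeholder.
 */

/** Vulnerable pattern: a caller-controlled string is interpolated into the SQL. */
function example_impressions_by_day_vulnerable( int $banner_id, string $since ) : array {
	global $wpdb;
	$table = $wpdb->prefix . 'bannerize_impressions';
	// $since reaches the query unescaped: a value such as "' OR 1=1 -- " leaves the literal.
	$sql = "SELECT DATE(created_at) AS day, COUNT(*) AS hits
	        FROM {$table}
	        WHERE banner_id = {$banner_id} AND created_at >= '{$since}'
	        GROUP BY day";
	return $wpdb->get_results( $sql, ARRAY_A );
}

/** Hardened pattern: every value and every identifier goes through prepare(). */
function example_impressions_by_day_hardened( int $banner_id, string $since ) : array {
	global $wpdb;
	// Validate the datetime against a fixed format instead of trusting the raw string.
	$dt = DateTime::createFromFormat( 'Y-m-d H:i:s', $since );
	if ( ! $dt ) {
		return array();
	}
	$sql = $wpdb->prepare(
		'SELECT DATE(created_at) AS day, COUNT(*) AS hits
		 FROM %i
		 WHERE banner_id = %d AND created_at >= %s
		 GROUP BY day',
		$wpdb->prefix . 'bannerize_impressions', // %i backtick-quotes the identifier (WP >= 6.2)
		absint( $banner_id ),                       // %d casts to an integer
		$dt->format( 'Y-m-d H:i:s' )                // %s is quoted and escaped
	);
	return $wpdb->get_results( $sql, ARRAY_A );
}

/**
 * Remote image check without raw cURL. Note the caveat: wp_remote_head() by
 * itself does not refuse loopback or RFC 1918 targets. Passing
 * 'reject_unsafe_urls' => true (what wp_safe_remote_head() does) routes the
 * URL through wp_http_validate_url(), which rejects non-http(s) schemes,
 * userinfo in the URL, and private/loopback hosts.
 */
function example_remote_image_is_reachable( string $url ) : bool {
	$url = esc_url_raw( $url, array( 'http', 'https' ) );
	if ( '' === $url ) {
		return false;
	}
	$response = wp_remote_head(
		$url,
		array(
			'timeout'            => 5,
			'redirection'        => 2,
			'reject_unsafe_urls' => true,
		)
	);
	if ( is_wp_error( $response ) ) {
		return false;
	}
	$type = wp_remote_retrieve_header( $response, 'content-type' );
	return 200 === wp_remote_retrieve_response_code( $response )
		&& 0 === strpos( (string) $type, 'image/' );
}
```

The practical check for the SSRF fixes is whether the request path sets reject_unsafe_urls (or uses the wp_safe_remote_* wrappers); swapping cURL for wp_remote_get() alone only gains the proxy and filter plumbing, not the private-address filtering. Redirects are also followed by the HTTP API, so keep the redirection count low when the target is untrusted.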
File:
1 deleted