INS-2936: Fix all Plugin Checker issues

siteimprove/admin/class-siteimprove-admin.php

@@ -110,7 +110,8 @@ public function gutenberg_siteimprove_plugin() {
 			'gutenberg-siteimprove-plugin',
 			plugin_dir_url( __FILE__ ) . 'js/siteimprove-gutenberg.js',
 			array( 'wp-plugins', 'wp-edit-post', 'wp-element', 'siteimprove' ),
-			true
+			$this->version,
+			false
 		);
 		$si_js_args = array(
 			'token' => get_option( 'siteimprove_token' ),
@@ -188,6 +189,7 @@ private function siteimprove_add_js( $url, $type ) {
 		$file_name = get_option( 'siteimprove_overlayjs_file', 'overlay-v2-dev.js' );
 		$disabled_new_version = get_option( 'siteimprove_disable_new_version' );
 		$pattern = '/^[a-zA-Z_\d-]+.js/';
+		$nonce = wp_create_nonce( 'siteimprove_nonce' );
 
 		if ( ! empty( $file_name ) ) {
 			if ( preg_match( $pattern, $file_name ) ) {
@@ -202,7 +204,11 @@ private function siteimprove_add_js( $url, $type ) {
 				$overlay_path = Siteimprove::JS_LIBRARY_URL . 'overlay-v1.js';
 			}
 		}
-		if ( ! isset( $_GET['si_preview'] ) || '0' === $_GET['si_preview'] ) {
+
+		if ( isset( $_GET['si_preview_nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['si_preview_nonce'] ) ), 'siteimprove_nonce' ) ) {
+			return;
+		}
+		else {	
 			wp_enqueue_script( $this->plugin_name, plugin_dir_url( __FILE__ ) . 'js/siteimprove.js', array( 'jquery' ), $this->version, false );
 			wp_enqueue_script( 'siteimprove_overlay', $overlay_path, array(), $this->version, true );
 		}
@@ -221,6 +227,7 @@ private function siteimprove_add_js( $url, $type ) {
 			'url'   => $url,
 			'version' => $disabled_new_version,
 			'is_content_page' => $is_content_page,
+			'nonce' => $nonce,
 		);
 
 		wp_localize_script(

siteimprove/admin/js/siteimprove.js

@@ -5,12 +5,13 @@
 (function ($) {
   "use strict";
 
-  const getDom = async function (url) {
+  const getDom = async function (url, nonce) {
+    console.log(nonce);
     const iframeContainer = document.createElement("div");
     iframeContainer.setAttribute("id", "div_iframe");
     document.body.appendChild(iframeContainer);
     const separator = url.includes("?") ? "&" : "?";
-    iframeContainer.innerHTML = `<iframe id='domIframe' src=${url}${separator}si_preview=1 style='height:100vh; width:100%'></iframe>`;
+    iframeContainer.innerHTML = `<iframe id='domIframe' src=${url}${separator}si_preview_nonce=${nonce} style='height:100vh; width:100%'></iframe>`;
     const iframe = document.getElementById("domIframe");
     const promise = new Promise(function (resolve, reject) {
       iframe.addEventListener(
@@ -36,12 +37,13 @@
   };  
 
   window.siteimprove = {
-    input: function (url, token, version, is_content_page) {
+    input: function (url, token, version, is_content_page, nonce) {
       this.url = url;
       this.token = token;
       this.method = "input";
       this.version = version;
       this.is_content_page = is_content_page;
+      this.nonce = nonce;
       this.common(url);
     },
     domain: function (url, token) {
@@ -232,7 +234,7 @@
 
     // If exist siteimprove_input, call input Siteimprove method.
     if (typeof siteimprove_input !== "undefined") {
-      siteimprove.input(siteimprove_input.url, siteimprove_input.token, siteimprove_input.version, siteimprove_input.is_content_page);
+      siteimprove.input(siteimprove_input.url, siteimprove_input.token, siteimprove_input.version, siteimprove_input.is_content_page, siteimprove_input.nonce);
     }
 
     // If exist siteimprove_domain, call domain Siteimprove method.
@@ -262,20 +264,23 @@
       var result = {
         url: window.location.href,
         token: "",
+        nonce: "",
       };
 
       if (typeof siteimprove_input !== "undefined") {
         if (typeof siteimprove_input.url !== "undefined") {
           result.url = siteimprove_input.url;
         }
         result.token = siteimprove_input.token;
+        result.nonce = siteimprove_input.nonce;
       }
 
       if (typeof siteimprove_domain !== "undefined") {
         if (typeof siteimprove_domain.url !== "undefined") {
           result.url = siteimprove_domain.url;
         }
         result.token = siteimprove_domain.token;
+        result.nonce = siteimprove_domain.nonce;
       }
       return result;
     };
@@ -286,7 +291,8 @@
         var si_prepublish_data = siGetCurrentUrlAndToken();
         evt.preventDefault();
         $("body").append('<div class="si-overlay"></div>');
-        var dom = await getDom(si_prepublish_data.url);
+        console.log(si_prepublish_data);
+        var dom = await getDom(si_prepublish_data.url, si_prepublish_data.nonce);
         siteimprove.contentcheck_flatdom(
           dom,
           si_prepublish_data.url,

siteimprove/admin/partials/class-siteimprove-admin-settings.php

@@ -107,7 +107,7 @@ public function register_section() {
 		);
 
 		// Register a new section in the siteimprove page.
-		if ( isset( $_GET['devmode'] ) ) {
+		if ( isset( $_GET['devmode'] ) && wp_verify_nonce( sanitize_key( $_REQUEST['_wpnonce'] ), 'siteimprove-options' ) ) {
 			add_settings_section(
 				'siteimprove_dev_mode_section',
 				__( 'Dev Mode', 'siteimprove' ),

siteimprove/includes/class-siteimprove.php

@@ -146,16 +146,14 @@ private function define_admin_hooks() {
 		$this->loader->add_action( 'siteimprove_before_settings_form', $plugin_admin, 'siteimprove_before_settings_form' );
 
 		// Siteimprove Actions.
-		if ( ! isset( $_GET['si_preview'] ) || '0' === $_GET['si_preview'] ) {
-			$this->loader->add_action( 'admin_init', $plugin_admin, 'siteimprove_init' );
-			$this->loader->add_action( 'publish_page', $plugin_admin, 'siteimprove_save_session_url_post' );
-			$this->loader->add_action( 'publish_post', $plugin_admin, 'siteimprove_save_session_url_post' );
-			$this->loader->add_action( 'edit_term', $plugin_admin, 'siteimprove_save_session_url_term', 10, 3 );
-			$this->loader->add_action( 'create_term', $plugin_admin, 'siteimprove_save_session_url_term', 10, 3 );
-			$this->loader->add_action( 'transition_post_status', $plugin_admin, 'siteimprove_save_session_url_product', 10, 3 );
-			$this->loader->add_action( 'wp_head', $plugin_admin, 'siteimprove_wp_head' );
-			$this->loader->add_action( 'admin_bar_menu', $plugin_admin, 'add_prepublish_toolbar_item', 500, 1 );
-		}
+		$this->loader->add_action( 'admin_init', $plugin_admin, 'siteimprove_init', $nonce );
+		$this->loader->add_action( 'publish_page', $plugin_admin, 'siteimprove_save_session_url_post' );
+		$this->loader->add_action( 'publish_post', $plugin_admin, 'siteimprove_save_session_url_post' );
+		$this->loader->add_action( 'edit_term', $plugin_admin, 'siteimprove_save_session_url_term', 10, 3 );
+		$this->loader->add_action( 'create_term', $plugin_admin, 'siteimprove_save_session_url_term', 10, 3 );
+		$this->loader->add_action( 'transition_post_status', $plugin_admin, 'siteimprove_save_session_url_product', 10, 3 );
+		$this->loader->add_action( 'wp_head', $plugin_admin, 'siteimprove_wp_head' );
+		$this->loader->add_action( 'admin_bar_menu', $plugin_admin, 'add_prepublish_toolbar_item', 500, 1 );
 	}
 
 	/**