Data sanitaization and validation

includes/class-paybutton-admin.php

@@ -74,7 +74,7 @@ public function handle_save_settings() {
         if (
             isset( $_POST['paybutton_paywall_save_settings'] ) &&
             isset( $_POST['paybutton_settings_nonce'] ) &&
-            wp_verify_nonce( $_POST['paybutton_settings_nonce'], 'paybutton_paywall_settings' ) &&
+            wp_verify_nonce( sanitize_text_field( wp_unslash($_POST['paybutton_settings_nonce'])), 'paybutton_paywall_settings' ) &&
             current_user_can( 'manage_options' )
         ) {
             $this->save_settings();

includes/class-paybutton-state.php

@@ -23,9 +23,21 @@ private static function hmac( $message ) {
      * Build a fingerprint string from client headers
     */
     private static function fingerprint() {
-        $ua   = $_SERVER['HTTP_USER_AGENT']      ?? '';
-        $ip   = $_SERVER['REMOTE_ADDR']          ?? '';
-        $lang = $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '';
+        // Get and sanitize User-Agent
+        $ua_raw   = $_SERVER['HTTP_USER_AGENT']      ?? '';
+        $ua       = sanitize_text_field( wp_unslash( $ua_raw ) );
+
+        // Get and validate IP address (support IPv4 and IPv6)
+        $ip_raw = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] ?? '';
+        // Handle multiple IPs in X-Forwarded-For
+        $ip_raw = trim(explode(',', $ip_raw)[0]); // Trim after selecting first IP
+        $ip = filter_var($ip_raw, FILTER_VALIDATE_IP) ? $ip_raw : '';
+
+        // Get and sanitize Accept-Language
+        $lang_raw = $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '';
+        $lang_clean = sanitize_text_field(wp_unslash($lang_raw));
+        $lang = preg_match('/^[a-zA-Z]{1,3}(?:-[a-zA-Z]{1,3})?(?:,[a-zA-Z]{1,3}(?:-[a-zA-Z]{1,3})?)*$/i', $lang_clean) ? $lang_clean : '';
+
         return "{$ua}|{$ip}|{$lang}";
     }
 
@@ -42,6 +54,8 @@ private static function make_cookie_value( $payload ) {
      * Verify the cookie structure, HMAC, and fingerprint
     */
     private static function verify_and_extract( $cookie, &$out_payload ) {
+        //Sanitaize the cookie value
+        $cookie = sanitize_text_field( wp_unslash( $cookie ) );
         //Split the stored cookie into three parts
         list( $payload, $fpHash, $mac ) = explode( '|', $cookie, 3 ) + [ '', '', '' ];
         // 1) verify HMAC
@@ -105,7 +119,10 @@ public static function get_address() {
         if ( empty( $_COOKIE[ self::COOKIE_USER_ADDR ] ) ) {
             return '';
         }
-        if ( ! self::verify_and_extract( $_COOKIE[ self::COOKIE_USER_ADDR ], $addr ) ) {
+        // Sanitize the cookie value before verify_and_extract
+        $cookie = sanitize_text_field( wp_unslash( $_COOKIE[ self::COOKIE_USER_ADDR ] ) );
+
+        if ( ! self::verify_and_extract( $cookie, $addr ) ) {
             return '';
         }
         return $addr;
@@ -195,7 +212,11 @@ public static function get_articles() {
         if ( empty( $_COOKIE[ self::COOKIE_CONTENT ] ) ) {
             return [];
         }
-        if ( ! self::verify_and_extract( $_COOKIE[ self::COOKIE_CONTENT ], $payload ) ) {
+
+        // Sanitize the cookie value before verify_and_extract
+        $cookie = sanitize_text_field( wp_unslash( $_COOKIE[ self::COOKIE_CONTENT ] ) );
+
+        if ( ! self::verify_and_extract( $cookie, $payload ) ) {
             return [];
         }
         $json = base64_decode( $payload );