Fix 1.6.0 Plugin Check blockers

readme.txt

@@ -1,9 +1,9 @@
-=== Perform – Performance Optimization for WordPress ===
+=== Perform - Optimize Performance ===
 Contributors: performwp, mehul0810, ankur0812
 Tags: performance, caching, cdn, assets, optimize
 Donate link: https://www.buymeacoffee.com/mehulgohil
 Requires at least: 4.8
-Tested up to: 6.9
+Tested up to: 7.0
 Requires PHP: 7.4
 Stable tag: 1.6.0
 License: GPLv3

src/Admin/Actions.php

@@ -52,7 +52,7 @@ public function registerAssets() {
 		wp_register_style( 'perform-admin', PERFORM_PLUGIN_URL . 'assets/dist/css/admin.css', '', PERFORM_VERSION );
 		wp_enqueue_style( 'perform-admin' );
 
-		wp_register_script( 'perform-admin', PERFORM_PLUGIN_URL . 'assets/dist/js/admin.min.js', [ 'wp-element', 'wp-components', 'wp-i18n' ], PERFORM_VERSION );
+		wp_register_script( 'perform-admin', PERFORM_PLUGIN_URL . 'assets/dist/js/admin.min.js', [ 'wp-element', 'wp-components', 'wp-i18n' ], PERFORM_VERSION, true );
 		wp_enqueue_script( 'perform-admin' );
 
 			wp_localize_script(
@@ -88,7 +88,9 @@ public function add_to_admin_bar( $wp_admin_bar ) {
 			return;
 		}
 
-		if ( ! isset( $_GET['perform'] ) ) {
+		$is_assets_manager_open = isset( $_GET['perform'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only display toggle.
+
+		if ( ! $is_assets_manager_open ) {
 			$href      = add_query_arg( 'perform', '1' );
 			$menu_text = esc_html__( 'Assets Manager', 'perform' );
 		} else {

src/Admin/Filters.php

@@ -10,6 +10,11 @@
 
 namespace Perform\Admin;
 
+// Bailout, if accessed directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
 class Filters {
 
 	/**
@@ -48,8 +53,8 @@ public function add_admin_footer_text( $footer_text ) {
 			'%1$s <strong>%2$s</strong> <a href="%4$s" target="_blank" rel="noopener noreferrer" class="perform-rating-link">%3$s</a> %5$s',
 			esc_html__( 'If you love using', 'perform' ),
 			esc_html__( 'Perform WordPress Plugin', 'perform' ),
-			esc_html__( 'please leave us a rating', 'perform' ),
-			esc_url( 'https://wordpress.org/support/plugin/perform/reviews/?filter=5#postform' ),
+			esc_html__( 'please leave us a review', 'perform' ),
+			esc_url( 'https://wordpress.org/support/plugin/perform/reviews/' ),
 			esc_html__( '. It takes a minute and helps a lot. Thanks in advance!', 'perform' ),
 		);
 

src/Admin/Settings/Api.php

@@ -54,6 +54,7 @@ public function render_action() {
 			</div>
 		</div>
 		<?php
+		// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Static action markup is escaped before buffering.
 		echo ob_get_clean();
 	}
 
@@ -81,17 +82,23 @@ public function render_fields( $all_fields = [] ) {
 		<form id="perform-admin-settings-form" method="POST">
 			<table class="form-table" role="presentation">
 				<tbody>
-					<?php foreach ( $fields as $field ) : ?>
-						<tr>
-							<th scope="row">
-								<?php echo esc_html( $field['name'] ); ?>
-								<?php echo $this->render_help_link( $field['help_link'] ); ?>
-							</th>
-							<td>
-								<?php echo $this->render_field( $field ); ?>
-							</td>
-						</tr>
-					<?php endforeach; ?>
+				<?php foreach ( $fields as $field ) : ?>
+					<tr>
+						<th scope="row">
+							<?php echo esc_html( $field['name'] ); ?>
+							<?php
+							// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- render_help_link() escapes URL and title attributes before returning markup.
+							echo $this->render_help_link( $field['help_link'] );
+							?>
+						</th>
+						<td>
+							<?php
+							// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Field renderers escape every dynamic attribute and text value before returning markup.
+							echo $this->render_field( $field );
+							?>
+						</td>
+					</tr>
+				<?php endforeach; ?>
 				</tbody>
 			</table>
 			<?php $this->render_action(); ?>
@@ -107,7 +114,7 @@ public function render_fields( $all_fields = [] ) {
 	 * @return string
 	 */
 	private function render_field( $field ) {
-		$type = $field['type'] ?? 'text';
+		$type   = $field['type'] ?? 'text';
 		$method = "render_{$type}_field";
 
 		if ( method_exists( $this, $method ) ) {

src/Admin/Settings/Menu.php

@@ -85,7 +85,8 @@ public function save_settings() {
 		}
 
 		// Verify nonce for the AJAX request.
-		if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( wp_unslash( $_POST['nonce'] ), 'perform_save_settings' ) ) {
+		$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
+		if ( ! wp_verify_nonce( $nonce, 'perform_save_settings' ) ) {
 			wp_send_json_error(
 				[
 					'type'    => 'error',
@@ -97,16 +98,16 @@ public function save_settings() {
 		// If the JS sent a JSON payload in `data`, decode it. Otherwise fall back to regular POST fields.
 		$posted_data = [];
 		if ( isset( $_POST['data'] ) ) {
-			$raw     = wp_unslash( $_POST['data'] );
+			$raw     = sanitize_textarea_field( wp_unslash( $_POST['data'] ) );
 			$decoded = json_decode( $raw, true );
 			if ( is_array( $decoded ) ) {
 				$posted_data = $decoded;
 			} else {
 				// Fallback: clean the entire $_POST array.
-				$posted_data = Helpers::clean( $_POST );
+				$posted_data = Helpers::clean( wp_unslash( $_POST ) );
 			}
 		} else {
-			$posted_data = Helpers::clean( $_POST );
+			$posted_data = Helpers::clean( wp_unslash( $_POST ) );
 		}
 		$settings = Helpers::get_settings();
 

src/Includes/Actions.php

@@ -12,6 +12,11 @@
 
 use Perform\Includes\Helpers;
 
+// Bailout, if accessed directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
 class Actions {
 
 	/**