While working on the plugin locally I walked through src/Block.php and noticed a few spots where output escaping and attribute handling could be tightened.
Most of the dynamic values coming back from the GitHub API are passed through esc_html_e(), which is meant for translatable literal strings, not for URLs, usernames, or repo names. A few places also echo API fields without an escaping wrapper at all. That means values like avatar URLs, repo links, and descriptions are not going through the right functions (esc_url(), esc_attr(), esc_html() as appropriate). The same file also builds GitHub request URLs from block attributes such as profileName and repoUrl without validating the shape of those strings first, which could be worth hardening if attributes are ever writable outside a fully trusted editor context.
There is also a small markup bug in the WP error branch where a closing </div tag is missing its >, and profile mode assumes the repos response is always an object with an items property even when the fetch path returns an error string.
I put together a focused hardening pass in #15.
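A hardened rendering path for the points raised above (context-appropriate escaping, shape checks on the profileName and repoUrl attributes before they feed a request URL, and the error-string case in profile mode), as an added example that is neither the plugin's current code nor the contents of #15. It assumes WordPress is loaded, that response fields use the GitHub REST API names (html_url, full_name, description, owner->avatar_url, owner->login), and a hypothetical text domain 'github-block'.

```php
<?php
// Added example, not the plugin's own code nor the patch in #15. Assumes WordPress
// is loaded (esc_url/esc_attr/esc_html/esc_html__), GitHub REST API field names,
// and a hypothetical text domain 'github-block'.

// Shape check for the profileName attribute before it goes into a request URL:
// GitHub login rules (alphanumerics, single inner hyphens, 1-39 chars).
function ghb_validate_profile_name( $name ) {
    if ( ! is_string( $name ) ) {
        return null;
    }
    $re = '/^[A-Za-z0-9](?:[A-Za-z0-9]|-(?=[A-Za-z0-9])){0,38}$/';
    return preg_match( $re, $name ) ? $name : null;
}

// Shape check for repoUrl: only https://github.com/<owner>/<repo> is accepted.
// Returns array( owner, repo ) or null; the caller builds the API URL from
// those two validated parts rather than from the raw attribute.
function ghb_parse_repo_url( $url ) {
    if ( ! is_string( $url ) ) {
        return null;
    }
    $re = '#^https://github\.com/([A-Za-z0-9](?:[A-Za-z0-9]|-(?=[A-Za-z0-9])){0,38})/([A-Za-z0-9._-]{1,100})/?$#';
    return preg_match( $re, $url, $m ) ? array( $m[1], $m[2] ) : null;
}

// Before, the pattern the report describes:
//   echo '<a href="'; esc_html_e( $repo->html_url ); echo '">';
// esc_html_e() runs a translation lookup on a dynamic string and only
// HTML-escapes; it does not restrict the URL scheme, which is esc_url()'s job.
// After: each value is escaped for the context it lands in, and the
// error-string case from the fetch path is handled before ->items is touched.
function ghb_render_repos( $repos ) {
    if ( ! is_object( $repos ) || ! isset( $repos->items ) || ! is_array( $repos->items ) ) {
        // fetch path returned an error string (or an unexpected shape)
        return '<p class="ghb-error">' . esc_html__( 'Could not load repositories.', 'github-block' ) . '</p>';
    }
    $out = '';
    foreach ( $repos->items as $repo ) {
        $out .= '<div class="ghb-repo">';
        $out .= '<img src="' . esc_url( $repo->owner->avatar_url ) . '"'
              . ' alt="' . esc_attr( $repo->owner->login ) . '">';
        $out .= '<a href="' . esc_url( $repo->html_url ) . '">'
              . esc_html( $repo->full_name ) . '</a>';
        $out .= '<p>' . esc_html( (string) $repo->description ) . '</p>';
        $out .= '</div>'; // closing tag complete, unlike the error-branch bug noted above
    }
    return $out;
}
```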