
UR-4225 Fix - Triage snyk vulnerability report findings#1188

Merged
MILAN88888 merged 7 commits intodevelopfrom
UR-4225-fix/triage-snyk-vulnerability-report-findings
Apr 30, 2026

Conversation

@MILAN88888
Contributor

All Submissions:

Changes proposed in this Pull Request:

This PR fixes several security issues, including nonce handling, escaping, and sanitization improvements. Some medium-severity issues remain, but they can be safely ignored because they occur in the frontend JavaScript and the data involved is already sanitized on the backend.
For future JavaScript implementations, we should follow a detached DOM structure when appending HTML to ensure safer and more maintainable code.
```javascript
// ❌ BAD — appends to live DOM 100 times = 100 repaints
// (element markup was lost in extraction; a plain <div> is assumed here)
$(plans).each(function(k, item) {
  urmg_container.append('<div>' + item.title + '</div>'); // browser redraws each time
});

// ✅ GOOD — build everything in memory first, ONE append = ONE repaint
var $wrapper = $('<div>'); // detached, in memory
$(plans).each(function(k, item) {
  var $card = $('<div>').text(item.title); // .text() sets the title as text, never as markup
  $wrapper.append($card); // no repaint, just memory operation
});
urmg_container.append($wrapper); // ONE repaint at the end ✅
```
[snyk-report.html](url)

How to test the changes in this Pull Request:

  1. Changes are done in many areas, so we have to test all the functionalities (login, settings, users, membership, email, email preview, form builder, admin notices, plugin updaters, etc.).
  2. To get the report we have set up the Snyk AI security scan on the local system:
  3. npm install -g snyk
  4. snyk auth
  5. snyk monitor
  6. Log in and enable

Types of changes:

  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (modification of the currently available functionality)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Other information:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you successfully run tests with your changes locally?
  • Have you updated the documentation accordingly?

Changelog entry

UR-4225 Fix - Triage snyk vulnerability report findings.
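
As an added illustration of the detached-build pattern described in this PR (not code from the PR or from the plugin), the following standalone JavaScript mirrors the BAD and GOOD paths with plain strings so it runs without a browser: the unsafe renderer splices `item.title` straight into markup, while the safe renderer escapes each title at the sink and builds all cards in memory before producing one output to append. The names `escapeHtml`, `renderPlansUnsafe`, `renderPlansSafe` and `samplePlans` are assumptions.

```javascript
// Added example (not the plugin's code): contrast string-spliced markup with
// escaped, batched rendering for a list of membership plans.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// BAD: mirrors the pattern the PR calls out. The title is concatenated into
// markup as-is, so any tags inside a title become live markup, and each card
// would be appended to the live DOM separately.
function renderPlansUnsafe(plans) {
  var html = '';
  plans.forEach(function (item) {
    html += '<div class="urmg-plan">' + item.title + '</div>';
  });
  return html;
}

// GOOD: escape at the sink and build every card in memory first, so the caller
// appends the wrapper once (one repaint) and no title is ever parsed as markup.
// In the browser the equivalent of escapeHtml() here is $('<div>').text(title).
function renderPlansSafe(plans) {
  var cards = plans.map(function (item) {
    return '<div class="urmg-plan">' + escapeHtml(item.title) + '</div>';
  });
  return '<div class="urmg-plans">' + cards.join('') + '</div>';
}

// Constructed sample input: one ordinary plan title and one that carries markup.
var samplePlans = [
  { title: 'Gold' },
  { title: '<b>Premium</b> & more' }
];

console.log(renderPlansUnsafe(samplePlans));
console.log(renderPlansSafe(samplePlans));
```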

@MILAN88888 MILAN88888 self-assigned this Feb 27, 2026
@MILAN88888 MILAN88888 added labels bug, Needs Review, Needs Tests, Needs Extensive Test (this PR has high impact so will need extensive testing) Feb 27, 2026
MILAN88888 and others added 4 commits March 4, 2026 14:43
Keep XSS-safe versions ($.parseHTML, .text(), wp_kses_post, esc_attr, sanitize_text_field) over develop's unescaped equivalents across all conflict files.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@MILAN88888 MILAN88888 changed the base branch from master to develop April 29, 2026 03:40
@MILAN88888 MILAN88888 merged commit 7b9dec8 into develop Apr 30, 2026
1 of 3 checks passed
@MILAN88888 MILAN88888 added labels Approved, Merged and removed labels Needs Review, Needs Tests, Needs Extensive Test (this PR has high impact so will need extensive testing) Apr 30, 2026