fix: added escaping

[sapayth]

fixes #109 , fixes #111

added js escaping along with the sanitization before.
vulnerable to Cross Site Scripting (XSS). [c885***]

Summary by CodeRabbit

• Bug Fixes

  • Properly escape ReCAPTCHA keys and theme values in output to improve security.
  • Update ReCAPTCHA resource URLs and verification endpoints to use HTTPS.

• Chores

  • Minor whitespace and text link updates for referenced ReCAPTCHA help/info pages.

[coderabbitai]

Walkthrough

Replaces unsafe raw outputs and HTTP endpoints with escaped values and HTTPS URLs across ReCAPTCHA-related PHP files, altering generated JavaScript/HTML and network endpoints without changing public function signatures.

Changes

Cohort / File(s)	Summary
NoCAPTCHA JS escaping inc/class-wp_recaptcha_nocaptcha.php	Replaces raw sitekey and theme echoes with esc_js(...) in grecaptcha.render and related JS; updates ajaxComplete responseText check to use the escaped sitekey.
ReCAPTCHA HTML attribute escaping & HTTPS inc/class-wp_recaptcha_recaptcha.php	Replaces raw public key output with esc_attr($public_key) in script src and noscript iframe src; switches external resource URLs from http to https; minor whitespace edits.
API endpoint HTTPS updates inc/class-wp_recaptcha.php	Changes reCAPTCHA public/verification endpoints from http to https in test_public_key and test_private_key network requests.
Admin message HTTPS update inc/class-wp_recaptcha_options.php	Updates admin_settings_error help URL from http to https.
Legacy lib HTTPS and small cleanups inc/recaptchalib.php	Switches RECAPTCHA_API_SERVER and Mailhide URLs from http to https; updates related public/help strings and URL constructions; whitespace tweaks only.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

• Verify correct escaping context: esc_js for JS string insertion and esc_attr for HTML attributes; consider json_encode() for complex JS objects.
• Confirm AJAX response matching still functions with escaped output.
• Ensure HTTPS endpoint changes preserve required query parameters and expected responses (test_public_key/test_private_key).
• Review recaptchalib.php Mailhide/API constant changes for any external callers or compatibility expectations.

Possibly related PRs

• Version 1.2.6 #106 — Applies esc_js/esc_attr escaping to ReCAPTCHA JS/HTML output in inc/class-wp_recaptcha_recaptcha.php (strong overlap).
• Security improvement #105 — Security/escaping fixes touching inc/class-wp_recaptcha_options.php (related changes to admin URLs and messaging).
• fix: added sanitization #112 — Addresses XSS by adding input sanitization for stored keys; complements this PR's output-escaping changes.

Suggested reviewers

• iftakharul-islam

Poem

🐰
A little hop to fix the keys,
I wrapped them safe from sneaky breeze.
HTTPS trails where links once ran,
esc_js and esc_attr — my plan.
Now cookies nap and widgets play, hurrah today! 🎉

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Out of Scope Changes Check	⚠️ Warning	The pull request includes changes beyond the specific requirement to fix the XSS vulnerability mentioned in issue #109. In addition to the output escaping fixes that directly address the security issue, the PR systematically replaces HTTP with HTTPS URLs across multiple files (class-wp_recaptcha.php, class-wp_recaptcha_recaptcha.php, class-wp_recaptcha_options.php, and recaptchalib.php). While HTTPS migration is a legitimate security practice, it is not mentioned in the linked issue, which specifically concerns a stored XSS vulnerability, making these changes out-of-scope for the stated objective.	Consider separating the HTTP-to-HTTPS migration changes into a distinct pull request or clarify whether these changes are required as part of the security fix. If HTTPS migration should be included as complementary security hardening, update the linked issue description to explicitly mention this requirement. If these changes are optional improvements, they should be split from the core XSS vulnerability fix to maintain focused, scope-controlled pull requests.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "fix: added escaping" is related to the main changes in the pull request. The primary modifications involve adding esc_js() and esc_attr() escaping functions to prevent cross-site scripting (XSS) attacks on ReCAPTCHA parameters across multiple files. While the title is somewhat generic and doesn't specify which components are affected or the security context, it accurately indicates that escaping functionality was added to address a security issue. The title is not unrelated to the changeset, nor is it vague to the point of being uninformative like "misc updates."
Linked Issues Check	✅ Passed	The pull request directly addresses the primary objective stated in linked issue #109, which is to fix a stored cross-site scripting (XSS) vulnerability in the WP ReCaptcha Integration plugin. The changes add proper output escaping through esc_js() and esc_attr() functions to sanitize ReCAPTCHA parameters like site keys and themes, which is the appropriate and standard approach to prevent XSS attacks. These modifications protect against the authenticated administrator stored XSS vulnerability referenced in the Wordfence advisory cited in the issue.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1c6b983 and e27af55.

📒 Files selected for processing (4)

• inc/class-wp_recaptcha.php (2 hunks)
• inc/class-wp_recaptcha_options.php (1 hunks)
• inc/class-wp_recaptcha_recaptcha.php (7 hunks)
• inc/recaptchalib.php (6 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• inc/class-wp_recaptcha_recaptcha.php

🔇 Additional comments (6)

inc/recaptchalib.php (4)

38-38: LGTM: HTTPS migration for API server constant.

The change from HTTP to HTTPS for the RECAPTCHA_API_SERVER constant improves security by preventing man-in-the-middle attacks.

---

109-109: LGTM: HTTPS migration for user-facing error messages.

Updated error messages now reference HTTPS endpoints, consistent with the API server changes.

Also applies to: 155-155

---

203-203: LGTM: HTTPS migration for mailhide URLs.

All mailhide-related URLs have been appropriately updated to use HTTPS, including signup URLs and API documentation references.

Also applies to: 233-233, 240-240

---

265-265: LGTM: HTTPS migration for documentation comment.

Documentation comment updated to reference the secure HTTPS endpoint.

inc/class-wp_recaptcha_options.php (1)

355-355: LGTM: HTTPS migration for settings error message.

The help URL in the settings error message has been appropriately updated to use HTTPS, consistent with the broader security improvements in this PR.

inc/class-wp_recaptcha.php (1)

540-540: LGTM: HTTPS migration for API key verification endpoints.

Both test_public_key() and test_private_key() methods now use HTTPS endpoints for verifying API keys with Google's reCAPTCHA service. This prevents potential man-in-the-middle attacks during key verification.

Also applies to: 554-554

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

inc/class-wp_recaptcha_recaptcha.php (1)

188-188: Fix the malformed sprintf call.

The sprintf format string is missing a %s placeholder, causing the translated text to be ignored.

Apply this diff:

-			$return .= sprintf('<div><a href="javascript:Recaptcha.reload()"></a></div>',__('Get another CAPTCHA','wp-recaptcha-integration'));
+			$return .= sprintf('<div><a href="javascript:Recaptcha.reload()">%s</a></div>',__('Get another CAPTCHA','wp-recaptcha-integration'));

inc/class-wp_recaptcha_nocaptcha.php (1)

246-266: Add proper URL encoding for the sitekey in noscript fallback.

The data-sitekey attribute value is concatenated directly into the iframe URL without URL encoding (line 250). While line 243 applies esc_attr() to attributes in the main <div>, the noscript fallback embeds $attr['data-sitekey'] directly into a URL, which should use URL encoding to prevent injection.

Apply this diff to properly escape the URL parameter:

 		if ( WP_reCaptcha::instance()->get_option('recaptcha_noscript') ) {
 			$return .= '<div style="width: 302px; height: 462px;">' .
 							'<div style="width: 302px; height: 422px; position: relative;">' .
 								'<div style="width: 302px; height: 422px; position: absolute;">' .
-									'<iframe src="https://www.google.com/recaptcha/api/fallback?k='.$attr['data-sitekey'].'"' .
+									'<iframe src="https://www.google.com/recaptcha/api/fallback?k='.rawurlencode($attr['data-sitekey']).'"' .
 											' frameborder="0" scrolling="no"' .
 											' style="width: 302px; height:422px; border-style: none;">' .
 									'</iframe>' .

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a81ab61 and 1c6b983.

📒 Files selected for processing (2)

• inc/class-wp_recaptcha_nocaptcha.php (2 hunks)
• inc/class-wp_recaptcha_recaptcha.php (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

inc/class-wp_recaptcha_nocaptcha.php (1)

inc/class-wp_recaptcha.php (3)

• WP_reCaptcha (6-682)
• instance (25-29)
• get_option (484-504)

🔇 Additional comments (2)

inc/class-wp_recaptcha_nocaptcha.php (2)

189-190: Good security fix: XSS prevention in JavaScript context.

The use of esc_js() correctly prevents XSS when embedding the sitekey and theme values into JavaScript strings. This properly addresses the stored XSS vulnerability.

---

208-208: I need to view the actual content around line 208 to verify the original concern:

Let me check the actual content of line 208 in the file:

Based on my verification process, I cannot locate the specific code referenced in the original review comment. The script output shows that both esc_js() and esc_attr() escape the same special characters: < > & " ' and single quotes, and by default there is no difference between esc_html() and esc_attr(), with different filters applied.

However, the critical issue is that the shell script execution did not reveal the actual code at line 208 of the file. The search results show that both functions use _wp_specialchars() as their underlying implementation. For reCAPTCHA sitekeys, which are constrained to alphanumeric characters, underscores, and dashes, both escaping functions would produce identical output since neither function transforms these safe characters.

The provided code snippet lacks the actual context needed to verify the concern, and the file search did not confirm the problematic code pattern exists on line 208. The existing codebase shows esc_attr() is properly applied at HTML output time (line 243), where attribute values are escaped before rendering.

Likely an incorrect or invalid review comment.

[iftakharul-islam]

Working Nicely.