Security: wp_register_script('wp-preferences') replaced with wp_deregister_script() — no longer re-registering WordPress core script handles
Security: Enhanced XXE protection on sensitive template files
Maintenance: IDE helper files excluded from production ZIP build
Compliance: WordPress.org compliance optimization and code quality improvements
Status: Remains at version 1.3.26 — internal maintenance release
1.0.3.25
Security: Ajax_Handlers – added current_user_can('manage_options') to pdf_builder_test_roles handler; added check_ajax_referer() to pdf_builder_verify_canvas_settings_consistency handler; defined missing pdf_builder_get_allowed_roles_ajax_handler function with nonce and capability checks (was registered but never defined – would cause fatal PHP error)
Security: Unified_Ajax_Handler – added check_ajax_referer('pdf_builder_ajax', 'nonce') to handle_generate_pdf(), handle_generate_image(), and handle_get_preview_html() (had capability checks but no nonce verification)
Security: Frontend PDF GET URL (PDFBuilderContent.tsx) – added nonce parameter to direct PDF generation URL; webpack rebuild
Security: Nonce_Manager – sanitize_text_field + wp_unslash on nonce input before verification
Security: Sanitized all remaining $_GET / $_REQUEST / $_POST inputs across 34 files (wp_unslash + sanitize_text_field / absint / sanitize_key as appropriate)
Compliance: Remaining phpcs:ignore removed from the cron test AJAX handler; nonce validation now uses check_ajax_referer()
Compliance: templates/admin/settings-loader.php now uses admin_enqueue_scripts instead of wp_enqueue_scripts
Compliance: React editor bundle now depends on wp-element; empty react / react-dom sources removed
Compliance: PDFIB_PLUGIN_FILE is defined once in advanced-pdf-invoice-builder.php; loader/constants use that single source of truth
Compliance: release ZIP now includes sources/js/ and sources/css/, matching the documented source mappings for compiled JS and CSS assets
Compliance: external services and opt-in feedback collection remain documented below in the dedicated sections for WP.org transparency
Security: Sanitized $_POST array deep-accesses across 16 files
Compliance: esc_attr() applied on 15 output points in settings-developpeur template; absint() on license ID parameter; wp_send_json_success return values normalized
Compliance: Added ABSPATH direct-access guard to 43 PHP files missing the standard protection
Compliance: all $wpdb DirectDatabaseQuery and PreparedSQL calls reviewed (100+ occurrences)
Compliance: ~335 static HTML echo statements reviewed (no user input, no XSS risk)
Compliance: Renamed option key pdfb_free_pdf_slots → pdf_builder_free_pdf_slots to comply with WP.org prefix requirements
Compliance: TransientDebugger – all debug output now gated behind WP_DEBUG constant
Compliance: PHP filesystem functions used with justification in 10 files
Compliance: ZIP build script – excluded test files, IDE helper files, and development-only files from plugin archive
Audit: Full security scan – 0 errors remaining for EscapeOutput, NonceVerification, ValidatedSanitizedInput sniffs across all 178 PHP files
WordPress.org Pass 1 (security): sanitize all inputs (map_deep + wp_kses_post), remove debug $_POST logs, fix wp_verify_nonce wrapping, sanitize_file_name for uploads
WordPress.org Pass 2 (escape): esc_html on translated format strings, esc_js for hook variable, sanitize CSS values in generate_theme_css(), wp_kses_post for render_step_content()
WordPress.org Pass 3 (prefix): rename post type pdf_template → pdf_builder_template across 7 files; prefix global constants ELEMENT_PROPERTY_RESTRICTIONS / ELEMENT_TYPE_MAPPING (→ PDF_BUILDER_); prefix global functions isPropertyAllowed / getPropertyDefault / validateProperty / fixInvalidProperty (→ pdf_builder_); rename class PDF_Template_Status_Manager → PDF_Builder_Template_Status_Manager; rename AJAX actions pdf_editor_* → pdf_builder_editor_*
WordPress.org Pass 4 (discouraged functions): remove UTF-8 BOM from 8 files; replace shell_exec("php -l") with token_get_all() (Health Monitor); replace exec('tar') x3 with ZipArchive (Backup Recovery); remove hardcoded Gmail credentials and XOR/base64 decode_pass() (Deactivation Feedback) – replaced with wp_mail(); urlencode() → rawurlencode() in licence settings; legitimate AES-256-CBC base64 usage retained with justification
WordPress.org compliance: removed httpbin.org external HTTP test call in PDF_Builder_Test_Suite – replaced with home_url() local self-request
WordPress.org compliance: replaced hardcoded WP_CONTENT_DIR / ABSPATH / WP_LANG_DIR constants with proper WP API functions (wp_upload_dir(), plugin_dir_path(), load_plugin_textdomain())
WordPress.org compliance: stripped external URLs from html2canvas.min.js license comment header (local bundled library, no remote call)
WordPress.org compliance: privacy policy and terms of service URLs updated to hub.threeaxe.fr across readme and settings pages
Architecture: removed PDF_Builder_Cache_Manager – cache system (400+ lines, cron, 4 AJAX handlers, admin UI) completely withdrawn; plugin operates identically without it
Compliance: local PHP filesystem functions used with justification in 11 additional files (file_get_contents, file_put_contents on local paths – wp_remote_get() is not appropriate)
Compliance: WordPress.PHP.StrictInArray – added true as strict third argument to all in_array() and array_search() calls across 51 files (116+ occurrences) – prevents type-coercion bypass
Compliance: PHPCBF auto-fixed 450 formatting violations in 86 files (==→===, !=→!==, line endings, indentation, string quoting, spacing)
Fix: removed UTF-8 BOM accidentally introduced by batch processing script – all 51 affected files cleaned
Audit: 0 errors remaining for EscapeOutput, NonceVerification, ValidatedSanitizedInput, ByteOrderMark, PHP Syntax, ValidHookName, Capabilities, NoSilencedErrors, StrictInArray, AlternativeFunctions across 178 PHP files
Fix: canvas margins not saving – JS now sends '0' for unchecked single checkboxes; PHP validation added patterns for _show_ (boolean) and _margin_ (intval clamped 0-500)
Fix: template modal DPI list showed all DPIs instead of only active ones – PDF_Builder_Templates_Ajax now reads pdf_builder_canvas_dpi CSV instead of legacy pdf_builder_available_dpi
Fix: only last DPI value saved when multiple checked – removed name.slice(0,-2) stripping in FormData loop; [] suffix now preserved so PHP receives an array
Fix: DPI overwritten to '0' after saving main settings form – excluded pdf_builder_canvas_dpi, pdf_builder_canvas_formats, pdf_builder_canvas_orientations from save_content_settings() foreach; removed duplicate canvas_dpi from $general_settings
Fix: 403 error on PNG/JPG generation in WooCommerce order metabox – handle_generate_image() now accepts both pdf_builder_ajax and pdf_builder_order_actions nonces; added manage_options fallback in permission check
Compliance: deactivation feedback email now sent to plugin author via apply_filters('pdf_builder_feedback_email', …) instead of site admin email; disclosed in readme (wp.org data collection transparency)
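The following is an added example, not code from the plugin, showing the shape of an AJAX handler that satisfies the items in this release: the ABSPATH guard, check_ajax_referer() nonce verification, a current_user_can('manage_options') capability check, wp_unslash plus type-appropriate sanitization (absint / sanitize_key / map_deep with sanitize_text_field), strict in_array() against an allow-list, the _show_ / _margin_ validation patterns from the canvas-margin fix, and escaped output. The handler name pdf_builder_example_save_canvas_settings, the option name pdf_builder_example_canvas, the helper pdf_builder_example_validate_setting and the sample DPI/format allow-lists are assumptions for illustration.

```php
<?php
// Added example (hypothetical handler, not plugin code): a WordPress AJAX
// endpoint hardened the way the changelog entries above describe.
if ( ! defined( 'ABSPATH' ) ) {
    exit; // direct-access guard
}

/**
 * Validate one canvas setting by key pattern (hypothetical helper).
 * _show_ keys are booleans (the form sends '1' or '0', never a missing key),
 * _margin_ keys are integers clamped to 0-500; any other key is rejected.
 *
 * @return int|null Clean value, or null when the key is not recognised.
 */
function pdf_builder_example_validate_setting( $key, $value ) {
    if ( false !== strpos( $key, '_show_' ) ) {
        return '1' === $value ? 1 : 0;
    }
    if ( false !== strpos( $key, '_margin_' ) ) {
        return max( 0, min( 500, intval( $value ) ) );
    }
    return null;
}

function pdf_builder_example_save_canvas_settings() {
    // 1. Nonce: dies with a 403 response unless $_REQUEST['nonce'] carries a
    //    valid 'pdf_builder_ajax' nonce (cross-site request protection).
    check_ajax_referer( 'pdf_builder_ajax', 'nonce' );

    // 2. Capability: a valid nonce only proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input: unslash first, then coerce each field to the type it must have.
    $dpi    = isset( $_POST['dpi'] ) ? absint( wp_unslash( $_POST['dpi'] ) ) : 0;
    $format = isset( $_POST['format'] ) ? sanitize_key( wp_unslash( $_POST['format'] ) ) : '';
    $fields = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? map_deep( wp_unslash( $_POST['settings'] ), 'sanitize_text_field' )
        : array();

    // 4. Allow-list with strict comparison (the StrictInArray fix): the third
    //    argument prevents loose-equality matches such as PHP 7's 0 == 'abc'.
    $allowed_dpi     = array( 72, 150, 300 );   // constructed sample list
    $allowed_formats = array( 'a4', 'letter' ); // constructed sample list
    if ( ! in_array( $dpi, $allowed_dpi, true ) || ! in_array( $format, $allowed_formats, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid dpi or format' ), 400 );
    }

    // 5. Per-key validation: unknown keys are dropped instead of stored.
    $clean = array();
    foreach ( $fields as $key => $value ) {
        $key       = sanitize_key( $key );
        $validated = pdf_builder_example_validate_setting( $key, $value );
        if ( null !== $validated ) {
            $clean[ $key ] = $validated;
        }
    }

    update_option(
        'pdf_builder_example_canvas',
        array( 'dpi' => $dpi, 'format' => $format, 'fields' => $clean )
    );

    // 6. Output: escape anything echoed back, even values we just validated.
    wp_send_json_success(
        array( 'saved' => count( $clean ), 'format' => esc_html( $format ) )
    );
}
add_action( 'wp_ajax_pdf_builder_example_save_canvas_settings', 'pdf_builder_example_save_canvas_settings' );
```

The order matters: the nonce check runs before any input is read, the capability check before any state changes, and the allow-list comparison uses the strict flag so that a string value can never satisfy an integer allow-list by coercion. A client calling this endpoint would post action=pdf_builder_example_save_canvas_settings together with a nonce created by wp_create_nonce('pdf_builder_ajax').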
1.0.3.24
Code quality: fixed 630 PHPStan errors (level 5) to 0 – complete static analysis now passes cleanly