From 549b09aacbe85bea8015b920fefad15af4372a9f Mon Sep 17 00:00:00 2001
From: Andrew Shell
Date: Tue, 7 Apr 2026 06:59:11 -0500
Subject: [PATCH 1/2] Adding plugin-check-action for github actions
---
.distignore | 45 +++++++++++++++++++++++++++++++++++
.editorconfig | 22 +++++++++++++++++
.github/workflows/testing.yml | 29 +++++++++++++++++++++-
.gitignore | 2 ++
4 files changed, 97 insertions(+), 1 deletion(-)
create mode 100644 .distignore
create mode 100644 .editorconfig
diff --git a/.distignore b/.distignore
new file mode 100644
index 0000000..d542a53
--- /dev/null
+++ b/.distignore
@@ -0,0 +1,45 @@
+# A set of files you probably don't want in your WordPress.org distribution
+.babelrc
+.deployignore
+.distignore
+.editorconfig
+.eslintignore
+.eslintrc
+.git
+.gitignore
+.github
+.gitlab-ci.yml
+.travis.yml
+.DS_Store
+.*~
+Thumbs.db
+behat.yml
+bitbucket-pipelines.yml
+bin
+.circleci/config.yml
+composer.json
+composer.lock
+dependencies.yml
+Gruntfile.js
+package.json
+package-lock.json
+phpunit.xml
+phpunit.xml.dist
+multisite.xml
+multisite.xml.dist
+.phpcs.xml
+phpcs.xml
+.phpcs.xml.dist
+phpcs.xml.dist
+README.md
+webpack.config.js
+wp-cli.local.yml
+yarn.lock
+tests
+vendor
+node_modules
+*.sql
+*.tar.gz
+*.zip
+.wp-env.json
+.wp-env.test.json
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..79207a4
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,22 @@
+# This file is for unifying the coding style for different editors and IDEs
+# editorconfig.org
+
+# WordPress Coding Standards
+# https://make.wordpress.org/core/handbook/coding-standards/
+
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = tab
+indent_size = 4
+
+[{.jshintrc,*.json,*.yml}]
+indent_style = space
+indent_size = 2
+
+[{*.txt,wp-config-sample.php}]
+end_of_line = crlf
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 53ce5e6..1af561e 100644
--- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -4,9 +4,36 @@ on: pull_request: branches: - main - - master jobs: + plugin-check: + name: Plugin check + runs-on: ubuntu-latest + steps: + - name: Check out source code + uses: actions/checkout@v4 + + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + php-version: latest + coverage: none + tools: wp-cli + + - name: Install latest version of dist-archive-command + run: wp package install wp-cli/dist-archive-command:v3.1.0 + + - name: Build plugin + run: | + wp dist-archive . ./rsscloud.zip --plugin-dirname=rsscloud + mkdir tmp-build + unzip rsscloud.zip -d tmp-build + + - name: Run plugin check + uses: wordpress/plugin-check-action@v1 + with: + build-dir: "./tmp-build/rsscloud" + phpunit: name: Run tests runs-on: ubuntu-latest diff --git a/.gitignore b/.gitignore index 4ed3e25..61df3e3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,7 @@ # Directories/files that may be generated by this project build build-module +tmp-build build-style build-types build-wp @@ -17,6 +18,7 @@ coverage # Directories/files that may appear in your environment .DS_Store *.log +*.zip yarn.lock *.local.* results From e70c53000984342c97fe35c405645d91e11b2167 Mon Sep 17 00:00:00 2001 From: Andrew Shell Date: Tue, 7 Apr 2026 09:11:37 -0500 Subject: [PATCH 2/2] Fixing concerns from plugin-check-action --- .gitignore | 1 + data-storage.php | 4 ++++ notification-request.php | 19 +++++++++++++------ package.json | 5 +++-- readme.txt | 6 ++++-- rsscloud.php | 22 +++++++++++----------- schedule-post-notifications.php | 3 +++ send-post-notifications.php | 4 ++++ 8 files changed, 43 insertions(+), 21 deletions(-) diff --git a/.gitignore b/.gitignore index 61df3e3..d5fbb0f 100644 --- a/.gitignore +++ b/.gitignore @@ -13,6 +13,7 @@ coverage .phpunit.result.cache .reassure .dev-ready +plugin-check-results.txt # Directories/files that may appear in your environment 
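Review bot: The three actions in the new `plugin-check` job are referenced by mutable tags (`actions/checkout@v4`, `shivammathur/setup-php@v2`, `wordpress/plugin-check-action@v1`), so whatever those tags point to at run time is what executes in this repository's CI; pinning each to a full commit SHA, e.g. `uses: shivammathur/setup-php@<full-commit-sha> # v2`, keeps the reviewed code and the executed code the same. The hunk shows no `permissions:` key for the job and the top of the workflow is outside the hunk, so unless one is set there I would add `permissions:` with `contents: read` to the job, since it only checks out and builds the source. The step name "Install latest version of dist-archive-command" contradicts the pinned `v3.1.0` and should be renamed to match, and a fixed `php-version` instead of `latest` would make the check reproducible.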
diff --git a/data-storage.php b/data-storage.php index 5366200..0a042dd 100644 --- a/data-storage.php +++ b/data-storage.php @@ -1,4 +1,8 @@ 'GET', 'timeout' => RSSCLOUD_HTTP_TIMEOUT, @@ -72,7 +78,7 @@ function rsscloud_hub_process_notification_request() { 'timeout' => RSSCLOUD_HTTP_TIMEOUT, 'user-agent' => RSSCLOUD_USER_AGENT, 'port' => $port, - 'body' => array( 'url' => $_POST['url1'] ), + 'body' => array( 'url' => sanitize_url( wp_unslash( $_POST['url1'] ) ) ), ) ); } @@ -114,4 +120,5 @@ function rsscloud_hub_process_notification_request() { rsscloud_update_hub_notifications( $notify ); rsscloud_notify_result( 'true', 'Registration successful.' ); + // phpcs:enable WordPress.Security.NonceVerification.Missing } // function rsscloud_hub_notify diff --git a/package.json b/package.json index 9ff2f49..b284433 100644 --- a/package.json +++ b/package.json @@ -13,9 +13,10 @@ "npm-run-all": "^4.1.5" }, "scripts": { - "preformat:php": "npm run other:update-packages:php", + "lint:php:setup": "wp-env start", + "preformat:php": "npm-run-all lint:php:setup other:update-packages:php", "format:php": "wp-env run --env-cwd='wp-content/plugins/rsscloud' cli composer run-script format", - "prelint:php": "npm run other:update-packages:php", + "prelint:php": "npm-run-all lint:php:setup other:update-packages:php", "lint:php": "wp-env run --env-cwd='wp-content/plugins/rsscloud' cli composer run-script lint", "other:update-packages:php": "wp-env run --env-cwd='wp-content/plugins/rsscloud' cli composer update --no-interaction", "test:php": "npm-run-all lint:php test:unit:php", diff --git a/readme.txt b/readme.txt index 673d80b..f3630ef 100644 --- a/readme.txt +++ b/readme.txt 
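Review bot: The `// phpcs:enable WordPress.Security.NonceVerification.Missing` added at the end of `rsscloud_hub_process_notification_request()` closes a suppression that, as far as the legible hunks show, carries no justification, so every `$_POST` read in the function is exempted from the sniff without a stated reason. Because this handler forwards `$_POST['url1']` and sends requests with a `port` value computed earlier in the function (outside the visible hunks), the exemption should be explained and kept as narrow as possible. I would either put the reason on the disable line, e.g. `// phpcs:disable WordPress.Security.NonceVerification.Missing -- public protocol endpoint called by remote servers, no nonce available` (if that is indeed the reason), or replace the block-wide pair with per-line `// phpcs:ignore WordPress.Security.NonceVerification.Missing -- <reason>` on the reads that need it. The function begins outside the hunk, so the matching disable line and the validation of the other request fields could not be checked here.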
@@ -1,9 +1,11 @@ -=== Plugin Name === +=== RSS Cloud === Contributors: josephscott, automattic Tags: rss Requires at least: 2.8 -Tested up to: 6.1.1 +Tested up to: 6.9 Stable tag: 0.5.0 +License: GPL-2.0-or-later +License URI: https://www.gnu.org/licenses/gpl-2.0.html Adds RSSCloud ( http://rsscloud.co/ ) capabilities to your RSS feed. diff --git a/rsscloud.php b/rsscloud.php index d6e73e8..21006e1 100644 --- a/rsscloud.php +++ b/rsscloud.php @@ -6,8 +6,13 @@ Version: 0.5.0 Author: Joseph Scott Author URI: http://josephscott.org/ +License: GPL-2.0-or-later */ +if ( ! defined( 'ABSPATH' ) ) { + exit; +} + // Uncomment this to not use cron to send out notifications // define( 'RSSCLOUD_NOTIFICATIONS_INSTANT', true ); @@ -55,17 +60,12 @@ function rsscloud_parse_request( $wp ) { } function rsscloud_notify_result( $success, $msg ) { - $success = strip_tags( $success ); - $success = ent2ncr( $success ); - $success = esc_html( $success ); - - $msg = strip_tags( $msg ); - $msg = ent2ncr( $msg ); - $msg = esc_html( $msg ); + $success = esc_attr( ent2ncr( wp_strip_all_tags( $success ) ) ); + $msg = esc_attr( ent2ncr( wp_strip_all_tags( $msg ) ) ); header( 'Content-Type: text/xml' ); echo "\n"; - echo "\n"; + echo "\n"; exit; } @@ -86,8 +86,8 @@ function rsscloud_add_rss_cloud_element() { $cloud['host'] = strtolower( $cloud['host'] ); - echo ""; echo "\n"; } @@ -101,7 +101,7 @@ function rsscloud_generate_challenge( $length = 30 ) { $string = bin2hex( openssl_random_pseudo_bytes( $length / 2 ) ); } else { for ( $i = 0; $i < $length; $i++ ) { - $string .= $chars[ mt_rand( 0, $chars_length - 1 ) ]; + $string .= $chars[ wp_rand( 0, $chars_length - 1 ) ]; } } diff --git a/schedule-post-notifications.php b/schedule-post-notifications.php index b331651..8ce0019 100644 --- a/schedule-post-notifications.php +++ b/schedule-post-notifications.php @@ -1,4 +1,7 @@
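Review bot: `wp_strip_all_tags()` in `rsscloud_notify_result()` is, as far as I know, only available from WordPress 2.9, and `sanitize_url()` (introduced in notification-request.php by this same patch) was deprecated from 2.8 until it was restored in 5.9, while readme.txt still declares `Requires at least: 2.8`. Either raise the declared minimum to the oldest release the plugin is actually tested on, or use equivalents that exist across the declared range (`esc_url_raw()` for the URL). The move from `esc_html()` to `esc_attr()` also deserves a one-line comment such as `// Values are emitted inside XML attributes, so escape for attribute context.`; the `echo` lines are not legible in this hunk, so confirm that is where both values land.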
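Review bot: `openssl_random_pseudo_bytes( $length / 2 )` in `rsscloud_generate_challenge()` receives a fractional argument when `$length` is odd, so the challenge comes back one character shorter than requested, and newer PHP versions report the implicit float-to-int conversion. The default of 30 is unaffected, but the function accepts any length; `$string = substr( bin2hex( openssl_random_pseudo_bytes( (int) ceil( $length / 2 ) ) ), 0, $length );` yields the requested length on both branches. The function starts above the hunk, so the condition that selects the OpenSSL branch is not visible here. Since this value is the challenge a subscriber must echo back, that branch should also treat a `false` return as a failure rather than hex-encoding it.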