From 1b91c4bcdb6eb609d11a87535433daa7657feb3a Mon Sep 17 00:00:00 2001
From: Akshay Urankar <akshayurankar@Akshays-Laptop.local>
Date: Fri, 18 Jul 2025 11:57:33 +0530
Subject: [PATCH 1/2] updated rules for phpcs security audit

---
 composer.json  |   3 +-
 composer.lock  | 188 ++++++++++++++++++++++++++++++-------------------
 phpcs.xml.dist |  94 +++++++++++++++++++++++++
 3 files changed, 210 insertions(+), 75 deletions(-)

diff --git a/composer.json b/composer.json
index 20781a538..73c3071d5 100644
--- a/composer.json
+++ b/composer.json
@@ -43,7 +43,8 @@
     "phpstan/phpstan": "^1.11",
     "php-stubs/generator": "^0.8.4",
     "php-stubs/wordpress-stubs": "^6.5",
-    "szepeviktor/phpstan-wordpress": "^1.3"
+    "szepeviktor/phpstan-wordpress": "^1.3",
+    "pheromone/phpcs-security-audit": "^2.0"
   },
   "scripts": {
     "format": "phpcbf",
diff --git a/composer.lock b/composer.lock
index d7b25211f..0991435ff 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "2c0aab509634d74988694d78dd71c46c",
+    "content-hash": "267110e8dfa6c9b562ca6b2ea30c9d5b",
     "packages": [
         {
             "name": "brainstormforce/astra-notices",
@@ -53,16 +53,16 @@
         },
         {
             "name": "brainstormforce/bsf-analytics",
-            "version": "1.1.15",
+            "version": "1.1.16",
             "source": {
                 "type": "git",
                 "url": "git@github.com:brainstormforce/bsf-analytics.git",
-                "reference": "2205746828d61e1d74d66e87bcff8314dcdc747f"
+                "reference": "82f94cf38b4dfef645e30595f060d66ff4098618"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/brainstormforce/bsf-analytics/zipball/2205746828d61e1d74d66e87bcff8314dcdc747f",
-                "reference": "2205746828d61e1d74d66e87bcff8314dcdc747f",
+                "url": "https://api.github.com/repos/brainstormforce/bsf-analytics/zipball/82f94cf38b4dfef645e30595f060d66ff4098618",
+                "reference": "82f94cf38b4dfef645e30595f060d66ff4098618",
                 "shasum": ""
             },
             "require-dev": {
@@ -96,23 +96,23 @@
             },
             "description": "Library to gather non sensitive analytics data to enhance bsf products.",
             "support": {
-                "source": "https://github.com/brainstormforce/bsf-analytics/tree/1.1.15",
+                "source": "https://github.com/brainstormforce/bsf-analytics/tree/1.1.16",
                 "issues": "https://github.com/brainstormforce/bsf-analytics/issues"
             },
-            "time": "2025-07-03T08:28:45+00:00"
+            "time": "2025-07-15T10:52:37+00:00"
         },
         {
             "name": "brainstormforce/nps-survey",
-            "version": "1.0.11",
+            "version": "1.0.12",
             "source": {
                 "type": "git",
                 "url": "git@github.com:brainstormforce/nps-survey.git",
-                "reference": "bfb5d127550281c3a788d0d05abf14cbc0d329ef"
+                "reference": "efaf3f92e9e17418014b7e3de5822811da82eebb"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/brainstormforce/nps-survey/zipball/bfb5d127550281c3a788d0d05abf14cbc0d329ef",
-                "reference": "bfb5d127550281c3a788d0d05abf14cbc0d329ef",
+                "url": "https://api.github.com/repos/brainstormforce/nps-survey/zipball/efaf3f92e9e17418014b7e3de5822811da82eebb",
+                "reference": "efaf3f92e9e17418014b7e3de5822811da82eebb",
                 "shasum": ""
             },
             "require-dev": {
@@ -156,10 +156,10 @@
             },
             "description": "NPS Survey Plugin",
             "support": {
-                "source": "https://github.com/brainstormforce/nps-survey/tree/1.0.11",
+                "source": "https://github.com/brainstormforce/nps-survey/tree/1.0.12",
                 "issues": "https://github.com/brainstormforce/nps-survey/issues"
             },
-            "time": "2025-06-27T06:00:28+00:00"
+            "time": "2025-07-16T09:36:38+00:00"
         },
         {
             "name": "composer/installers",
@@ -495,6 +495,47 @@
             },
             "time": "2025-05-31T08:24:38+00:00"
         },
+        {
+            "name": "pheromone/phpcs-security-audit",
+            "version": "2.0.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/FloeDesignTechnologies/phpcs-security-audit.git",
+                "reference": "68a6c53a57156a5efb2073b1eb3f2d79a46c9dc2"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/FloeDesignTechnologies/phpcs-security-audit/zipball/68a6c53a57156a5efb2073b1eb3f2d79a46c9dc2",
+                "reference": "68a6c53a57156a5efb2073b1eb3f2d79a46c9dc2",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.4",
+                "squizlabs/php_codesniffer": ">3.0"
+            },
+            "type": "phpcodesniffer-standard",
+            "autoload": {
+                "psr-4": {
+                    "PHPCS_SecurityAudit\\": "Security/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "GPL-3.0-or-later"
+            ],
+            "authors": [
+                {
+                    "name": "Jonathan Marcil",
+                    "homepage": "https://twitter.com/jonathanmarcil"
+                }
+            ],
+            "description": "phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code",
+            "support": {
+                "issues": "https://github.com/FloeDesignTechnologies/phpcs-security-audit/issues",
+                "source": "https://github.com/FloeDesignTechnologies/phpcs-security-audit/tree/master"
+            },
+            "time": "2019-08-05T19:34:55+00:00"
+        },
         {
             "name": "php-stubs/generator",
             "version": "v0.8.5",
@@ -554,16 +595,16 @@
         },
         {
             "name": "php-stubs/wordpress-stubs",
-            "version": "v6.8.1",
+            "version": "v6.8.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/php-stubs/wordpress-stubs.git",
-                "reference": "92e444847d94f7c30f88c60004648f507688acd5"
+                "reference": "9c8e22e437463197c1ec0d5eaa9ddd4a0eb6d7f8"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/php-stubs/wordpress-stubs/zipball/92e444847d94f7c30f88c60004648f507688acd5",
-                "reference": "92e444847d94f7c30f88c60004648f507688acd5",
+                "url": "https://api.github.com/repos/php-stubs/wordpress-stubs/zipball/9c8e22e437463197c1ec0d5eaa9ddd4a0eb6d7f8",
+                "reference": "9c8e22e437463197c1ec0d5eaa9ddd4a0eb6d7f8",
                 "shasum": ""
             },
             "conflict": {
@@ -571,7 +612,7 @@
             },
             "require-dev": {
                 "dealerdirect/phpcodesniffer-composer-installer": "^1.0",
-                "nikic/php-parser": "^5.4",
+                "nikic/php-parser": "^5.5",
                 "php": "^7.4 || ^8.0",
                 "php-stubs/generator": "^0.8.3",
                 "phpdocumentor/reflection-docblock": "^5.4.1",
@@ -599,9 +640,9 @@
             ],
             "support": {
                 "issues": "https://github.com/php-stubs/wordpress-stubs/issues",
-                "source": "https://github.com/php-stubs/wordpress-stubs/tree/v6.8.1"
+                "source": "https://github.com/php-stubs/wordpress-stubs/tree/v6.8.2"
             },
-            "time": "2025-05-02T12:33:34+00:00"
+            "time": "2025-07-16T06:41:00+00:00"
         },
         {
             "name": "phpcompatibility/php-compatibility",
@@ -814,16 +855,16 @@
         },
         {
             "name": "phpstan/phpstan",
-            "version": "1.12.27",
+            "version": "1.12.28",
             "source": {
                 "type": "git",
                 "url": "https://github.com/phpstan/phpstan.git",
-                "reference": "3a6e423c076ab39dfedc307e2ac627ef579db162"
+                "reference": "fcf8b71aeab4e1a1131d1783cef97b23a51b87a9"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/phpstan/phpstan/zipball/3a6e423c076ab39dfedc307e2ac627ef579db162",
-                "reference": "3a6e423c076ab39dfedc307e2ac627ef579db162",
+                "url": "https://api.github.com/repos/phpstan/phpstan/zipball/fcf8b71aeab4e1a1131d1783cef97b23a51b87a9",
+                "reference": "fcf8b71aeab4e1a1131d1783cef97b23a51b87a9",
                 "shasum": ""
             },
             "require": {
@@ -868,7 +909,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2025-05-21T20:51:45+00:00"
+            "time": "2025-07-17T17:15:39+00:00"
         },
         {
             "name": "psr/container",
@@ -1066,47 +1107,47 @@
         },
         {
             "name": "symfony/console",
-            "version": "v7.3.1",
+            "version": "v6.4.23",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/console.git",
-                "reference": "9e27aecde8f506ba0fd1d9989620c04a87697101"
+                "reference": "9056771b8eca08d026cd3280deeec3cfd99c4d93"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/console/zipball/9e27aecde8f506ba0fd1d9989620c04a87697101",
-                "reference": "9e27aecde8f506ba0fd1d9989620c04a87697101",
+                "url": "https://api.github.com/repos/symfony/console/zipball/9056771b8eca08d026cd3280deeec3cfd99c4d93",
+                "reference": "9056771b8eca08d026cd3280deeec3cfd99c4d93",
                 "shasum": ""
             },
             "require": {
-                "php": ">=8.2",
+                "php": ">=8.1",
                 "symfony/deprecation-contracts": "^2.5|^3",
                 "symfony/polyfill-mbstring": "~1.0",
                 "symfony/service-contracts": "^2.5|^3",
-                "symfony/string": "^7.2"
+                "symfony/string": "^5.4|^6.0|^7.0"
             },
             "conflict": {
-                "symfony/dependency-injection": "<6.4",
-                "symfony/dotenv": "<6.4",
-                "symfony/event-dispatcher": "<6.4",
-                "symfony/lock": "<6.4",
-                "symfony/process": "<6.4"
+                "symfony/dependency-injection": "<5.4",
+                "symfony/dotenv": "<5.4",
+                "symfony/event-dispatcher": "<5.4",
+                "symfony/lock": "<5.4",
+                "symfony/process": "<5.4"
             },
             "provide": {
                 "psr/log-implementation": "1.0|2.0|3.0"
             },
             "require-dev": {
                 "psr/log": "^1|^2|^3",
-                "symfony/config": "^6.4|^7.0",
-                "symfony/dependency-injection": "^6.4|^7.0",
-                "symfony/event-dispatcher": "^6.4|^7.0",
+                "symfony/config": "^5.4|^6.0|^7.0",
+                "symfony/dependency-injection": "^5.4|^6.0|^7.0",
+                "symfony/event-dispatcher": "^5.4|^6.0|^7.0",
                 "symfony/http-foundation": "^6.4|^7.0",
                 "symfony/http-kernel": "^6.4|^7.0",
-                "symfony/lock": "^6.4|^7.0",
-                "symfony/messenger": "^6.4|^7.0",
-                "symfony/process": "^6.4|^7.0",
-                "symfony/stopwatch": "^6.4|^7.0",
-                "symfony/var-dumper": "^6.4|^7.0"
+                "symfony/lock": "^5.4|^6.0|^7.0",
+                "symfony/messenger": "^5.4|^6.0|^7.0",
+                "symfony/process": "^5.4|^6.0|^7.0",
+                "symfony/stopwatch": "^5.4|^6.0|^7.0",
+                "symfony/var-dumper": "^5.4|^6.0|^7.0"
             },
             "type": "library",
             "autoload": {
@@ -1140,7 +1181,7 @@
                 "terminal"
             ],
             "support": {
-                "source": "https://github.com/symfony/console/tree/v7.3.1"
+                "source": "https://github.com/symfony/console/tree/v6.4.23"
             },
             "funding": [
                 {
@@ -1156,7 +1197,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-06-27T19:55:54+00:00"
+            "time": "2025-06-27T19:37:22+00:00"
         },
         {
             "name": "symfony/deprecation-contracts",
@@ -1227,25 +1268,25 @@
         },
         {
             "name": "symfony/filesystem",
-            "version": "v7.3.0",
+            "version": "v6.4.13",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/filesystem.git",
-                "reference": "b8dce482de9d7c9fe2891155035a7248ab5c7fdb"
+                "reference": "4856c9cf585d5a0313d8d35afd681a526f038dd3"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/filesystem/zipball/b8dce482de9d7c9fe2891155035a7248ab5c7fdb",
-                "reference": "b8dce482de9d7c9fe2891155035a7248ab5c7fdb",
+                "url": "https://api.github.com/repos/symfony/filesystem/zipball/4856c9cf585d5a0313d8d35afd681a526f038dd3",
+                "reference": "4856c9cf585d5a0313d8d35afd681a526f038dd3",
                 "shasum": ""
             },
             "require": {
-                "php": ">=8.2",
+                "php": ">=8.1",
                 "symfony/polyfill-ctype": "~1.8",
                 "symfony/polyfill-mbstring": "~1.8"
             },
             "require-dev": {
-                "symfony/process": "^6.4|^7.0"
+                "symfony/process": "^5.4|^6.4|^7.0"
             },
             "type": "library",
             "autoload": {
@@ -1273,7 +1314,7 @@
             "description": "Provides basic utilities for the filesystem",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/filesystem/tree/v7.3.0"
+                "source": "https://github.com/symfony/filesystem/tree/v6.4.13"
             },
             "funding": [
                 {
@@ -1289,27 +1330,27 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-10-25T15:15:23+00:00"
+            "time": "2024-10-25T15:07:50+00:00"
         },
         {
             "name": "symfony/finder",
-            "version": "v7.3.0",
+            "version": "v6.4.17",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/finder.git",
-                "reference": "ec2344cf77a48253bbca6939aa3d2477773ea63d"
+                "reference": "1d0e8266248c5d9ab6a87e3789e6dc482af3c9c7"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/finder/zipball/ec2344cf77a48253bbca6939aa3d2477773ea63d",
-                "reference": "ec2344cf77a48253bbca6939aa3d2477773ea63d",
+                "url": "https://api.github.com/repos/symfony/finder/zipball/1d0e8266248c5d9ab6a87e3789e6dc482af3c9c7",
+                "reference": "1d0e8266248c5d9ab6a87e3789e6dc482af3c9c7",
                 "shasum": ""
             },
             "require": {
-                "php": ">=8.2"
+                "php": ">=8.1"
             },
             "require-dev": {
-                "symfony/filesystem": "^6.4|^7.0"
+                "symfony/filesystem": "^6.0|^7.0"
             },
             "type": "library",
             "autoload": {
@@ -1337,7 +1378,7 @@
             "description": "Finds files and directories via an intuitive fluent interface",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/finder/tree/v7.3.0"
+                "source": "https://github.com/symfony/finder/tree/v6.4.17"
             },
             "funding": [
                 {
@@ -1353,7 +1394,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-12-30T19:00:26+00:00"
+            "time": "2024-12-29T13:51:37+00:00"
         },
         {
             "name": "symfony/polyfill-ctype",
@@ -1835,20 +1876,20 @@
         },
         {
             "name": "symfony/string",
-            "version": "v7.3.0",
+            "version": "v6.4.21",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/string.git",
-                "reference": "f3570b8c61ca887a9e2938e85cb6458515d2b125"
+                "reference": "73e2c6966a5aef1d4892873ed5322245295370c6"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/string/zipball/f3570b8c61ca887a9e2938e85cb6458515d2b125",
-                "reference": "f3570b8c61ca887a9e2938e85cb6458515d2b125",
+                "url": "https://api.github.com/repos/symfony/string/zipball/73e2c6966a5aef1d4892873ed5322245295370c6",
+                "reference": "73e2c6966a5aef1d4892873ed5322245295370c6",
                 "shasum": ""
             },
             "require": {
-                "php": ">=8.2",
+                "php": ">=8.1",
                 "symfony/polyfill-ctype": "~1.8",
                 "symfony/polyfill-intl-grapheme": "~1.0",
                 "symfony/polyfill-intl-normalizer": "~1.0",
@@ -1858,12 +1899,11 @@
                 "symfony/translation-contracts": "<2.5"
             },
             "require-dev": {
-                "symfony/emoji": "^7.1",
-                "symfony/error-handler": "^6.4|^7.0",
-                "symfony/http-client": "^6.4|^7.0",
-                "symfony/intl": "^6.4|^7.0",
+                "symfony/error-handler": "^5.4|^6.0|^7.0",
+                "symfony/http-client": "^5.4|^6.0|^7.0",
+                "symfony/intl": "^6.2|^7.0",
                 "symfony/translation-contracts": "^2.5|^3.0",
-                "symfony/var-exporter": "^6.4|^7.0"
+                "symfony/var-exporter": "^5.4|^6.0|^7.0"
             },
             "type": "library",
             "autoload": {
@@ -1902,7 +1942,7 @@
                 "utf8"
             ],
             "support": {
-                "source": "https://github.com/symfony/string/tree/v7.3.0"
+                "source": "https://github.com/symfony/string/tree/v6.4.21"
             },
             "funding": [
                 {
@@ -1918,7 +1958,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-04-20T20:19:01+00:00"
+            "time": "2025-04-18T15:23:29+00:00"
         },
         {
             "name": "szepeviktor/phpstan-wordpress",
diff --git a/phpcs.xml.dist b/phpcs.xml.dist
index 7e1a592c6..8231077fd 100644
--- a/phpcs.xml.dist
+++ b/phpcs.xml.dist
@@ -22,6 +22,100 @@
 		<exclude name="Squiz.Commenting.FunctionComment.InvalidNoReturn" />
 		<exclude name="WordPress.WP.I18n.MissingTranslatorsComment" />
 	</rule>
+	<rule ref="Generic.PHP.ForbiddenFunctions">
+    <properties>
+        <property name="forbiddenFunctions" type="array">
+            <element key="eval" value="Avoid using eval() — it allows execution of arbitrary PHP code and leads to remote code execution (RCE). Consider refactoring your logic to avoid dynamic evaluation."/>
+            <element key="assert" value="Avoid using assert() — behaves like eval() when given a string and can lead to RCE. Use conditional checks directly."/>
+            <element key="create_function" value="Avoid using create_function() — internally uses eval(), which is dangerous. Use anonymous functions instead."/>
+            <element key="preg_replace" value="Avoid using preg_replace() with the /e modifier — it allows execution of arbitrary PHP code and leads to critical security vulnerabilities such as RCE. Use preg_replace_callback() instead."/>
+            <!--             <element key="include" value="Avoid using include with untrusted input — may lead to Local or Remote File Inclusion (LFI/RFI). Validate and sanitize paths or use autoloaders."/>-->
+            <!--             <element key="include_once" value="Avoid using include_once with untrusted input — may lead to LFI/RFI. Use autoloaders or validated paths."/>-->
+            <!--             <element key="require" value="Avoid using require with untrusted input — may lead to LFI/RFI. Validate file paths strictly."/>-->
+            <!--             <element key="require_once" value="Avoid using require_once with untrusted input — may lead to LFI/RFI. Use autoloaders or strict path validation."/>-->
+            <!--             <element key="unserialize" value="Avoid using unserialize() on untrusted data — it leads to PHP Object Injection. Use json_decode() with trusted JSON instead."/>-->
+            <!--             <element key="maybe_unserialize" value="Avoid using maybe_unserialize() with untrusted input — subject to the same vulnerabilities as unserialize()."/>-->
+            <!--             <element key="base64_decode" value="Avoid using base64_decode() to hide or obfuscate data — it may be used to bypass filters. Prefer explicit and transparent encoding/decoding."/>-->
+            <element key="exec" value="Avoid using exec() — executes shell commands and leads to command injection vulnerabilities. Use process control functions with strict sanitization only if necessary."/>
+            <element key="shell_exec" value="Avoid using shell_exec() — exposes your application to command injection risks. Use safer alternatives or escape all inputs thoroughly."/>
+            <element key="system" value="Avoid using system() — can execute arbitrary system commands. Very dangerous if used with user input."/>
+            <element key="passthru" value="Avoid using passthru() — runs system-level commands and can be exploited for command injection."/>
+            <element key="popen" value="Avoid using popen() — opens a process pipe which can be exploited. Use proc_open() with caution if absolutely necessary."/>
+            <element key="proc_open" value="Avoid using proc_open() — complex function that can lead to RCE or command injection if mishandled."/>
+            <element key="proc_close" value="Avoid using proc_close() — related to proc_open(), which is dangerous if user input is involved."/>
+            <element key="proc_nice" value="Avoid using proc_nice() — changes process priority and could be abused."/>
+            <element key="proc_terminate" value="Avoid using proc_terminate() — interacts with system processes. Use only if trusted input and context are ensured."/>
+            <element key="pcntl_exec" value="Avoid using pcntl_exec() — forks and replaces the process; risky for production environments."/>
+            <element key="fsockopen" value="Avoid using fsockopen() with user input — can be used to perform SSRF attacks."/>
+            <element key="pfsockopen" value="Avoid using pfsockopen() — similar to fsockopen(), risky with user-controlled hosts or ports."/>
+            <element key="phpinfo" value="Avoid using phpinfo() in production — exposes sensitive server configuration information."/>
+            <element key="extract" value="Avoid using extract() — overwrites existing variables and leads to security issues. Use associative arrays instead."/>
+            <element key="parse_str" value="Avoid using parse_str() — can overwrite variables in the current symbol table. Use parse_url() and parse_str() into a separate array."/>
+            <element key="ini_set" value="Avoid using ini_set() to modify runtime settings unsafely. Changes may weaken security mechanisms."/>
+            <element key="ini_alter" value="Avoid using ini_alter() — modifies php.ini settings and can reduce protection if misused."/>
+            <element key="putenv" value="Avoid using putenv() — changes environment variables at runtime and can affect system behavior."/>
+            <!--             <element key="mail" value="Avoid using mail() — prone to email header injection. Use a well-maintained library like PHPMailer or Symfony Mailer."/>-->
+            <!--             <element key="$wpdb->query" value="Avoid using raw $wpdb->query with dynamic SQL — leads to SQL injection. Use $wpdb->prepare() or abstraction layers."/>-->
+            <!-- POSIX -->
+            <element key="getmyuid" value="Avoid using getmyuid() — exposes user identity info, rarely needed in secure apps."/>
+            <element key="leak" value="Avoid using leak() — deprecated and dangerous. Leads to memory leaks."/>
+            <element key="listen" value="Avoid using listen() — may be part of vulnerable network socket code."/>
+            <element key="diskfreespace" value="Avoid using diskfreespace() — reveals server storage info."/>
+            <element key="tmpfile" value="Avoid using tmpfile() without cleanup — may leak sensitive data to disk."/>
+            <element key="link" value="Avoid using link() — may create unexpected hard links; dangerous with user input."/>
+            <element key="dl" value="Avoid using dl() — enables dynamic loading of extensions at runtime and is dangerous."/>
+            <element key="highlight_file" value="Avoid using highlight_file() — reveals code, leading to information disclosure."/>
+            <element key="source" value="Avoid using source — not a valid PHP function; possibly a typo."/>
+            <element key="show_source" value="Avoid using show_source() — exposes raw source code to the browser."/>
+            <element key="fpassthru" value="Avoid using fpassthru() — used to dump file contents; dangerous with user-controlled paths."/>
+            <element key="virtual" value="Avoid using virtual() — used in Apache for server-side includes, may execute unintended logic."/>
+            <element key="posix_ctermid" value="Avoid using posix_ctermid() — reveals terminal device paths."/>
+            <element key="posix_getcwd" value="Avoid using posix_getcwd() — reveals current directory path."/>
+            <element key="posix_getegid" value="Avoid using posix_getegid() — exposes process group IDs."/>
+            <element key="posix_geteuid" value="Avoid using posix_geteuid() — exposes user IDs."/>
+            <element key="posix_getgid" value="Avoid using posix_getgid() — exposes group IDs."/>
+            <element key="posix_getgrgid" value="Avoid using posix_getgrgid() — exposes system group info."/>
+            <element key="posix_getgrnam" value="Avoid using posix_getgrnam() — exposes system group info."/>
+            <element key="posix_getgroups" value="Avoid using posix_getgroups() — reveals system group memberships."/>
+            <element key="posix_getlogin" value="Avoid using posix_getlogin() — exposes the current login name."/>
+            <element key="posix_getpgid" value="Avoid using posix_getpgid() — exposes process IDs."/>
+            <element key="posix_getpgrp" value="Avoid using posix_getpgrp() — exposes process group IDs."/>
+            <element key="posix_getpid" value="Avoid using posix_getpid() — reveals process IDs."/>
+            <element key="posix_getppid" value="Avoid using posix_getppid() — reveals parent process IDs."/>
+            <element key="posix_getpwuid" value="Avoid using posix_getpwuid() — reveals user info."/>
+            <element key="posix_getrlimit" value="Avoid using posix_getrlimit() — reveals system resource limits."/>
+            <element key="posix_getsid" value="Avoid using posix_getsid() — exposes session IDs."/>
+            <element key="posix_getuid" value="Avoid using posix_getuid() — exposes user IDs."/>
+            <element key="posix_isatty" value="Avoid using posix_isatty() — limited use, potentially risky."/>
+            <element key="posix_kill" value="Avoid using posix_kill() — sends signals to processes. Dangerous if misused."/>
+            <element key="posix_mkfifo" value="Avoid using posix_mkfifo() — creates named pipes; can be abused."/>
+            <element key="posix_setegid" value="Avoid using posix_setegid() — changes effective group ID; risky."/>
+            <element key="posix_seteuid" value="Avoid using posix_seteuid() — changes effective user ID; risky."/>
+            <element key="posix_setgid" value="Avoid using posix_setgid() — changes group ID; rarely safe."/>
+            <element key="posix_setpgid" value="Avoid using posix_setpgid() — manipulates process groups."/>
+            <element key="posix_setsid" value="Avoid using posix_setsid() — creates new session; rarely needed."/>
+            <element key="posix_setuid" value="Avoid using posix_setuid() — changes user ID; major security risk."/>
+            <element key="posix_times" value="Avoid using posix_times() — returns process times; rarely relevant."/>
+            <element key="posix_ttyname" value="Avoid using posix_ttyname() — reveals terminal device names."/>
+            <element key="posix_uname" value="Avoid using posix_uname() — exposes system-level details."/>
+            <element key="socket_accept" value="Avoid using socket_accept() — dangerous with custom TCP/IP logic."/>
+            <element key="socket_bind" value="Avoid using socket_bind() — binds to ports and may expose services."/>
+            <element key="socket_clear_error" value="Avoid using socket_clear_error() — low-level socket call."/>
+            <element key="socket_close" value="Avoid using socket_close() — low-level function, rarely needed."/>
+            <element key="socket_connect" value="Avoid using socket_connect() — potentially dangerous if remote host is user-controlled."/>
+            <element key="symlink" value="Avoid using symlink() — can create filesystem links in unsafe locations."/>
+            <element key="socket_listen" value="Avoid using socket_listen() — opens services that may be exploited."/>
+            <element key="socket_create_listen" value="Avoid using socket_create_listen() — creates open listening ports."/>
+            <element key="socket_read" value="Avoid using socket_read() — risky if improperly validated."/>
+            <element key="socket_create_pair" value="Avoid using socket_create_pair() — rarely needed in web apps."/>
+            <element key="stream_socket_server" value="Avoid using stream_socket_server() — opens custom servers and may be exploited."/>
+            <element key="set_time_limit" value="Avoid using set_time_limit() — may override execution limits."/>
+            <element key="ignore_user_abort" value="Avoid using ignore_user_abort() — continues execution even if client disconnects; risky for long-running scripts."/>
+            <element key="escapeshellcmd" value="Avoid using escapeshellcmd() — may offer false sense of security. Better to avoid shell commands entirely."/>
+        </property>
+    </properties>
+</rule>
+
 
 	<rule ref="Generic.Arrays.DisallowLongArraySyntax.Found">
 		<type>warning</type>

From 11821cbdbf79afb3e4562ef67a4ccdcb3de35ca5 Mon Sep 17 00:00:00 2001
From: Akshay Urankar <akshayurankar@Akshays-Laptop.local>
Date: Fri, 18 Jul 2025 18:13:20 +0530
Subject: [PATCH 2/2] added phpcs rules for security purposes

---
 inc/class-hfe-settings-page.php              | 12 ++++++------
 inc/widgets-manager/class-widgets-loader.php | 13 +++++++++++--
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/inc/class-hfe-settings-page.php b/inc/class-hfe-settings-page.php
index c4ed465b5..7df780b15 100644
--- a/inc/class-hfe-settings-page.php
+++ b/inc/class-hfe-settings-page.php
@@ -1556,24 +1556,24 @@ public function sanitize_svg( $original_content ) {
 		}
 
 		// Strip php tags.
-		$content = preg_replace( '/<\?(=|php)(.+?)\?>/i', '', $original_content );
-		$content = preg_replace( '/<\?(.*)\?>/Us', '', $content );
-		$content = preg_replace( '/<\%(.*)\%>/Us', '', $content );
+		$content = preg_replace_callback( '/<\?(=|php)(.+?)\?>/i', function() { return ''; }, $original_content );
+		$content = preg_replace_callback( '/<\?(.*)\?>/Us', function() { return ''; }, $content );
+		$content = preg_replace_callback( '/<\%(.*)\%>/Us', function() { return ''; }, $content );
 
 		if ( ( false !== strpos( $content, '<?' ) ) || ( false !== strpos( $content, '<%' ) ) ) {
 			return '';
 		}
 
 		// Strip comments.
-		$content = preg_replace( '/<!--(.*)-->/Us', '', $content );
-		$content = preg_replace( '/\/\*(.*)\*\//Us', '', $content );
+		$content = preg_replace_callback( '/<!--(.*)-->/Us', function() { return ''; }, $content );
+		$content = preg_replace_callback( '/\/\*(.*)\*\//Us', function() { return ''; }, $content );
 
 		if ( ( false !== strpos( $content, '<!--' ) ) || ( false !== strpos( $content, '/*' ) ) ) {
 			return '';
 		}
 
 		// Strip line breaks.
-		$content = preg_replace( '/\r|\n/', '', $content );
+		$content = preg_replace_callback( '/\r|\n/', function() { return ''; }, $content );
 
 		// Find the start and end tags so we can cut out miscellaneous garbage.
 		$start = strpos( $content, '<svg' );
diff --git a/inc/widgets-manager/class-widgets-loader.php b/inc/widgets-manager/class-widgets-loader.php
index bdafdca8b..dd09b2a52 100644
--- a/inc/widgets-manager/class-widgets-loader.php
+++ b/inc/widgets-manager/class-widgets-loader.php
@@ -90,9 +90,18 @@ public function autoload( $class ) {
 
 		if ( ! class_exists( $class_to_load ) && ! class_exists( $class ) ) {
 			$filename = strtolower(
-				preg_replace(
+				preg_replace_callback(
 					[ '/([a-z])([A-Z])/', '/_/', '/\\\/' ],
-					[ '$1-$2', '-', DIRECTORY_SEPARATOR ],
+					function( $matches ) {
+						if ( isset( $matches[1] ) && isset( $matches[2] ) ) {
+							return $matches[1] . '-' . $matches[2];
+						} elseif ( $matches[0] === '_' ) {
+							return '-';
+						} elseif ( $matches[0] === '\\' ) {
+							return DIRECTORY_SEPARATOR;
+						}
+						return $matches[0];
+					},
 					$class_to_load
 				)
 			);