From 5b9e9778d791e61f847ec71cb1c4362747b6d787 Mon Sep 17 00:00:00 2001
From: "skllzrmy.tez"
Date: Sat, 21 Oct 2023 22:42:31 -0700
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20fix(a11y-init.js):=20prevent=20d?=
 =?UTF-8?q?efault=20event=20to=20avoid=20page=20reload=20when=20running=20?=
 =?UTF-8?q?a11y=20tests=20=E2=9C=A8=20feat(a11y-init.js):=20add=20security?=
 =?UTF-8?q?=20nonce=20to=20the=20request=20body=20to=20ensure=20secure=20A?=
 =?UTF-8?q?JAX=20request=20=F0=9F=90=9B=20fix(a11y-tester.php):=20enqueue?=
 =?UTF-8?q?=20'jquery'=20as=20a=20dependency=20for=20'a11y-init'=20script?=
 =?UTF-8?q?=20to=20ensure=20it=20is=20loaded=20before=20=E2=9C=A8=20feat(a?=
 =?UTF-8?q?11y-tester.php):=20add=20nonce=20to=20wpData=20object=20to=20be?=
 =?UTF-8?q?=20used=20in=20AJAX=20request=20for=20security=20validation=20?=
 =?UTF-8?q?=E2=9C=A8=20feat(a11y-tester.php):=20add=20capability=20check?=
 =?UTF-8?q?=20and=20nonce=20validation=20to=20'run=5Fa11y=5Ftest=5Ffunctio?=
 =?UTF-8?q?n'=20to=20ensure=20secure=20AJAX=20request=20=E2=9C=A8=20feat(a?=
 =?UTF-8?q?11y-tester.php):=20add=20sanitization=20and=20validation=20for?=
 =?UTF-8?q?=20post=20ID=20in=20'run=5Fa11y=5Ftest=5Ffunction'=20to=20preve?=
 =?UTF-8?q?nt=20invalid=20or=20malicious=20input=20=E2=9C=A8=20feat(a11y-t?=
 =?UTF-8?q?ester.php):=20add=20support=20for=20adding=20'a11y=5Fmeta=5Fbox?=
 =?UTF-8?q?'=20to=20all=20public=20post=20types=20dynamically=20=E2=9C=A8?=
 =?UTF-8?q?=20feat(a11y-tester.php):=20add=20custom=20links=20for?=
 =?UTF-8?q?=20source=20code=20and=20support=20in=20plugin=20meta=20row?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 a11y-init.js | 6 +++++-
 a11y-tester.php | 50 ++++++++++++++++++++++++++++++++++++------------
 2 files changed, 42 insertions(+), 14 deletions(-)
diff --git a/a11y-init.js b/a11y-init.js
index 0a89f92..f0511f6 100644
--- a/a11y-init.js
+++ b/a11y-init.js
@@ -8,13 +8,14 @@ window.addEventListener("DOMContentLoaded", function () {
 }
 const runA11yTests = async () => {
+ event.preventDefault();
 const postID = document.querySelector("input#post_ID").value;
 const requestData = {
 method: "POST",
 headers: {
 "Content-Type": "application/x-www-form-urlencoded",
 },
- body: `action=run_ally_test&post_id=${postID}`,
+ body: `action=run_a11y_test&post_id=${postID}&security=${wpData.nonce}`,
 };
 const response = await fetch(wpData.ajax_url, requestData);
@@ -34,6 +35,7 @@ window.addEventListener("DOMContentLoaded", function () {
 results.violations.forEach((violation) => {
 const section = document.createElement("div");
 const button = document.createElement("button");
+ button.type = "button";
 const content = document.createElement("div");
 button.innerHTML = `${violation.id} - ${violation.impact}`;
@@ -84,12 +86,14 @@ window.addEventListener("DOMContentLoaded", function () {
 }
 const btn = document.createElement("button");
+ btn.type = "button";
 btn.id = "run-a11y-test-button";
 btn.textContent = "Run A11y Test";
 btn.addEventListener("click", runA11yTests);
 metaBoxInsideDiv.appendChild(btn);
 const clrBtn = document.createElement("button");
+ clrBtn.type = "button";
 clrBtn.id = "clear-a11y-test-button";
 clrBtn.textContent = "Clear A11y Test";
 clrBtn.addEventListener("click", () => {
diff --git a/a11y-tester.php b/a11y-tester.php
index cb49186..2ae6707 100644
--- a/a11y-tester.php
+++ b/a11y-tester.php
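Review bot: `event.preventDefault();` uses a name that is not in scope — `runA11yTests` is declared as `async () => {` with no parameter — so it only works where the browser still exposes the legacy `window.event` global and throws a `ReferenceError` elsewhere; declare the parameter, `const runA11yTests = async (event) => {`. The post ID and the nonce are interpolated into the form-encoded body without escaping; building it with `new URLSearchParams({ action: "run_a11y_test", post_id: postID, security: wpData.nonce })` encodes both values and removes the hand-written query syntax. The enclosing `DOMContentLoaded` handler starts and ends outside this hunk.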
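Review bot: The line right after the added `button.type = "button"` still writes `violation.id` and `violation.impact` through `innerHTML`, while the buttons created later in this file set `textContent`; the values are only displayed as text, so `button.textContent = `${violation.id} - ${violation.impact}`;` is both the consistent choice and the one that cannot be parsed as markup whatever axe-core hands back. The `forEach` callback continues outside this hunk.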
@@ -3,17 +3,20 @@
 /**
 * Plugin Name: A11y Tester
 * Description: A plugin to test accessibility of any page or post.
- * Version: 1.0
+ * Version: 1.0.1
 * Author: Joe Peterson
 * Author URI: https://joepeterson.work
 */
-function enqueue_a11y_scripts()
+// Enqueue scripts
+function enqueue_a11y_scripts($hook)
 {
- if (is_admin()) {
+ if ('post.php' === $hook || 'post-new.php' === $hook) {
 wp_enqueue_script('axe-core', 'https://cdnjs.cloudflare.com/ajax/libs/axe-core/4.8.2/axe.min.js', array(), '4.8.2', true);
- wp_enqueue_script('a11y-init', plugin_dir_url(__FILE__) . 'a11y-init.js', array('axe-core'), '1.0', true);
- wp_localize_script('a11y-init', 'wpData', array('ajax_url' => admin_url('admin-ajax.php')));
+ wp_enqueue_script('a11y-init', plugin_dir_url(__FILE__) . 'a11y-init.js', array('axe-core', 'jquery'), '1.0', true);
+
+ $nonce = wp_create_nonce('a11y_nonce');
+ wp_localize_script('a11y-init', 'wpData', array('ajax_url' => admin_url('admin-ajax.php'), 'nonce' => $nonce));
 wp_enqueue_style('a11y-style', plugin_dir_url(__FILE__) . 'a11y-styles.css', array(), '1.0');
 }
 }
@@ -22,10 +25,21 @@ function enqueue_a11y_scripts()
 // Add meta box
 function add_a11y_meta_box()
 {
- add_meta_box('a11y_meta_box', 'Accessibility Tester', 'a11y_meta_box_content', array('post', 'page'), 'normal', 'high');
+ // Fetch all public post types
+ $args = array(
+ 'public' => true,
+ );
+
+ $post_types = get_post_types($args);
+
+ // Loop through each post type and add the meta box
+ foreach ($post_types as $post_type) {
+ add_meta_box('a11y_meta_box', 'Accessibility Tester', 'a11y_meta_box_content', $post_type, 'normal', 'high');
+ }
 }
 add_action('add_meta_boxes', 'add_a11y_meta_box');
+
 // Meta box content
 function a11y_meta_box_content()
 {
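Review bot: `a11y-init.js` changes in this same commit (renamed action, new `security` field) but `wp_enqueue_script('a11y-init', …, '1.0', true)` keeps version `'1.0'`, so a browser holding the cached script keeps posting the old body, which the nonce check in `run_a11y_test_function` now rejects; bump it to `'1.0.1'` together with the plugin header. `'jquery'` is added as a dependency, yet nothing in the JavaScript visible in this patch uses jQuery — if it is indeed unused, dropping it avoids loading a library for nothing. axe-core is still fetched from cdnjs into wp-admin without an `integrity` attribute; `wp_enqueue_script` cannot set one, so either a `script_loader_tag` filter that adds the published hash or bundling the file with the plugin would pin what administrators execute. The `add_action('admin_enqueue_scripts', …)` registration that supplies `$hook` lies outside this hunk.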
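Review bot: `get_post_types(array('public' => true))` also returns `attachment`, so the meta box will now appear on the media edit screen; if that is not intended, unset it from `$post_types` before the loop. `add_meta_box()` accepts an array of screens, so the `$args` array, the `foreach` and its body can collapse into a single call: `add_meta_box('a11y_meta_box', 'Accessibility Tester', 'a11y_meta_box_content', get_post_types(array('public' => true)), 'normal', 'high');`. The `a11y_meta_box_content` function whose header closes this hunk continues outside it.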
@@ -37,24 +51,34 @@ function a11y_meta_box_content()
 function run_a11y_test_function()
 {
- $post_id = $_POST['post_id'];
+ // Check the nonce and capability
+ check_ajax_referer('a11y_nonce', 'security');
+ if (!current_user_can('edit_posts')) {
+ wp_send_json_error('You do not have the necessary permissions.');
+ wp_die();
+ }
+
+ // Check and sanitize the post ID
+ $post_id = intval($_POST['post_id']);
+ if ($post_id <= 0) {
+ wp_send_json_error('Invalid post ID');
+ wp_die();
+ }
+ $post_id = absint($post_id); // Sanitizing the input
+
 $url = get_permalink($post_id);
- wp_send_json(array('url' => $url));
+ wp_send_json_success(array('url' => $url));
 wp_die();
 }
+// Add custom links
 function a11y_custom_plugin_links($links, $file)
 {
-
- // Check if this is your plugin. If not, return the default links array.
 if (plugin_basename(__FILE__) === $file) {
- // You can make the links open in a new tab by adding target='_blank' to the anchor tags.
 $row_meta = array(
 'source' => 'Source Code',
 'support' => 'Support',
 );
-
- // Merge our new links with the default links.
 return array_merge($links, $row_meta);
 }
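Review bot: `current_user_can('edit_posts')` is a site-wide capability, so once the nonce passes any contributor-level account can resolve the permalink of any post ID — including other users' drafts and private posts; check the object-level capability `current_user_can('edit_post', $post_id)` after the ID has been validated instead. Reading `$_POST['post_id']` directly raises an undefined-index warning when the field is absent, `absint($post_id)` after the `<= 0` guard is redundant, and each `wp_die()` following `wp_send_json_error()` is unreachable because that call already terminates the request. `get_permalink()` returns `false` for a post that does not exist, which the success response currently forwards as `url: false` rather than an error. The `wp_ajax_` hook registration that must match the renamed `run_a11y_test` action lives outside this hunk, as does the closing brace of `a11y_custom_plugin_links`.
```php
function run_a11y_test_function()
{
    check_ajax_referer('a11y_nonce', 'security');

    // Validate the ID before any capability check that depends on it.
    $post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;
    if ($post_id <= 0) {
        wp_send_json_error('Invalid post ID');
    }

    // Object-level check: the caller must be allowed to edit this post,
    // not merely hold edit_posts somewhere on the site.
    if (!current_user_can('edit_post', $post_id)) {
        wp_send_json_error('You do not have the necessary permissions.');
    }

    $url = get_permalink($post_id);
    if (false === $url) {
        wp_send_json_error('Post not found');
    }

    wp_send_json_success(array('url' => $url));
}
// … unchanged: a11y_custom_plugin_links …
```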