Zoho CRM sync appeared connected but silently failed to write data due to
unvalidated API responses. Sync methods now validate Zoho responses before
updating hashes, ensuring failed records re-sync on next run. Also fixes
staging detection to use wp_parse_url hostname parsing instead of fragile
strpos matching, adds admin UI for resetting sync hashes, and bumps
HVAC_PLUGIN_VERSION to 2.2.11 to bust browser cache for updated JS.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1. OAuth CSRF Protection:
- Added state parameter to OAuth authorization URL
- Generate and store state in transient (10 min expiry)
- Validate state on callback with timing-safe comparison
2. Debug Log Sanitization:
- Added sanitize_log_message() to mask credentials in logs
- Patterns mask client_id, client_secret, access_token, refresh_token
- Error handlers only expose file paths in WP_DEBUG mode
3. Move Inline JS to External File:
- Moved ~100 lines of inline JS to assets/js/zoho-admin.js
- Added redirectUri and oauthUrl to wp_localize_script
- Better CSP compliance and caching
4. Updated .gitignore to track includes/admin/ and includes/zoho/
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
