upskill-event-manager/.gitignore
ben b19f1c8e79 security: Address code review findings for Zoho CRM integration
1. OAuth CSRF Protection:
   - Added state parameter to OAuth authorization URL
   - Generate and store state in transient (10 min expiry)
   - Validate state on callback with timing-safe comparison

2. Debug Log Sanitization:
   - Added sanitize_log_message() to mask credentials in logs
   - Patterns mask client_id, client_secret, access_token, refresh_token
   - Error handlers only expose file paths in WP_DEBUG mode

3. Move Inline JS to External File:
   - Moved ~100 lines of inline JS to assets/js/zoho-admin.js
   - Added redirectUri and oauthUrl to wp_localize_script
   - Better CSP compliance and caching

4. Updated .gitignore to track includes/admin/ and includes/zoho/

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-16 14:59:11 -04:00


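# Ignore everything by default
# *
# NOTE(review): the catch-all `*` above is commented out, so nothing is ignored
# by default and the `!` re-include lines below only take effect where an
# explicit ignore pattern (e.g. `/includes/*`) precedes them.
!.gitignore
!.gitattributes
# Development Environment - whitelist approach
!/wordpress-dev/
/wordpress-dev/*
# Scripts directory
!/scripts/
/scripts/*
!/scripts/*.sh
# Bin directory - Data seeding and testing scripts
!/bin/
/bin/*
!/bin/create-comprehensive-test-data.sh
!/bin/create-staging-test-data.sh
!/bin/create-complete-test-data.sh
!/bin/create-test-attendees.sh
!/bin/create-test-attendees-simple.sh
!/bin/enhance-test-data-revenue.sh
!/bin/fix-and-create-test-data.sh
!/bin/debug-attendee-data.sh
# Plugin files
!hvac-community-events.php
!/includes/
/includes/*
# These subdirectories must be re-included by name: git cannot re-include a
# file whose parent directory is still excluded by `/includes/*` above, so
# `!/includes/**/*.php` alone would not track anything inside them.
!/includes/admin/
!/includes/zoho/
!/includes/**/*.php
!/templates/
/templates/*
!/templates/**/*.php
!/assets/
/assets/*
!/assets/css/
/assets/css/*
!/assets/css/*.css
!/assets/js/
/assets/js/*
!/assets/js/*.js
!/assets/images/
/assets/images/*
!/assets/images/*.png
!/assets/images/*.jpg
!/assets/images/*.jpeg
!/assets/images/*.gif
!/assets/images/*.svg
!/assets/images/*.ico
!/wordpress-dev/tests/
/wordpress-dev/tests/*
!/wordpress-dev/tests/e2e/
/wordpress-dev/tests/e2e/*
!/wordpress-dev/tests/e2e/*.spec.ts
!/wordpress-dev/tests/e2e/*.test.ts
!/wordpress-dev/tests/e2e/pages/
!/wordpress-dev/tests/e2e/pages/*.ts
!/wordpress-dev/tests/e2e/utils/
!/wordpress-dev/tests/e2e/utils/*.ts
!/wordpress-dev/tests/e2e/data/
!/wordpress-dev/tests/e2e/data/*.ts
!/wordpress-dev/tests/e2e/global-setup.ts
!/wordpress-dev/tests/e2e/global-teardown.ts
!/wordpress-dev/includes/
!/wordpress-dev/bin/
/wordpress-dev/bin/*
!/wordpress-dev/bin/*.sh
!/wordpress-dev/bin/*.php
!/wordpress-dev/bin/*.json
!/wordpress-dev/bin/wp-tests-config-staging.php
# Explicitly ignore all backup directories.
# In .gitignore a `#` only starts a comment at the beginning of a line; written
# inline it becomes part of the pattern, so the previous one-line form matched
# nothing and the directory was not ignored.
/wordpress-dev/bin/backups/
!/wordpress-dev/composer.json
!/wordpress-dev/composer.lock
!/wordpress-dev/package.json
!/wordpress-dev/package-lock.json
!/wordpress-dev/phpunit.xml.dist
!/wordpress-dev/playwright.config.ts
!/wordpress-dev/tsconfig.json
!/wordpress-dev/README.md
!/wordpress-dev/MIGRATION_GUIDE.md
!/wordpress-dev/ZOHO-INTEGRATION-SUMMARY.md
!/wordpress-dev/ZOHO-STAGING-TEST-RESULTS.md
!/wordpress-dev/ZOHO-OAUTH-SETUP.md
!/wordpress-dev/WORDPRESS-ADMIN-ACCESS.md
# HVAC Community Events Plugin
!/wordpress-dev/wordpress/
/wordpress-dev/wordpress/*
!/wordpress-dev/wordpress/wp-content/
/wordpress-dev/wordpress/wp-content/*
!/wordpress-dev/wordpress/wp-content/plugins/
/wordpress-dev/wordpress/wp-content/plugins/*
!/wordpress-dev/wordpress/wp-content/plugins/hvac-community-events/
!/wordpress-dev/wordpress/wp-content/plugins/hvac-community-events/**
# Test files
# **/test-results/
# **/playwright-report/
# **/.phpunit.result.cache
# **/node_modules/
# **/vendor/
# **/screenshots/
# **/videos/
# **/traces/
# Documentation
!/docs/
/docs/*
!/docs/*.md
!/docs/00_*.md
/docs/scraped/
/docs/archive/
# Root-level documentation and reports
!*_TEST_REPORT.md
!*_SUMMARY.md
!*_GUIDE.md
!*_RESULTS.md
!*_INSTRUCTIONS.md
!*_AUDIT*.md
!*DEPLOYMENT*.md
!*COVERAGE*.md
!*CRITICAL*.md
!*FINAL*.md
!*SECURITY*.md
!*MONITORING*.md
!*MOBILE*.md
!*CROSS-BROWSER*.md
!*CSS-ANALYSIS*.md
!*ROADMAP*.md
!WORKFLOW*.md
!TRANSITION*.md
!POWERMAPPER*.md
# Development and Debug Files
!test-*.js
!verify-*.js
!debug-*.js
!mobile-*.js
!comprehensive-*.js
!fix-*.js
!enhanced-*.js
!*-analysis.js
!debug-*.php
!test-*.php
!enhanced-*.php
!manual-*.php
!*-analysis.php
!check-*.sh
!verify-*.sh
!fix-*.sh
!update-*.sh
!migrate-*.sh
!create-*.sh
!manual-*.sh
!debug-*.sh
!*-analysis.sh
# Tests directory
!/tests/
/tests/*
!/tests/**/*.js
!/tests/**/*.php
!/tests/**/*.yml
!/tests/**/*.md
!/tests/**/*.json
!/tests/**/*.config.*
# Data Files
!*.csv
!CSV_*.csv
# WordPress
!/wp-content/
/wp-content/*
!/wp-content/plugins/
# Security - Sensitive Files (CRITICAL SECURITY)
# NOTE(review): only `.env.*`, `.auth/` and `memory-bank/mcpServers.md` are
# active in this section. `.env` itself is not ignored (`.env.*` requires a
# suffix after `.env`), and the wp-config / zoho-config / *.key / *.pem /
# *.p12 / *.pfx / *secret* / *password* / *credential* patterns below are all
# commented out and currently have no effect.
# .env
.env.*
# *.env
# **/.env
# **/.env.*
.auth/
# **/.auth/
# **/zoho-config.php
# **/wp-config.php
# **/wp-tests-config*.php
memory-bank/mcpServers.md
# **/*config*.php
# **/*secret*
# **/*password*
# **/*credential*
# **/*.key
# **/*.pem
# **/*.p12
# **/*.pfx
# Security Framework - Sensitive Runtime Data
security-audit.log
auth-state-*.json
session-*.json
test-results/
test-screenshots/
# *.har
coverage/
# Allow security framework files but not sensitive data
!lib/
!lib/security/
!lib/security/*.js
!.env.template
!SECURITY-MIGRATION-GUIDE.md
!test-secure-example.js
# Claude Code Files (temporary)
!.claude/
!.claude/settings.local.json
!.claude/agents/
!.claude/agents/*.md
!CLAUDE.md
# MCP configuration contains JWT tokens.
# The comment was moved to its own line: an inline `#` is part of the pattern in
# .gitignore, so the previous form never matched and `.mcp.json` was not ignored.
.mcp.json
# Forgejo Actions CI/CD
!.forgejo/
!.forgejo/workflows/
!.forgejo/workflows/*.yml
# Temporary test files (exclude from commits)
test-actual-*.js
test-missing-*.js
direct-*.php
# *-temp.js
# *-temp.php
# Common ignores
.DS_Store
Thumbs.db
# *.log
# *.zip
# *.tar
# *.tar.gz
node_modules/
vendor/
.idea/
.vscode/
# *.swp
# *.swo
# GEMINI Config
!GEMINI.md
!.agent/
!.agent/workflows/
!.agent/workflows/*.md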