4.7.1.1 Release

all_in_one_seo_pack.php

@@ -5,9 +5,10 @@
  * Description: SEO for WordPress. Features like XML Sitemaps, SEO for custom post types, SEO for blogs, business sites, ecommerce sites, and much more. More than 100 million downloads since 2007.
  * Author:      All in One SEO Team
  * Author URI:  https://aioseo.com/
- * Version:     4.7.0
+ * Version:     4.7.1.1
  * Text Domain: all-in-one-seo-pack
  * Domain Path: /languages
+ * License:     GPL-3.0+
  *
  * All in One SEO is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -25,8 +26,8 @@
  * @since     4.0.0
  * @author    All in One SEO Team
  * @package   AIOSEO\Plugin
- * @license   GPL-2.0+
- * @copyright Copyright (c) 2023, All in One SEO
+ * @license   GPL-3.0+
+ * @copyright Copyright © 2024, All in One SEO
  */
 
 // Exit if accessed directly.

app/AIOSEO.php

@@ -311,7 +311,7 @@ public function load() {
 			$this->sitemap            = $this->pro ? new Pro\Sitemap\Sitemap() : new Common\Sitemap\Sitemap();
 			$this->htmlSitemap        = new Common\Sitemap\Html\Sitemap();
 			$this->templates          = $this->pro ? new Pro\Utils\Templates() : new Common\Utils\Templates();
-			$this->categoryBase       = $this->pro ? new Pro\Main\CategoryBase() : null;
+			$this->categoryBase       = new Common\Main\CategoryBase();
 			$this->postSettings       = $this->pro ? new Pro\Admin\PostSettings() : new Lite\Admin\PostSettings();
 			$this->standalone         = new Common\Standalone\Standalone();
 			$this->searchStatistics   = $this->pro ? new Pro\SearchStatistics\SearchStatistics() : new Common\SearchStatistics\SearchStatistics();
@@ -334,33 +334,9 @@ public function load() {
 
 			$this->backwardsCompatibilityLoad();
 
-			if ( wp_doing_ajax() ) {
-				add_action( 'init', [ $this, 'loadAjaxInit' ], 999 );
-
-				return;
-			}
-
-			if ( wp_doing_cron() ) {
-				// We need to allow the auto-update cron job to check for updates.
-				$this->addons->registerUpdateCheck();
-
-				return;
-			}
-
 			add_action( 'init', [ $this, 'loadInit' ], 999 );
 		}
 
-		/**
-		 * Things that need to load after init, on AJAX requests.
-		 *
-		 * @since 4.2.4
-		 *
-		 * @return void
-		 */
-		public function loadAjaxInit() {
-			$this->addons->registerUpdateCheck();
-		}
-
 		/**
 		 * Things that need to load after init.
 		 *
@@ -377,12 +353,6 @@ public function loadInit() {
 
 			// We call this again to reset any post types/taxonomies that have not yet been set up.
 			$this->dynamicOptions->refresh();
-
-			if ( ! $this->pro ) {
-				return;
-			}
-
-			$this->addons->registerUpdateCheck();
 		}
 
 		/**

app/AIOSEOAbstract.php

@@ -349,9 +349,10 @@ abstract class AIOSEOAbstract {
 	/**
 	 * CategoryBase class instance.
 	 *
-	 * @since 4.2.7
+	 * @since   4.2.7
+	 * @version 4.7.1 Moved from Pro to Common.
 	 *
-	 * @var null|\AIOSEO\Plugin\Pro\Main\CategoryBase
+	 * @var null|\AIOSEO\Plugin\Common\Main\CategoryBase
 	 */
 	public $categoryBase = null;
 

app/Common/Admin/Admin.php

@@ -1150,11 +1150,11 @@ public function appendTrashedMessage( $messages ) {
 			return $messages;
 		}
 
-		if ( empty( $_GET['ids'] ) ) { // phpcs:ignore HM.Security.NonceVerification.Recommended
+		if ( empty( $_GET['ids'] ) ) { // phpcs:ignore HM.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Recommended	
 			return $messages;
 		}
 
-		$ids = array_map( 'intval', explode( ',', wp_unslash( $_GET['ids'] ) ) ); // phpcs:ignore HM.Security.NonceVerification.Recommended, HM.Security.ValidatedSanitizedInput.InputNotSanitized
+		$ids = array_map( 'intval', explode( ',', sanitize_text_field( wp_unslash( $_GET['ids'] ) ) ) ); // phpcs:ignore HM.Security.NonceVerification.Recommended, HM.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Recommended, Generic.Files.LineLength.MaxExceeded
 
 		$posts = [];
 		foreach ( $ids as $id ) {
@@ -1280,7 +1280,7 @@ public function addActiveMenuTooltips() {
 		}
 
 		// If the user is activating the Author SEO addon, dismiss the tooltip.
-		if ( ! empty( $_GET['aioseo-action'] ) && 'activate-author-seo' === wp_unslash( $_GET['aioseo-action'] ) ) { // phpcs:ignore HM.Security.ValidatedSanitizedInput.InputNotSanitized, HM.Security.NonceVerification.Recommended, Generic.Files.LineLength.MaxExceeded
+		if ( ! empty( $_GET['aioseo-action'] ) && 'activate-author-seo' === sanitize_text_field( wp_unslash( $_GET['aioseo-action'] ) ) ) { // phpcs:ignore HM.Security.ValidatedSanitizedInput.InputNotSanitized, HM.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Recommended, Generic.Files.LineLength.MaxExceeded
 			update_user_meta( get_current_user_id(), "_aioseo-$pointer-dismissed", true );
 
 			return;
@@ -1319,6 +1319,10 @@ public function addActiveMenuTooltips() {
 						align : 'center'
 					},
 					pointerWidth : 420,
+					show: function(event, el) {
+						el.pointer.css({'position':'fixed'});
+						el.pointer.addClass('aioseo-wp-pointer');
+					},
 					close : function() {
 						isClosed = true;
 						jQuery.post(
@@ -1331,15 +1335,6 @@ public function addActiveMenuTooltips() {
 						);
 					}
 				} ).pointer('open');
-
-				// Reposition the pointer when the window is resized.
-				window.addEventListener( 'scroll', function() {
-					if ( isClosed ) {
-						return;
-					}
-
-					pointer.pointer( 'reposition' );
-				} );
 			} );
 		</script>
 		<?php

app/Common/Admin/Dashboard.php

@@ -55,7 +55,8 @@ public function addDashboardWidgets() {
 		if (
 			$this->canShowWidget( 'seoOverview' ) &&
 			apply_filters( 'aioseo_show_seo_overview', true ) &&
-			( aioseo()->access->isAdmin() || aioseo()->access->hasCapability( 'aioseo_page_analysis' ) )
+			( aioseo()->access->isAdmin() || aioseo()->access->hasCapability( 'aioseo_page_analysis' ) ) &&
+			aioseo()->options->advanced->truSeo
 		) {
 			wp_add_dashboard_widget(
 				'aioseo-overview',

app/Common/Admin/DeactivationSurvey.php

@@ -106,7 +106,7 @@ public function js() {
 
 		?>
 		<script type="text/javascript">
-		document.addEventListener("DOMContentLoaded", function() {
+		window.addEventListener("load", function() {
 			var deactivateLink = document.querySelector('#the-list [data-slug="<?php echo esc_html( $this->plugin ); ?>"] span.deactivate a') ||
 				document.querySelector('#deactivate-<?php echo esc_html( $this->plugin ); ?>'),
 				overlay = document.querySelector('#am-deactivate-survey-<?php echo esc_html( $this->plugin ); ?>'),
@@ -169,7 +169,7 @@ public function js() {
 					headers: { 'Content-Type': 'application/json' }
 				});
 
-				submitSurvey.then(function() {
+				submitSurvey.finally(function() {
 					window.location.href = deactivateLink.getAttribute('href');
 				});
 			});

app/Common/Admin/Notices/DeprecatedWordPress.php

@@ -87,7 +87,7 @@ public function showNotice() {
 						'<strong>',
 						'</strong>',
 						'AIOSEO',
-						date( 'Y' ),
+						gmdate( 'Y' ),
 						'<a href="https://aioseo.com/docs/update-wordpress/?utm_source=WordPress&utm_medium=' . $medium . '&utm_campaign=outdated-wordpress-notice" target="_blank" rel="noopener noreferrer">', // phpcs:ignore Generic.Files.LineLength.MaxExceeded
 						'</a>'
 					),
@@ -106,7 +106,7 @@ public function showNotice() {
 
 		<?php
 		// In case this is on plugin activation.
-		if ( isset( $_GET['activate'] ) ) { // phpcs:ignore HM.Security.NonceVerification.Recommended
+		if ( isset( $_GET['activate'] ) ) { // phpcs:ignore HM.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Recommended
 			unset( $_GET['activate'] );
 		}
 	}

app/Common/Admin/Notices/Review.php

@@ -295,8 +295,8 @@ public function dismissNotice() {
 		}
 
 		check_ajax_referer( 'aioseo-dismiss-review', 'nonce' );
-		$delay = isset( $_POST['delay'] ) ? 'true' === wp_unslash( $_POST['delay'] ) : false; // phpcs:ignore HM.Security.ValidatedSanitizedInput.InputNotSanitized
-		$relay = isset( $_POST['relay'] ) ? 'true' === wp_unslash( $_POST['relay'] ) : false; // phpcs:ignore HM.Security.ValidatedSanitizedInput.InputNotSanitized
+		$delay = isset( $_POST['delay'] ) ? 'true' === sanitize_text_field( wp_unslash( $_POST['delay'] ) ) : false;
+		$relay = isset( $_POST['relay'] ) ? 'true' === sanitize_text_field( wp_unslash( $_POST['relay'] ) ) : false;
 
 		if ( ! $delay ) {
 			update_user_meta( get_current_user_id(), '_aioseo_plugin_review_dismissed', $relay ? '4' : '3' );

app/Common/Admin/PostSettings.php

@@ -221,7 +221,7 @@ public function saveSettingsMetabox( $postId ) {
 		}
 
 		// Security check.
-		if ( ! isset( $_POST['PostSettingsNonce'] ) || ! wp_verify_nonce( $_POST['PostSettingsNonce'], 'aioseoPostSettingsNonce' ) ) {
+		if ( ! isset( $_POST['PostSettingsNonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['PostSettingsNonce'] ) ), 'aioseoPostSettingsNonce' ) ) {
 			return;
 		}
 
@@ -235,7 +235,7 @@ public function saveSettingsMetabox( $postId ) {
 			return;
 		}
 
-		$currentPost = json_decode( stripslashes( $_POST['aioseo-post-settings'] ), true ); // phpcs:ignore HM.Security.ValidatedSanitizedInput
+		$currentPost = json_decode( sanitize_text_field( wp_unslash( ( $_POST['aioseo-post-settings'] ) ) ), true );
 
 		// If there is no data, there likely was an error, e.g. if the hidden field wasn't populated on load and the user saved the post without making changes in the metabox.
 		// In that case we should return to prevent a complete reset of the data.
@@ -396,6 +396,32 @@ public function changeClausesToFilterPosts( $clauses, $query = null ) {
 		$clauses['join']  .= " LEFT JOIN {$prefix}aioseo_posts AS aioseo_p ON ({$postsTable}.ID = aioseo_p.post_id) ";
 		$clauses['where'] .= $whereClause;
 
+		add_action( 'wp', [ $this, 'filterPostsAfterChangingClauses' ] );
+
 		return $clauses;
 	}
+
+	/**
+	 * Filter the posts array to remove the ones that are not eligible for page analysis.
+	 * Hooked into `wp` action hook.
+	 *
+	 * @since 4.7.1
+	 *
+	 * @return void
+	 */
+	public function filterPostsAfterChangingClauses() {
+		remove_action( 'wp', [ $this, 'filterPostsAfterChangingClauses' ] );
+
+		global $wp_query;
+		if ( ! empty( $wp_query->posts ) && is_array( $wp_query->posts ) ) {
+			$wp_query->posts = array_filter( $wp_query->posts, function ( $post ) {
+				return aioseo()->helpers->isPageAnalysisEligible( $post->ID );
+			} );
+
+			// Update `post_count` for pagination.
+			if ( isset( $wp_query->post_count ) ) {
+				$wp_query->post_count = count( $wp_query->posts );
+			}
+		}
+	}
 }

app/Common/Api/Analyze.php

@@ -48,14 +48,14 @@ public static function analyzeSite( $request ) {
 			] );
 
 			$responseCode[ $analyzeOrHomeUrl ] = wp_remote_retrieve_response_code( $response );
-			$responseBody[ $analyzeOrHomeUrl ] = json_decode( wp_remote_retrieve_body( $response ) );
+			$responseBody[ $analyzeOrHomeUrl ] = json_decode( wp_remote_retrieve_body( $response ), true );
 
 			aioseo()->core->cache->update( 'analyze_site_code', $responseCode, 10 * MINUTE_IN_SECONDS );
 			aioseo()->core->cache->update( 'analyze_site_body', $responseBody, 10 * MINUTE_IN_SECONDS );
 		}
 
-		if ( 200 !== $responseCode[ $analyzeOrHomeUrl ] || empty( $responseBody[ $analyzeOrHomeUrl ]->success ) || ! empty( $responseBody[ $analyzeOrHomeUrl ]->error ) ) {
-			if ( ! empty( $responseBody[ $analyzeOrHomeUrl ]->error ) && 'invalid-token' === $responseBody[ $analyzeOrHomeUrl ]->error ) {
+		if ( 200 !== $responseCode[ $analyzeOrHomeUrl ] || empty( $responseBody[ $analyzeOrHomeUrl ]['success'] ) || ! empty( $responseBody[ $analyzeOrHomeUrl ]['error'] ) ) {
+			if ( ! empty( $responseBody[ $analyzeOrHomeUrl ]['error'] ) && 'invalid-token' === $responseBody[ $analyzeOrHomeUrl ]['error'] ) {
 				aioseo()->internalOptions->internal->siteAnalysis->reset();
 			}
 

app/Common/Api/Sitemaps.php

@@ -152,8 +152,9 @@ public static function validateHtmlSitemapSlug( $request ) {
 	 * @return boolean       Whether the path exists.
 	 */
 	private static function pathExists( $path, $isUrl ) {
-		$path = trim( $path, '/' );
+		$path = trim( aioseo()->helpers->excludeHomePath( $path ), '/' );
 		$url  = $isUrl ? $path : trailingslashit( home_url() ) . $path;
+		$url  = user_trailingslashit( $url );
 
 		// Let's do another check here, just to be sure that the domain matches.
 		if ( ! aioseo()->helpers->isInternalUrl( $url ) ) {
@@ -162,6 +163,7 @@ private static function pathExists( $path, $isUrl ) {
 
 		$response = wp_safe_remote_head( $url );
 		$status   = wp_remote_retrieve_response_code( $response );
+
 		if ( ! $status ) {
 			// If there is no status code, we might be in a local environment with CURL misconfigured.
 			// In that case we can still check if a post exists for the path by quering the DB.

app/Common/Breadcrumbs/Block.php

@@ -60,15 +60,15 @@ public function register() {
 	 * @return string                  The output from the output buffering.
 	 */
 	public function render( $blockAttributes ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
-		// phpcs:disable HM.Security.ValidatedSanitizedInput.InputNotSanitized, HM.Security.NonceVerification.Recommended
-		$postId = ! empty( $_GET['post_id'] ) ? (int) wp_unslash( $_GET['post_id'] ) : false;
+		// phpcs:disable HM.Security.ValidatedSanitizedInput.InputNotSanitized, HM.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Recommended
+		$postId = ! empty( $_GET['post_id'] ) ? (int) sanitize_text_field( wp_unslash( $_GET['post_id'] ) ) : false;
 		// phpcs:enable
 
 		if ( ! empty( $blockAttributes['primaryTerm'] ) ) {
 			$this->primaryTerm = json_decode( $blockAttributes['primaryTerm'], true );
 		}
 
-		if ( aioseo()->blocks->isGBEditor() && ! empty( $postId ) ) {
+		if ( aioseo()->blocks->isRenderingBlockInEditor() && ! empty( $postId ) ) {
 			add_filter( 'aioseo_post_primary_term', [ $this, 'changePrimaryTerm' ], 10, 2 );
 			add_filter( 'get_object_terms', [ $this, 'temporarilyAddTerm' ], 10, 3 );
 			$breadcrumbs = aioseo()->breadcrumbs->frontend->sideDisplay( false, 'post' === get_post_type( $postId ) ? 'post' : 'single', get_post( $postId ) );

app/Common/Breadcrumbs/Tags.php

@@ -55,6 +55,13 @@ public function replaceTags( $string, $item, $stripPunctuation = false ) {
 			$string = aioseo()->helpers->stripPunctuation( $string );
 		}
 
+		// Remove any remaining tags from the title attribute.
+		$string = preg_replace_callback( '/title="([^"]*)"/i', function ( $matches ) {
+			$sanitizedTitle = wp_strip_all_tags( html_entity_decode( $matches[1] ) );
+
+			return 'title="' . esc_attr( $sanitizedTitle ) . '"';
+		}, html_entity_decode( $string ) );
+
 		return preg_replace(
 			'/>thisisjustarandomplaceholder<(?![a-zA-Z0-9_])/im',
 			aioseo()->helpers->decodeHtmlEntities( aioseo()->options->searchAppearance->global->separator ),

app/Common/Core/Core.php

@@ -141,24 +141,27 @@ public function uninstallDb( $force = false ) {
 
 		// Delete all our custom tables.
 		global $wpdb;
+
+		// phpcs:disable WordPress.DB.DirectDatabaseQuery
 		foreach ( $this->getDbTables() as $tableName ) {
-			$wpdb->query( 'DROP TABLE IF EXISTS ' . $tableName ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+			$wpdb->query( $wpdb->prepare( 'DROP TABLE IF EXISTS %s', $tableName ) );
 		}
 
 		// Delete all AIOSEO Locations and Location Categories.
-		$wpdb->query( "DELETE FROM {$wpdb->posts} WHERE post_type = 'aioseo-location'" );
-		$wpdb->query( "DELETE FROM {$wpdb->term_taxonomy} WHERE taxonomy = 'aioseo-location-category'" );
+		$wpdb->delete( $wpdb->posts, [ 'post_type' => 'aioseo-location' ], [ '%s' ] );
+		$wpdb->delete( $wpdb->term_taxonomy, [ 'taxonomy' => 'aioseo-location-category' ], [ '%s' ] );
 
 		// Delete all the plugin settings.
-		$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE 'aioseo\_%'" );
+		$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->options} WHERE option_name LIKE %s", 'aioseo\_%' ) );
 
 		// Remove any transients we've left behind.
-		$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE '\_aioseo\_%'" );
-		$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE 'aioseo\_%'" );
+		$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->options} WHERE option_name LIKE %s", '\_aioseo\_%' ) );
+		$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->options} WHERE option_name LIKE %s", 'aioseo\_%' ) );
 
 		// Delete all entries from the action scheduler table.
-		$wpdb->query( "DELETE FROM {$wpdb->prefix}actionscheduler_actions WHERE hook LIKE 'aioseo\_%'" );
-		$wpdb->query( "DELETE FROM {$wpdb->prefix}actionscheduler_groups WHERE slug = 'aioseo'" );
+		$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->prefix}actionscheduler_actions WHERE hook LIKE %s", 'aioseo\_%' ) );
+		$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->prefix}actionscheduler_groups WHERE slug = %s", 'aioseo' ) );
+		// phpcs:enable
 	}
 
 	/**

app/Common/ImportExport/RankMath/GeneralSettings.php

@@ -89,7 +89,7 @@ private function migrateRedirectAttachments() {
 	 */
 	private function migrateStripCategoryBase() {
 		if ( isset( $this->options['strip_category_base'] ) ) {
-			aioseo()->options->searchAppearance->advanced->removeCatBase = 'on' === $this->options['strip_category_base'] ? true : false;
+			aioseo()->options->searchAppearance->advanced->removeCategoryBase = 'on' === $this->options['strip_category_base'] ? true : false;
 		}
 	}
 

app/Common/ImportExport/RankMath/PostMeta.php

@@ -162,7 +162,7 @@ public function importPostMeta() {
 						break;
 					case 'rank_math_advanced_robots':
 						$value = aioseo()->helpers->maybeUnserialize( $value );
-						if ( ! empty( $value['max-snippet'] ) && intval( $value['max-snippet'] ) ) {
+						if ( isset( $value['max-snippet'] ) && is_numeric( $value['max-snippet'] ) ) {
 							$meta['robots_max_snippet'] = intval( $value['max-snippet'] );
 						}
 						if ( isset( $value['max-video-preview'] ) && is_numeric( $value['max-video-preview'] ) ) {