[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXbKdgn7__lfqDLB5D7JEFWDDr8b6XYTJt1tpTUIueRo":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":35,"analysis":139,"fingerprints":261},"gdpr-helper","GDPR Helper using CSP","1.2.1","bpassini","https:\u002F\u002Fprofiles.wordpress.org\u002Fbpassini\u002F","\u003Cp>Easily conform to the EU GDPR by blocking all 3rd party requests.\u003C\u002Fp>\n\u003Cp>The aim is to block all unwanted requests as simply as possible. This is made possible by setting the general content security policy.\u003C\u002Fp>\n\u003Cp>This plugin also supports some Elementor blocks:\u003Cbr \u002F>\n– block the Google Maps block until visitor excplicitly allows it\u003Cbr \u002F>\n– block the OpenStreetMap block until visitor excplicitly allows it\u003C\u002Fp>\n","This plugin allows easy addition of Content Security Policy",10,1048,0,"","6.0.11","4.7","7.0",[19,20,21,22,23],"content-security-policy","csp","dsgvo","gdpr","security","https:\u002F\u002Fgitlab.com\u002Fvaulteron\u002Fgdpr-helper","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgdpr-helper.1.2.1.zip",100,null,"2026-03-15T10:48:56.248Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":31,"total_installs":11,"avg_security_score":26,"avg_patch_time_days":32,"trust_score":33,"computed_at":34},1,30,94,"2026-04-04T21:00:02.216Z",[36,61,81,103,121],{"slug":37,"name":38,"version":39,"author":40,"author_profile":41,"description":42,"short_description":43,"active_installs":44,"downloaded":45,"rating":46,"num_ratings":47,"last_updated":48,"tested_up_to":49,"requires_at_least":50,"requires_php":51,"tags":52,"homepage":56,"download_link":57,"security_score":46,"vuln_count":58,"unpatched_count":13,"last_vuln_date":59,"fetched_at":60},"cookies-and-content-security-policy","Cookies and Content Security Policy","2.37","Johan Jonk Stenström","https:\u002F\u002Fprofiles.wordpress.org\u002Fjonkastonka\u002F","\u003Cp>\u003Cstrong>Be fully GDPR and CCPA compliant through Content Security Policy.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Block cookies and unwanted external content by setting Content Security Policy. A modal will be shown on the front end to let the visitor choose what kind of resources to accept. It also adds a layer of security for your site since iframes, scripts and images from unknown domains are blocked.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Multilingual\u003C\u002Fstrong> support through \u003Ca href=\"https:\u002F\u002Fwpml.org\u002F\" rel=\"nofollow ugc\">WPML\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fpolylang.pro\u002F\" rel=\"nofollow ugc\">Polylang\u003C\u002Fa> or probably any multilingual plugin out there since this plugin follows WordPress Coding Standards. See FAQ below on how to translate with WPML or Polylang.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Quickstart:\u003C\u002Fstrong> Choose common resources from a list that are automatically added to your Domains list. So, it’s even easier to set it up! Check, check, check and check!\u003Cbr \u002F>\nUpdated regularly.\u003C\u002Fp>\n\u003Ch3>Free stickers for translators!\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Since we want this plugin to be available in as many languages as possible, I will send you a handful of the new \u003Ca href=\"https:\u002F\u002Fplugins.followmedarling.se\u002F2022\u002F02\u002Fstickers-are-in-the-house\u002F\" rel=\"nofollow ugc\">super cool stickers\u003C\u002Fa> if you translate the plugin!\u003C\u002Fstrong>\u003Cbr \u002F>\nJust translate the plugin to your language, and when it is approved, \u003Ca href=\"https:\u002F\u002Fplugins.followmedarling.se\u002F2022\u002F02\u002Fstickers-are-in-the-house\u002F#respond\" rel=\"nofollow ugc\">comment this post\u003C\u002Fa> and I’ll send it to you, totally free!\u003Cbr \u002F>\nIf you have already translated the plugin and want stickers, of course that counts too! Just comment the post.\u003C\u002Fp>\n","Be fully GDPR and CCPA compliant through Content Security Policy. Blocks cookies and unwanted external content.",10000,469239,98,67,"2026-02-17T12:58:00.000Z","6.9.4","5.0","7.4",[53,19,54,55,22],"ccpa","cookie-bar","cookies","https:\u002F\u002Fplugins.followmedarling.se\u002Fcookies-and-content-security-policy\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcookies-and-content-security-policy.2.37.zip",2,"2026-01-05 00:00:00","2026-03-15T15:16:48.613Z",{"slug":62,"name":63,"version":6,"author":64,"author_profile":65,"description":66,"short_description":67,"active_installs":68,"downloaded":69,"rating":70,"num_ratings":71,"last_updated":72,"tested_up_to":73,"requires_at_least":74,"requires_php":75,"tags":76,"homepage":14,"download_link":79,"security_score":80,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":60},"csp-manager","Content Security Policy Manager","Patrick Sletvold","https:\u002F\u002Fprofiles.wordpress.org\u002F16patsle\u002F","\u003Cp>\u003Cstrong>Content Security Policy Manager\u003C\u002Fstrong> is a WordPress plugin that allows you to easily configure \u003Ca href=\"https:\u002F\u002Fdeveloper.mozilla.org\u002Fen-US\u002Fdocs\u002FWeb\u002FHTTP\u002FCSP\" rel=\"nofollow ugc\">Content Security Policy headers\u003C\u002Fa> for your site. You can have different CSP headers for the admin interface, the frontend for logged in users, and the frontend for regular visitors. The CSP directives can be individually enabled, and each policy can be set to enforce, report or be disabled.\u003C\u002Fp>\n\u003Cp>Please note that this plugin offers limited help in figuring out what the contents of the policy should be. It only lets you configure the CSP in a easy to use interface.\u003C\u002Fp>\n","Plugin for configuring Content Security Policy headers for your site. Allows different CSP headers for admin, logged inn frontend and regular visitors",2000,33739,86,6,"2022-08-09T17:33:00.000Z","6.1.10","4.6","7.2",[19,20,23,77,78],"security-headers","xss","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcsp-manager.1.2.1.zip",85,{"slug":82,"name":83,"version":84,"author":85,"author_profile":86,"description":87,"short_description":88,"active_installs":89,"downloaded":90,"rating":91,"num_ratings":92,"last_updated":93,"tested_up_to":94,"requires_at_least":95,"requires_php":51,"tags":96,"homepage":99,"download_link":100,"security_score":101,"vuln_count":58,"unpatched_count":13,"last_vuln_date":102,"fetched_at":60},"gd-security-headers","GD Security Headers","1.8","Milan Petrovic","https:\u002F\u002Fprofiles.wordpress.org\u002Fgdragon\u002F","\u003Cp>Configure various security-related HTTP headers, including Content Security Policy, Feature Policy, Referrer Policy and more. For CSP and XSS plugin supports report logging with 2 additional database tables to store reports from browsers.\u003C\u002Fp>\n\u003Ch4>Supported security headers\u003C\u002Fh4>\n\u003Cp>The plugin has support for the following HTTP headers:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Content Security Policy (CSP) – with reporting\u003C\u002Fli>\n\u003Cli>XSS Protection (XXP) – with reporting\u003C\u002Fli>\n\u003Cli>Feature Policy (Permissions Policy)\u003C\u002Fli>\n\u003Cli>Content Type – No Sniff Policy\u003C\u002Fli>\n\u003Cli>Strict Transport Security\u003C\u002Fli>\n\u003Cli>Referrer Policy\u003C\u002Fli>\n\u003Cli>Frame Options\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>For CSP, the plugin allows you to set rules for all currently supported directives, additional settings including setting the policy in Report or Live mode. The plugin also includes special extensions that can automatically fill CSP rules for popular Google services you might be using on your website (Fonts, Maps, Adsense, Analytics, TagManager and more) and other popular services (Gravatar, Instagram, PayPal Vimeo and more).\u003C\u002Fp>\n\u003Cp>And, for Feature Policy (or Permissions Policy), the plugin allows you to set rules for all currently supported rules (over 25 rules, supported by different browsers).\u003C\u002Fp>\n\u003Ch4>FLoC \u002F Browsing Topics\u003C\u002Fh4>\n\u003Cp>Permissions Policy rules list includes ‘browsing-topics’ rule that can be used to disable Google’s new tracking method ‘Browsing Topics API’ (which replaced ‘Federated Learning of Cohorts’ or ‘FLoC’).\u003C\u002Fp>\n\u003Ch4>Methods for adding headers\u003C\u002Fh4>\n\u003Cp>The plugin can add all the generated headers into HTACCESS file (for Apache web servers), and they will be applied to all files, not just WordPress generated content. If your website is not using Apache (or .HTACCESS), all rules are generated with each page request and will work with any server type.\u003C\u002Fp>\n\u003Cp>And, if you don’t use Apache web server, the plugin has a panel where it displays generated headers for most popular servers: Apache, Nginx and IIS, and you can copy generated headers to add to server configuration files.\u003C\u002Fp>\n\u003Ch4>About the plugin\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>More information about \u003Ca href=\"https:\u002F\u002Fplugins.dev4press.com\u002Fgd-security-headers\u002F\" rel=\"nofollow ugc\">GD Security Headers\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Support and Knowledge Base for \u003Ca href=\"https:\u002F\u002Fsupport.dev4press.com\u002Fkb\u002Fproduct\u002Fgd-security-headers\u002F\" rel=\"nofollow ugc\">GD Security Headers\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Configure various security-related HTTP headers, including CSP, XSS, Referrer Policy and more.",1000,30187,80,8,"2024-06-07T08:16:00.000Z","6.6.5","5.5",[19,20,97,98,23],"dev4press","permission-policy","https:\u002F\u002Fplugins.dev4press.com\u002Fgd-security-headers\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgd-security-headers.zip",91,"2023-10-29 00:00:00",{"slug":104,"name":105,"version":106,"author":107,"author_profile":108,"description":109,"short_description":110,"active_installs":111,"downloaded":112,"rating":26,"num_ratings":113,"last_updated":114,"tested_up_to":49,"requires_at_least":115,"requires_php":51,"tags":116,"homepage":119,"download_link":120,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":60},"no-unsafe-inline","No unsafe-inline","1.3.0","Giuseppe","https:\u002F\u002Fprofiles.wordpress.org\u002Fmociofiletto\u002F","\u003Cp>Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.\u003Cbr \u002F>\nCross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications.\u003Cbr \u002F>\nXSS attacks enable attackers to inject client-side scripts into web pages viewed by other users.\u003Cbr \u002F>\nA cross-site scripting vulnerability may be used by attackers to bypass access controls like the same-origin policy.\u003Cbr \u002F>\nLooking at National Vulnerability Database run by US NIST, \u003Cem>more than 1100 (November 2025) vulnerabilities\u003C\u002Fem> are reported as \u003Ca href=\"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fsearch#\u002Fnvd\u002Fhome?vulnRevisionStatusList=published&keyword=XSS%20Wordpress&resultType=records\" rel=\"nofollow ugc\">XSS for WordPress’ plugins and themes\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>\u003Cem>Keeping your site up-to-date\u003C\u002Fem> with the latest versions of plugins and themes is the \u003Cstrong>first\u003C\u002Fstrong> line of defense to ensure your site’s security.\u003C\u002Fp>\n\u003Cp>The second thing to do, is to \u003Cstrong>deploy a strict Content Security Policy\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Ch3>The main problem\u003C\u002Fh3>\n\u003Cp>The main problem with Content Security Policies implemented in the real world is that \u003Ca href=\"https:\u002F\u002Fresearch.google\u002Fpubs\u002Fpub45542\u002F\" rel=\"nofollow ugc\">they are too weak to really protect your site\u003C\u002Fa> and that many of them can be trivially bypassed by an attacker.\u003C\u002Fp>\n\u003Ch3>The proposed solution\u003C\u002Fh3>\n\u003Cp>Google researchers recommend, instead of whole host whitelisting, to activate individual scripts via a CSP nonces approach.\u003Cbr \u002F>\nIn addition, in order to facilitate the adoption of nonce-based CSP, they proposed the ’strict-dynamic’ keyword.\u003C\u002Fp>\n\u003Ch3>The problem(s) with CSP in WordPress\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\n\u003Cp>Manual creation of a policy\u003C\u002Fp>\n\u003Cp>Usually, a WordPress project is a mix of code written by different authors who contributed to the Core and or wrote plugins and themes.\u003Cbr \u002F>\nIf it is possible to whitelist every external script loaded from a \u003Ccode>\u003Cscript src=\"\">\u003C\u002Fcode>, the real truth is that in a WordPress project you can have dozens of those scripts included with your plugins and calculate a cryptographic hash for each of them to be included in your CSP header can be a frustrating job. However, there are many browser extensions and WordPress’ plugins that can help you in this job.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Inline scripts\u003C\u002Fp>\n\u003Cp>WordPress core, and plugins, use inline scripts. For these scripts, you can compute hashes to be inserted manually into your policy, only if these scripts do not change at any page load. Unfortunately, this is not very common, as it is frequent to include variable values calculated server side in inline scripts. And it means that your inline scripts change too frequently to manually add their hashes to your policy.\u003Cbr \u002F>\nThis commonly happens when scripts are \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWordPress\u002FWordPress\u002Fblob\u002Fa793be201b9c23dbe8b90a6ecd53ab52336f0f91\u002Fwp-includes\u002Fscript-loader.php#L636\" rel=\"nofollow ugc\">“localized”\u003C\u002Fa>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>WordPress has no API to implement nonces for CSP\u003C\u002Fp>\n\u003Cp>Even if it is easy to generate a nonce for each page view, this nonce has to be inserted in every script tag used to embed inline scripts in your page as\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003Cscript nonce=\"rAnd0m\">\n    doWhatever();\n\u003C\u002Fscript>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>and in your script-src directive:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>script-src 'nonce-rAnd0m';\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>And, of course, a nonce must be unique for each HTTP response.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Unsafe hashes \u002F Inline styles\u003C\u002Fp>\n\u003Cp>Sometimes, HTML elements as images or buttons use HTML Event Attributes (onclick, onsubmit…) to let events trigger actions in a browser.\u003Cbr \u002F>\nYou cannot use hashes or nonces for script included in event attributes and, adopting a strict CSP, requires refactoring those patterns into safer alternatives or to use ‘unsafe-hashes’.\u003Cbr \u002F>\nYou got a similar problem when inline styles are used in HTML tags:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003Ch1 style=\"color:blue;text-align:center;\">This is a heading\u003C\u002Fh1>\n\u003Cp style=\"color:red;\">This is a paragraph.\u003C\u002Fp>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>CSP Level 2 browsers may be ok with just putting the hash in your style-src directive. However, to allow hashes in the style attribute on inline CSS on browsers that support CSP Level 3, you may get an error like this\u003C\u002Fp>\n\u003Cpre>\u003Ccode>    Refused to apply inline style because it violates the following Content Security Policy directive: \"style-src 'self' 'sha256-nMxMqdZhkHxz5vAuW\u002FPAoLvECzzsmeAxD\u002FBNwG15HuA='\". Either the 'unsafe-inline' keyword, a hash ('sha256-nMxMqdZhkHxz5vAuW\u002FPAoLvECzzsmeAxD\u002FBNwG15HuA='), or a nonce ('nonce-...') is required to enable inline execution.\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>To allow inline styles you need to use ‘unsafe-hashes’ in your style-src directive (that is, in facts, unsafe).\u003Cbr \u002F>\n^\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>This plugin approach\u003C\u002Fh3>\n\u003Cp>This plugin affords those problems in this way:\u003C\u002Fp>\n\u003Col>\n\u003Cli>During a capture phase, it detects the scripts, styles and other embedded content present in the pages of your site and stores them in the database.\u003C\u002Fli>\n\u003Cli>Then you have to whitelist these contents from plugin admin.\u003C\u002Fli>\n\u003Cli>The plugin uses machine learning to cluster inline scripts trying to aggregate scripts generated by the same server side (PHP) code. So, you can authorize one script example to authorize all scripts that the classifier predicts to label as whitelisted clusters.\u003C\u002Fli>\n\u003Cli>You can choose to use hashes to authorize external scripts (and the plugin will allow you to include Subresource Integrity in your \u003Ccode>\u003Cscript>\u003C\u002Fcode> and \u003Ccode>\u003Clink>\u003C\u002Fcode>)\u003C\u002Fli>\n\u003Cli>You can use hashes or nonces to authorize inline scripts.\u003C\u002Fli>\n\u003Cli>You can ask the plugin to refactor your page to not use event attributes (converted in a inline script) and inline styles (converted in an internal CSS).\u003C\u002Fli>\n\u003Cli>You can set one or more violations’ report endpoints.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>The plugin supports multisite installations and has (too) many options documented in inline help.\u003C\u002Fp>\n\u003Ch3>Creating a Content Security Policy\u003C\u002Fh3>\n\u003Cp>After plugin activation, go to Settings menu and search for CSP Settings submenu.\u003Cbr \u002F>\nThe steps you are supposed to do are the following.\u003C\u002Fp>\n\u003Col>\n\u003Cli>From the Tools tab, activate the capture of the tags and use your site by visiting all the pages or having your users visit them for a long time long period based on the use of your site (hours or days).\u003C\u002Fli>\n\u003Cli>From the Tools tab, perform the data clustering in the database (it can use many server resources).\u003C\u002Fli>\n\u003Cli>Go to the Base rules tab and include in the CSP directives the desired values ​​(help you with the table at the bottom of the page).\u003C\u002Fli>\n\u003Cli>Go to the external scripts tab, inline scripts tab and scripts invoked by event handlers tab and authorize the execution of all the legitimate scripts present on the pages of your site.\u003C\u002Fli>\n\u003Cli>Leaving the tag capture active, activate the policy test (at this stage the plugin will generate some violations of the temporary policy used to record additional values to be included in the directives of your “content security policy”).\u003C\u002Fli>\n\u003Cli>After visiting again your site pages, disable the capture of the tags and repeat the previous steps 2, 3 and 4.\u003C\u002Fli>\n\u003Cli>Enable site protection.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>N.B. When you update plugins or themes, if something doesn’t work properly on your site pages, temporarily deactivate the protection and repeat steps 1 to 7.\u003C\u002Fp>\n\u003Ch3>Plugin hooks\u003C\u002Fh3>\n\u003Ch4>Filters\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FMocioF\u002FNo-unsafe-inline\u002Fblob\u002Fd068711d56c2d7b228b524f640f5e13af3327097\u002Fpublic\u002Fclass-no-unsafe-inline-public.php#L419\" rel=\"nofollow ugc\">nunil_output_csp_headers_header_csp\u003C\u002Fa>\u003Cbr \u002F>\nnunil_output_csp_headers_header_csp is available since version 1.2.3 and can be used to modify the Content-Security-Policy header before it is sent to browser\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FMocioF\u002FNo-unsafe-inline\u002Fblob\u002Fd068711d56c2d7b228b524f640f5e13af3327097\u002Fsrc\u002FNunil_Manipulate_DOM.php#L930\" rel=\"nofollow ugc\">no_unsafe_inline_not_sri_sources\u003C\u002Fa>\u003Cbr \u002F>\nno_unsafe_inline_not_sri_sources can be used to modify the list of external resources that do not support SRI (Subresource Integrity)\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FMocioF\u002FNo-unsafe-inline\u002Fblob\u002Fd068711d56c2d7b228b524f640f5e13af3327097\u002Fmu-plugin\u002Fno-unsafe-inline-output-buffering.php#L100\" rel=\"nofollow ugc\">no_unsafe_inline_final_output\u003C\u002Fa>\u003Cbr \u002F>\nno_unsafe_inline_final_output is an internal filter used to manipulate the output of the WordPress process just before the output is sent to the browser.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FMocioF\u002FNo-unsafe-inline\u002Fblob\u002Fd068711d56c2d7b228b524f640f5e13af3327097\u002Fmu-plugin\u002Fno-unsafe-inline-output-buffering.php#L107\" rel=\"nofollow ugc\">no_unsafe_inline_meta_injector\u003C\u002Fa>\u003Cbr \u002F>\nno_unsafe_inline_meta_injector is an internal filter hook used to inject meta http-equiv=”Content-Security-Policy” if variable is set\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Actions\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FMocioF\u002FNo-unsafe-inline\u002Fblob\u002Fd068711d56c2d7b228b524f640f5e13af3327097\u002Fincludes\u002Fclass-no-unsafe-inline.php#L213-L217\" rel=\"nofollow ugc\">nunil_upgrade\u003C\u002Fa> Functions hooked on nunil_upgrade will run when the plugin is upgraded\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FMocioF\u002FNo-unsafe-inline\u002Fblob\u002Fd068711d56c2d7b228b524f640f5e13af3327097\u002Fincludes\u002Fclass-no-unsafe-inline.php#L254\" rel=\"nofollow ugc\">nunil_output_csp_headers\u003C\u002Fa> Functions hooked to nunil_output_csp_headers will run when the plugin output the CSP HTTP response header\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Code and libraries\u003C\u002Fh3>\n\u003Cp>This version of the plugin uses:\u003Cbr \u002F>\n* to parse HTML:\u003Cbr \u002F>\n  * \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fivopetkov\u002Fhtml5-dom-document-php\" rel=\"nofollow ugc\">ivopetkov\u002FHTML5DOMDocument\u003C\u002Fa> on PHP\u003C8.4 and libxml\u003C=2.13.09\u003Cbr \u002F>\n  * \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FMasterminds\u002Fhtml5-php\" rel=\"nofollow ugc\">Masterminds\\HTML5\u003C\u002Fa> on PHP\u003C8.4 and libxml>2.13.09\u003Cbr \u002F>\n  * \u003Ca href=\"https:\u002F\u002Fwww.php.net\u002Fmanual\u002Fen\u002Fmigration84.new-features.php#migration84.new-features.dom\" rel=\"nofollow ugc\">\\Dom\\HTMLDocument\u003C\u002Fa>: The new ext-dom features with HTML5 support on PHP>8.4\u003Cbr \u002F>\n* \u003Ca href=\"https:\u002F\u002Frubixml.com\u002F\" rel=\"nofollow ugc\">RubixML\u003C\u002Fa> for machine learning \u003Cstrong>\u003Cem>from version 1.1.0\u003C\u002Fem>\u003C\u002Fstrong> – \u003Cem>\u003Ca href=\"https:\u002F\u002Fphp-ml.readthedocs.io\u002Fen\u002Flatest\u002F\" rel=\"nofollow ugc\">PHP-ML\u003C\u002Fa> was used in versions 1.0.x\u003C\u002Fem>;\u003Cbr \u002F>\n* \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fopctim\u002Fphp-nilsimsa\" rel=\"nofollow ugc\">opctim\u002Fphp-nilsimsa\u003C\u002Fa> to calculate and compare Nilsimsa digests.\u003C\u002Fp>\n\u003Cp>The log functions have been taken from\u003Cbr \u002F>\n* \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fperfectyorg\u002Fperfecty-push-wp\" rel=\"nofollow ugc\">perfectyorg\u002Fperfecty-push-wp\u003C\u002Fa>, \u003Cstrong>\u003Cem>something you should \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fperfecty-push-notifications\u002F\" rel=\"ugc\">really try\u003C\u002Fa> if you want to implement web Push notifications in your site.\u003C\u002Fem>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>The \u003Cstrong>complete list of dependencies\u003C\u002Fstrong> used in this plugin can be seen in \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FMocioF\u002FNo-unsafe-inline\u002Fnetwork\u002Fdependencies\" rel=\"nofollow ugc\">dependency graph\u003C\u002Fa> on GitHub.\u003C\u002Fp>\n\u003Ch3>Contributions, Issues, Bugs\u003C\u002Fh3>\n\u003Cp>Plugin code is hosted on a public repository on \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FMocioF\u002FNo-unsafe-inline\" rel=\"nofollow ugc\">GitHub\u003C\u002Fa>.\u003Cbr \u002F>\nReach me over there to help and suggest.\u003C\u002Fp>\n","No unsafe-inline helps you to build a Content Security Policy avoiding to use 'unsafe-inline' and 'unsafe-hashes'.",200,11184,5,"2025-12-04T21:50:00.000Z","5.9",[19,20,117,23,118],"multisite","unsafe-inline","https:\u002F\u002Fgithub.com\u002FMocioF\u002FNo-unsafe-inline","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fno-unsafe-inline.1.3.0.zip",{"slug":122,"name":123,"version":124,"author":125,"author_profile":126,"description":127,"short_description":128,"active_installs":26,"downloaded":129,"rating":130,"num_ratings":131,"last_updated":132,"tested_up_to":49,"requires_at_least":115,"requires_php":133,"tags":134,"homepage":137,"download_link":138,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":60},"csp-antsst","CSP Friendly Security","1.5.2","Pascal CESCATO","https:\u002F\u002Fprofiles.wordpress.org\u002Fpcescato\u002F","\u003Cp>Adds a CSP header compatible with most WP plugins without breaking styles.\u003C\u002Fp>\n","Adds a CSP header compatible with most WP plugins without breaking styles.",2755,70,4,"2026-01-01T13:42:00.000Z","7.3",[19,20,135,77,136],"nonces","sha256-hashes","https:\u002F\u002Ftsw.ovh\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcsp-antsst.1.5.2.zip",{"attackSurface":140,"codeSignals":180,"taintFlows":227,"riskAssessment":255,"analyzedAt":260},{"hooks":141,"ajaxHandlers":176,"restRoutes":177,"shortcodes":178,"cronEvents":179,"entryPointCount":13,"unprotectedCount":13},[142,148,152,156,160,164,168,171,174],{"type":143,"name":144,"callback":145,"file":146,"line":147},"action","admin_init","gdprhelper__register_settings","includes\\backendPage.php",12,{"type":143,"name":149,"callback":150,"file":146,"line":151},"admin_menu","gdprhelper__register_admin_menu",13,{"type":143,"name":153,"callback":154,"file":146,"line":155},"admin_enqueue_scripts","gdprhelper__enqueue_scripts",14,{"type":143,"name":157,"callback":158,"priority":11,"file":159,"line":11},"elementor\u002Fwidget\u002Frender_content","gdprhelper__map_handler__elementor_widget_render_content","includes\\elementor\\mapHandler.php",{"type":143,"name":161,"callback":162,"file":163,"line":151},"elementor\u002Fwidgets\u002Fregister","register_new_widgets","includes\\elementor\\widgetShortcode.php",{"type":143,"name":165,"callback":166,"file":167,"line":151},"init","gdprhelper__load_language_domain","includes\\ghMain.php",{"type":143,"name":165,"callback":169,"file":167,"line":170},"gdprhelper__set_cookies",15,{"type":143,"name":165,"callback":172,"file":167,"line":173},"gdprhelper__load_in_init",27,{"type":143,"name":165,"callback":175,"file":167,"line":32},"gdprhelper__setHeader",[],[],[],[],{"dangerousFunctions":181,"sqlUsage":182,"outputEscaping":184,"fileOperations":13,"externalRequests":13,"nonceChecks":31,"capabilityChecks":13,"bundledLibraries":226},[],{"prepared":13,"raw":13,"locations":183},[],{"escaped":185,"rawEcho":186,"locations":187},20,24,[188,191,192,194,195,197,198,199,201,202,204,205,206,208,209,211,212,213,215,216,218,220,222,224],{"file":146,"line":189,"context":190},378,"raw output",{"file":146,"line":189,"context":190},{"file":146,"line":193,"context":190},380,{"file":146,"line":193,"context":190},{"file":146,"line":196,"context":190},393,{"file":146,"line":196,"context":190},{"file":146,"line":196,"context":190},{"file":146,"line":200,"context":190},395,{"file":146,"line":200,"context":190},{"file":146,"line":203,"context":190},408,{"file":146,"line":203,"context":190},{"file":146,"line":203,"context":190},{"file":146,"line":207,"context":190},410,{"file":146,"line":207,"context":190},{"file":146,"line":210,"context":190},431,{"file":146,"line":210,"context":190},{"file":146,"line":210,"context":190},{"file":146,"line":214,"context":190},432,{"file":146,"line":214,"context":190},{"file":146,"line":217,"context":190},436,{"file":146,"line":219,"context":190},438,{"file":146,"line":221,"context":190},443,{"file":163,"line":223,"context":190},168,{"file":163,"line":225,"context":190},170,[],[228,247],{"entryPoint":229,"graph":230,"unsanitizedCount":13,"severity":246},"gdprhelper__set_cookies (includes\\ghMain.php:49)",{"nodes":231,"edges":243},[232,237],{"id":233,"type":234,"label":235,"file":167,"line":236},"n0","source","$_GET",52,{"id":238,"type":239,"label":240,"file":167,"line":241,"wp_function":242},"n1","sink","wp_redirect() [Open Redirect]",61,"wp_redirect",[244],{"from":233,"to":238,"sanitized":245},true,"low",{"entryPoint":248,"graph":249,"unsanitizedCount":13,"severity":246},"\u003CghMain> (includes\\ghMain.php:0)",{"nodes":250,"edges":253},[251,252],{"id":233,"type":234,"label":235,"file":167,"line":236},{"id":238,"type":239,"label":240,"file":167,"line":241,"wp_function":242},[254],{"from":233,"to":238,"sanitized":245},{"summary":256,"deductions":257},"The \"gdpr-helper\" plugin version 1.2.1 exhibits a generally strong security posture based on the provided static analysis.  The plugin demonstrates good practices by having no identified attack surface points (AJAX, REST API, shortcodes, cron events) that are exposed without authentication or proper permission checks.  Furthermore, the absence of dangerous functions, file operations, and external HTTP requests, coupled with 100% of SQL queries utilizing prepared statements, are significant strengths. The single nonce check is a positive indicator. However, a concerning aspect is the output escaping, with only 45% of outputs properly escaped. This could potentially lead to cross-site scripting (XSS) vulnerabilities if user-supplied data is not sufficiently sanitized before being displayed to the user.\n\nThe vulnerability history shows no recorded CVEs, which is an excellent sign and suggests a lack of previously exploited or publicly disclosed security flaws. This, combined with the clean taint analysis (no unsanitized paths or critical\u002Fhigh severity flows), further reinforces the idea that the plugin has been developed with security in mind.  Despite the positive history, the moderate output escaping rate remains a notable weakness that warrants attention and potential remediation to ensure a more robust security profile.",[258],{"reason":259,"points":113},"Insufficient output escaping","2026-03-16T23:11:49.102Z",{"wat":262,"direct":271},{"assetPaths":263,"generatorPatterns":266,"scriptPaths":267,"versionParams":268},[264,265],"\u002Fwp-content\u002Fplugins\u002Fgdpr-helper\u002Fcss\u002Fbackend_style.css","\u002Fwp-content\u002Fplugins\u002Fgdpr-helper\u002Fjs\u002Fbackend_script.js",[],[265],[269,270],"gdpr-helper\u002Fcss\u002Fbackend_style.css?ver=","gdpr-helper\u002Fjs\u002Fbackend_script.js?ver=",{"cssClasses":272,"htmlComments":273,"htmlAttributes":274,"restEndpoints":275,"jsGlobals":276,"shortcodeOutput":278},[],[],[],[],[277],"GH__PLUGIN_URL",[]]