From aedc59c68125d9623a7bb5db677b1b28a04f3052 Mon Sep 17 00:00:00 2001 From: Valerii Vasyliev Date: Thu, 4 Jun 2026 13:12:46 +0200 Subject: [PATCH 1/2] Add plugin security guidance for escaping and AJAX --- .../references/security.md | 21 +++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/skills/wp-plugin-development/references/security.md b/skills/wp-plugin-development/references/security.md index c3c68fe..7dd23c1 100644 --- a/skills/wp-plugin-development/references/security.md +++ b/skills/wp-plugin-development/references/security.md @@ -23,7 +23,24 @@ Practical rules: - use `wp_unslash()` before sanitizing when needed - use prepared statements for SQL; avoid interpolating user input into queries -Common review guidance: +## Output escaping contexts + +Escape at output, using the function that matches the context: + +* HTML text: `esc_html()` +* HTML attribute: `esc_attr()` +* URL: `esc_url()` +* textarea: `esc_textarea()` +* JSON/script data: `wp_json_encode()` +* allowed HTML: `wp_kses_post()` or `wp_kses()` -- https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/ +## AJAX handlers + +* For `wp_ajax_*`, verify nonce and check capabilities. +* For `wp_ajax_nopriv_*`, assume unauthenticated attacker-controlled traffic. +* Return JSON with `wp_send_json_success()` or `wp_send_json_error()`. +* Do not expose private data from AJAX responses. + +Common review guidance: +- https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/ \ No newline at end of file From 71fb2beafc71dc08e034460e68f43705b5ba7eb2 Mon Sep 17 00:00:00 2001 From: Valerii Vasyliev Date: Thu, 4 Jun 2026 13:19:00 +0200 Subject: [PATCH 2/2] patched the issue in PR --- skills/wp-plugin-development/references/security.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
diff --git a/skills/wp-plugin-development/references/security.md b/skills/wp-plugin-development/references/security.md index 7dd23c1..b63afb2 100644 --- a/skills/wp-plugin-development/references/security.md +++ b/skills/wp-plugin-development/references/security.md @@ -31,8 +31,11 @@ Escape at output, using the function that matches the context: * HTML attribute: `esc_attr()` * URL: `esc_url()` * textarea: `esc_textarea()` -* JSON/script data: `wp_json_encode()` -* allowed HTML: `wp_kses_post()` or `wp_kses()` +* JavaScript strings: `esc_js()` + +For JSON data, prefer `wp_json_encode()` and pass data through WordPress script APIs such as `wp_add_inline_script()` or `wp_localize_script()`. + +For user-provided HTML, restrict allowed markup with `wp_kses_post()` or `wp_kses()` before output. ## AJAX handlers
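Review bot: (PATCH 1/2, hunk `@@ -23,7 +23,24 @@`) The `## AJAX handlers` bullet "verify nonce and check capabilities" names no API, so the guidance is not greppable or testable; spell out the calls, e.g. `check_ajax_referer( 'my-plugin-action', 'nonce' );` followed by `if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( null, 403 ); }`, and say that `wp_ajax_nopriv_*` handlers must still sanitize every input and must never reach privileged operations. Two smaller points in the same hunk: the `* JSON/script data: wp_json_encode()` entry under `## Output escaping contexts` lists an encoder as if it were a context escaper and should be pulled out of the escaping list, and the moved `- https://developer.wordpress.org/...` line is re-added with `\ No newline at end of file`, which will show up as churn in the next diff; restore the trailing newline.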
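Review bot: (PATCH 2/2, hunk `@@ -31,8 +31,11 @@`) The new bullet `* JavaScript strings: esc_js()` needs the caveat that `esc_js()` is only for single-quoted inline JS strings (for example inside an `onclick="..."` attribute); used for a double-quoted literal or for a whole data structure it does not produce safe output, and the reader should be steered to the `wp_json_encode()` paragraph that follows for everything else. The sentence "pass data through WordPress script APIs such as `wp_add_inline_script()` or `wp_localize_script()`" would also benefit from one example, e.g. `wp_add_inline_script( 'my-plugin', 'var myPluginData = ' . wp_json_encode( $data ) . ';', 'before' );`, since that is the pattern the bullet list is trying to replace. Separately, the commit message "patched the issue in PR" does not say which issue; it should state that the escaping list conflated JSON encoding with output escaping.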