fix: posts endpoint by allowlisting query args

[girishpanchal30]

Summary

Harden public nv/v1/posts endpoint by allow listing query args.

Check before Pull Request is ready:

• I have written a test and included it in this PR
• I have run all tests and they pass
• The code passes when running the PHP CodeSniffer
• Code meets WordPress Coding Standards for PHP, HTML, CSS and JS
• Security and Sanitization requirements have been followed
• I have assigned a reviewer or two to review this PR (if you're not sure who to assign, we can do this step for you)

Closes https://github.com/Codeinwp/neve-pro-addon/issues/3140.

[pirate-bot]

Plugin build for 721d2ad is ready 🛎️!

• Download build

[Copilot]

Pull request overview

This PR hardens the public nv/v1/posts REST endpoint used by infinite scroll by restricting/sanitizing client-provided query arguments to reduce query manipulation and potential abuse.

Changes:

• Adds a hard cap for page_number requests and ensures it’s treated as an integer.
• Introduces a strict allowlist-based sanitization method for WP_Query args coming from the request body.
• Sanitizes the lang parameter before using it with Polylang/WPML behaviors.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

$sanitized['order'] is passed through strtoupper() without ensuring it’s a string. A crafted JSON body can send order as an array/object, which can trigger a PHP 8 TypeError and 500 the endpoint. Add an is_string() (or is_scalar() + cast) guard before strtoupper(), and consider normalizing the stored value to ASC/DESC after validation.

Suggested change

	$sanitized['order'] = in_array( strtoupper( $sanitized['order'] ), array( 'ASC', 'DESC' ), true ) ? $sanitized['order'] : 'DESC';
	if ( is_scalar( $sanitized['order'] ) ) {
	$order = strtoupper( (string) $sanitized['order'] );
	$sanitized['order'] = in_array( $order, array( 'ASC', 'DESC' ), true ) ? $order : 'DESC';
	} else {
	$sanitized['order'] = 'DESC';
	}

[Copilot]

The allowlist for orderby includes rand, which in WP_Query generally results in expensive queries and can be abused for DoS on a public endpoint (contradicting the hardening goal noted in the docblock). Consider removing rand from the allowed list, or only allowing it for authenticated/privileged requests.

Suggested change

	$safe_orderby = array( 'date', 'title', 'author', 'modified', 'comment_count', 'rand' );
	$safe_orderby = array( 'date', 'title', 'author', 'modified', 'comment_count' );

[Copilot]

Capping page_number at 100 can desync with the client-side maxPages value (localized from $wp_query->max_num_pages). On sites with >100 pages, infinite scroll will keep requesting pages 101..maxPages and receive empty responses, causing unnecessary repeated requests. Consider also capping the localized maxPages to 100 (or returning a signal the JS can use to stop requesting).

Suggested change

	if ( $page_number > 100 ) {
	return new \WP_REST_Response( '' );
	}

[Copilot]

post_type is taken directly from the decoded JSON body and passed to get_post_type_object()/returned in $sanitized without type normalization. If an attacker supplies a non-string (e.g., array), this can raise warnings (array-to-string conversion) and makes the sanitization less robust. Ensure post_type is a string (e.g., is_string + sanitize_key) before using it, otherwise fall back to 'post'.