Sanitize superglobal reads in AdminScreenResolver

lib/Strategies/AdminScreenResolver.php

@@ -41,30 +41,47 @@ public function getUrlForAction(string $slug, string $action, array $context = [
      */
     public function isCurrentScreen(string $slug): bool
     {
-        return $_REQUEST['page'] === $slug;
+        return $this->readRequestKey('page') === $slug;
     }
 
     /**
      * @inheritDoc
      */
     public function isCurrentAction(string $slug, string $action): bool
     {
-        return $this->isCurrentScreen($slug) && $_REQUEST[$this->actionKey] === $action;
+        return $this->isCurrentScreen($slug) && $this->readRequestKey($this->actionKey) === $action;
     }
 
     /**
      * @inheritDoc
      */
     public function getCurrentScreen(): ?string
     {
-        return $_REQUEST['page'] ?? null;
+        return $this->readRequestKey('page');
     }
 
     /**
      * @inheritDoc
      */
     public function getCurrentAction(): ?string
     {
-        return $_REQUEST[$this->actionKey] ?? null;
+        return $this->readRequestKey($this->actionKey);
+    }
+
+    /**
+     * Read a request key sanitized for screen/action comparisons.
+     *
+     * Screen slugs and action names are key-shaped values; sanitize_key()
+     * mirrors how WordPress core treats the `page` query arg and strips
+     * anything an attacker could smuggle through the raw superglobal.
+     */
+    protected function readRequestKey(string $key): ?string
+    {
+        if (!isset($_REQUEST[$key]) || !is_string($_REQUEST[$key])) {
+            return null;
+        }
+
+        // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only comparison helpers; mutation handlers verify nonces at their own boundary.
+        return sanitize_key(wp_unslash($_REQUEST[$key]));
     }
 }