Drag-and-drop follow-up: review fixes #261
Merged
✅ WordPress Plugin Check Report
📊 Report
All checks passed! No errors or warnings found.
🤖 Generated by WordPress Plugin Check Action
Summary

Follow-up to #260 (Drag and drop improvements). Five code-review items from a post-merge audit:

- `console.log` → `console.info` in `src/drag/iframe-drop-targets.ts`. `no-console` ESLint config allows `info`/`warn`/`error` only; this drops the inline `eslint-disable` and uses the more semantically accurate level for the drag-start diagnostic.
- Mid-file imports in `src/desktop-files/layer.ts`. `buildBridgePayloadFromPlacement` had been inserted between two groups of imports, which would have tripped `import/first`. Moved the function below all imports.
- Block `javascript:` / `data:` / `vbscript:` URLs in the Gutenberg drop-receiver (`src/gutenberg-drop-receiver.ts`). Same-origin postMessage is the first line of defence; this is defence-in-depth so a hostile URL surviving into a `core/file` href or `core/paragraph` anchor can't become click-to-XSS. Returns `null` (silent no-op) for hostile URLs — same shape as "empty URL → no insert".
- Drop `site-editor.php` enqueue in `includes/render/assets.php`. The FSE's `core/block-editor` store isn't reliably available without an opened template in the canvas, so drops would silently time out at the receiver's 5 s `waitForEditor` poll. Also added a `desktop-mode-drop-failed` postMessage from the receiver → parent toast pipeline so any future "editor not ready" failure surfaces as user-visible feedback instead of just a `console.error`.
- `Map` mutation during `forEach` in the `WINDOW_CLOSED` cleanup of `iframe-drop-targets.ts`. Spec-safe but reads as a hazard; switched to `for…of` over `Array.from()` snapshots for both `_suppressedIframes` and `_activeRegistrations`.

Test plan

- `npm run lint` clean
- `npm run typecheck` clean
- `npm run test:js` — 1485 passing (3 new vitests cover `javascript:` / `data:` URL rejection across post / user / attachment payloads, plus the leading-whitespace + uppercase variants)
- `npm run build:desktop` + `npm run build:gutenberg-drop-receiver` — clean

🤖 Generated with Claude Code
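An added example, not code from this pull request or the plugin, of the kind of scheme check the third item describes: a blocked-scheme URL yields `null`, and the caller treats that the same as an empty URL. The names `safeHrefOrNull`, `fileBlockAttrs` and `DropPayload` and the payload shape are assumptions. Removing tab/CR/LF anywhere in the URL goes beyond the leading-whitespace and uppercase variants the test plan lists; it follows how browsers normalise a URL before parsing it.

```typescript
// Added example; all names are hypothetical, not taken from the plugin source.
const BLOCKED_SCHEMES = new Set(["javascript", "data", "vbscript"]);

// Return a URL that is safe to use as an href, or null when it must be dropped.
function safeHrefOrNull(raw: unknown): string | null {
  if (typeof raw !== "string") return null;
  // Mirror browser URL parsing: leading/trailing C0 controls and spaces are
  // stripped, and tab/CR/LF are removed wherever they occur in the string.
  const url = raw
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  if (url === "") return null;
  // Scheme syntax: a letter, then letters, digits, "+", "." or "-", then ":".
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(url)?.[1];
  if (scheme && BLOCKED_SCHEMES.has(scheme.toLowerCase())) return null;
  return url;
}

// Constructed payload shape (assumption): what a drag source might post.
interface DropPayload {
  kind: "post" | "user" | "attachment";
  title: string;
  url: string;
}

// Build attributes for a core/file block, or null meaning "no insert".
function fileBlockAttrs(p: DropPayload): { href: string; fileName: string } | null {
  const href = safeHrefOrNull(p.url);
  return href === null ? null : { href, fileName: p.title };
}

// Constructed sample payloads covering the variants the test plan mentions.
const samples: DropPayload[] = [
  { kind: "post", title: "Hello", url: "https://example.test/?p=1" },
  { kind: "user", title: "admin", url: "  JavaScript:alert(1)" },
  { kind: "attachment", title: "a.svg", url: "data:image/svg+xml,<svg/>" },
  { kind: "attachment", title: "b.pdf", url: "java\tscript:alert(1)" },
  { kind: "post", title: "Empty", url: "" },
];

// Titles of the payloads that would actually produce a block.
function insertedTitles(): string[] {
  return samples.filter((p) => fileBlockAttrs(p) !== null).map((p) => p.title);
}
```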