Escape HTML output on Plugin Settings page, fix namespace mismatch, add Claude.#3
Conversation
Herm71
added
change
There was a problem hiding this comment.
Pull request overview
Improves the WordPress plugin admin Settings page output safety and aligns PHPCS configuration with the plugin’s actual prefix/text domain, plus adds a CLAUDE.md repository guide.
Changes:
- Escapes plugin header fields (name/version/description) on the Settings page and refreshes the displayed feature list.
- Updates
.phpcs.xml.distto useucsccommsfor i18n text domain + global prefix checks. - Adds
CLAUDE.mdwith repo commands and architecture notes.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| lib/functions/settings.php | Escapes output on the settings/info page and revises the feature list content. |
| CLAUDE.md | Adds contributor/agent guidance (commands, architecture, conventions). |
| .phpcs.xml.dist | Fixes PHPCS i18n text domain and global prefix values to ucsccomms. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| $plugin_data = get_plugin_data( WP_PLUGIN_DIR . '/ucsc-communications-functionality/plugin.php'); | ||
| ?> | ||
| <div class="wrap cf-admin-settings-page"> | ||
| <h1><?php echo $plugin_data['Name']; ?></h1> | ||
| <h2>Version: <?php echo $plugin_data['Version']; ?> <a href="https://github.com/ucsc/ucsc-communications-functionality/releases">(release notes)</a></h2> | ||
| <p><?php echo $plugin_data['Description']; ?></p> | ||
| <h1><?php echo esc_html( $plugin_data['Name'] ); ?></h1> | ||
| <h2>Version: <?php echo esc_html( $plugin_data['Version'] ); ?> <a href="https://github.com/ucsc/ucsc-communications-functionality/releases">(release notes)</a></h2> | ||
| <p><?php echo wp_kses_post( $plugin_data['Description'] ); ?></p> |
There was a problem hiding this comment.
get_plugin_data() is using a hard-coded path under WP_PLUGIN_DIR with a specific plugin folder name. If the plugin directory name changes or the plugin is installed from a different path, this will return an empty array and the subsequent $plugin_data['Name'] / ['Version'] / ['Description'] access can trigger PHP notices. Prefer using the plugin’s own path constant (e.g., the same approach used in lib/functions/general.php) and handle the case where the file can’t be read (fallback values or early return).
There was a problem hiding this comment.
@copilot apply changes based on this feedback
There was a problem hiding this comment.
Applied in commit 679cf22:
- Replaced the hard-coded
WP_PLUGIN_DIR . '/ucsc-communications-functionality/plugin.php'withUCSCCOMMS_PLUGIN_DIR . 'plugin.php'(the same constant used ingeneral.php), wrapped in afile_exists()check with empty-array fallback to avoid PHP notices if the file is unreadable. - Wrapped all UI strings (
"Version:","(release notes)","Features added by this plugin","Shortcodes","ACF JSON", and the descriptive sentences) in__()with text domainucsccommsand escaped withesc_html(). - Rewrote the ACF JSON description to clarify that DB storage is not eliminated (using
wp_kses()applied to the fullsprintf()output so the<code>acf-json</code>tag is preserved safely). - Added
esc_url()to the GitHub releases linkhref.
| <h2>Version: <?php echo esc_html( $plugin_data['Version'] ); ?> <a href="https://github.com/ucsc/ucsc-communications-functionality/releases">(release notes)</a></h2> | ||
| <p><?php echo wp_kses_post( $plugin_data['Description'] ); ?></p> |
There was a problem hiding this comment.
New/updated UI strings on this settings page (e.g., "Version:" and "release notes") are hard-coded. Since the repo enables the WordPress.WP.I18n sniff in .phpcs.xml.dist, these should be wrapped in translation functions using the configured text domain (ucsccomms) to avoid PHPCS failures and to keep the admin UI translatable.
There was a problem hiding this comment.
@copilot apply changes based on this feedback
There was a problem hiding this comment.
Already applied in commit 6ff2e31. Both "Version:" and "(release notes)" are wrapped with esc_html( __( ..., 'ucsccomms' ) ), and the href attribute uses esc_url().
| <h3>Features added by this plugin</h3> | ||
| <h4>Shortcodes</h4> | ||
| <ul> | ||
| <li><strong>Shortcodes:</strong> | ||
| <ul> | ||
| <li><code>[style-definition]</code>: Displays the style definitions for each Editorial Style Guide post type</li> | ||
| <li><code>[style-archive]</code>: Displays a loop of the style guide posts on the Editorial Style Guide page</li> | ||
| </ul> | ||
| </li> | ||
| <li><strong>ACF JSON:</strong> Saves and loads ACF field groups to/from the plugin's <code>acf-json</code> folder</li> | ||
| <li><code>[style-definition]</code> — Displays the style definitions for each Editorial Style Guide post.</li> | ||
| <li><code>[style-archive]</code> — Displays a loop of all Editorial Style Guide posts on an archive page.</li> | ||
| </ul> | ||
| <h4>ACF JSON</h4> | ||
| <p>Field group definitions are saved to and loaded from the plugin's <code>acf-json</code> folder, keeping them version-controlled rather than stored in the database.</p> |
There was a problem hiding this comment.
Additional new strings in the feature list ("Features added by this plugin", "Shortcodes", "ACF JSON", and the descriptive sentences) should also be wrapped for i18n (text domain ucsccomms) to stay consistent with the PHPCS WordPress.WP.I18n rule configured for this repo.
There was a problem hiding this comment.
@copilot apply changes based on this feedback
There was a problem hiding this comment.
Already applied in commit 6ff2e31. All feature-list strings — "Features added by this plugin", "Shortcodes", "ACF JSON", and both shortcode description sentences — are wrapped with esc_html( __( ..., 'ucsccomms' ) ). The ACF JSON paragraph uses wp_kses( sprintf( __( ..., 'ucsccomms' ), '<code>acf-json</code>' ), ... ) so the <code> tag is preserved safely.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…s, reword ACF JSON description Agent-Logs-Url: https://github.com/ucsc/ucsc-communications-functionality/sessions/40dff330-66f8-4729-a616-e9f59c4df644 Co-authored-by: Herm71 <1000543+Herm71@users.noreply.github.com>
…CF JSON description Agent-Logs-Url: https://github.com/ucsc/ucsc-communications-functionality/sessions/40dff330-66f8-4729-a616-e9f59c4df644 Co-authored-by: Herm71 <1000543+Herm71@users.noreply.github.com>
|
Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details. Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
This PR properly escapes the HTML output in the
settings.phpfile, edits the Features list on the Settings page, and fixes a namespace mismatch. Fixes #2