Release#2848
Open
abaicus wants to merge 205 commits into
- Update NPM packages.
- Update & extend E2E tests and unit tests
- Update GitHub actions.
Co-authored-by: Soare-Robert-Daniel <17597852+Soare-Robert-Daniel@users.noreply.github.com>
Added ACF repeater field support
Bundle Size Diff
Plugin build for 8be769a is ready 🛎️!
E2E Tests
Playwright Test Status: See serial and parallel matrix jobs
Performance Results
serverResponse: {"q25":481.1,"q50":510.35,"q75":515.7,"cnt":10}
firstPaint: {"q25":1405.1,"q50":1673.4,"q75":1686.6,"cnt":10}
domContentLoaded: {"q25":3856,"q50":3879.55,"q75":3899.3,"cnt":10}
loaded: {"q25":3857.9,"q50":3881.6,"q75":3901.2,"cnt":10}
firstContentfulPaint: {"q25":4377.7,"q50":4413.6,"q75":4430.6,"cnt":10}
firstBlock: {"q25":15237.7,"q50":15393.95,"q75":15466.8,"cnt":10}
type: {"q25":31.03,"q50":32.36,"q75":34.47,"cnt":10}
typeWithoutInspector: {"q25":24.28,"q50":28.2,"q75":34.1,"cnt":10}
typeWithTopToolbar: {"q25":37.7,"q50":39.8,"q75":45.46,"cnt":10}
typeContainer: {"q25":19.09,"q50":19.96,"q75":21.99,"cnt":10}
focus: {"q25":143.05,"q50":150.59,"q75":156.63,"cnt":10}
inserterOpen: {"q25":47.41,"q50":49.27,"q75":49.93,"cnt":10}
inserterSearch: {"q25":17.45,"q50":18.33,"q75":21.48,"cnt":10}
inserterHover: {"q25":5.79,"q50":6.62,"q75":6.97,"cnt":20}
loadPatterns: {"q25":1956.13,"q50":1986.51,"q75":2008.04,"cnt":10}
listViewOpen: {"q25":254.81,"q50":271.2,"q75":284.51,"cnt":10}
Fixed button group global settings
- Add isset() check before accessing otterSearchQuery['cat']
- Store cat value in variable before using it
- Add test case for missing cat key scenario
- Fix PHPCS alignment issue
Agent-Logs-Url: https://github.com/Codeinwp/otter-blocks/sessions/170e8ebd-3fea-4925-ada5-97d494c13734
Co-authored-by: abaicus <15010186+abaicus@users.noreply.github.com>
Co-authored-by: abaicus <15010186+abaicus@users.noreply.github.com>
…-editors [WIP] Fix duplicated editor areas in custom CSS panel
…-cat-warning Fix undefined array key 'cat' warning in Live Search
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
dashboard: route active pro users to pro support link
send_test_email() used the payload `to` address unsanitized in both wp_mail() and the From header, letting any edit_posts user relay mail to arbitrary addresses and smuggle header fragments. Wrap it in sanitize_email(), matching the sibling send_default_email(). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
save_file_from_field() decided whether to run the SVG sanitizer from the client-supplied metadata name, so an SVG uploaded under a lying non-.svg name skipped sanitization. Base the decision on the actual file being saved ($file_data name/type), which is what wp_handle_sideload stores it under. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The unauthenticated /otter/v1/dynamic endpoint accepted any `fallback` image path under WP_CONTENT_DIR and readfile()'d it, letting a caller read arbitrary images anywhere in wp-content (bypassing URL-level media access control). Extract the path check into get_safe_fallback_path() and narrow the allowed base from wp-content to the uploads directory, which is where library-chosen fallbacks always live. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
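Added example of the path confinement the commit above describes; it is not the plugin's own get_safe_fallback_path(). The uploads directory is passed in rather than read from wp_upload_dir(), and the image-extension allowlist and the return-empty-string contract are assumptions, so the file runs on its own with php.

```php
<?php
// Added example, not the plugin's own code: confine a caller-supplied fallback
// image path to the uploads directory before it is readfile()'d. The uploads
// directory is passed in (instead of calling wp_upload_dir()) so it runs alone.
declare( strict_types=1 );

// Assumed allowlist; the real plugin may accept a different set of image types.
const ALLOWED_IMAGE_EXT = [ 'png', 'jpg', 'jpeg', 'gif', 'webp' ];

/**
 * Absolute path of $fallback inside $uploads_dir, or '' when it escapes the
 * directory, does not exist, or does not carry an allowed image extension.
 */
function get_safe_fallback_path( string $fallback, string $uploads_dir ): string {
	$base = realpath( $uploads_dir );
	if ( false === $base || '' === trim( $fallback ) ) {
		return '';
	}
	$ext = strtolower( pathinfo( $fallback, PATHINFO_EXTENSION ) );
	if ( ! in_array( $ext, ALLOWED_IMAGE_EXT, true ) ) {
		return '';
	}
	// realpath() collapses '..' and symlinks, so a traversal resolves to its
	// real target (or false); a string prefix check on the raw input would not.
	$real = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $fallback, '/\\' ) );
	if ( false === $real || ! is_file( $real ) ) {
		return '';
	}
	// Compare against base plus separator so 'uploads-private' cannot match 'uploads'.
	if ( 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
		return '';
	}
	return $real;
}

// Constructed fixture: <tmp>/wp-content/uploads/2024/pic.png is legitimate,
// <tmp>/wp-content/private.png sits outside uploads and must stay unreadable.
$content = sys_get_temp_dir() . '/otter-fallback-' . getmypid();
mkdir( "$content/uploads/2024", 0700, true );
file_put_contents( "$content/uploads/2024/pic.png", 'png-bytes' );
file_put_contents( "$content/private.png", 'secret' );

foreach ( [ '2024/pic.png', '../private.png', '2024/pic.php' ] as $input ) {
	$path = get_safe_fallback_path( $input, "$content/uploads" );
	printf( "%-16s => %s\n", $input, '' === $path ? 'rejected' : 'allowed' );
}
```

Only the first input is allowed: the traversal resolves outside the uploads base and the .php name fails the extension allowlist before any filesystem access.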
Bulk actions per status view, read/unread row-action swap with the verified nonce, and the no-Pro form column linking to the source page anchor. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Provider fallback to recaptcha, the missing-keys warning gated on edit_posts, and provider-specific key checks (turnstile vs google options). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
A second lookup for the same slug is served from the 12h transient, and errors are not cached so retries can succeed. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Boxes show their semantic tag, text blocks their content, and a custom Rename-UI name wins over the tag label. Serial: flips the site-wide atomic-wind option. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Regression for the undefined-array-key 'cat' warning: a post-only search query with no category must render without PHP warnings or console errors. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Regression for Appearance/Letter Case being written to the wrong keys: the saved defaults must use fontStyle/textTransform, and a freshly inserted Button Group must inherit them down to the frontend CSS. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The PHPUnit suite reinstalls WordPress over the shared wp-env site and drops the permalink structure, which breaks REST discovery at /wp-json/. Restore it once and retry before failing. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The Integrations tab link built its URL from optionsPath, which is not localized on the dashboard page, producing wp-admin/undefined#ai. Switch tabs in place via setTab instead. Also opt SelectControl out of the flex row layout forced on base-control fields so its stacked label no longer wraps. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
get_client_ip() returned forwarded-header values verbatim, and the result is concatenated into the outbound iphub geolocation URL. Take the first entry of a comma-separated forwarded list and validate it with FILTER_VALIDATE_IP, returning '' when it is not a valid IP. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
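Added example of the forwarded-header handling in the commit above, not the plugin's own get_client_ip(). It goes one step past the commit by honouring X-Forwarded-For only when the direct peer is a trusted proxy; the $server and $trusted_proxies parameters are assumptions made so the function can be exercised stand-alone.

```php
<?php
// Added example, not the plugin's own code: derive a client IP that is safe to
// concatenate into an outbound URL. It goes past the commit above in one way:
// forwarded headers are honoured only when the direct peer is a proxy we trust.
declare( strict_types=1 );

/**
 * @param array<string,string> $server          the $_SERVER array, passed in for testing
 * @param string[]             $trusted_proxies REMOTE_ADDR values allowed to set forwarded headers
 */
function get_client_ip( array $server, array $trusted_proxies = [] ): string {
	$remote    = $server['REMOTE_ADDR'] ?? '';
	$candidate = $remote;

	// Anyone can send X-Forwarded-For, so on a bare host the header is ignored;
	// behind a trusted proxy it reads "client, proxy1, ..." and the first entry
	// is the client. Passing the whole string on would carry commas and more.
	if ( in_array( $remote, $trusted_proxies, true ) && ! empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
		$candidate = trim( explode( ',', $server['HTTP_X_FORWARDED_FOR'], 2 )[0] );
	}

	// FILTER_VALIDATE_IP accepts only a bare IPv4/IPv6 literal, so any path or
	// query fragment appended to the header collapses to '' instead of
	// reaching the geolocation URL.
	$ip = filter_var( $candidate, FILTER_VALIDATE_IP );
	return false === $ip ? '' : $ip;
}

// Constructed requests using documentation-range addresses, not real traffic.
$proxy = '10.0.0.5';
$cases = [
	'direct'            => [ 'REMOTE_ADDR' => '203.0.113.7' ],
	'via trusted proxy' => [ 'REMOTE_ADDR' => $proxy, 'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 10.0.0.5' ],
	'spoofed, no proxy' => [ 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9' ],
	'junk via proxy'    => [ 'REMOTE_ADDR' => $proxy, 'HTTP_X_FORWARDED_FOR' => '198.51.100.9/../x?k=' ],
	'ipv6 via proxy'    => [ 'REMOTE_ADDR' => $proxy, 'HTTP_X_FORWARDED_FOR' => '2001:db8::1' ],
];
foreach ( $cases as $label => $server ) {
	printf( "%-18s => '%s'\n", $label, get_client_ip( $server, [ $proxy ] ) );
}
```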
parse_query() applied the public o_post_type query var to every query via the global query var, letting a visitor override post_type on unrelated/secondary queries. Gate it to the main search query and read the var from the query being parsed. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
validate_source_and_get_name() fetched the source URL with sslverify => false. Remove the flag so wp_remote_get verifies the certificate (default). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
An empty-string or corrupt themeisle_blocks_settings_global_defaults option json_decode()s to null, which was localized as-is and crashed every newly inserted Otter block's Edit component (null[name] in addGlobalDefaults). Guard both sides: the editor localization always hands out an object, and addGlobalDefaults reads the per-block entry with optional chaining. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Poisons the option through REST, loads a fresh editor and inserts a Button Group: the block must render instead of hitting the crash boundary. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Both the free and pro compilations defaulted to the webpackChunkotter_blocks chunk-loading global, so on fresh production builds the two runtimes resolved each other's numeric module IDs and crashed the whole editor when loaded together. Give the pro output its own uniqueName. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The module-ID collision only crashes the editor on builds whose IDs happen to mismatch, so specs can't catch a regression deterministically. Assert the two bundles use distinct chunk-loading globals before the suite starts. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The plugin still declares PHP 5.6 support and phpcs flags the null coalescing operator; is_object() is also stricter (scalar/array JSON). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The review comparison block echoed title, permalink, price, discounted, description and feature titles pulled from a referenced review block's attributes without escaping (line 116 above already escaped, these were missed). Escape each at the sink (esc_html/esc_url/wp_kses_post). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The wordpress.org API author field was echoed unescaped while every sibling field was escaped. Run it through wp_kses_post (preserves the intended anchor markup, strips scripts/handlers). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The Stripe field block echoed the id/mappedName/fieldOptionName block attributes and the Stripe product image/description/name into HTML with no escaping. Escape the product sinks (esc_url/esc_attr/esc_html) and extract the field attributes into get_field_attributes() with esc_attr. Adds Test_Render_Escaping covering the review-comparison, plugin-card and Stripe field escaping. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Follow-up to a coverage-gap analysis of the upcoming release (development vs master). Adds the missing tests around the new Form Records admin classes, the AI usage tracker, the form Reply-To feature (#2858), the reworked visibility conditions UI (#2857), the Form Records list table, the captcha block render, the Plugin Card cache, Atomic Wind List View labels, the Live Search 'cat' regression and the Button Group global-defaults fix.
fix(security): dynamic-content meta disclosure, test-email relay, SVG upload sanitization
Bumps [codeinwp/themeisle-sdk](https://github.com/Codeinwp/themeisle-sdk) from 3.3.52 to 3.3.54.
- [Release notes](https://github.com/Codeinwp/themeisle-sdk/releases)
- [Changelog](https://github.com/Codeinwp/themeisle-sdk/blob/v3.3.54/CHANGELOG.md)
- [Commits](Codeinwp/themeisle-sdk@v3.3.52...v3.3.54)
---
updated-dependencies:
- dependency-name: codeinwp/themeisle-sdk
  dependency-version: 3.3.54
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [@automattic/babel-plugin-replace-textdomain](https://github.com/Automattic/babel-plugin-replace-textdomain) from 1.1.2 to 1.1.6.
- [Changelog](https://github.com/Automattic/babel-plugin-replace-textdomain/blob/trunk/CHANGELOG.md)
- [Commits](Automattic/babel-plugin-replace-textdomain@v1.1.2...v1.1.6)
---
updated-dependencies:
- dependency-name: "@automattic/babel-plugin-replace-textdomain"
  dependency-version: 1.1.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
feat: modal & ai actions
| const content = block.attributes?.content; | ||
| if ( 'string' === typeof tagName && HEADING_TAGS.has( tagName ) && 'string' === typeof content ) { | ||
| const text = content.replace( /<[^>]+>/g, '' ).trim(); |
| @@ -0,0 +1,106 @@ | |||
| const stripTags = ( html ) => html.replace( /<[^>]+>/g, '' ).trim(); | |||
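Review bot: the `stripTags` helper introduced in the new file (`@@ -0,0 +1,106 @@`) is the same expression as the inline `content.replace( /<[^>]+>/g, '' ).trim()` in the heading-label branch above; export one shared helper and use it in both places so the two label paths cannot drift apart. It is also worth a one-line comment on `stripTags` that it only derives a display label: a regex on `<...>` is not a sanitizer (entity-encoded or malformed markup passes straight through), so any output that must be safe HTML should keep relying on escaping at the sink rather than on this strip.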