
Release #2848

Open
abaicus wants to merge 205 commits into master from development

Conversation


@abaicus abaicus commented Jun 4, 2026


Comment thread src/blocks/test/e2e/blocks/form.spec.js Fixed
Comment thread src/blocks/test/e2e/blocks/section.spec.js Fixed

pirate-bot commented Jun 4, 2026


Bundle Size Diff

| Package | Old Size | New Size | Diff |
|---|---|---|---|
| Animations | 276.77 KB | 178.27 KB | -98.51 KB (-35.59%) |
| Blocks | 1.55 MB | 1.65 MB | 100.51 KB (6.34%) |
| CSS | 105.9 KB | 7.87 KB | -98.03 KB (-92.57%) |
| Dashboard | 204.08 KB | 172.5 KB | -31.58 KB (-15.47%) |
| Onboarding | 166.59 KB | 68.14 KB | -98.45 KB (-59.10%) |
| Export Import | 102.86 KB | 4.7 KB | -98.16 KB (-95.43%) |
| Pro | 412.66 KB | 439.79 KB | 27.13 KB (6.57%) |


pirate-bot commented Jun 4, 2026


Plugin build for 8be769a is ready 🛎️!


pirate-bot commented Jun 4, 2026


E2E Tests

Playwright Test Status: See serial and parallel matrix jobs

Performance Results (quartiles and sample count as reported by the bot)

| Metric | q25 | q50 | q75 | cnt |
|---|---|---|---|---|
| serverResponse | 481.1 | 510.35 | 515.7 | 10 |
| firstPaint | 1405.1 | 1673.4 | 1686.6 | 10 |
| domContentLoaded | 3856 | 3879.55 | 3899.3 | 10 |
| loaded | 3857.9 | 3881.6 | 3901.2 | 10 |
| firstContentfulPaint | 4377.7 | 4413.6 | 4430.6 | 10 |
| firstBlock | 15237.7 | 15393.95 | 15466.8 | 10 |
| type | 31.03 | 32.36 | 34.47 | 10 |
| typeWithoutInspector | 24.28 | 28.2 | 34.1 | 10 |
| typeWithTopToolbar | 37.7 | 39.8 | 45.46 | 10 |
| typeContainer | 19.09 | 19.96 | 21.99 | 10 |
| focus | 143.05 | 150.59 | 156.63 | 10 |
| inserterOpen | 47.41 | 49.27 | 49.93 | 10 |
| inserterSearch | 17.45 | 18.33 | 21.48 | 10 |
| inserterHover | 5.79 | 6.62 | 6.97 | 20 |
| loadPatterns | 1956.13 | 1986.51 | 2008.04 | 10 |
| listViewOpen | 254.81 | 271.2 | 284.51 | 10 |

abaicus and others added 14 commits June 4, 2026 14:05
Fixed button group global settings
- Add isset() check before accessing otterSearchQuery['cat']
- Store cat value in variable before using it
- Add test case for missing cat key scenario
- Fix PHPCS alignment issue

Agent-Logs-Url: https://github.com/Codeinwp/otter-blocks/sessions/170e8ebd-3fea-4925-ada5-97d494c13734

Co-authored-by: abaicus <15010186+abaicus@users.noreply.github.com>
Co-authored-by: abaicus <15010186+abaicus@users.noreply.github.com>
…-editors

[WIP] Fix duplicated editor areas in custom CSS panel
…-cat-warning

Fix undefined array key 'cat' warning in Live Search
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
dashboard: route active pro users to pro support link
Soare-Robert-Daniel and others added 29 commits July 2, 2026 12:59
send_test_email() used the payload `to` address unsanitized in both
wp_mail() and the From header, letting any edit_posts user relay mail
to arbitrary addresses and smuggle header fragments. Wrap it in
sanitize_email(), matching the sibling send_default_email().

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
save_file_from_field() decided whether to run the SVG sanitizer from
the client-supplied metadata name, so an SVG uploaded under a lying
non-.svg name skipped sanitization. Base the decision on the actual
file being saved ($file_data name/type), which is what wp_handle_sideload
stores it under.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The unauthenticated /otter/v1/dynamic endpoint accepted any `fallback`
image path under WP_CONTENT_DIR and readfile()'d it, letting a caller
read arbitrary images anywhere in wp-content (bypassing URL-level media
access control). Extract the path check into get_safe_fallback_path()
and narrow the allowed base from wp-content to the uploads directory,
which is where library-chosen fallbacks always live.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Bulk actions per status view, read/unread row-action swap with the verified
nonce, and the no-Pro form column linking to the source page anchor.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Provider fallback to recaptcha, the missing-keys warning gated on edit_posts,
and provider-specific key checks (turnstile vs google options).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
A second lookup for the same slug is served from the 12h transient, and
errors are not cached so retries can succeed.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Boxes show their semantic tag, text blocks their content, and a custom
Rename-UI name wins over the tag label. Serial: flips the site-wide
atomic-wind option.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Regression for the undefined-array-key 'cat' warning: a post-only search
query with no category must render without PHP warnings or console errors.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Regression for Appearance/Letter Case being written to the wrong keys: the
saved defaults must use fontStyle/textTransform, and a freshly inserted
Button Group must inherit them down to the frontend CSS.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The PHPUnit suite reinstalls WordPress over the shared wp-env site and drops
the permalink structure, which breaks REST discovery at /wp-json/. Restore
it once and retry before failing.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The Integrations tab link built its URL from optionsPath, which is not
localized on the dashboard page, producing wp-admin/undefined#ai. Switch
tabs in place via setTab instead. Also opt SelectControl out of the flex
row layout forced on base-control fields so its stacked label no longer
wraps.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
get_client_ip() returned forwarded-header values verbatim, and the
result is concatenated into the outbound iphub geolocation URL. Take
the first entry of a comma-separated forwarded list and validate it
with FILTER_VALIDATE_IP, returning '' when it is not a valid IP.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
parse_query() applied the public o_post_type query var to every query
via the global query var, letting a visitor override post_type on
unrelated/secondary queries. Gate it to the main search query and read
the var from the query being parsed.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
validate_source_and_get_name() fetched the source URL with
sslverify => false. Remove the flag so wp_remote_get verifies the
certificate (default).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
An empty-string or corrupt themeisle_blocks_settings_global_defaults option
json_decode()s to null, which was localized as-is and crashed every newly
inserted Otter block's Edit component (null[name] in addGlobalDefaults).

Guard both sides: the editor localization always hands out an object, and
addGlobalDefaults reads the per-block entry with optional chaining.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Poisons the option through REST, loads a fresh editor and inserts a Button
Group: the block must render instead of hitting the crash boundary.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Both the free and pro compilations defaulted to the webpackChunkotter_blocks
chunk-loading global, so on fresh production builds the two runtimes resolved
each other's numeric module IDs and crashed the whole editor when loaded
together. Give the pro output its own uniqueName.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The module-ID collision only crashes the editor on builds whose IDs happen
to mismatch, so specs can't catch a regression deterministically. Assert the
two bundles use distinct chunk-loading globals before the suite starts.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The plugin still declares PHP 5.6 support and phpcs flags the null
coalescing operator; is_object() is also stricter (scalar/array JSON).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The review comparison block echoed title, permalink, price, discounted,
description and feature titles pulled from a referenced review block's
attributes without escaping (line 116 above already escaped, these were
missed). Escape each at the sink (esc_html/esc_url/wp_kses_post).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The wordpress.org API author field was echoed unescaped while every
sibling field was escaped. Run it through wp_kses_post (preserves the
intended anchor markup, strips scripts/handlers).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The Stripe field block echoed the id/mappedName/fieldOptionName block
attributes and the Stripe product image/description/name into HTML with
no escaping. Escape the product sinks (esc_url/esc_attr/esc_html) and
extract the field attributes into get_field_attributes() with esc_attr.

Adds Test_Render_Escaping covering the review-comparison, plugin-card
and Stripe field escaping.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Follow-up to a coverage-gap analysis of the upcoming release (development vs master). Adds the missing tests around the new Form Records admin classes, the AI usage tracker, the form Reply-To feature (#2858), the reworked visibility conditions UI (#2857), the Form Records list table, the captcha block render, the Plugin Card cache, Atomic Wind List View labels, the Live Search 'cat' regression and the Button Group global-defaults fix.
fix(security): dynamic-content meta disclosure, test-email relay, SVG upload sanitization
Bumps [codeinwp/themeisle-sdk](https://github.com/Codeinwp/themeisle-sdk) from 3.3.52 to 3.3.54.
- [Release notes](https://github.com/Codeinwp/themeisle-sdk/releases)
- [Changelog](https://github.com/Codeinwp/themeisle-sdk/blob/v3.3.54/CHANGELOG.md)
- [Commits](Codeinwp/themeisle-sdk@v3.3.52...v3.3.54)

---
updated-dependencies:
- dependency-name: codeinwp/themeisle-sdk
  dependency-version: 3.3.54
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [@automattic/babel-plugin-replace-textdomain](https://github.com/Automattic/babel-plugin-replace-textdomain) from 1.1.2 to 1.1.6.
- [Changelog](https://github.com/Automattic/babel-plugin-replace-textdomain/blob/trunk/CHANGELOG.md)
- [Commits](Automattic/babel-plugin-replace-textdomain@v1.1.2...v1.1.6)

---
updated-dependencies:
- dependency-name: "@automattic/babel-plugin-replace-textdomain"
  dependency-version: 1.1.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
const content = block.attributes?.content;

if ( 'string' === typeof tagName && HEADING_TAGS.has( tagName ) && 'string' === typeof content ) {
const text = content.replace( /<[^>]+>/g, '' ).trim();
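Review bot: the inline `content.replace( /<[^>]+>/g, '' ).trim()` derives a label by stripping tags but leaves entities such as `&amp;` encoded and drops any text between a stray `<` and the next `>`, so it is a display helper, not a sanitizer, and the resulting `text` must still be escaped wherever it is rendered. The same regex appears as the `stripTags` helper in the new file in this PR; share that one helper instead of duplicating the pattern here.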
@@ -0,0 +1,106 @@
const stripTags = ( html ) => html.replace( /<[^>]+>/g, '' ).trim();
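Review bot: `stripTags` assumes `html` is a string and will throw on `undefined`; either guard with `'string' === typeof html` inside the helper or document the precondition, since the call site shown above performs that check itself. A short JSDoc comment stating that this only removes `<...>` runs for label text (entities stay encoded, output is not HTML-safe) would keep future callers from treating it as an escaping step.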
10 participants