✅ Code Coverage Report

🎉 Great job maintaining/improving code coverage!

📊 File-level Coverage Changes (155 files)

🆕 New Files
Update plugin-check-action to v1.1.5
🔍 WordPress Plugin Check Report

📊 Report

| 📍 Line | 🔖 Check | 💬 Message |
|---|---|---|
| 103 | WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in | Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. |

📁 classes/suggested-tasks/providers/class-content-review.php (4 warnings)

| 📍 Line | 🔖 Check | 💬 Message |
|---|---|---|
| 232 | WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in | Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. |
| 377 | WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in | Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. |
| 381 | WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in | Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. |
| 388 | WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in | Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. |

📁 classes/suggested-tasks/data-collector/class-yoast-orphaned-content.php (1 warning)

| 📍 Line | 🔖 Check | 💬 Message |
|---|---|---|
| 111 | PluginCheck.Security.DirectDB.UnescapedDBParameter | Unescaped parameter $query used in $wpdb->get_row()<br>$query assigned unsafely at line 98. |

📁 classes/suggested-tasks/data-collector/class-terms-without-description.php (1 warning)

| 📍 Line | 🔖 Check | 💬 Message |
|---|---|---|
| 108 | PluginCheck.Security.DirectDB.UnescapedDBParameter | Unescaped parameter $query used in $wpdb->get_results()<br>$query assigned unsafely at line 106. |

📁 classes/suggested-tasks/data-collector/class-terms-without-posts.php (1 warning)

| 📍 Line | 🔖 Check | 💬 Message |
|---|---|---|
| 120 | PluginCheck.Security.DirectDB.UnescapedDBParameter | Unescaped parameter $query used in $wpdb->get_results()<br>$query assigned unsafely at line 118. |

📁 classes/activities/class-query.php (2 warnings)

| 📍 Line | 🔖 Check | 💬 Message |
|---|---|---|
| 71 | PluginCheck.Security.DirectDB.UnescapedDBParameter | Unescaped parameter $table_name used in $wpdb->query()<br>$table_name assigned unsafely at line 58. |
| 163 | PluginCheck.Security.DirectDB.UnescapedDBParameter | Unescaped parameter $where_args used in $wpdb->get_results()<br>$where_args assigned unsafely at line 153. |

🤖 Generated by WordPress Plugin Check Action • Learn more about Plugin Check
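The DirectDB warnings in the report above flag a `$query` string that is assembled before it reaches `$wpdb->get_results()` / `$wpdb->get_row()`, and a `$table_name` interpolated into `$wpdb->query()`. The pattern that keeps the checker (and the database) happy is to let `$wpdb->prepare()` place every runtime value and identifier, and to build `IN (...)` lists as one placeholder per value. The following is an added example, not Progress Planner's own code: the function, query, and column names are hypothetical, and the small `prepare()` stand-in exists only so the file runs under plain `php` outside WordPress; it imitates the `%d` and `%s` placeholders and the `%i` identifier placeholder that WordPress 6.2 added, nothing more.

```php
<?php
// Added example, not Progress Planner's own code. Shows the $wpdb->prepare()
// pattern that avoids the "Unescaped parameter $query / $table_name" warnings.

if ( ! isset( $wpdb ) ) {
	// Stand-in so the file runs under plain `php` outside WordPress. It imitates
	// only the %d, %s and %i placeholders of wpdb::prepare() (no %f, no %%).
	$wpdb = new class {
		public $prefix        = 'wp_';
		public $terms         = 'wp_terms';
		public $term_taxonomy = 'wp_term_taxonomy';

		public function prepare( string $query, ...$args ): string {
			if ( isset( $args[0] ) && is_array( $args[0] ) ) {
				$args = $args[0]; // prepare() also accepts a single array of values.
			}
			$i = 0;
			return preg_replace_callback(
				'/%([dsi])/',
				function ( array $m ) use ( &$i, $args ): string {
					$v = $args[ $i++ ] ?? '';
					switch ( $m[1] ) {
						case 'd': // integer, never quoted
							return (string) (int) $v;
						case 'i': // identifier (table/column), backtick-quoted
							return '`' . str_replace( '`', '``', (string) $v ) . '`';
						default:  // %s: escaped and quoted string
							return "'" . addslashes( (string) $v ) . "'";
					}
				},
				$query
			);
		}
	};
}

/**
 * Hypothetical data-collector query: terms of $taxonomy with an empty
 * description, optionally excluding some term IDs. Every runtime value sits
 * behind a placeholder, including the table names (%i), so the string this
 * returns can be handed to $wpdb->get_results() as-is.
 */
function prpl_example_terms_without_description( $wpdb, string $taxonomy, array $exclude_ids ): string {
	$sql  = 'SELECT t.term_id, t.name FROM %i AS t'
	      . ' INNER JOIN %i AS tt ON tt.term_id = t.term_id'
	      . " WHERE tt.taxonomy = %s AND tt.description = ''";
	$args = array( $wpdb->terms, $wpdb->term_taxonomy, $taxonomy );

	// NOT IN lists: one %d per value keeps the placeholder count in sync with
	// the argument count; non-numeric or zero IDs are dropped up front.
	$exclude_ids = array_values( array_filter( array_map( 'intval', $exclude_ids ) ) );
	if ( $exclude_ids ) {
		$sql .= ' AND t.term_id NOT IN (' . implode( ',', array_fill( 0, count( $exclude_ids ), '%d' ) ) . ')';
		$args = array_merge( $args, $exclude_ids );
	}
	return $wpdb->prepare( $sql, $args );
}

// Constructed input: a taxonomy name containing a quote and a mixed ID list.
echo prpl_example_terms_without_description( $wpdb, "FAQ's", array( 3, 'x', 7 ) ), PHP_EOL;
```

Run under plain `php`, the script prints the prepared statement with `wp_terms` and `wp_term_taxonomy` backtick-quoted, the taxonomy value quoted and escaped, and `NOT IN (3,7)` with the non-numeric entry dropped. On WordPress releases older than 6.2 the `%i` placeholder does not exist; there, table names must come from `$wpdb` properties or a fixed allowlist in code rather than from any request or option value.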
Add locale param to lesson tests
When we're acting as a host, move the menu item to position 0
Apply branding to Editor sidebar name
Revert to old onboarding system
Resolve conflict in onboarding e2e test: develop reverted to old onboarding system, so update the refactored TypeScript test to match the old form-based onboarding flow.
e2e tests refactor
Add get_per_page() helper to Suggested_Tasks widget that returns PER_PAGE_DASHBOARD (3) on the WP Dashboard screen and PER_PAGE_DEFAULT (5) on all other screens.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* WIP
* filter out the activity category
* tweak when onboarding tasks should show, pp-hosts compat
* Replace hardcoded Ravi icon with branding system icon

  Use get_admin_menu_icon() from the branding system instead of hardcoded icon_progress_planner.svg references, so hosts with custom branding automatically get their own icon everywhere. Closes #51

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix coding standards: add backslash prefix to global functions

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix e2e onboarding test: remove pre-set license key and mock remote API

  The blueprint was pre-setting progress_planner_license_key, which made is_privacy_policy_accepted() return true and the welcome screen never appeared. The onboarding test couldn't find .prpl-welcome.

  Fix: remove the license key from the blueprint so the fresh install onboarding screen shows, and mock the remote progressplanner.com API calls (get-nonce + onboard) since Playground can't reach them.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix onboarding test: wait for page reload after form submission

  After the form submit triggers the JS flow (remote API → save license key → window.location.reload()), explicitly wait for the page load event before checking for the dashboard widget.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix onboarding test: bypass remote API with direct AJAX call

  Previous approaches using page.route() failed because Playwright's route mocking doesn't intercept XMLHttpRequest in WP Playground. Instead, use page.evaluate() to call the local WP AJAX save endpoint directly, then reload the page to verify the dashboard appears.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix onboarding test: use XMLHttpRequest instead of fetch

  The fetch() API fails in Playground's service worker environment with "TypeError: Failed to fetch". Use XMLHttpRequest instead, which is the same mechanism the actual onboarding JS uses.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix e2e onboarding test for WP Playground environment

  The onboarding test was broken since the Docker→Playground migration:
  1. Blueprint pre-set the license key, hiding the welcome screen
  2. page.route() cannot intercept requests handled by Playground's service worker, so the remote API (progressplanner.com) calls in the JS onboarding flow silently fail

  Fix by:
  - Removing pre-set license key from blueprint (keep demo_data_generated to prevent Playground class from auto-generating one)
  - Using Playwright's page.request.post() to call the local WP AJAX endpoint directly — this bypasses the service worker entirely while sharing the page's auth cookies

  Works in both Playground (e2e-tests) and Docker (yoast-premium-tests).

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* apply branding to dashboard widget titles
* Pin dist-archive-command to v3.1.0 for WP-CLI 2.12 compat

  dist-archive-command v3.2.0 requires wp-cli ^2.13 but the CI runner (shivammathur/setup-php) provides 2.12.0, causing plugin-check to fail.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…andle (#762)

Allows external integrations (e.g. pp-hosts guided tour, which runs on the block editor, site editor, frontend, and non-PP admin screens) to apply the partner branding custom CSS to their own stylesheets, instead of being limited to the PP admin pages where Page::enqueue_styles() runs.

The new method is idempotent per style handle, so the per-request dedupe that previously lived on Page (via the $branding_inline_styles_added static — needed because dashboard widgets call enqueue_styles() multiple times per request) now lives with the branding class itself and works for any handle.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Fix PHPStan errors and phpunit CVE on main

  Brings main's static analysis and dependency security checks back to green:
  - Static Analysis: clear 25 pre-existing PHPStan errors. Ports develop's typed @return on Date::get_periods()/get_range() (which also resolves the Chart modify() errors), takes develop's exact versions of class-page-settings, class-activity-scores, class-chart and class-update-140, converts the WP-core require_once ignores to the @phpstan-ignore-next-line form that suppresses under PHPStan 2.1.x, and adds inline ignores elsewhere.
  - Security check: bump phpunit/phpunit 9.6.30 -> 9.6.34 in composer.lock to resolve CVE-2026-24765 (unsafe deserialization in PHPT code coverage).

* Fix abstract method fatal in test-class-security.php

  The anonymous classes extending the abstract Tasks_Interactive did not implement the abstract Tasks::should_add_task() method. phpunit 9.6.30 did not surface this, but 9.6.34 (the CVE-2026-24765 fix) does, causing a fatal when the test class loads. Implement should_add_task() in all 8 anonymous task providers.

* v1.9.1 (#763)
* Sanitize and escape prpl_recommendations title

  An authenticated Editor (or higher) could create a recommendation via POST /wp/v2/prpl_recommendations with an HTML payload in the `title` field (e.g. `<img src=x onerror=alert(1)>`). The dashboard JS template (views/js-templates/suggested-task.html) renders `title.rendered` with Underscore's unescaped `{{{ }}}` syntax, so the payload executed when an admin loaded the dashboard.

  Defense in depth:
  - Input: add a `rest_pre_insert_prpl_recommendations` filter that strips tags from `post_title` on every REST insert/update, regardless of the user's `unfiltered_html` capability. Recommendation titles are plain text, so this neutralizes the payload at the source.
  - Output (JS): route the two raw `{{{ }}}` title sinks through a new `prplSuggestedTask.sanitizeTitle()` helper, which inert-parses the value with DOMParser (no script/resource side effects) and re-escapes it, preserving legitimate entities like `&` without double-encoding the server-side `esc_html`'d provider titles.
  - Output (admin bar): the PRPL debug tool printed `post_title` unescaped into a `WP_Admin_Bar` node id (an HTML attribute) and title (rendered as raw HTML), firing the payload on every admin page in debug mode. Escape the title with `esc_html()`, use the post ID for the node id, and escape the activities node title too.
  - Also switch `updateTaskTitle` to set `.textContent` instead of `.innerHTML` for the screen-reader label, closing a self-XSS sink.

  Adds tests/phpunit/test-class-rest-recommendations-xss.php covering Editor and Administrator payloads plus a plain-text regression check.

* Bump version to 1.9.1
* add migration script and revert JS title escaping
* add inline comment, cc @tacoverdo
* Delete recommendation when sanitized title is empty

  A title that is pure markup strips to an empty string. wp_update_post() rejects an update that would leave the title, content, and excerpt all empty, so the malicious title was left in the DB. The plugin never stores title-less recommendations, so delete such rows instead.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* update readme.txt

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Fix plain-text title test to pass on multisite

  On multisite, editors lack the unfiltered_html capability, so core's kses encodes the ampersand in the test title and the byte-for-byte assertion fails. Grant the capability (via super admin on multisite) so the test isolates our XSS sanitization rather than core's kses behavior.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Grant unfiltered_html before switching user in title test

  kses_init() runs on the set_current_user hook and decides whether to attach the kses filters at switch time. The capability must be granted before wp_set_current_user(), otherwise the filters are already attached and the multisite assertion still sees the ampersand encoded.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Bump composer/composer 2.9.2 -> 2.10.0 to clear dev-dependency CVEs

  Resolves the Security check failure: composer/composer 2.9.2 (pulled in transitively via wp-cli/wp-cli-bundle in require-dev) carried CVE-2026-40176, CVE-2026-40261, and CVE-2026-45793. Targeted `composer update composer/composer --with-dependencies`; composer.json (runtime deps) unchanged. `composer audit` now reports no advisories.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Joost de Valk <joost@altha.nl>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
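The v1.9.1 commit above describes two server-side layers for the stored-XSS fix: strip markup from `post_title` on every REST insert/update regardless of `unfiltered_html`, and escape the title on output while keying the admin bar node on the post ID instead of the title. What follows is an added PHP example of those two layers, not Progress Planner's own code: the post type slug `prpl_recommendations` and the hook `rest_pre_insert_prpl_recommendations` are taken from the commit, the function names and the `prpl-debug` parent node are hypothetical, rejecting an empty stripped title with a `WP_Error` is this example's choice (the commit handles already-stored empties with a migration instead), and the `function_exists` shims only let the file run under plain `php` outside WordPress, where the real `wp_strip_all_tags()` and `esc_html()` are used.

```php
<?php
// Added example, not Progress Planner's own code: input stripping plus output
// escaping for a REST-managed post title, for the 'prpl_recommendations'
// post type named in the commit message.

// Stand-ins so the file also runs under plain `php` outside WordPress.
// Inside WordPress the real core functions exist and these are skipped.
if ( ! function_exists( 'wp_strip_all_tags' ) ) {
	function wp_strip_all_tags( $text ) {
		// Drop <script>/<style> blocks with their contents, then all remaining tags.
		$text = preg_replace( '@<(script|style)[^>]*?>.*?</\1>@si', '', (string) $text );
		return trim( strip_tags( $text ) );
	}
}
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		// double_encode=false keeps an existing "&amp;" from becoming "&amp;amp;".
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false );
	}
}

/**
 * Layer 1 (input). Callback for rest_pre_insert_prpl_recommendations.
 * $prepared_post is the stdClass WordPress is about to pass to wp_insert_post();
 * the filter runs for every REST create/update, whatever the caller's
 * capabilities, so a recommendation title can never contain markup.
 *
 * @param stdClass        $prepared_post Post data prepared from the request.
 * @param WP_REST_Request $request       The incoming request (unused here).
 * @return stdClass|WP_Error
 */
function prpl_example_sanitize_rest_title( $prepared_post, $request ) {
	if ( isset( $prepared_post->post_title ) ) {
		$title = wp_strip_all_tags( $prepared_post->post_title );
		// Collapse whitespace left behind by removed markup.
		$prepared_post->post_title = trim( preg_replace( '/\s+/', ' ', $title ) );

		// A title that was pure markup strips to nothing; reject it at the API
		// boundary instead of storing a title-less recommendation (example choice).
		if ( '' === $prepared_post->post_title && class_exists( 'WP_Error' ) ) {
			return new WP_Error(
				'rest_invalid_param',
				'Recommendation title must contain text.',
				array( 'status' => 400 )
			);
		}
	}
	return $prepared_post;
}
if ( function_exists( 'add_filter' ) ) {
	add_filter( 'rest_pre_insert_prpl_recommendations', 'prpl_example_sanitize_rest_title', 10, 2 );
}

/**
 * Layer 2 (output). Arguments for WP_Admin_Bar::add_node() built from a stored
 * recommendation. The node id is derived from the integer post ID rather than
 * the title, and the title is escaped because the admin bar renders it as HTML.
 */
function prpl_example_admin_bar_node_args( int $post_id, string $post_title ): array {
	return array(
		'id'     => 'prpl-recommendation-' . $post_id,
		'parent' => 'prpl-debug',               // hypothetical parent node
		'title'  => esc_html( $post_title ),
	);
}

// Constructed sample input: markup that must not survive the input layer.
$sample = (object) array(
	'post_title' => 'Fix <b>broken</b> links &amp; images <script>x()</script>',
);
$clean = prpl_example_sanitize_rest_title( $sample, null );
var_dump( $clean->post_title );                           // "Fix broken links &amp; images"
var_dump( prpl_example_admin_bar_node_args( 42, $clean->post_title ) );
```

Run under plain `php`, the stripped title keeps the legitimate `&amp;` entity exactly once (the `double_encode=false` behaviour of `esc_html()` is what the commit relies on for the provider titles), and the admin bar node id is `prpl-recommendation-42` regardless of what the title contained. The JS-side `sanitizeTitle()` and `.textContent` changes from the commit are a separate, client-side layer and are not shown here.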