Fix Plugin Check warnings: scope PHPCS, escape shortcode output#19
Open
faisalahammad wants to merge 1 commit into
Open
Fix Plugin Check warnings: scope PHPCS, escape shortcode output#19faisalahammad wants to merge 1 commit into
faisalahammad wants to merge 1 commit into
Conversation
…P < 5.5 fallback
phpcs.ruleset.xml: exclude vendored libraries, test coverage, and build/dev
artifacts from linting. Vendored barn2-lib, setup-wizard, and wptrt/admin-notices
ship with their own text domains and PHPCS settings; scanning them produced
~140 false-positive TextDomainMismatch and OutputNotEscaped flags. Keep
tests/ linted so test bugs still surface.
src/Admin/Settings.php: remove the function_exists('add_allowed_options')
fallback in both filter_allowed_options() and allowed_options(). The plugin
requires WP 6.1+ and add_allowed_options has existed since WP 5.5, so the
whitelist_options / add_option_whitelist branches were dead code and triggered
the Plugin Check deprecation warnings.
src/Admin/Settings_Tab/Search.php: add the missing translators comment
above the __() call that uses a %s placeholder.
src/Document_Library_Shortcode.php: wrap the table header and body echoes
in wp_kses_post(). The get_attributes() output is pre-escaped in
Simple_Document_Library::get_attributes() and is annotated with a scoped
phpcs:ignore. The get_headers() and get_table('html') outputs are cell
content from get_row_content() which is filterable via
document_library_table_row_data_format, so wp_kses_post is the safe escape
at the echo site.
.distignore: new file. Excludes tests/, .env.example, .wp-env.json, build
configs, and dev artifacts from the built plugin zip. Mirrors and extends
.gitattributes export-ignore.
The deprecated load_plugin_textdomain( $domain, false, $path ) call in
dependencies/barn2/barn2-lib/src/Plugin/I18n.php:48 is left untouched:
composer scoper regenerates dependencies/ on every run, so a manual patch
would be wiped. The deprecation needs an upstream fix in barn2-lib.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Clears ~140 of ~150 Plugin Check warnings by scoping PHPCS to plugin source, and patches the remaining real bugs in own code (shortcode output escape, deprecated
add_option_whitelist, missing translators comment).The vendored libraries under
dependencies/(barn2-lib, setup-wizard, wptrt/admin-notices) ship with their own text domains and PHPCS settings, and were producing false-positiveTextDomainMismatchandOutputNotEscapedflags. The remaining flags in test infra and dev config files were picked up from the built zip and are now excluded via.distignore.Changes
phpcs.ruleset.xmlAdd
<exclude-pattern>entries fordependencies/,vendor/,vendor-bin/,bin/,tests/coverage/, and dev configs.Why: vendored libraries use their own text domains and PHPCS rules; scanning them generates noise unrelated to this plugin. Test source stays linted so test bugs still surface.
src/Document_Library_Shortcode.phpWrap
get_headers()andget_table('html')echoes inwp_kses_post(). Annotateget_attributes()echo with scopedphpcs:ignoresince the attribute string is pre-escaped insideSimple_Document_Library::get_attributes().Before:
After:
Why: cell content from
get_row_content()is filterable viadocument_library_table_row_data_formatand is not pre-escaped.wp_kses_post()is the safe escape at the echo site; it allows the table HTML to render while stripping unsafe attributes/tags.src/Admin/Settings.phpRemove the
function_exists( 'add_allowed_options' )fallback in bothfilter_allowed_options()andallowed_options(). The plugin requires WP 6.1+ andadd_allowed_optionsexists since WP 5.5, so thewhitelist_options/add_option_whitelistbranches were dead code.Why:
add_option_whitelist()has been deprecated since WP 5.5. Plugin Check flagged both call sites.src/Admin/Settings_Tab/Search.phpAdd
/* translators: %s: global search link. */comment above the__()call that uses a%splaceholder.Why: the placeholder was undocumented, so translators could not safely reorder the sentence.
.distignore(new)Exclude
tests/,.env.example,.wp-env.json, build configs, and dev artifacts from the built plugin zip.Why:
yarn plugin-zipships whatever is not in.distignoreor.gitattributesexport-ignore. Test infra files were triggeringdirect_file_access_protection,hidden_files, andPluginDirectoryWriteflags in the built zip. Fixing at the build level rather than patching test source.Skipped on purpose
dependencies/barn2/barn2-lib/src/Plugin/I18n.php:48—load_plugin_textdomain( $domain, false, $path )second arg is deprecated. Patching it works locally butcomposer scoperregeneratesdependencies/from upstream and clobbers the edit. Needs an upstream barn2-lib fix.dependencies/wptrt/admin-notices/src/Dismiss.php:77heredoc flag — vendor code.dependencies/barn2/barn2-lib/src/Plugin/Admin/Plugin_Updater.phpplugin_updater_detected— informational; the commercial update checker ships with the lib intentionally.Testing
Test 1: Plugin Check report cleared
yarn buildyarn plugin-zipResult: only the informational
plugin_updater_detectedflag from vendored barn2-lib remains, which is expected.Test 2: shortcode still renders
[doc_library]on a page.Result: table renders with same HTML as before; cell links and images still work.
Test 3: Settings page still saves
Result: form submits and persists without
add_allowed_optionswarnings.Test 4: built zip no longer ships dev artifacts
yarn plugin-zipunzip -l document-library-lite.zip | grep -E '(tests/|\.env|\.wp-env)'Result: no matches.
Build artifacts
No new files outside the source tree.
.distignoreis a build config, not a runtime file.