Skip to content

Fix Plugin Check warnings: scope PHPCS, escape shortcode output#19

Open
faisalahammad wants to merge 1 commit into
barn2plugins:mainfrom
faisalahammad:fix/plugin-check-scoping
Open

Fix Plugin Check warnings: scope PHPCS, escape shortcode output#19
faisalahammad wants to merge 1 commit into
barn2plugins:mainfrom
faisalahammad:fix/plugin-check-scoping

Conversation

@faisalahammad

Copy link
Copy Markdown

Summary

Clears ~140 of ~150 Plugin Check warnings by scoping PHPCS to plugin source, and patches the remaining real bugs in own code (shortcode output escape, deprecated add_option_whitelist, missing translators comment).

The vendored libraries under dependencies/ (barn2-lib, setup-wizard, wptrt/admin-notices) ship with their own text domains and PHPCS settings, and were producing false-positive TextDomainMismatch and OutputNotEscaped flags. The remaining flags in test infra and dev config files were picked up from the built zip and are now excluded via .distignore.

Changes

phpcs.ruleset.xml

Add <exclude-pattern> entries for dependencies/, vendor/, vendor-bin/, bin/, tests/coverage/, and dev configs.

Why: vendored libraries use their own text domains and PHPCS rules; scanning them generates noise unrelated to this plugin. Test source stays linted so test bugs still surface.

src/Document_Library_Shortcode.php

Wrap get_headers() and get_table('html') echoes in wp_kses_post(). Annotate get_attributes() echo with scoped phpcs:ignore since the attribute string is pre-escaped inside Simple_Document_Library::get_attributes().

Before:

<table <?php echo $table->get_attributes(); ?>>
    <?php echo $table->get_headers(); ?>
    <tbody>
        <?php if ( ! $table->args['lazy_load'] ) {
            echo $table->get_table( 'html' );
        } ?>
    </tbody>
</table>

After:

<table <?php echo $table->get_attributes(); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- attribute string is pre-escaped in Simple_Document_Library::get_attributes() ?>>
    <?php echo wp_kses_post( $table->get_headers(); ); ?>
    <tbody>
        <?php if ( ! $table->args['lazy_load'] ) {
            echo wp_kses_post( $table->get_table( 'html' ) );
        } ?>
    </tbody>
</table>

Why: cell content from get_row_content() is filterable via document_library_table_row_data_format and is not pre-escaped. wp_kses_post() is the safe escape at the echo site; it allows the table HTML to render while stripping unsafe attributes/tags.

src/Admin/Settings.php

Remove the function_exists( 'add_allowed_options' ) fallback in both filter_allowed_options() and allowed_options(). The plugin requires WP 6.1+ and add_allowed_options exists since WP 5.5, so the whitelist_options / add_option_whitelist branches were dead code.

Why: add_option_whitelist() has been deprecated since WP 5.5. Plugin Check flagged both call sites.

src/Admin/Settings_Tab/Search.php

Add /* translators: %s: global search link. */ comment above the __() call that uses a %s placeholder.

Why: the placeholder was undocumented, so translators could not safely reorder the sentence.

.distignore (new)

Exclude tests/, .env.example, .wp-env.json, build configs, and dev artifacts from the built plugin zip.

Why: yarn plugin-zip ships whatever is not in .distignore or .gitattributes export-ignore. Test infra files were triggering direct_file_access_protection, hidden_files, and PluginDirectoryWrite flags in the built zip. Fixing at the build level rather than patching test source.

Skipped on purpose

  • dependencies/barn2/barn2-lib/src/Plugin/I18n.php:48load_plugin_textdomain( $domain, false, $path ) second arg is deprecated. Patching it works locally but composer scoper regenerates dependencies/ from upstream and clobbers the edit. Needs an upstream barn2-lib fix.
  • dependencies/wptrt/admin-notices/src/Dismiss.php:77 heredoc flag — vendor code.
  • dependencies/barn2/barn2-lib/src/Plugin/Admin/Plugin_Updater.php plugin_updater_detected — informational; the commercial update checker ships with the lib intentionally.

Testing

Test 1: Plugin Check report cleared

  1. yarn build
  2. yarn plugin-zip
  3. Run Plugin Check against the built zip.
    Result: only the informational plugin_updater_detected flag from vendored barn2-lib remains, which is expected.

Test 2: shortcode still renders

  1. Insert [doc_library] on a page.
  2. View the page on the frontend.
    Result: table renders with same HTML as before; cell links and images still work.

Test 3: Settings page still saves

  1. Open Documents > Settings in admin.
  2. Save any tab.
    Result: form submits and persists without add_allowed_options warnings.

Test 4: built zip no longer ships dev artifacts

  1. yarn plugin-zip
  2. unzip -l document-library-lite.zip | grep -E '(tests/|\.env|\.wp-env)'
    Result: no matches.

Build artifacts

No new files outside the source tree. .distignore is a build config, not a runtime file.

…P < 5.5 fallback

phpcs.ruleset.xml: exclude vendored libraries, test coverage, and build/dev
artifacts from linting. Vendored barn2-lib, setup-wizard, and wptrt/admin-notices
ship with their own text domains and PHPCS settings; scanning them produced
~140 false-positive TextDomainMismatch and OutputNotEscaped flags. Keep
tests/ linted so test bugs still surface.

src/Admin/Settings.php: remove the function_exists('add_allowed_options')
fallback in both filter_allowed_options() and allowed_options(). The plugin
requires WP 6.1+ and add_allowed_options has existed since WP 5.5, so the
whitelist_options / add_option_whitelist branches were dead code and triggered
the Plugin Check deprecation warnings.

src/Admin/Settings_Tab/Search.php: add the missing translators comment
above the __() call that uses a %s placeholder.

src/Document_Library_Shortcode.php: wrap the table header and body echoes
in wp_kses_post(). The get_attributes() output is pre-escaped in
Simple_Document_Library::get_attributes() and is annotated with a scoped
phpcs:ignore. The get_headers() and get_table('html') outputs are cell
content from get_row_content() which is filterable via
document_library_table_row_data_format, so wp_kses_post is the safe escape
at the echo site.

.distignore: new file. Excludes tests/, .env.example, .wp-env.json, build
configs, and dev artifacts from the built plugin zip. Mirrors and extends
.gitattributes export-ignore.

The deprecated load_plugin_textdomain( $domain, false, $path ) call in
dependencies/barn2/barn2-lib/src/Plugin/I18n.php:48 is left untouched:
composer scoper regenerates dependencies/ on every run, so a manual patch
would be wiped. The deprecation needs an upstream fix in barn2-lib.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant