chore: improve workflow names and fix CSS indentation consistency (#18)

* fix: resolve plugin class loading reliability issues

* fix: address CodeRabbit XSS and accessibility findings from PR #18

- admin/js/admin-scripts.js: replace HTML string interpolation in showNotice
  with DOM API construction and .text() to prevent XSS; whitelist type values
- admin/js/update-source-selector.js: replace .html(message) with .text(message)
  in showMessage to prevent XSS from AJAX response content
- admin/templates/modal.php: add role=dialog, aria-modal=true, aria-labelledby
  for screen reader semantics; replace <span> close control with <button> for
  keyboard operability and proper ARIA role
This commit is contained in:
2026-03-16 18:40:09 +00:00
committed by GitHub
parent 41724f72c0
commit 1c1980bb22
7 changed files with 50 additions and 24 deletions


@@ -105,10 +105,16 @@
* @param {string} message Notice message
*/
showNotice: function (type, message) {
const $notice = $( '<div class="wpst-notice ' + type + '"><p>' + message + '</p></div>' );
const allowedTypes = [ 'success', 'error', 'warning' ];
const safeType = allowedTypes.includes( type ) ? type : 'error';
const $p = $( '<p>' );
const $notice = $( '<div>' ).addClass( 'wpst-notice ' + safeType ).append( $p );
// Set message as plain text to prevent XSS.
$p.text( message );
// Add notice to the page.
$( '.wpst-notices' ).html( $notice );
$( '.wpst-notices' ).empty().append( $notice );
// Automatically remove notice after 5 seconds.
setTimeout(
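Review bot: The JSDoc above the hunk still reads as if `message` may carry markup, but after this change it is rendered with `.text()`, so any caller that previously passed HTML (a link, `<strong>`) will now see the tags printed literally; the docblock should say so, and it should also record that `type` is restricted to the whitelist with `'error'` as the fallback. A suitable `@param` pair would be `@param {string} type One of 'success', 'error' or 'warning'; anything else is treated as 'error'.` and `@param {string} message Notice message, rendered as plain text (markup is not interpreted).` The `allowedTypes` whitelist is what makes the class concatenation on the `$notice` line safe; if a fourth type is ever added to the CSS it has to be added here too, so a one-line comment naming that coupling would help the next maintainer. showNotice's body continues past the hunk, including the `setTimeout` removal logic.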


@@ -153,8 +153,8 @@
showMessage: function (type, message) {
const $message = this.$modal.find( '.wpst-modal-message' );
// Set message content and type.
$message.html( message ).removeClass( 'success error' ).addClass( type ).show();
// Set message as plain text to prevent XSS, then apply type class.
$message.text( message ).removeClass( 'success error' ).addClass( type ).show();
// Hide message after a delay for success messages.
if (type === 'success') {
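Review bot: `type` is still passed straight into `.addClass( type )` on the new `$message.text( message )` line with no whitelist, whereas the sibling `showNotice` in admin-scripts.js now validates its `type` against `[ 'success', 'error', 'warning' ]`; where `type` originates is not visible in this hunk, but if it can ever be derived from the AJAX response the class list becomes attacker-influenced, and even for trusted callers a typo produces an unstyled message that `removeClass( 'success error' )` will never clear. For consistency with showNotice, insert `const safeType = [ 'success', 'error' ].includes( type ) ? type : 'error';` before that line and use `.addClass( safeType )` in place of `.addClass( type )`. The `if (type === 'success')` branch that follows would then compare against `safeType` as well. showMessage's body continues outside the hunk.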


@@ -12,11 +12,11 @@ if ( ! defined( 'ABSPATH' ) ) {
?>
<!-- Update Source Modal -->
<div id="wpst-update-source-modal" class="wpst-modal">
<div id="wpst-update-source-modal" class="wpst-modal" role="dialog" aria-modal="true" aria-labelledby="wpst-modal-title">
<div class="wpst-modal-content">
<div class="wpst-modal-header">
<h2 class="wpst-modal-title"><?php esc_html_e( 'Select Update Source', 'wp-plugin-starter-template' ); ?></h2>
<span class="wpst-modal-close">&times;</span>
<h2 id="wpst-modal-title" class="wpst-modal-title"><?php esc_html_e( 'Select Update Source', 'wp-plugin-starter-template' ); ?></h2>
<button type="button" class="wpst-modal-close" aria-label="<?php esc_attr_e( 'Close', 'wp-plugin-starter-template' ); ?>">&times;</button>
</div>
<div class="wpst-modal-body">