wpallstars/wp-plugin-starter-template-for-ai-coding
Template
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: improve workflow names and fix CSS indentation consistency (#18)

Browse Source 
* fix: resolve plugin class loading reliability issues

* fix: address CodeRabbit XSS and accessibility findings from PR #18

- admin/js/admin-scripts.js: replace HTML string interpolation in showNotice
  with DOM API construction and .text() to prevent XSS; whitelist type values
- admin/js/update-source-selector.js: replace .html(message) with .text(message)
  in showMessage to prevent XSS from AJAX response content
- admin/templates/modal.php: add role=dialog, aria-modal=true, aria-labelledby
  for screen reader semantics; replace <span> close control with <button> for
  keyboard operability and proper ARIA role
This commit is contained in:
Marcus Quinn
2026-03-16 18:40:09 +00:00
committed by GitHub
parent 41724f72c0
commit 1c1980bb22
7 changed files with 50 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
admin/js/admin-scripts.js
View File

@@ -105,10 +105,16 @@
* @param {string} message Notice message
*/
showNotice: function (type, message) {
const $notice = $( '<div class="wpst-notice ' + type + '"><p>' + message + '</p></div>' );
const allowedTypes = [ 'success', 'error', 'warning' ];
const safeType = allowedTypes.includes( type ) ? type : 'error';
const $p = $( '<p>' );
const $notice = $( '<div>' ).addClass( 'wpst-notice ' + safeType ).append( $p );
// Set message as plain text to prevent XSS.
$p.text( message );
// Add notice to the page.
$( '.wpst-notices' ).html( $notice );
$( '.wpst-notices' ).empty().append( $notice );
// Automatically remove notice after 5 seconds.
setTimeout(

4
admin/js/update-source-selector.js
View File

@@ -153,8 +153,8 @@
showMessage: function (type, message) {
const $message = this.$modal.find( '.wpst-modal-message' );
// Set message content and type.
$message.html( message ).removeClass( 'success error' ).addClass( type ).show();
// Set message as plain text to prevent XSS, then apply type class.
$message.text( message ).removeClass( 'success error' ).addClass( type ).show();
// Hide message after a delay for success messages.
if (type === 'success') {