Adds allow-list validation for the 'type' parameter in showMessage()
to prevent class injection vulnerabilities. The type is now checked
against ['success', 'error'] before being passed to addClass(), with
a safe fallback to 'error' for any unexpected values.
Addresses review feedback from PR #47 (gemini-code-assist finding).
Closes#76
- Convert tab indentation to 4 spaces in admin/css/admin-styles.css
and admin/css/update-source-selector.css per project coding standards
- Add stylelint and stylelint-config-standard to devDependencies
- Add lint:css npm script to enable CSS quality checking
- Update quality script to include CSS linting
The playground/multisite.html CSS rule-empty-line-before fix was already
applied in commit 3ca2fe5. This PR formally closes the quality-debt
tracking issue by verifying the fix and adding CSS linting tooling to
prevent similar regressions.
Closes#38
* fix: resolve plugin class loading reliability issues
* fix: address CodeRabbit XSS and accessibility findings from PR #18
- admin/js/admin-scripts.js: replace HTML string interpolation in showNotice
with DOM API construction and .text() to prevent XSS; whitelist type values
- admin/js/update-source-selector.js: replace .html(message) with .text(message)
in showMessage to prevent XSS from AJAX response content
- admin/templates/modal.php: add role=dialog, aria-modal=true, aria-labelledby
for screen reader semantics; replace <span> close control with <button> for
keyboard operability and proper ARIA role
- Fixed method names to use snake_case as required by WordPress coding standards
- Added proper spacing in filter_input function call
- Added periods at the end of inline comments
- Fixed parameter documentation in Plugin class
- Updated CSS media query to use context notation
