Conversation
…cessibility
- Standardize headings in issue and pull request templates.
- Remove unnecessary comments and streamline instructions for better user experience.
- Removed the `makepot` task from Gruntfile.js as it is no longer needed.
- Updated the `build:i18n` script in package.json to use WP-CLI for generating translation files.
- Added text domain and domain path in polldaddy.php for better localization support.
- Updated the locale/polldaddy.pot file with new headers and translation strings.
Changed the domain path from `/locale` to `/languages` to match the default path. There's no reason to deviate from this.
Eliminated the call to `load_plugin_textdomain()` as it is no longer necessary after WP 4.6. WP core will now load plugin text domains just in time.
- Add composer.json with Yoast WP Test Utils for WordPress testing
- Add phpunit.xml configuration for unit and integration test suites
- Add phpunit-unit.xml for standalone testing without WordPress
- Add tests/bootstrap.php for WordPress test environment
- Add tests/TestCase.php base class with PSR-4 namespace
- Add SampleTest.php to verify framework functionality
- Include PHPUnit test scripts and coverage reporting

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Add trailing newline to tests/bootstrap.php
- Ensures all test files follow proper file ending conventions
- Addresses Gary's review feedback on PR #133

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Merge PHPCS configuration from PR #132 with PHPUnit testing setup
- Combine both testing and coding standards dependencies
- Remove unnecessary dealerdirect/phpcodesniffer-composer-installer dependency
- Add phpcs.xml configuration for WordPress coding standards
- Update .gitignore for PHPCS cache
- Fix support URLs to use correct repository paths

This resolves the potential conflict between PR #132 (PHPCS) and PR #133 (PHPUnit) by combining both functionalities into a single comprehensive configuration.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Remove duplicate phpunit-unit.xml file (only need one config)
- Rename phpunit.xml to phpunit.xml.dist for distributed version
- Update PHPUnit schema from 9.5 to 9.6
- Remove test:standalone script that referenced deleted config
- Update .gitignore to ignore phpunit.xml (allows custom local configs)

Addresses Gary's review feedback on PR #133 about PHPUnit configuration.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-authored-by: Gary Jones <gary.jones@automattic.com>
- Add declare(strict_types = 1) to all test files
- Add namespace to tests/bootstrap.php
- Implement conditional WordPress loading (only for integration tests)
- Use modern PHP syntax with closures and proper typing
- Bootstrap now checks for --testsuite integration argument
- Unit tests run without WordPress dependency

Addresses Gary's review feedback about separating unit tests from WordPress and using modern PHP practices with strict typing.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

Add PHP CodeSniffer with WordPress coding standards to improve code quality and ensure consistent coding practices across the project.

Changes:
- Add composer.json with WPCS dependencies and scripts
- Add phpcs.xml with WordPress-Extra rules and project-specific configuration
- Update .gitignore to exclude PHPCS cache files

The configuration includes:
- WordPress-Extra coding standards (includes WordPress-Core)
- PHP 5.6+ compatibility
- Text domain validation for 'polldaddy'
- Proper prefixes for global functions/variables
- Parallel processing for faster execution
- Caching for improved performance

Usage:
- composer install # Install dependencies
- composer phpcs # Check coding standards
- composer phpcbf # Fix auto-fixable issues

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
…y.com
- Applied core fix from PR 109: static.polldaddy.com → secure.polldaddy.com
- Added poll.fm URL example as requested
- Fixed both shortcode and URL-based poll conversion
- Removed static domain references from JavaScript validation
- Simple focused fix without version bumps or test complexity

Fixes poll shortcode 404 JavaScript errors by using the working domain.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

This commit provides a comprehensive fix for the CSRF vulnerability (CVE-2024-43338), implementing multi-layered security measures to prevent unauthorized access to media upload functionality.

Security Issues Addressed:
- CVE-2024-43338: CSRF vulnerability in polls media upload functionality
- Unauthorized Filter Registration: Prevents malicious registration of media upload filters
- Cross-User Attack Prevention: User-specific nonces prevent cross-user CSRF attacks

Changes Made:

Frontend Security (js/polldaddy.js):
- Minimal nonce integration preserving original minified structure
- Only 3 vulnerable URL constructions modified
- Graceful degradation if pollsMediaSecurity.nonce is unavailable
- Proper encoding using encodeURIComponent()

Backend Security (popups.php):
- Admin context verification with is_admin()
- User capability checks requiring edit_posts capability
- User-specific nonce verification using helper function
- Early return pattern for secure failure handling

Helper Function (polldaddy.php):
- Added get_polls_media_nonce() helper for consistent nonce action generation
- User-specific nonces generated per user to prevent cross-user attacks
- Scoped generation only for poll edit/create pages
- JavaScript localization via pollsMediaSecurity object

Test Coverage (tests/Unit/CSRFSecurityTest.php):
- Comprehensive test suite with 9 test methods
- Security validation for all failure conditions
- Attack simulation and CSRF attack prevention tests
- User-specific nonce generation and consistency tests

Security Design:
1. Admin Context Check: is_admin() verification
2. Capability Check: current_user_can('edit_posts') verification
3. CSRF Protection: User-specific nonce verification
4. Parameter Validation: Required parameter presence checks

This fix prevents:
- CSRF Attacks: User-specific nonces prevent cross-site request forgery
- Unauthorized Access: Capability checks ensure only authorized users can access
- Cross-User Attacks: User-bound nonces prevent attacks between authenticated users
- Non-Admin Context Abuse: Admin context verification prevents frontend exploitation
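The four-step gate listed in the commit message above, written out as an added example against the public WordPress API. This is not the plugin's own code and not its `get_polls_media_nonce()` helper or `CSRFSecurityTest`; every `example_` function name, the script handle `polldaddy-js`, and the request parameters `_wpnonce` and `poll` are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
// Added illustrative example, not the plugin's code. All "example_" names,
// the 'polldaddy-js' script handle and the request parameter names are
// assumptions standing in for the helpers the commit message describes.

/**
 * Per-user nonce action. wp_create_nonce() already mixes the user ID and
 * session token into the token; putting the user ID in the action string
 * makes the binding explicit, so a nonce minted for user A never verifies
 * for user B even if both are logged in on the same site.
 */
function example_polls_media_nonce_action( int $user_id ): string {
    return 'polls-media-upload-' . $user_id;
}

function example_polls_media_nonce(): string {
    return wp_create_nonce( example_polls_media_nonce_action( get_current_user_id() ) );
}

/**
 * Hand the nonce to the admin script as pollsMediaSecurity.nonce, and only
 * for users who could legitimately reach the upload popup. The JS side then
 * appends encodeURIComponent( pollsMediaSecurity.nonce ) to the popup URL.
 */
function example_localize_polls_media_security( string $hook_suffix ): void {
    if ( ! is_admin() || ! current_user_can( 'edit_posts' ) ) {
        return;
    }
    wp_localize_script(
        'polldaddy-js', // assumed handle of the already-enqueued admin script
        'pollsMediaSecurity',
        array( 'nonce' => example_polls_media_nonce() )
    );
}
add_action( 'admin_enqueue_scripts', 'example_localize_polls_media_security' );

/**
 * Entry point of the media-upload popup. Each check fails closed with an
 * early wp_die(), so nothing below a failed check ever executes.
 */
function example_polls_media_upload_handler(): void {
    // 1. Admin context check: the popup must not be reachable from the front end.
    if ( ! is_admin() ) {
        wp_die( esc_html__( 'Invalid context.', 'polldaddy' ), '', array( 'response' => 403 ) );
    }

    // 2. Capability check: only users who can edit posts may upload poll media.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'polldaddy' ), '', array( 'response' => 403 ) );
    }

    // 3. CSRF check: the nonce must verify against *this* user's action string.
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, example_polls_media_nonce_action( get_current_user_id() ) ) ) {
        wp_die( esc_html__( 'Security check failed.', 'polldaddy' ), '', array( 'response' => 403 ) );
    }

    // 4. Required-parameter check: reject the request before touching any poll.
    $raw_poll = isset( $_GET['poll'] ) ? (string) wp_unslash( $_GET['poll'] ) : '';
    if ( '' === $raw_poll || ! ctype_digit( $raw_poll ) ) {
        wp_die( esc_html__( 'Missing or invalid poll ID.', 'polldaddy' ), '', array( 'response' => 400 ) );
    }
    $poll_id = (int) $raw_poll;

    // ... render the upload popup for $poll_id ...
}
```

Ordering matters: the cheap context and capability checks run before the nonce check so that an unauthenticated or under-privileged request is rejected without ever consulting nonce state, and the nonce check runs before any parameter is used. In an integration test this gate can be exercised exactly as the later commit describes, by calling `wp_set_current_user()` with two different users, minting a nonce as one and submitting it as the other, and asserting the handler refuses it.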
Address Gary's feedback:
- Move CSRFSecurityTest from Unit to Integration directory (PSR-4 aligned)
- Add declare(strict_types=1) to test file
- Add proper namespace (Automattic\Crowdsignal\Tests\Integration)
- Add return type declarations to all test methods
- Create bin/install-wp-tests.sh for pulling down WP core and test suite

These are integration tests as they use WordPress testing functions like set_current_screen() and wp_set_current_user() which come from the WP testing package.

… tests
- Updated phpunit.xml.dist to include the 'partials' directory for test exclusions. This stops code coverage HTML from leaking into the CLI output.
- Refactored tests/bootstrap.php to improve integration test handling, including checks for the `--testsuite` argument.
- Moved integration TestCase into tests/Integration directory.
- Updated Composer test script to run both testsuites.

Tests can be run with:
`wp-env start --xdebug=coverage`
`wp-env run tests-cli --env-cwd=wp-content/plugins/crowdsignal-plugin composer test`

- Introduced a new CONTRIBUTING.md file to provide clear guidelines for contributors, including setup instructions, development workflow, code standards, testing procedures, and pull request submission guidelines.
- Removed the outdated DEVELOPMENT.md file to streamline documentation and avoid redundancy.
- Update out of date info in package.json.
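The conditional bootstrap that two of the commits above describe (WordPress loaded only when PHPUnit is invoked with `--testsuite integration`, unit tests left free of any WordPress dependency), as an added example. It is not the repository's tests/bootstrap.php; the Composer autoload path, the `WP_TESTS_DIR` fallback under the system temp directory, and loading polldaddy.php on `muplugins_loaded` are assumptions.

```php
<?php
declare(strict_types=1);
// Added example of a tests/bootstrap.php, not the plugin's own file. The
// vendor/autoload.php path, the WP_TESTS_DIR fallback and the plugin main
// file name are assumptions for the illustration.

namespace Automattic\Crowdsignal\Tests;

require_once dirname( __DIR__ ) . '/vendor/autoload.php';

/**
 * True when PHPUnit was started for the integration suite, i.e. with either
 * "--testsuite=integration" or the two arguments "--testsuite integration".
 * Anything else (no suite, or the unit suite) runs without WordPress.
 */
$is_integration_suite = static function ( array $argv ): bool {
    foreach ( $argv as $i => $arg ) {
        if ( '--testsuite=integration' === $arg ) {
            return true;
        }
        if ( '--testsuite' === $arg && 'integration' === ( $argv[ $i + 1 ] ?? '' ) ) {
            return true;
        }
    }
    return false;
};

if ( ! $is_integration_suite( $_SERVER['argv'] ?? array() ) ) {
    // Unit suite: stop here. Tests stub WordPress functions themselves and
    // must never touch a database or a real WP install.
    return;
}

// Integration suite: locate the WordPress test library installed by
// bin/install-wp-tests.sh (WP_TESTS_DIR wins, then the conventional temp path).
$wp_tests_dir = getenv( 'WP_TESTS_DIR' ) ?: sys_get_temp_dir() . '/wordpress-tests-lib';

if ( ! file_exists( $wp_tests_dir . '/includes/functions.php' ) ) {
    fwrite( STDERR, "WordPress test library not found at {$wp_tests_dir}; run bin/install-wp-tests.sh first.\n" );
    exit( 1 );
}

require_once $wp_tests_dir . '/includes/functions.php';

// Load the plugin under test once WordPress reaches the mu-plugins stage,
// so it is active for every integration test without a DB activation step.
\tests_add_filter(
    'muplugins_loaded',
    static function (): void {
        require dirname( __DIR__ ) . '/polldaddy.php';
    }
);

// Boots WordPress against the test database and registers WP_UnitTestCase.
require $wp_tests_dir . '/includes/bootstrap.php';
```

Keeping the early `return` above the WordPress section is what guarantees the unit suite stays fast and hermetic: a test that accidentally calls a real WordPress function fails loudly instead of silently depending on the integration environment.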
donnchawp (Contributor) approved these changes on Oct 7, 2025 and left a comment:
Since there's a security fix in this we should get it out ASAP but Plugin Check is still showing issues, especially with translation issues.
I only tested that the website loaded when I tried this branch. I expect all the separate PRs were tested properly.
- Removed the outdated phpcs.ruleset.xml file and replaced it with phpcs.xml.dist to follow best practices.
- Updated Gruntfile.js to exclude the new phpcs.xml.dist file from processing.
Although primarily a security fix release, this release also addresses a handful of other bugs.
- poll.fm URL detection for shortcodes.

There were some improvements for strings and i18n/l10n too:

And a handful of development/contributing items for the repository as well:

Once this PR is approved and merged into `main`, then the merge commit on `main` can be tagged with `3.1.3`. A new PR that then merges `main` into `develop` (to capture the changes made on this release branch) is also needed afterwards.