Prepare for publication #5
Open
martijndebruijncredenco wants to merge 3 commits into main from
Conversation
- Rewrite readme.txt with real plugin metadata and external-services disclosure.
- Replace PHP sessions with a cookie-scoped token + WP transient store (new src/openid4vp-session.php); drop every session_start / $_SESSION site.
- Add nonce verification and input sanitization on both AJAX handlers; send the nonce from pollStatus.js and submitPresentationRequest.js.
- Escape output in render.php files; switch json_encode to wp_json_encode; wrap error HTML in wp_kses_post; escape API-supplied detail strings.
- Remove error_log() calls that dumped verified presentation bodies.
- Drop the bogus root register_block_type(__DIR__, ...) init hook.
- Delete placeholder status.php and login.php (unused, generic prefixes).
- Bump Requires PHP to 7.3 (needed for setcookie options array / SameSite).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
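The cookie-scoped token plus WP transient store that the commit above describes, written out as an added illustration. This is not the plugin's src/openid4vp-session.php; it assumes it runs inside WordPress (set_transient, get_transient, delete_transient, check_ajax_referer, wp_send_json_* and wp_localize_script are core functions), and the cookie name, action names and example_openid4vp_* function names are hypothetical:

```php
<?php
/**
 * Added example (not the plugin's own code): replace session_start()/$_SESSION with a
 * random token in a HttpOnly/Secure/SameSite cookie and the request state in a transient.
 * Assumes WordPress core functions; every example_openid4vp_* name is hypothetical.
 */

defined( 'ABSPATH' ) || exit;

const EXAMPLE_OPENID4VP_COOKIE = 'example_openid4vp_sid';
const EXAMPLE_OPENID4VP_TTL    = 10 * MINUTE_IN_SECONDS; // lifetime of a pending presentation request

/** Key the transient on a hash so the raw cookie token is never used as a storage key. */
function example_openid4vp_transient_key( $token ) {
	return 'example_openid4vp_' . hash( 'sha256', $token );
}

/** Mint a token, hand it to the browser as a cookie, store the state server-side. */
function example_openid4vp_session_start( array $state ) {
	$token = bin2hex( random_bytes( 32 ) ); // 256 bits of CSPRNG output, hex encoded
	setcookie(
		EXAMPLE_OPENID4VP_COOKIE,
		$token,
		array( // options-array form needs PHP >= 7.3, which is why the requirement was bumped
			'expires'  => time() + EXAMPLE_OPENID4VP_TTL,
			'path'     => '/',
			'secure'   => is_ssl(),
			'httponly' => true,
			'samesite' => 'Lax', // the wallet returns via a top-level navigation, so Lax still sends it
		)
	);
	set_transient( example_openid4vp_transient_key( $token ), $state, EXAMPLE_OPENID4VP_TTL );
	return $token;
}

/** Return the caller's state, or null when the cookie is missing, malformed or expired. */
function example_openid4vp_session_get() {
	if ( empty( $_COOKIE[ EXAMPLE_OPENID4VP_COOKIE ] ) ) {
		return null;
	}
	$token = (string) $_COOKIE[ EXAMPLE_OPENID4VP_COOKIE ];
	if ( ! preg_match( '/^[0-9a-f]{64}$/', $token ) ) {
		return null; // anything that is not a token we minted is ignored
	}
	$state = get_transient( example_openid4vp_transient_key( $token ) );
	return false === $state ? null : $state;
}

/** Drop both halves: the server-side state and the browser cookie. */
function example_openid4vp_session_destroy() {
	if ( ! empty( $_COOKIE[ EXAMPLE_OPENID4VP_COOKIE ] ) ) {
		delete_transient( example_openid4vp_transient_key( (string) $_COOKIE[ EXAMPLE_OPENID4VP_COOKIE ] ) );
	}
	setcookie( EXAMPLE_OPENID4VP_COOKIE, '', array( 'expires' => time() - 3600, 'path' => '/' ) );
}

/** AJAX poll handler: nonce first, then the session; no client-supplied request id is trusted. */
function example_openid4vp_ajax_poll_status() {
	check_ajax_referer( 'example_openid4vp_poll', 'nonce' ); // sends 403 and exits on a bad nonce
	$state = example_openid4vp_session_get();
	if ( null === $state ) {
		wp_send_json_error( array( 'message' => 'No pending presentation request.' ), 400 );
	}
	wp_send_json_success( array( 'status' => $state['status'] ) );
}
add_action( 'wp_ajax_example_openid4vp_poll_status', 'example_openid4vp_ajax_poll_status' );
add_action( 'wp_ajax_nopriv_example_openid4vp_poll_status', 'example_openid4vp_ajax_poll_status' );

/** The nonce that pollStatus.js must send back is exposed through wp_localize_script(). */
function example_openid4vp_localize( $handle ) {
	wp_localize_script( $handle, 'exampleOpenid4vp', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'example_openid4vp_poll' ),
	) );
}
```

The transient TTL doubles as the session lifetime, so an abandoned request cleans itself up, and because the state is keyed by a hash of the token a database dump does not yield usable cookies. The nonce check on the nopriv handler still works for anonymous visitors (WordPress derives it from the session token cookie), which is what makes the poll endpoint safe to expose without a login.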
wp_kses_post() stripped the data: scheme from the QR image src and esc_url() stripped wallet URL schemes (openid4vp://, etc.), so the block rendered an empty link and a broken image. Escape per-part instead of via wp_kses_post(), and pass the wallet schemes as allowed protocols to esc_url(). Also drop the duplicate data: prefix; qr_uri from the API already includes it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Add ABSPATH guards to all render.php files
- Unify text domain to universal-openid4vp across plugin header, admin settings, block.json files, and render/edit sources
- Bump Tested up to 6.9 and Requires PHP 7.4 in readme.txt and plugin header
- Escape render.php output per-part; document the two phpcs:ignore cases where get_block_wrapper_attributes() is echoed (core-sanitized)
- Switch wp_redirect() to wp_safe_redirect() on logout
- Add version + in_footer to wp_enqueue_script calls using a new UNIVERSAL_OPENID4VP_PLUGIN_VERSION constant
- Rename the misnamed wp_enqueue_script custom hook to a prefixed universal_openid4vp_enqueue_personal_wallet_scripts_action; drop the unused submitPresentationRequest do_action call
- Document nonce verification on $_POST['walletUrl'] (verified upstream in the AJAX handler) with phpcs:ignore
- Strip commented-out scaffold from pollStatus.js; only poll again when the response has no successUrl
- Accessible org-wallet form: label, type="url", required; mirror in edit.js (also swap invalid <p> wrapper for <div>)
- Drop the dead auth-header/token override path in org-wallet render
- Rename "organizational wallet" to "business wallet" in block title/description and readme prose
- Add .distignore so the plugin zip excludes .git, .idea, src, node_modules, package*.json, tests, local artifacts

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
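The per-part escaping that the second and third commit messages describe (wp_kses_post() drops data: image sources and esc_url() drops schemes outside its default list), shown as an added example rather than the plugin's render.php. It assumes WordPress core functions (esc_url, esc_attr, esc_attr__, esc_html__, get_block_wrapper_attributes); the $result->qr_uri and $result->request_uri fields and the qrCodeEnabled attribute are taken from the diff on this page, and the example_openid4vp_* function names are hypothetical:

```php
<?php
/**
 * Added example (not the plugin's render.php): escape the QR image and the wallet link
 * per part instead of passing the assembled HTML through wp_kses_post().
 * Assumes WordPress core functions; example_openid4vp_* names are hypothetical.
 */

defined( 'ABSPATH' ) || exit;

/** Schemes a wallet deep link may use; http/https keep same-device fallbacks working. */
function example_openid4vp_allowed_protocols() {
	return array( 'http', 'https', 'openid4vp', 'haip', 'mdoc-openid4vp', 'eudi-openid4vp' );
}

/**
 * Accept only a base64 raster image data: URI. text/html, svg (which can carry script)
 * or a javascript: value smuggled into qr_uri is rejected and the <img> is simply omitted.
 * qr_uri already carries the data: prefix, so nothing is prepended.
 */
function example_openid4vp_qr_src( $qr_uri ) {
	$qr_uri = (string) $qr_uri;
	if ( ! preg_match( '#^data:image/(png|jpeg|gif);base64,[A-Za-z0-9+/]+=*$#', $qr_uri ) ) {
		return '';
	}
	return esc_attr( $qr_uri ); // attribute context: quotes and angle brackets are neutralised
}

/** Build the block markup with each dynamic value escaped for the context it lands in. */
function example_openid4vp_render_links( $result, array $attributes ) {
	// esc_url() returns '' for a scheme not in the list, so a bad request_uri yields no link at all.
	$href = esc_url( (string) $result->request_uri, example_openid4vp_allowed_protocols() );
	$src  = ! empty( $attributes['qrCodeEnabled'] ) ? example_openid4vp_qr_src( $result->qr_uri ) : '';

	// get_block_wrapper_attributes() is already escaped by core, hence no extra escaping here.
	$html = '<div ' . get_block_wrapper_attributes() . '>';
	if ( '' !== $src ) {
		$html .= '<img id="openid4vp_qrImage" src="' . $src . '" alt="'
			. esc_attr__( 'Scan this code with your wallet', 'universal-openid4vp' ) . '" /> '
			. esc_html__( 'or', 'universal-openid4vp' ) . ' ';
	}
	if ( '' !== $href ) {
		$html .= '<a href="' . $href . '">' . esc_html__( 'open your wallet', 'universal-openid4vp' ) . '</a>';
	}
	return $html . '</div>';
}
```

The data: scheme is deliberately absent from the esc_url() list: the image source is validated against an image-only pattern and escaped with esc_attr() instead, so the link allowlist can stay limited to navigable wallet schemes.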
eklaver
reviewed
Apr 22, 2026
| <form id="org-wallet-form"> | ||
| <input type="text" id="org-wallet-url" name="walletUrl" placeholder="Enter wallet URL" /> | ||
| <button type="button" id="org-wallet-submit">Connect to wallet</button> | ||
| <label htmlFor="org-wallet-url">{ __( 'Wallet URL', 'universal-openid4vp' ) }</label> |
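Review bot: the new `<label htmlFor="org-wallet-url">` is emitted after the submit button, so in DOM order a screen reader reaches the input and the button before the text that names the field; move it above the `<input>` so the editor preview matches the source order of render.php. Only the label appears in this hunk, while the visible `<input type="text" id="org-wallet-url" name="walletUrl" placeholder="Enter wallet URL" />` still lacks the `type="url"` and `required` attributes that the commit message says were mirrored into edit.js; confirm they are applied to this input as well, otherwise the preview and render.php still diverge.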
Contributor
Suddenly there is an extra label here.
Collaborator (Author)
This is the editor view (Gutenberg) that mirrors the frontend; without this label the preview in the block editor would differ from what render.php now renders. Same reason as for the render.php change: accessibility / Plugin Check requires an associated label.
eklaver
reviewed
Apr 22, 2026
| $qr_content = $attributes['qrCodeEnabled'] ? '<img id="openid4vp_qrImage" src="data:' . $result->qr_uri . '"></>or ' : ''; | ||
| $block_content = '<div ' . get_block_wrapper_attributes() . '>' . $qr_content . 'click <a href="' . $result->request_uri . '">link</a></div>'; | ||
| $allowed_protocols = array( 'http', 'https', 'openid4vp', 'haip', 'mdoc-openid4vp', 'eudi-openid4vp' ); |
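Review bot: in the context lines `$result->qr_uri` and `$result->request_uri` are concatenated straight into `src` and `href` with no escaping, and `'data:' . $result->qr_uri` doubles the scheme that the second commit message says qr_uri already carries. The added `$allowed_protocols` array only helps once the anchor is actually built with `esc_url( $result->request_uri, $allowed_protocols )`; the image source should not go through that list (keep `data:` out of it) but through `esc_attr()` after checking it is a `data:image/...` URI. The `'></>or '` fragment is also malformed markup; close the `<img />` properly and emit the word as escaped text.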
Collaborator (Author)
Same reason as for the org-wallet variant: the personal-wallet form also had no <label> on the URL field, only a placeholder. Added in commit 9a3b42f to meet the Plugin Check / WCAG requirements before publication on wordpress.org.