Skip to content

fix: use wp_kses_post instead of esc_html to allow dynamic content #3620

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bfintal merged 1 commit into from
Oct 10, 2025
Merged

fix: use wp_kses_post instead of esc_html to allow dynamic content #3620

bfintal merged 1 commit into from
Oct 10, 2025

Conversation

@Arukuen
Copy link
Contributor

@Arukuen Arukuen commented Oct 9, 2025
edited by coderabbitai bot
Loading

fixes #3618

Summary by CodeRabbit

  • New Features
    • “Read More” text in stackable post items now supports basic HTML formatting (e.g., links, bold, italics). This allows richer customization of the link text while maintaining content safety through sanitization. Existing plain-text configurations continue to work without changes.

@coderabbitai
Copy link

coderabbitai bot commented Oct 9, 2025
edited
Loading

Walkthrough

Replaces esc_html(...) with wp_kses_post(...) for the Read More link text in the Posts block rendering, enabling sanitized HTML output in that specific field. No other logic or public interfaces are changed.

Changes

Cohort / File(s) Summary
Posts block rendering
src/block/posts/index.php		 Changed Read More link text sanitization from esc_html(...) to wp_kses_post(...) to allow limited HTML in dynamic content.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~7 minutes

Poem

I nibble code like clover leaves,
Swapped a guard where text weaves.
Now spans don’t shout, they softly sing—
KSES lets safe tags spring.
Hop! The Read More shines anew,
Clean and tidy, HTML-true.
Thump-thump—ship it through! 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The title succinctly summarizes the main change by stating the replacement of esc_html with wp_kses_post to support dynamic content, directly reflecting the code modification.
Linked Issues Check ✅ Passed The pull request implements the core fix from issue #3618 by swapping esc_html for wp_kses_post in the Read More Link rendering, which allows permitted HTML and ensures dynamic content displays without visible tags and with the correct value.
Out of Scope Changes Check ✅ Passed The only modification in this changeset is the escape function for the Read More Link text, and no other files or unrelated logic have been altered, so there are no out-of-scope changes.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix/3618-dynamic-read-more

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Copy link

github-actions bot commented Oct 9, 2025
edited
Loading

🤖 Pull request artifacts

file commit
pr3620-stackable-3620-merge.zip 28f870a

github-actions bot added a commit that referenced this pull request Oct 9, 2025
@github-actions
Upload pr3620-stackable-3620-merge.zip (6e614)
a133530 
Pull request: #3620
Commit: 6e6142a
@github-actions
Copy link

github-actions bot commented Oct 9, 2025

Try this Pull Request in the WordPress playground: https://playground.wordpress.net/?mode=seamless#{"landingPage":"/wp-admin/post-new.php?post_type=page","preferredVersions":{"php":"latest","wp":"latest"},"steps":[{"step":"login","username":"admin","password":"password"},{"step":"installPlugin","pluginZipFile":{"resource":"url","url":"https://raw.githubusercontent.com/gambitph/Stackable/artifacts/pr3620-stackable-3620-merge.zip"}}]}

coderabbitai[bot]
coderabbitai bot reviewed Oct 9, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 578783c and 6e6142a.

📒 Files selected for processing (1)
  • plugin.php (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: PHP 8.2 and WP 6.7.2
  • GitHub Check: PHP 8.2 and WP latest
  • GitHub Check: PHP 7.3 and WP 6.5.5
  • GitHub Check: PHP 7.3 and WP latest
  • GitHub Check: PHP 8.2 and WP 6.6.2
  • GitHub Check: PHP 8.2 and WP 6.5.5
  • GitHub Check: build

plugin.php Outdated

defined( 'STACKABLE_SHOW_PRO_NOTICES' ) || define( 'STACKABLE_SHOW_PRO_NOTICES', true );
defined( 'STACKABLE_BUILD' ) || define( 'STACKABLE_BUILD', 'free' );
defined( 'STACKABLE_BUILD' ) || define( 'STACKABLE_BUILD', 'premium' );
Copy link

@coderabbitai coderabbitai bot Oct 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

CRITICAL: Wrong code change - doesn't match PR objectives.

The PR title and description state this should fix dynamic content rendering in the Read More Link by changing esc_html to wp_kses_post, but this change modifies the plugin build type from 'free' to 'premium'. This is a completely unrelated change that would:

  1. Enable Freemius SDK loading (line 257-259)
  2. Attempt to load premium-only features (line 324-332)
  3. Fundamentally alter the plugin's initialization and feature set
  4. Not address issue Posts block – Dynamic content in Read More Link displays tags and incorrect content #3618 at all

This appears to be either:

  • Code committed to the wrong branch
  • An accidental change that wasn't intended
  • A completely incorrect PR description

The actual fix for issue #3618 should be in the Posts block rendering code (likely in src/block/posts/ directory) where the Read More Link is output, not in the main plugin initialization file.

@Arukuen Arukuen force-pushed the fix/3618-dynamic-read-more branch from 6e6142a to 28f870a Compare October 9, 2025 01:46
github-actions bot added a commit that referenced this pull request Oct 9, 2025
@github-actions
Upload pr3620-stackable-3620-merge.zip (28f87)
e574b79 
Pull request: #3620
Commit: 28f870a
coderabbitai[bot]
coderabbitai bot reviewed Oct 9, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
src/block/posts/index.php (1)

57-61: Consider reviewing sanitization consistency for title replacement.

While reviewing the sanitization approach in this file, I noticed that the title replacement (line 61) doesn't apply any sanitization function before inserting $title into the template. For consistency and defense-in-depth, consider whether wp_kses_post() or esc_html() should be applied here as well, depending on whether titles should support HTML formatting.

Note: This is a broader consistency observation and not directly related to the current fix.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6e6142a and 28f870a.

📒 Files selected for processing (1)
  • src/block/posts/index.php (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: PHP 8.2 and WP 6.5.5
  • GitHub Check: PHP 8.2 and WP 6.7.2
  • GitHub Check: PHP 8.2 and WP 6.6.2
  • GitHub Check: PHP 7.3 and WP 6.5.5
  • GitHub Check: PHP 8.2 and WP latest
  • GitHub Check: PHP 7.3 and WP latest
🔇 Additional comments (1)
src/block/posts/index.php (1)

135-135: Approve change: use wp_kses_post for Read More link
Using wp_kses_post() instead of esc_html() correctly allows safe HTML (e.g. <span>) in the Read More link while preserving sanitization and matching the excerpt handling.

@bfintal bfintal merged commit 612e761 into develop Oct 10, 2025
8 of 9 checks passed
@bfintal bfintal deleted the fix/3618-dynamic-read-more branch October 10, 2025 07:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Posts block – Dynamic content in Read More Link displays tags and incorrect content

3 participants

@Arukuen @bfintal