Merge branch 'develop' of github.com:10up/insecure-content-warning in…

…to develop
10up · Jan 30, 2024 · 0e7e4a0 · 0e7e4a0
2 parents dab1890 + faf0a5e
commit 0e7e4a0
Show file tree

Hide file tree

Showing 26 changed files with 9,306 additions and 4,280 deletions.
diff --git a/.distignore b/.distignore
@@ -6,16 +6,19 @@
 /node_modules
 /tests
 /src
+/vendor
 
 # Files
 .*
-babel.config.js
 CHANGELOG.md
 CODE_OF_CONDUCT.md
+composer.json
+compser.lock
 CONTRIBUTING.md
 CREDITS.md
 LICENSE.md
 package-lock.json
 package.json
-postcss.config.js
+phpcs.xml
 README.md
+webpack.config.js
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,5 +1,5 @@
-# These owners will be the default owners for everything in the repo. Unless a later match takes precedence, @10up/open-source-practice, as primary maintainers will be requested for review when someone opens a Pull Request.
-*                   @10up/open-source-practice
+# These owners will be the default owners for everything in the repo. Unless a later match takes precedence, @jeffpaul and @dkotter, as primary maintainers will be requested for review when someone opens a Pull Request.
+*                   @jeffpaul @dkotter
 
 # GitHub and WordPress.org specifics
 /.github/           @jeffpaul

diff --git a/.github/workflows/cypress.yml b/.github/workflows/cypress.yml
@@ -44,7 +44,7 @@ jobs:
       matrix:
         core:
           - {name: 'WP latest', version: 'latest'}
-          - {name: 'WP minimum', version: 'WordPress/WordPress#5.7'}
+          - {name: 'WP minimum', version: 'WordPress/WordPress#5.8'}
           - {name: 'WP trunk', version: 'WordPress/WordPress#master'}
     steps:
     - name: Checkout
@@ -71,10 +71,19 @@ jobs:
     - run: npm ci
       if: ${{ steps.cache-node.outputs.cache-hit != 'true' }}
     - run: npm run build
-      if: ${{ steps.cache-build.outputs.cache-hit != 'true' }}
     - name: Set the core version
       run: ./tests/bin/set-core-version.js ${{ matrix.core.version }}
     - name: Set up WP environment
       run: npm run env:start
     - name: Test
       run: npm run cypress:run
+    - name: Upload artifacts
+      uses: actions/upload-artifact@v3
+      if: failure()
+      with:
+        name: cypress-artifact-insecure-content-warning
+        retention-days: 2
+        path: |
+          ${{ github.workspace }}/tests/cypress/screenshots/
+          ${{ github.workspace }}/tests/cypress/videos/
+          ${{ github.workspace }}/tests/cypress/logs/
diff --git a/.github/workflows/dotorg-asset-readme-update.yml b/.github/workflows/dotorg-asset-readme-update.yml
@@ -4,15 +4,28 @@ on:
   push:
     branches:
     - trunk
-    
+
 jobs:
   trunk:
     name: Push to trunk
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Setup node version
+      uses: actions/setup-node@v4
+      with:
+        node-version-file: .nvmrc
+        cache: npm
+
+    - name: Build
+      run: |
+        npm install
+        npm run build
+
     - name: WordPress.org plugin asset/readme update
       uses: 10up/action-wordpress-plugin-asset-update@stable
       env:
         SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }}
-        SVN_USERNAME: ${{ secrets.SVN_USERNAME }}
+        SVN_USERNAME: ${{ secrets.SVN_USERNAME }}
diff --git a/.github/workflows/php-compatibility.yml b/.github/workflows/php-compatibility.yml
@@ -0,0 +1,36 @@
+name: PHP Compatibility
+
+on:
+  push:
+    branches:
+      - develop
+      - trunk
+  pull_request:
+    branches:
+      - develop
+
+jobs:
+  php-compatibility:
+    name: PHP minimum 7.4
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Set PHP version
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '7.4'
+          tools: composer:v2
+          coverage: none
+
+      - name: Install dependencies
+        run: composer install
+
+      - name: Run PHP Compatibility on all files.
+        run: vendor/bin/phpcs includes --standard=PHPCompatibilityWP --extensions=php --runtime-set testVersion 7.4-
+
+      - name: Run PHP Compatibility on main file.
+        run: vendor/bin/phpcs insecure-content-warning.php --standard=PHPCompatibilityWP --extensions=php --runtime-set testVersion 5.6-
diff --git a/.github/workflows/repo-automator.yml b/.github/workflows/repo-automator.yml
@@ -0,0 +1,32 @@
+name: 'Repo Automator'
+on:
+  issues:
+    types:
+      - opened
+  push:
+    branches:
+      - develop
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - converted_to_draft
+      - ready_for_review
+    branches:
+      - develop
+
+jobs:
+  Validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: 10up/action-repo-automator@trunk
+        with:
+          fail-label: needs:feedback
+          pass-label: needs:code-review
+          conflict-label: needs:refresh
+          sync-pr-branch: true
+          reviewers: |
+            team:open-source-practice
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -2,6 +2,7 @@ node_modules
 npm-debug.log
 dist/
 build/
+vendor
 
 # Mac OSX
 .DS_Store
@@ -17,3 +18,5 @@ Desktop.ini
 
 tests/cypress/screenshots/
 tests/cypress/videos/
+
+vendor
diff --git a/.stylelintrc b/.stylelintrc
diff --git a/.wordpress-org/blueprints/blueprint.json b/.wordpress-org/blueprints/blueprint.json
@@ -0,0 +1,36 @@
+{
+	"$schema": "https://playground.wordpress.net/blueprint-schema.json",
+	"landingPage": "\/wp-admin\/post.php?post=9&action=edit",
+	"preferredVersions": {
+		"php": "7.4",
+		"wp": "latest"
+	},
+	"phpExtensionBundles": ["kitchen-sink"],
+	"features": {
+		"networking": true
+	},
+	"steps": [
+		{
+			"step": "login",
+			"username": "admin",
+			"password": "password"
+		},
+		{
+			"step": "installPlugin",
+			"pluginZipFile": {
+				"resource": "wordpress.org\/plugins",
+				"slug": "insecure-content-warning"
+			},
+			"options": {
+				"activate": true
+			}
+		},
+		{
+			"step": "importFile",
+			"file": {
+				"resource": "url",
+				"url": "https:\/\/raw.githubusercontent.com\/10up\/insecure-content-warning\/6102837ca26c1d0b05ba15ef9d1b7d63f5201ff9\/.wordpress-org/blueprints\/demo-data.xml"
+			}
+		}
+	]
+}
diff --git a/.wordpress-org/blueprints/demo-data.xml b/.wordpress-org/blueprints/demo-data.xml
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!-- This is a WordPress eXtended RSS file generated by WordPress as an export of your site. -->
+<!-- It contains information about your site's posts, pages, comments, categories, and other content. -->
+<!-- You may use this file to transfer that content from one site to another. -->
+<!-- This file is not intended to serve as a complete backup of your site. -->
+
+<!-- To import this information into a WordPress site follow these steps: -->
+<!-- 1. Log in to that site as an administrator. -->
+<!-- 2. Go to Tools: Import in the WordPress admin panel. -->
+<!-- 3. Install the "WordPress" importer from the list. -->
+<!-- 4. Activate & Run Importer. -->
+<!-- 5. Upload this file using the form provided on that page. -->
+<!-- 6. You will first be asked to map the authors in this export file to users -->
+<!--    on the site. For each author, you may choose to map to an -->
+<!--    existing user on the site or to create a new user. -->
+<!-- 7. WordPress will then import each of the posts, pages, comments, categories, etc. -->
+<!--    contained in this file into your site. -->
+
+	<!-- generator="WordPress/6.4.2" created="2023-12-19 20:50" -->
+<rss version="2.0"
+	xmlns:excerpt="http://wordpress.org/export/1.2/excerpt/"
+	xmlns:content="http://purl.org/rss/1.0/modules/content/"
+	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
+	xmlns:dc="http://purl.org/dc/elements/1.1/"
+	xmlns:wp="http://wordpress.org/export/1.2/"
+>
+
+<channel>
+	<title>My WordPress Website</title>
+	<link>https://playground.wordpress.net/</link>
+	<description></description>
+	<pubDate>Tue, 19 Dec 2023 20:50:47 +0000</pubDate>
+	<language>en-US</language>
+	<wp:wxr_version>1.2</wp:wxr_version>
+	<wp:base_site_url>https://playground.wordpress.net/</wp:base_site_url>
+	<wp:base_blog_url>https://playground.wordpress.net/</wp:base_blog_url>
+
+		<wp:author><wp:author_id>1</wp:author_id><wp:author_login><![CDATA[admin]]></wp:author_login><wp:author_email><![CDATA[[email protected]]]></wp:author_email><wp:author_display_name><![CDATA[admin]]></wp:author_display_name><wp:author_first_name><![CDATA[]]></wp:author_first_name><wp:author_last_name><![CDATA[]]></wp:author_last_name></wp:author>
+
+
+	<generator>https://wordpress.org/?v=6.4.2</generator>
+
+		<item>
+		<title><![CDATA[Insecure content demo]]></title>
+		<link>https://playground.wordpress.net/?p=9</link>
+		<pubDate></pubDate>
+		<dc:creator><![CDATA[admin]]></dc:creator>
+		<guid isPermaLink="false">https://playground.wordpress.net/?p=9</guid>
+		<description></description>
+		<content:encoded><![CDATA[<!-- wp:paragraph -->
+<p>This post has an image that is using an insecure URL.</p>
+<!-- /wp:paragraph -->
+
+<!-- wp:paragraph -->
+<p>Try publishing this post to see this image get flagged.</p>
+<!-- /wp:paragraph -->
+
+<!-- wp:image {"sizeSlug":"large"} -->
+<figure class="wp-block-image size-large"><img src="http://upload.wikimedia.org/wikipedia/commons/7/7a/Basketball.png" alt=""/></figure>
+<!-- /wp:image -->]]></content:encoded>
+		<excerpt:encoded><![CDATA[]]></excerpt:encoded>
+		<wp:post_id>9</wp:post_id>
+		<wp:post_date><![CDATA[2023-12-19 20:50:38]]></wp:post_date>
+		<wp:post_date_gmt><![CDATA[0000-00-00 00:00:00]]></wp:post_date_gmt>
+		<wp:post_modified><![CDATA[2023-12-19 20:50:38]]></wp:post_modified>
+		<wp:post_modified_gmt><![CDATA[2023-12-19 20:50:38]]></wp:post_modified_gmt>
+		<wp:comment_status><![CDATA[open]]></wp:comment_status>
+		<wp:ping_status><![CDATA[open]]></wp:ping_status>
+		<wp:post_name><![CDATA[]]></wp:post_name>
+		<wp:status><![CDATA[draft]]></wp:status>
+		<wp:post_parent>0</wp:post_parent>
+		<wp:menu_order>0</wp:menu_order>
+		<wp:post_type><![CDATA[post]]></wp:post_type>
+		<wp:post_password><![CDATA[]]></wp:post_password>
+		<wp:is_sticky>0</wp:is_sticky>
+										<category domain="category" nicename="uncategorized"><![CDATA[Uncategorized]]></category>
+						</item>
+				</channel>
+</rss>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,29 @@ All notable changes to this project will be documented in this file, per [the Ke
 
 ## [Unreleased] - TBD
 
+## [1.2.0] - 2023-10-16
+**Note that this release bumps the WordPress minimum version from 5.7 to 5.8.**
+
+### Added
+- Ensure that saving using the keyboard shortcut `Ctrl|Command + S` triggers the insecure content check (props [@Sidsector9](https://github.com/Sidsector9), [@dinhtungdu](https://github.com/dinhtungdu), [@jeffpaul](https://github.com/jeffpaul), [@faisal-alvi](https://github.com/faisal-alvi) via [#56](https://github.com/10up/insecure-content-warning/pull/56)).
+- New admin screen to bulk fix insecure content (props [@kmgalanakis](https://github.com/kmgalanakis), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#112](https://github.com/10up/insecure-content-warning/pull/112)).
+- Composer, with PHPCBF and PHPCS to aid with coding standards (props [@cameronterry](https://github.com/cameronterry), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#127](https://github.com/10up/insecure-content-warning/pull/127)).
+- Check for minimum required PHP version before loading the plugin (props [@kmgalanakis](https://github.com/kmgalanakis), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#135](https://github.com/10up/insecure-content-warning/pull/135)).
+- Repo Automater GitHub Action added to automate common repo operations (props [@iamdharmesh](https://github.com/iamdharmesh), [@jeffpaul](https://github.com/jeffpaul) via [#142](https://github.com/10up/insecure-content-warning/pull/142)).
+
+### Changed
+- Bump WordPress "tested up to" version to 6.3 (props [@kmgalanakis](https://github.com/kmgalanakis), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter) via [#140](https://github.com/10up/insecure-content-warning/pull/140), [#144](https://github.com/10up/insecure-content-warning/pull/144)).
+- Bump WordPress minimum supported version from 5.7 to 5.8 (props [@iamdharmesh](https://github.com/iamdharmesh), [@dkotter](https://github.com/dkotter) via [#145](https://github.com/10up/insecure-content-warning/pull/145)).
+
+### Fixed
+- Properly handle fixing of multiple different instances of insecure content (props [@kmgalanakis](https://github.com/kmgalanakis), [@iamdharmesh](https://github.com/iamdharmesh) via [#139](https://github.com/10up/insecure-content-warning/pull/139)).
+- Ensure all Cypress E2E tests pass when running on WordPress 6.3 (props [@iamdharmesh](https://github.com/iamdharmesh), [@dkotter](https://github.com/dkotter) via [#145](https://github.com/10up/insecure-content-warning/pull/145)).
+
+### Security
+- Bump `stylelint` from 9.10.1 to 15.10.1 (props [@dependabot](https://github.com/apps/dependabot), [@ravinderk](https://github.com/ravinderk) via [#126](https://github.com/10up/insecure-content-warning/pull/126)).
+- Bump `cypress` from 11.2.0 to 13.2.0, `@10up/cypress-wp-utils` from 0.1.0 to 0.2.0 and `@wordpress/env` from 5.8.0 to 8.7.0 (props [@iamdharmesh](https://github.com/iamdharmesh), [@dkotter](https://github.com/dkotter) via [#145](https://github.com/10up/insecure-content-warning/pull/145)).
+- Bump `postcss` from 8.4.27 to 8.4.31 (props [@dependabot](https://github.com/apps/dependabot), [@Sidsector9](https://github.com/Sidsector9) via [#147](https://github.com/10up/insecure-content-warning/pull/147)).
+
 ## [1.1.0] - 2023-06-21
 ### Added
 - `View element` link to highlight and auto-scroll to the insecure element (props [@cadic](https://github.com/cadic), [@peterwilsoncc](https://github.com/peterwilsoncc), [@psorensen](https://github.com/psorensen), [@adamsilverstein](https://github.com/adamsilverstein), [@dkotter](https://github.com/dkotter) via [#73](https://github.com/10up/insecure-content-warning/pull/73)).
@@ -70,6 +93,7 @@ All notable changes to this project will be documented in this file, per [the Ke
 - Initial public release! 🎉
 
 [Unreleased]: https://github.com/10up/insecure-content-warning/compare/trunk...develop
+[1.2.0]: https://github.com/10up/insecure-content-warning/compare/1.1.0...1.2.0
 [1.1.0]: https://github.com/10up/insecure-content-warning/compare/1.0.3...1.1.0
 [1.0.3]: https://github.com/10up/insecure-content-warning/compare/1.0.2...1.0.3
 [1.0.2]: https://github.com/10up/insecure-content-warning/compare/1.0.1...1.0.2

diff --git a/CREDITS.md b/CREDITS.md
@@ -10,7 +10,7 @@ The following individuals are responsible for curating the list of issues, respo
 
 Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc.
 
-[Peter Sorensen (@psorensen)](https://github.com/psorensen), [Curtis Loisel (@csloisel)](https://github.com/csloisel), [David Green (@davidrgreen)](https://github.com/davidrgreen), [Taylor Lovett (@tlovett1)](https://github.com/tlovett1), [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [William Patton (@pattonwebz)](https://github.com/pattonwebz), [Helen Hou-Sandi (@helen)](https://github.com/helen), [Zachary Brown (@TheLastCicada)](https://github.com/TheLastCicada), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Thrijith Thankachan (@thrijith)](https://github.com/thrijith), [David Chandra Purnama (@turtlepod)](https://github.com/turtlepod), [Cassi Goozen (@cgoozen)](https://profiles.wordpress.org/cgoozen/), [Mohit Dadhich (@mohitwp)](https://github.com/mohitwp), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Jayedul Kabir (@jayedul)](https://github.com/jayedul), [Max Lyuchin (@cadic)](https://github.com/cadic), [Nate Conley (@nateconley)](https://github.com/nateconley), [GitHub Dependabot (@dependabot)](https://github.com/apps/dependabot).
+[Peter Sorensen (@psorensen)](https://github.com/psorensen), [Curtis Loisel (@csloisel)](https://github.com/csloisel), [David Green (@davidrgreen)](https://github.com/davidrgreen), [Taylor Lovett (@tlovett1)](https://github.com/tlovett1), [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [William Patton (@pattonwebz)](https://github.com/pattonwebz), [Helen Hou-Sandi (@helen)](https://github.com/helen), [Zachary Brown (@TheLastCicada)](https://github.com/TheLastCicada), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Thrijith Thankachan (@thrijith)](https://github.com/thrijith), [David Chandra Purnama (@turtlepod)](https://github.com/turtlepod), [Cassi Goozen (@cgoozen)](https://profiles.wordpress.org/cgoozen/), [Mohit Dadhich (@mohitwp)](https://github.com/mohitwp), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Jayedul Kabir (@jayedul)](https://github.com/jayedul), [Max Lyuchin (@cadic)](https://github.com/cadic), [Nate Conley (@nateconley)](https://github.com/nateconley), [GitHub Dependabot (@dependabot)](https://github.com/apps/dependabot), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Konstantinos Galanakis (@kmgalanakis)](https://github.com/kmgalanakis), [Cameron Terry (@cameronterry)](https://github.com/cameronterry), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk).
 
 ## Libraries
 

diff --git a/README.md b/README.md
@@ -17,7 +17,7 @@ Compatible with both the block and classic editors.
 ## Requirements
 
 * PHP 7.4+.
-* WordPress 5.7+.
+* WordPress 5.8+.
 * A secure / SSL (HTTPS) website, front and back end.
 
 ## Installation

diff --git a/composer.json b/composer.json
@@ -0,0 +1,30 @@
+{
+    "name": "10up/insecure-content-warning",
+    "description": "Prevent editors from adding insecure content in the editor.",
+    "type": "wordpress-plugin",
+    "license": "GPL-2.0-or-later",
+    "authors": [
+      {
+        "name": "10up",
+        "email": "[email protected]",
+        "homepage": "https://10up.com/",
+        "role": "Developer"
+      }
+    ],
+    "require": {
+      "php": ">=7.4"
+    },
+    "require-dev": {
+        "10up/phpcs-composer": "dev-master"
+    },
+    "scripts": {
+      "lint": "./vendor/bin/phpcs . -p -s",
+      "lint-fix": "./vendor/bin/phpcbf .",
+      "phpcs:compat": "./vendor/bin/phpcs includes -p --standard=PHPCompatibilityWP --extensions=php --runtime-set testVersion 7.4- && ./vendor/bin/phpcs insecure-content-warning.php -p --standard=PHPCompatibilityWP --extensions=php --runtime-set testVersion 5.6-"
+    },
+    "config": {
+        "allow-plugins": {
+            "dealerdirect/phpcodesniffer-composer-installer": true
+        }
+    }
+}