Skip to content

fix: escape title output to prevent XSS#3669

Merged
bfintal merged 2 commits intodevelopfrom
fix/post-title-xss
Jan 12, 2026
Merged

fix: escape title output to prevent XSS#3669
bfintal merged 2 commits intodevelopfrom
fix/post-title-xss

Conversation

@Arukuen
Copy link
Contributor

@Arukuen Arukuen commented Jan 5, 2026
edited by coderabbitai bot
Loading

Summary by CodeRabbit

  • Bug Fixes
    • Post outputs (title, category links, meta separator, date/time, comments count) are now properly escaped for safer rendering.
    • Empty post titles now display as "(Untitled)".

✏️ Tip: You can customize this high-level summary in your review settings.

@coderabbitai
Copy link

coderabbitai bot commented Jan 5, 2026
edited
Loading

📝 Walkthrough

Walkthrough

Escaped multiple outputs in post rendering to prevent XSS: title, category link hrefs and labels, meta separator, datetime attributes and displayed dates, and comments count. No control-flow or public API changes; changes are output-escaping only.

Changes

Cohort / File(s) Summary
Security: Output escaping
src/block/posts/index.php		 Escaped post title (with default "(Untitled)"), category link href and label, meta separator, <time> datetime attribute and displayed date, and comments count using appropriate esc_* functions. No logic/flow changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I nibbled through the post’s bright day,
Found sly scripts that crept to play,
I wrapped each string in safe, warm wool —
esc_* stitched seams to mend the hole. 🥕✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title correctly identifies the primary change (escaping title output for XSS prevention), though the actual changeset includes broader XSS fixes beyond just the title.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
  • 📝 Generate docstrings
📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6da2f00 and 5ba1f58.

📒 Files selected for processing (1)
  • src/block/posts/index.php
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/block/posts/index.php
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: build
  • GitHub Check: PHP 8.2 and WP 6.7.2
  • GitHub Check: PHP 7.3 and WP latest
  • GitHub Check: PHP 8.2 and WP 6.5.5
  • GitHub Check: PHP 8.2 and WP latest
  • GitHub Check: PHP 8.2 and WP 6.6.2
  • GitHub Check: PHP 7.3 and WP 6.5.5

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

github-actions bot added a commit that referenced this pull request Jan 5, 2026
@github-actions
Upload pr3669-stackable-3669-merge.zip (6da2f)
0ea9476 
Pull request: #3669
Commit: 6da2f00
@github-actions
Copy link

github-actions bot commented Jan 5, 2026
edited
Loading

🤖 Pull request artifacts

file commit
pr3669-stackable-3669-merge.zip 5ba1f58

@github-actions
Copy link

github-actions bot commented Jan 5, 2026

Try this Pull Request in the WordPress playground: https://playground.wordpress.net/?mode=seamless#{"landingPage":"/wp-admin/post-new.php?post_type=page","preferredVersions":{"php":"latest","wp":"latest"},"steps":[{"step":"login","username":"admin","password":"password"},{"step":"installPlugin","pluginZipFile":{"resource":"url","url":"https://raw.githubusercontent.com/gambitph/Stackable/artifacts/pr3669-stackable-3669-merge.zip"}}]}

@Arukuen Arukuen self-assigned this Jan 5, 2026
github-actions bot added a commit that referenced this pull request Jan 8, 2026
@github-actions
Upload pr3669-stackable-3669-merge.zip (5ba1f)
fd23cfa 
Pull request: #3669
Commit: 5ba1f58
@bfintal bfintal merged commit 7ffd155 into develop Jan 12, 2026
8 of 9 checks passed
@bfintal bfintal deleted the fix/post-title-xss branch January 12, 2026 05:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@Arukuen Arukuen

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Arukuen @bfintal