Skip to content

Fix security, bugs, and UX issues from PR #49 review#50

Merged
jdevalk merged 4 commits into
feature/merge-pro-into-freefrom
fix/pr49-review-issues
May 29, 2026
Merged

Fix security, bugs, and UX issues from PR #49 review#50
jdevalk merged 4 commits into
feature/merge-pro-into-freefrom
fix/pr49-review-issues

Conversation

@ilicfilip
Copy link
Copy Markdown
Contributor

@ilicfilip ilicfilip commented Mar 19, 2026

Summary

Fixes issues identified during code review of #49:

Security

  • Add manage_categories capability checks to all 4 AJAX handlers (merge, redirect, dismiss, get_just_deleted_term) — previously any authenticated user could call these
  • Fix XSS: escape $slug and $taxonomy with esc_attr() in HTML attributes and esc_js() in javascript: href contexts (class-helper.php)
  • Fix XSS: escape term names with esc_html() and URLs with esc_url() in AJAX response messages (class-admin-ajax.php)
  • Set allowHTML: false on all Choices.js instances to prevent HTML injection via term names

Bugs

  • Fix Redirection group option key mismatch: code was reading redirect_group but writing redirection_group, causing a new group to be created on every merge
  • Fix inverted condition (!empty || !is_intempty || !is_int) that also caused unnecessary group recreation
  • Fix get_term_link() called inside delete_term hook (term already deleted at that point, returns WP_Error); now captures permalink in pre_delete_term hook
  • Add merge row action to categories (category_row_actions) and custom taxonomies ({taxonomy}_row_actions), not just tags — matching the PR description's cross-taxonomy claim

UX / Performance

  • Scope "no redirect tool" admin notice to edit-tags screens only (was showing on every admin page)
  • Scope MutationObserver for element removal to #the-list instead of document.body
  • Use rest_base from taxonomy REST response for API endpoints (supports custom REST bases)
  • Fix typo: "cannnot" → "cannot"

Test plan

  • Verify merge action appears on tag, category, and custom taxonomy list screens
  • Verify merge creates redirect correctly (only one Redirection group, not a new one each time)
  • Verify delete-and-redirect notice shows correct permalink (not a WP_Error)
  • Verify redirect tool warning only appears on edit-tags screens
  • Verify a subscriber-role user cannot call AJAX endpoints (gets permission error)
  • composer check-cs passes
  • composer phpstan passes

🤖 Generated with Claude Code

@ilicfilip @claude
Fix security, bugs, and UX issues from PR #49 code review
784a6a2 
- Add capability checks (manage_categories) to all AJAX handlers
- Fix XSS: escape slug/taxonomy in HTML attributes and JS href contexts
- Fix XSS: escape term names and URLs in AJAX response messages
- Fix bug: Redirection group option key mismatch (redirect_group vs
  redirection_group) causing new group creation on every merge
- Fix bug: inverted condition always recreating Redirection group
- Fix bug: get_term_link called after term deletion; capture permalink
  in pre_delete_term hook instead
- Add merge action to categories and custom taxonomies, not just tags
- Scope redirect tool admin notice to edit-tags screens only
- Scope MutationObserver to #the-list instead of document.body
- Use rest_base from taxonomy object for REST API endpoints
- Set allowHTML: false on Choices.js instances
- Fix typo: cannnot -> cannot

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Mar 19, 2026
edited
Loading

Test on Playground
Test this pull request on the Playground or download the zip

ilicfilip and others added 2 commits March 19, 2026 21:53
@ilicfilip @claude
Fix PHPCS: multi-item array formatting in get_taxonomies call
987367c 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@ilicfilip @claude
Merge fewer_tags and fewer_tags_pro into a single array option
a52ad70 
Consolidate the two separate wp_options entries (fewer_tags scalar
and fewer_tags_pro array) into a single fewer_tags array option.
The Option singleton is now the single source of truth.

- Change Option class to use 'fewer_tags' instead of 'fewer_tags_pro'
- Remove Plugin::$option_name, read min_posts_count from Option singleton
- Expand migrate_option() to handle all upgrade scenarios idempotently
- Add sanitize_callback to preserve other array keys when saving settings
- Update settings field name/id for nested array structure
- Remove fewer_tags_pro cleanup from uninstall.php

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@ilicfilip ilicfilip marked this pull request as ready for review March 20, 2026 15:35
@ilicfilip
link to plugins, target="_blank" rel="noopener noreferrer"
9ef7c94 
Signed-off-by: Filip Ilic <ilic.filip@gmail.com>
@ilicfilip ilicfilip requested a review from jdevalk March 21, 2026 14:33
@jdevalk jdevalk merged commit 50db2ab into feature/merge-pro-into-free May 29, 2026
16 checks passed
@jdevalk jdevalk deleted the fix/pr49-review-issues branch May 29, 2026 06:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jdevalk jdevalk Awaiting requested review from jdevalk

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ilicfilip @jdevalk