
Conversation

@rbcorrales
Member

All Submissions:

Changes proposed in this Pull Request:

This PR addresses Collections Block feedback from previous PRs across security, functionality, and code quality:

  1. Remove 'See All' CTA functionality and all the related code for see-all CTAs, as it will no longer be used. Conversation in feat(collections): add Collections block #4166.
  2. Escape CTA values (label, url, type, class) in get_collection_ctas_for_rest() used in REST responses, to match what render_cta() does. Conversation in test(collections): add unit tests for collections block #4172.
  3. Improve attribute sanitization by using defaults for fallbacks instead of hardcoded values. Conversation in test(collections): add unit tests for collections block #4172.

How to test the changes in this Pull Request:

  1. Test removed 'See All' functionality:
    • Verify the Collections Block editor no longer shows see-all CTA options
  2. Test CTA escaping:
    • Create a collection with malicious CTA data (<script> tags, javascript: URLs). Might require updating the DB.
    • Check REST API response contains escaped values, no raw malicious content
  3. Test attribute sanitization:
    • Create Collections Block with invalid values (numberOfItems: 0, columns: 'invalid')
    • Verify block uses defaults from DEFAULT_ATTRIBUTES array

Other information:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes, as applicable?
  • Have you successfully run tests with your changes locally?
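The two hardening steps in this PR (escaping every CTA field before it leaves the REST layer, and falling back to a defaults table rather than hardcoded minimums when a block attribute is invalid) are illustrated below as an added example. This is not the Newspack plugin's own code: the function names, the DEFAULT_ATTRIBUTES values, the allowed CTA types and the sample inputs are assumptions, and htmlspecialchars() plus an http(s) scheme allowlist stand in for the esc_attr()/esc_url() helpers WordPress provides, so the file runs with plain PHP.

```php
<?php
// Added illustration, not the plugin's implementation. Names and values are assumed.

// Stand-in for the block's DEFAULT_ATTRIBUTES table (values assumed).
const DEFAULT_ATTRIBUTES = [
    'numberOfItems' => 6,
    'columns'       => 3,
    'showTitle'     => true,
];

// Assumed allowlist of CTA types; anything else collapses to the first entry.
const ALLOWED_CTA_TYPES = [ 'primary', 'secondary' ];

/**
 * Escape one CTA (label, url, type, class) for a REST response.
 * Outside WordPress, htmlspecialchars() and a scheme allowlist stand in for
 * esc_attr() and esc_url(); the point is that the REST path applies the same
 * treatment the HTML render path already does.
 */
function escape_cta_for_rest( array $cta ): array {
    $url    = trim( (string) ( $cta['url'] ?? '' ) );
    $scheme = strtolower( (string) parse_url( $url, PHP_URL_SCHEME ) );

    // Only http(s) survive; javascript:, data: and friends become an empty string.
    if ( ! in_array( $scheme, [ 'http', 'https' ], true ) ) {
        $url = '';
    }

    $type = (string) ( $cta['type'] ?? ALLOWED_CTA_TYPES[0] );

    return [
        'label' => htmlspecialchars( (string) ( $cta['label'] ?? '' ), ENT_QUOTES | ENT_HTML5, 'UTF-8' ),
        'url'   => htmlspecialchars( $url, ENT_QUOTES | ENT_HTML5, 'UTF-8' ),
        'type'  => in_array( $type, ALLOWED_CTA_TYPES, true ) ? $type : ALLOWED_CTA_TYPES[0],
        // Class names: keep only characters a CSS class can legitimately contain.
        'class' => preg_replace( '/[^A-Za-z0-9_\- ]/', '', (string) ( $cta['class'] ?? '' ) ),
    ];
}

/**
 * Sanitize block attributes. Any missing, malformed or out-of-range value
 * falls back to the matching entry in DEFAULT_ATTRIBUTES, so there is a single
 * source of truth for fallbacks instead of magic numbers in the sanitizer.
 */
function sanitize_block_attributes( array $attributes ): array {
    $clean = DEFAULT_ATTRIBUTES;

    foreach ( DEFAULT_ATTRIBUTES as $key => $default ) {
        if ( ! array_key_exists( $key, $attributes ) ) {
            continue; // keep the default
        }
        $value = $attributes[ $key ];

        if ( is_int( $default ) ) {
            // Accept only positive integers; 0, negatives and strings like 'invalid' fall back.
            $valid         = filter_var( $value, FILTER_VALIDATE_INT );
            $clean[ $key ] = ( false !== $valid && $valid > 0 ) ? $valid : $default;
        } elseif ( is_bool( $default ) ) {
            // 'true'/'false'/'1'/'0'/'yes'/'no' are accepted; anything else falls back.
            $clean[ $key ] = filter_var( $value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE ) ?? $default;
        }
    }

    return $clean;
}

// Constructed sample input mirroring the PR's test plan.
$malicious_cta = [
    'label' => '<script>alert(1)</script>',
    'url'   => 'javascript:alert(1)',
    'type'  => 'evil',
    'class' => 'btn" onclick="x',
];
print_r( escape_cta_for_rest( $malicious_cta ) );

print_r( sanitize_block_attributes( [ 'numberOfItems' => 0, 'columns' => 'invalid', 'showTitle' => 'false' ] ) );
```

Running the file shows the script tag in `label` entity-encoded, the `javascript:` URL reduced to an empty string, the unknown `type` replaced by the allowlist's first entry, and the quote/`onclick` fragment stripped from `class`; the second call returns `numberOfItems` and `columns` at their defaults (6 and 3) with `showTitle` parsed to `false`.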

@rbcorrales rbcorrales requested a review from a team as a code owner September 12, 2025 22:25
@rbcorrales rbcorrales added the [Status] Needs Review The issue or pull request needs to be reviewed label Sep 15, 2025
@dkoo dkoo requested a review from Copilot September 15, 2025 18:25

Copilot AI left a comment


Pull Request Overview

This PR addresses Collections Block feedback from previous PRs by removing the 'See All' CTA functionality, improving CTA security through proper escaping, and enhancing attribute sanitization to use defaults instead of hardcoded values.

  • Remove all 'See All' functionality including editor controls, rendering logic, and CSS styles
  • Add proper escaping for CTA values in REST API responses to prevent XSS vulnerabilities
  • Refactor attribute sanitization to use default values from DEFAULT_ATTRIBUTES instead of hardcoded minimums

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

Summary per file:

  • tests/unit-tests/collections/class-test-collections-block.php: Remove see-all tests and enhance attribute sanitization testing
  • tests/unit-tests/collections/class-test-collection-meta.php: Add security tests for CTA escaping in REST responses
  • src/blocks/collections/styles/_ctas.scss: Remove see-all link CSS styles
  • src/blocks/collections/edit.jsx: Remove see-all editor controls and RichText component
  • src/blocks/collections/components/InspectorPanel.jsx: Remove see-all inspector panel controls
  • src/blocks/collections/class-collections-block.php: Extract attribute sanitization logic and remove see-all rendering
  • src/blocks/collections/block.json: Remove see-all attributes from block schema
  • includes/collections/class-template-helper.php: Remove see-all attribute from template defaults
  • includes/collections/class-collection-meta.php: Add CTA escaping in REST API responses


Contributor

@dkoo dkoo left a comment


Looks good!

@github-actions github-actions bot added [Status] Approved The pull request has been reviewed and is ready to merge and removed [Status] Needs Review The issue or pull request needs to be reviewed labels Sep 15, 2025
@rbcorrales rbcorrales merged commit 0d0210c into trunk Sep 15, 2025
10 checks passed
@rbcorrales rbcorrales deleted the feat/collections-block-feedback branch September 15, 2025 21:01
@github-actions

Hey @rbcorrales, good job getting this PR merged! 🎉

Now, the needs-changelog label has been added to it.

Please check if this PR needs to be included in the "Upcoming Changes" and "Release Notes" doc. If it doesn't, simply remove the label.

If it does, please add an entry to our shared document, with screenshots and testing instructions if applicable, then remove the label.

Thank you! ❤️

matticbot pushed a commit that referenced this pull request Sep 18, 2025
# [6.19.0-alpha.4](v6.19.0-alpha.3...v6.19.0-alpha.4) (2025-09-18)

### Features

* **collections:** add Collections block ([#4166](#4166)) ([ea0917b](ea0917b))
* **collections:** add logic for opening links in new tabs ([#4174](#4174)) ([ab71461](ab71461))
* **collections:** collections block feedback ([#4185](#4185)) ([2f203c1](2f203c1))
* **collections:** replace archive grid with collections block ([#4178](#4178)) ([d601445](d601445))
matticbot pushed a commit that referenced this pull request Sep 22, 2025
# [6.19.0](v6.18.3...v6.19.0) (2025-09-22)

### Bug Fixes

* **indesign-export:** remove feature flag ([#4180](#4180)) ([e3c5c7e](e3c5c7e))
* **my-account:** missing variable and template hook priority ([#4150](#4150)) ([9886618](9886618))
* **newspack-ui:** border radius and padding for buttons, modals, and segmented controls ([#4162](#4162)) ([be750ef](be750ef))
* register with empty name fields ([#4175](#4175)) ([7d6680c](7d6680c))

### Features

* **collections:** add Collections block ([#4166](#4166)) ([ea0917b](ea0917b))
* **collections:** add logic for opening links in new tabs ([#4174](#4174)) ([ab71461](ab71461))
* **collections:** collections block feedback ([#4185](#4185)) ([2f203c1](2f203c1))
* **collections:** replace archive grid with collections block ([#4178](#4178)) ([d601445](d601445))
* **newspack-ui:** add standalone dropdown button; reorganise dropdown box; add generic spacing ([#4169](#4169)) ([863da1e](863da1e))
* **woocommerce:** add custom currency symbol option ([#4155](#4155)) ([8811a7e](8811a7e))
matticbot pushed a commit that referenced this pull request Sep 25, 2025
# [6.20.0-alpha.1](v6.19.0...v6.20.0-alpha.1) (2025-09-25)

### Bug Fixes

* Improve help text for Guest Contributor checkbox ([#4187](#4187)) ([5790f3d](5790f3d))
* newspack-plugin delay ([#4184](#4184)) ([22e8dc2](22e8dc2))
* update download URL for db.php ([#4193](#4193)) ([4d363db](4d363db))

### Features

* **collections:** add Collections block ([#4166](#4166)) ([1185157](1185157))
* **collections:** add logic for opening links in new tabs ([#4174](#4174)) ([07a5545](07a5545))
* **collections:** collections block feedback ([#4185](#4185)) ([0d0210c](0d0210c))
* **collections:** remove feature flag ([#4195](#4195)) ([b1619ef](b1619ef))
* **collections:** replace archive grid with collections block ([#4178](#4178)) ([d0cbadd](d0cbadd))
* **content-gate:** add countdown block ([#4176](#4176)) ([f8fe757](f8fe757))
* **my-account:** subscription switch modal ([#4177](#4177)) ([28c26e7](28c26e7))
* subscription tier modal ([#4164](#4164)) ([4d6ebe2](4d6ebe2))
@matticbot
Contributor

🎉 This PR is included in version 6.20.0-alpha.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

matticbot pushed a commit that referenced this pull request Oct 6, 2025
# [6.20.0](v6.19.0...v6.20.0) (2025-10-06)

### Bug Fixes

* ga4 events for gate interactions and tiered modal ([#4209](#4209)) ([2d35768](2d35768))
* Improve help text for Guest Contributor checkbox ([#4187](#4187)) ([5790f3d](5790f3d))
* newspack-plugin delay ([#4184](#4184)) ([22e8dc2](22e8dc2))
* remove content gate countdown block ([0204e58](0204e58))
* update download URL for db.php ([#4193](#4193)) ([4d363db](4d363db))

### Features

* **collections:** add archive link in settings page ([#4203](#4203)) ([42694ec](42694ec))
* **collections:** add Collections block ([#4166](#4166)) ([1185157](1185157))
* **collections:** add css classes to meta elements ([#4208](#4208)) ([7fbf7e9](7fbf7e9))
* **collections:** add logic for opening links in new tabs ([#4174](#4174)) ([07a5545](07a5545))
* **collections:** collections block feedback ([#4185](#4185)) ([0d0210c](0d0210c))
* **collections:** remove feature flag ([#4195](#4195)) ([b1619ef](b1619ef))
* **collections:** replace archive grid with collections block ([#4178](#4178)) ([d0cbadd](d0cbadd))
* **content-gate:** add countdown block ([#4176](#4176)) ([f8fe757](f8fe757))
* **my-account:** subscription switch modal ([#4177](#4177)) ([28c26e7](28c26e7))
* subscription tier modal ([#4164](#4164)) ([4d6ebe2](4d6ebe2))
@matticbot
Contributor

🎉 This PR is included in version 6.20.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
