
Harden block render output escaping and validate attributes before GitHub API calls #16

Description

@mathetos

While working on the plugin locally I walked through src/Block.php and noticed a few spots where output escaping and attribute handling could be tightened.

Most of the dynamic values coming back from the GitHub API are passed through esc_html_e(), which is meant for translatable literal strings, not for URLs, usernames, or repo names. A few places also echo API fields without an escaping wrapper at all. That means values like avatar URLs, repo links, and descriptions are not going through the right functions (esc_url(), esc_attr(), esc_html() as appropriate). The same file also builds GitHub request URLs from block attributes such as profileName and repoUrl without validating the shape of those strings first, which could be worth hardening if attributes are ever writable outside a fully trusted editor context.

There is also a small markup bug in the WP error branch where a closing </div tag is missing its >, and profile mode assumes the repos response is always an object with an items property even when the fetch path returns an error string.

I put together a focused hardening pass in #15.
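The hardened shape the issue describes, added here as an example rather than code from the plugin or from PR #15: the attribute validators are plain PHP, while `gh_block_render_repos()` assumes WordPress is loaded for `esc_url()`, `esc_attr()`, `esc_html()` and `__()`. All function names, the `gh_block_` prefix and the `gh-block` text domain are assumed.

```php
<?php
// Added example, not the plugin's own code. Validators are plain PHP;
// the render helper assumes WordPress escaping functions are available.

// GitHub usernames: 1-39 chars, alphanumerics or single hyphens, no leading,
// trailing or doubled hyphen. Anything else is rejected before it reaches a URL.
function gh_block_validate_profile_name( $name ) {
    if ( ! is_string( $name ) ) {
        return null;
    }
    return preg_match( '/^(?!-)(?!.*--)[A-Za-z0-9-]{1,39}(?<!-)$/', $name ) ? $name : null;
}

// Accept only https://github.com/{owner}/{repo} and return the normalized
// pair; other hosts, extra path segments and "." / ".." are rejected.
function gh_block_validate_repo_url( $url ) {
    $parts = is_string( $url ) ? parse_url( $url ) : false;
    if ( ! $parts || ( $parts['scheme'] ?? '' ) !== 'https' || ( $parts['host'] ?? '' ) !== 'github.com' ) {
        return null;
    }
    if ( ! preg_match( '#^/([A-Za-z0-9-]{1,39})/([A-Za-z0-9_.-]{1,100})/?$#', $parts['path'] ?? '', $m ) ) {
        return null;
    }
    if ( '.' === $m[2] || '..' === $m[2] ) {
        return null;
    }
    return array( 'owner' => $m[1], 'repo' => $m[2] );
}

// Build the request URL only from validated pieces, never from the raw attribute.
function gh_block_repo_api_url( array $attrs ) {
    $repo = gh_block_validate_repo_url( $attrs['repoUrl'] ?? '' );
    return $repo ? 'https://api.github.com/repos/' . rawurlencode( $repo['owner'] ) . '/' . rawurlencode( $repo['repo'] ) : null;
}

// $repos is whatever the fetch path returned: an object with ->items on
// success or an error string, so check the shape before touching ->items.
function gh_block_render_repos( $repos ) {
    if ( ! is_object( $repos ) || ! isset( $repos->items ) || ! is_array( $repos->items ) ) {
        $msg = is_string( $repos ) ? $repos : __( 'Unable to load repositories.', 'gh-block' );
        return '<div class="gh-block-error">' . esc_html( $msg ) . '</div>';
    }
    $html = '';
    foreach ( $repos->items as $item ) {
        // URL through esc_url(), attribute values through esc_attr(), text
        // nodes through esc_html(); none of these is a translatable literal.
        $html .= '<div class="gh-block-repo"><a href="' . esc_url( $item->html_url ?? '' ) . '"'
            . ' title="' . esc_attr( $item->full_name ?? '' ) . '">' . esc_html( $item->name ?? '' ) . '</a>'
            . '<p>' . esc_html( $item->description ?? '' ) . '</p></div>';
    }
    return $html;
}
```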
