Skip to content

fix(comments): add Customizer toggle for comment meta position#2691

Open
faisalahammad wants to merge 2 commits into
Automattic:trunkfrom
faisalahammad:fix/2310-comment-meta-position
Open

fix(comments): add Customizer toggle for comment meta position#2691
faisalahammad wants to merge 2 commits into
Automattic:trunkfrom
faisalahammad:fix/2310-comment-meta-position

Conversation

@faisalahammad
Copy link
Copy Markdown
Contributor

@faisalahammad faisalahammad commented May 6, 2026
edited
Loading

Summary

Adds a Customizer radio control so site editors can choose whether comment author meta (avatar, name, date) appears above or below the comment content. Defaults to above for backward compatibility.

Fixes #2310

Changes

classes/class-newspack-walker-comment.php

The walker now buffers the comment-meta footer and comment-content div into separate variables via output buffering, then emits them in the order determined by the new comment_meta_position theme mod.

inc/customizer.php

New comment_meta_position setting added to the existing Comments Settings section with a radio control: "Above comment content" / "Below comment content".

Testing

Test 1: Default (above)

  1. Activate theme, visit a post with comments
  2. Comment author info appears above the comment text ✓

Test 2: Switch to below

  1. Customize → Comments Settings → select "Below comment content"
  2. Publish, refresh post
  3. Comment author info now appears below the comment text ✓

Test 3: Switch back

  1. Customize → select "Above comment content"
  2. Publish, refresh
  3. Comment author info returns above the text ✓

@faisalahammad faisalahammad requested a review from a team as a code owner May 6, 2026 06:51
@laurelfulford laurelfulford added the [Status] Needs Review The issue or pull request needs to be reviewed label May 12, 2026
dkoo
dkoo requested changes May 14, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@dkoo dkoo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@faisalahammad Thanks for the new comment meta position option! The new option works as described and passes in-browser testing. Before we can merge, please address feedback in the inline comments below:

Comment thread newspack-theme/inc/customizer.php Outdated
'comment_meta_position',
array(
'default' => 'above',
'sanitize_callback' => 'sanitize_text_field',
Copy link
Copy Markdown
Contributor

@dkoo dkoo May 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Blocker: Sanitizer is too permissive for a radio setting

'sanitize_callback' => 'sanitize_text_field' accepts any string. Walker logic at class-newspack-walker-comment.php:105 is 'above' === $value ? … : (below), so any non-above value silently flips to "below" — weakens backward-compat.

Suggested fix: Use the existing newspack_sanitize_radio helper to sanitize values against the choices registered via wp_customize->add_control().

Comment thread newspack-theme/classes/class-newspack-walker-comment.php Outdated
Comment on lines +106 to +111
echo $comment_meta; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- already escaped above
echo $comment_content; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- already escaped above
} else {
echo $comment_content; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- already escaped above
echo $comment_meta; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- already escaped above
}
Copy link
Copy Markdown
Contributor

@dkoo dkoo May 14, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 Blocker: phpcs:ignore is too eager

Since we're now directly echoing the entire buffered $comment_meta and $comment_content, these phpcs:ignore statements will silence the sniff for any future unsafe addition to the buffered region.

Suggested fix: wrap these in another wp_kses_post() to ensure safe output, or at the very least provide a more detailed comment indicating the potential security hole, e.g. ensure all buffered output is escaped above.

Comment thread newspack-theme/classes/class-newspack-walker-comment.php Outdated

$tag = ( 'div' === $args['style'] ) ? 'div' : 'li';

ob_start();
Copy link
Copy Markdown
Contributor

@dkoo dkoo May 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 Suggested fix: Exception-safe buffering

Wrap each ob_start/ob_get_clean pair in try { … } finally { … } so a throwing filter (comment_text, get_avatar, etc.) can't leave buffers stuck on the stack.

Comment thread newspack-theme/inc/customizer.php Outdated
'comment_meta_position',
array(
'type' => 'radio',
'label' => esc_html__( 'Comment Meta Position', 'newspack-theme' ),
Copy link
Copy Markdown
Contributor

@dkoo dkoo May 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: prefer sentence casing over title casing for option labels.

Suggested change
'label' => esc_html__( 'Comment Meta Position', 'newspack-theme' ),
'label' => esc_html__( 'Comment meta position', 'newspack-theme' ),

@dkoo dkoo added [Status] Needs Changes or Feeback The issue or pull request needs action from the original creator and removed [Status] Needs Review The issue or pull request needs to be reviewed labels May 14, 2026
@faisalahammad
fix(comments): add Customizer toggle for comment meta position
36af006 
Allows site editors to choose whether comment author info (avatar,
name, date) appears above or below the comment content. Uses a radio
control in the existing Comments Settings panel.

The walker now buffers comment-meta and comment-content into
separate variables and outputs them in the configured order.

Fixes Automattic#2310
@faisalahammad
fix(comments): address review feedback for comment meta position
6baa546 
- Replace sanitize_text_field with newspack_sanitize_radio for choices validation
- Wrap buffered output in wp_kses_post() instead of phpcs:ignore
- Add try/finally with level tracking for ob_start/ob_get_clean cleanup
- Use sentence casing for control label
@faisalahammad faisalahammad force-pushed the fix/2310-comment-meta-position branch from d42e620 to 6baa546 Compare May 15, 2026 15:20
@faisalahammad
Copy link
Copy Markdown
Contributor Author

faisalahammad commented May 15, 2026

Thanks for the thorough review, @dkoo! I've addressed all four points:

  1. Sanitizer — Switched from sanitize_text_field to newspack_sanitize_radio so invalid values fall back to the default instead of silently flipping to "below."
  2. phpcs:ignore — Removed all four phpcs:ignore statements and wrapped the buffered output in wp_kses_post() instead.
  3. Exception-safe buffering — Added try/finally blocks with level tracking around both ob_start/ob_get_clean pairs to prevent buffer leaks if a filter throws.
  4. Label casing — Changed "Comment Meta Position" to "Comment meta position" for sentence casing.

dkoo
dkoo approved these changes May 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@dkoo dkoo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the changes, @faisalahammad! This is looking good.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dkoo dkoo dkoo approved these changes

Assignees

No one assigned

Labels

[Status] Needs Changes or Feeback The issue or pull request needs action from the original creator

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add toggle to allow commenters' names to be shown below comments, instead of above them

3 participants

@faisalahammad @dkoo @laurelfulford