fix: WordPress.org review compliance - remove load_plugin_textdomain, fix sanitization warnings, fix release pipeline ZIP, remove dead frontend assets

Author: novincode

.github/workflows/release.yml

@@ -37,17 +37,17 @@ jobs:
         run: echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
 
       - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
-          files: dist/openfields-*.zip
+          files: dist/codeideal-open-fields-*.zip
           draft: false
           prerelease: false
           body: |
-            # OpenFields v${{ steps.get_version.outputs.version }}
+            # Codeideal Open Fields v${{ steps.get_version.outputs.version }}
 
             ## Installation
 
-            1. Download `openfields-${{ steps.get_version.outputs.version }}.zip` below
+            1. Download `codeideal-open-fields-${{ steps.get_version.outputs.version }}.zip` below
             2. Go to WordPress Admin → **Plugins** → **Add New**
             3. Click **Upload Plugin** and select the ZIP file
             4. Click **Install Now** and then **Activate Plugin**
@@ -58,7 +58,7 @@ jobs:
 
             ---
 
-            **OpenFields** - The free, open-source alternative to ACF for WordPress
+            **Codeideal Open Fields** - The free, open-source custom fields plugin for WordPress
             
             [Documentation](https://openfields.codeideal.com/docs) | [GitHub](https://github.com/novincode/openfields)
         env:

plugin/includes/admin/class-cof-meta-box.php

@@ -511,7 +511,7 @@ public function save_post( $post_id, $post, $update ) {
 					// Standard field save.
 					$field_name = $field->name;
 					$meta_key   = self::META_PREFIX . $field_name;
-					// phpcs:ignore WordPress.Security.NonceVerification.Missing
+					// phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized via $this->sanitize_value() below.
 					$raw_value  = isset( $_POST[ $meta_key ] ) ? wp_unslash( $_POST[ $meta_key ] ) : '';
 
 
@@ -585,7 +585,7 @@ private function save_repeater_field( $post_id, $field, $sub_fields_map, $base_n
 				if ( $sub_field->type === 'repeater' ) {
 					$this->save_repeater_field( $post_id, $sub_field, $sub_fields_map, $full_name );
 				} else {
-					// phpcs:ignore WordPress.Security.NonceVerification.Missing
+					// phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized via $this->sanitize_value() below.
 					$raw_value = isset( $_POST[ $full_name ] ) ? wp_unslash( $_POST[ $full_name ] ) : '';
 					$sanitized = $this->sanitize_value( $raw_value, $sub_field->type );
 					update_post_meta( $post_id, $full_name, $sanitized );
@@ -637,7 +637,7 @@ private function save_group_field( $post_id, $field, $sub_fields_map, $base_name
 				$this->save_group_field( $post_id, $sub_field, $sub_fields_map, $full_name );
 			} else {
 				// Standard sub-field save.
-				// phpcs:ignore WordPress.Security.NonceVerification.Missing
+				// phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized via $this->sanitize_value() below.
 				$raw_value = isset( $_POST[ $full_name ] ) ? wp_unslash( $_POST[ $full_name ] ) : '';
 				$sanitized = $this->sanitize_value( $raw_value, $sub_field->type );
 				update_post_meta( $post_id, $full_name, $sanitized );
@@ -1077,7 +1077,7 @@ public function save_taxonomy_fields( $term_id, $tt_id ) {
 
 					// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verified above.
 					if ( isset( $_POST[ $meta_key ] ) ) {
-						// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verified above.
+						// phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Nonce verified above; sanitized via $this->sanitize_value().
 						$value = $this->sanitize_value( wp_unslash( $_POST[ $meta_key ] ), $field->type );
 						update_term_meta( $term_id, $meta_key, $value );
 					} else {
@@ -1131,7 +1131,7 @@ private function save_repeater_field_for_term( $term_id, $field, $sub_fields_map
 				if ( $sub_field->type === 'repeater' ) {
 					$this->save_repeater_field_for_term( $term_id, $sub_field, $sub_fields_map, $full_name );
 				} else {
-					// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verified in save_taxonomy_fields.
+					// phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Nonce verified in save_taxonomy_fields; sanitized via $this->sanitize_value().
 					$raw_value = isset( $_POST[ $full_name ] ) ? wp_unslash( $_POST[ $full_name ] ) : '';
 					$sanitized = $this->sanitize_value( $raw_value, $sub_field->type );
 					update_term_meta( $term_id, $full_name, $sanitized );
@@ -1165,7 +1165,7 @@ private function save_group_field_for_term( $term_id, $field, $sub_fields_map, $
 			} elseif ( $sub_field->type === 'group' ) {
 				$this->save_group_field_for_term( $term_id, $sub_field, $sub_fields_map, $full_name );
 			} else {
-				// phpcs:ignore WordPress.Security.NonceVerification.Missing
+				// phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Nonce verified in save_taxonomy_fields; sanitized via $this->sanitize_value().
 				$raw_value = isset( $_POST[ $full_name ] ) ? wp_unslash( $_POST[ $full_name ] ) : '';
 				$sanitized = $this->sanitize_value( $raw_value, $sub_field->type );
 				update_term_meta( $term_id, $full_name, $sanitized );
@@ -1433,7 +1433,7 @@ public function save_user_fields( $user_id ) {
 
 					// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verified above.
 					if ( isset( $_POST[ $meta_key ] ) ) {
-						// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verified above.
+						// phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Nonce verified above; sanitized via $this->sanitize_value().
 						$value = $this->sanitize_value( wp_unslash( $_POST[ $meta_key ] ), $field->type );
 						update_user_meta( $user_id, $meta_key, $value );
 					} else {
@@ -1487,7 +1487,7 @@ private function save_repeater_field_for_user( $user_id, $field, $sub_fields_map
 				if ( $sub_field->type === 'repeater' ) {
 					$this->save_repeater_field_for_user( $user_id, $sub_field, $sub_fields_map, $full_name );
 				} else {
-					// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verified in save_user_fields.
+					// phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Nonce verified in save_user_fields; sanitized via $this->sanitize_value().
 					$raw_value = isset( $_POST[ $full_name ] ) ? wp_unslash( $_POST[ $full_name ] ) : '';
 					$sanitized = $this->sanitize_value( $raw_value, $sub_field->type );
 					update_user_meta( $user_id, $full_name, $sanitized );
@@ -1521,7 +1521,7 @@ private function save_group_field_for_user( $user_id, $field, $sub_fields_map, $
 			} elseif ( $sub_field->type === 'group' ) {
 				$this->save_group_field_for_user( $user_id, $sub_field, $sub_fields_map, $full_name );
 			} else {
-				// phpcs:ignore WordPress.Security.NonceVerification.Missing
+				// phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Nonce verified in save_user_fields; sanitized via $this->sanitize_value().
 				$raw_value = isset( $_POST[ $full_name ] ) ? wp_unslash( $_POST[ $full_name ] ) : '';
 				$sanitized = $this->sanitize_value( $raw_value, $sub_field->type );
 				update_user_meta( $user_id, $full_name, $sanitized );

plugin/includes/class-cof-assets.php

@@ -102,25 +102,20 @@ public function admin_scripts( $hook ) {
 	 * @since 1.0.0
 	 */
 	public function frontend_scripts() {
-		// Only load if needed.
+		// Only load if needed — currently no frontend assets are required.
 		if ( ! $this->should_load_frontend_assets() ) {
 			return;
 		}
 
-		wp_enqueue_script(
-			'cof-frontend',
-			COF_PLUGIN_URL . 'assets/public/js/frontend.js',
-			array(),
-			COF_VERSION,
-			true
-		);
-
-		wp_enqueue_style(
-			'cof-frontend',
-			COF_PLUGIN_URL . 'assets/public/css/frontend.css',
-			array(),
-			COF_VERSION
-		);
+		/**
+		 * Fires when frontend assets should be loaded.
+		 *
+		 * Developers can use the 'cof/load_frontend_assets' filter to
+		 * trigger this, then enqueue their own styles/scripts here.
+		 *
+		 * @since 1.0.0
+		 */
+		do_action( 'cof/frontend_enqueue_scripts' );
 	}
 
 	/**
@@ -169,18 +164,21 @@ public function meta_box_scripts( $hook ) {
 			COF_VERSION
 		);
 
-		// Localize script data.
-		wp_localize_script(
-			'cof-fields',
-			'cofMetaBox',
-			array(
-				'i18n' => array(
-					'selectImage' => __( 'Select Image', 'codeideal-open-fields' ),
-					'useImage'    => __( 'Use this image', 'codeideal-open-fields' ),
-					'selectFile'  => __( 'Select File', 'codeideal-open-fields' ),
-					'useFile'     => __( 'Use this file', 'codeideal-open-fields' ),
-				),
-			)
+		// Localize meta box data for field renderers.
+		wp_add_inline_script(
+			'wp-color-picker',
+			sprintf(
+				'var cofMetaBox = %s;',
+				wp_json_encode( array(
+					'i18n' => array(
+						'selectImage' => __( 'Select Image', 'codeideal-open-fields' ),
+						'useImage'    => __( 'Use this image', 'codeideal-open-fields' ),
+						'selectFile'  => __( 'Select File', 'codeideal-open-fields' ),
+						'useFile'     => __( 'Use this file', 'codeideal-open-fields' ),
+					),
+				) )
+			),
+			'before'
 		);
 	}
 

plugin/includes/class-cof.php

@@ -102,13 +102,6 @@ private function init_hooks() {
 	 * @since 1.0.0
 	 */
 	public function init() {
-		// Load plugin text domain for translations.
-		load_plugin_textdomain(
-			'codeideal-open-fields',
-			false,
-			dirname( COF_PLUGIN_BASENAME ) . '/languages'
-		);
-
 		// Initialize components.
 		COF_Assets::instance();
 		COF_Field_Registry::instance();