Fix/blueprint: Add SVG support and update landing page #21
firestar300 merged 1 commit into develop
- Adds an MU plugin to allow SVG and path tags in post content via the `wp_kses_allowed_html` filter.
- Updates the landing page to redirect users directly to the post editor.
- Refactors the demo page creation step.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| }, | ||
| { | ||
| "step": "runPHP", | ||
| "code": "<?php require_once '/wordpress/wp-load.php'; $page_content = '<?php require_once 'wordpress/wp-load.php'; $page_content = '<!-- wp:buttons -->\n<div class=\"wp-block-buttons\"><!-- wp:button {\"linkedModalId\":\"m-e16de3fe79f9\"} -->\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\">Open my modal window</a></div>\n<!-- /wp:button --></div>\n<!-- /wp:buttons -->\n\n<!-- wp:blockparty/modal {\"title\":\"My Modal\",\"modalId\":\"m-e16de3fe79f9\",\"displayIconOnly\":true,\"style\":{\"spacing\":{\"padding\":{\"top\":\"var:preset|spacing|40\",\"bottom\":\"var:preset|spacing|40\",\"left\":\"var:preset|spacing|40\",\"right\":\"var:preset|spacing|40\"}}}} -->\n<dialog class=\"wp-block-blockparty-modal\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\" id=\"modal-m-e16de3fe79f9\" aria-modal=\"true\" closedby=\"any\"><div class=\"wp-block-blockparty-modal__header\"><h2 class=\"wp-block-blockparty-modal__title\">My Modal</h2></div><div class=\"wp-block-blockparty-modal__content\"><!-- wp:paragraph -->\n<p>Blockparty Modal is a WordPress plugin that lets you add accessible modal dialogs to your content via the Gutenberg block editor. 
You define the modal content and behaviour in the editor; on the frontend, the modal is shown when the user activates a linked trigger (such as a button block).</p>\n<!-- /wp:paragraph --></div><button type=\"button\" class=\"wp-block-blockparty-modal__close-button\"><span class=\"sr-only\">Close this dialog window</span><svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 24 24\" width=\"24\" height=\"24\" aria-hidden=\"true\"><path d=\"m13.06 12 6.47-6.47-1.06-1.06L12 10.94 5.53 4.47 4.47 5.53 10.94 12l-6.47 6.47 1.06 1.06L12 13.06l6.47 6.47 1.06-1.06L13.06 12Z\"></path></svg></button></dialog>\n<!-- /wp:blockparty/modal -->'; $page_id = wp_insert_post(array('post_title' => 'Blockparty Modal', 'post_content' => $page_content, 'post_status' => 'publish', 'post_type' => 'page')); echo 'Page created with ID: ' . $page_id; ?>'; $page_id = wp_insert_post(array('post_title' => 'Blockparty Modal', 'post_content' => $page_content, 'post_status' => 'publish', 'post_type' => 'page')); echo 'Page created with ID: ' . $page_id; ?>" |
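Review bot: The return value of `wp_insert_post` at the end of the `code` string is echoed without being checked. On failure the call returns 0 (or a `WP_Error` when its second argument is true), so the step would print `Page created with ID: 0` and still count as successful. Test `$page_id` before the `echo` and make the step fail when it is 0 or an error. The two `require_once` calls in this line also disagree on the path (`'/wordpress/wp-load.php'` versus `'wordpress/wp-load.php'`); keep only the absolute one.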
Broken PHP: duplicated script with unescaped quotes
High Severity
The runPHP code for creating the demo page contains the entire PHP script duplicated/nested inside itself. The $page_content string assignment wraps a second copy of the full script (including <?php, require_once, another $page_content assignment, wp_insert_post, and ?>). Since single quotes within the content aren't escaped, PHP will misparse the string boundaries, causing a parse error. The previous version correctly used base64_decode() to avoid this quoting problem. This completely breaks page creation, which in turn breaks the landingPage redirect to post=4.
| { | ||
| "$schema": "https://playground.wordpress.net/blueprint-schema.json", | ||
| "landingPage": "/blockparty-modal-demo/", | ||
| "landingPage": "/wp-admin/post.php?post=4&action=edit", |
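Review bot: The `post=4` in the new `landingPage` value is coupled to whatever ID `wp_insert_post` assigns in the runPHP step, and nothing in the visible `wp_insert_post` call pins that ID. Passing `'import_id' => 4` in that array would make the ID explicit. It is only honoured when no post with that ID exists, so the step should also compare the returned ID with 4 and fail if they differ.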
Hardcoded post ID 4 in landing page URL
Medium Severity
The landingPage hardcodes post=4 assuming the created page will receive that ID, but wp_insert_post doesn't specify a fixed ID. While a fresh WordPress install typically uses IDs 1–3 for default content, this assumption is fragile — any change to WordPress defaults or blueprint step ordering could assign a different ID, causing the landing page redirect to open the wrong post or a 404.


Note

Medium Risk

Adds a must-use plugin that relaxes `wp_kses_allowed_html` for `post` content to permit `svg`/`path`, which can increase XSS risk if mis-scoped. Also changes Playground boot flow (landing URL and setup steps), which could break the demo if the hardcoded post ID or page-creation script is wrong.

Overview

Updates the Playground `blueprint.json` to land directly in the editor for a specific post (`/wp-admin/post.php?post=4&action=edit`) instead of the demo page URL.

Adds a setup step that writes an MU plugin to `wp-content/mu-plugins` to allow `svg` and `path` tags/attributes in `post` content via the `wp_kses_allowed_html` filter, and refactors the demo content creation into a separate `runPHP` step (now inserting the modal page content with inline SVG).

Written by Cursor Bugbot for commit 5389ac7. This will update automatically on new commits.
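
The mis-scoping risk named in the summary is avoided by limiting the `wp_kses_allowed_html` relaxation to the `post` context and to the attributes the demo icon actually uses. The following is an added example, not the MU plugin from this PR; `example_allow_modal_svg` and `example_modal_svg_selfcheck` are hypothetical names and the sample markup is constructed.

```php
<?php
/**
 * Added example, not the PR's MU plugin. Function names are hypothetical.
 * Allows only the SVG markup the modal close button uses, and only in the
 * 'post' kses context.
 */
add_filter( 'wp_kses_allowed_html', 'example_allow_modal_svg', 10, 2 );

function example_allow_modal_svg( $tags, $context ) {
	// Comments, user descriptions and other contexts keep their defaults.
	if ( 'post' !== $context ) {
		return $tags;
	}
	// kses lowercases attribute names before the lookup, so the key is
	// 'viewbox', not 'viewBox'. No event handlers, href or style here.
	$tags['svg']  = array(
		'xmlns'       => true,
		'viewbox'     => true,
		'width'       => true,
		'height'      => true,
		'aria-hidden' => true,
	);
	$tags['path'] = array( 'd' => true );
	return $tags;
}

/**
 * Self-check on a constructed sample: the icon survives, the handler and
 * the script element do not. Returns true when the filter is scoped as
 * intended.
 */
function example_modal_svg_selfcheck() {
	$sample = '<svg viewBox="0 0 24 24" onload="x()"><path d="M0 0"></path>'
		. '<script>x()</script></svg>';
	$clean  = wp_kses_post( $sample );

	return false !== strpos( $clean, '<path d="M0 0">' )
		&& false === stripos( $clean, 'onload' )
		&& false === stripos( $clean, '<script' )
		// The 'data' context (used for comments) must still drop <svg>.
		&& false === stripos( wp_kses( $sample, 'data' ), '<svg' );
}
```

Calling `example_modal_svg_selfcheck()` from a later blueprint step, after the MU plugin is in place, gives a quick regression check whenever the allowlist is widened.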