Conversation
Release 1.0.6
- Adds an MU plugin to allow SVG and path tags in post content via the `wp_kses_allowed_html` filter. - Updates the landing page to redirect users directly to the post editor. - Refactors the demo page creation step.
Updates the spacing and formatting in index.js to align with WordPress-specific linting rules, including padding inside parentheses and brackets.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| }, | ||
| { | ||
| "step": "runPHP", | ||
| "code": "<?php require_once '/wordpress/wp-load.php'; $page_content = '<?php require_once 'wordpress/wp-load.php'; $page_content = '<!-- wp:buttons -->\n<div class=\"wp-block-buttons\"><!-- wp:button {\"linkedModalId\":\"m-e16de3fe79f9\"} -->\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\">Open my modal window</a></div>\n<!-- /wp:button --></div>\n<!-- /wp:buttons -->\n\n<!-- wp:blockparty/modal {\"title\":\"My Modal\",\"modalId\":\"m-e16de3fe79f9\",\"displayIconOnly\":true,\"style\":{\"spacing\":{\"padding\":{\"top\":\"var:preset|spacing|40\",\"bottom\":\"var:preset|spacing|40\",\"left\":\"var:preset|spacing|40\",\"right\":\"var:preset|spacing|40\"}}}} -->\n<dialog class=\"wp-block-blockparty-modal\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\" id=\"modal-m-e16de3fe79f9\" aria-modal=\"true\" closedby=\"any\"><div class=\"wp-block-blockparty-modal__header\"><h2 class=\"wp-block-blockparty-modal__title\">My Modal</h2></div><div class=\"wp-block-blockparty-modal__content\"><!-- wp:paragraph -->\n<p>Blockparty Modal is a WordPress plugin that lets you add accessible modal dialogs to your content via the Gutenberg block editor. You define the modal content and behaviour in the editor; on the frontend, the modal is shown when the user activates a linked trigger (such as a button block).</p>\n<!-- /wp:paragraph --></div><button type=\"button\" class=\"wp-block-blockparty-modal__close-button\"><span class=\"sr-only\">Close this dialog window</span><svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 24 24\" width=\"24\" height=\"24\" aria-hidden=\"true\"><path d=\"m13.06 12 6.47-6.47-1.06-1.06L12 10.94 5.53 4.47 4.47 5.53 10.94 12l-6.47 6.47 1.06 1.06L12 13.06l6.47 6.47 1.06-1.06L13.06 12Z\"></path></svg></button></dialog>\n<!-- /wp:blockparty/modal -->'; $page_id = wp_insert_post(array('post_title' => 'Blockparty Modal', 'post_content' => $page_content, 'post_status' => 'publish', 'post_type' => 'page')); echo 'Page created with ID: ' . $page_id; ?>'; $page_id = wp_insert_post(array('post_title' => 'Blockparty Modal', 'post_content' => $page_content, 'post_status' => 'publish', 'post_type' => 'page')); echo 'Page created with ID: ' . $page_id; ?>" |
There was a problem hiding this comment.
Corrupted PHP code with duplicated nested script
High Severity
The second runPHP step's code value contains a corrupted PHP script. The entire PHP script is accidentally duplicated/nested inside itself as the $page_content assignment value. This creates broken single-quote string delimiters — $page_content = '<?php require_once 'wordpress/wp-load.php' — where the quote before wordpress prematurely terminates the string, causing a PHP parse error. The wp_insert_post call and its arguments also appear duplicated at the end. The previous version correctly used base64_decode() to avoid quoting issues; this replacement inlines the content but fails to escape quotes and includes the wrapping script code inside itself.
| { | ||
| "$schema": "https://playground.wordpress.net/blueprint-schema.json", | ||
| "landingPage": "/blockparty-modal-demo/", | ||
| "landingPage": "/wp-admin/post.php?post=4&action=edit", |
There was a problem hiding this comment.
Landing page hardcodes fragile post ID assumption
Medium Severity
The landingPage is now /wp-admin/post.php?post=4&action=edit, which hardcodes the assumption that the created page will have post ID 4. The previous version used the post slug (/blockparty-modal-demo/) and explicitly set post_name. The new runPHP step doesn't set post_name, and the resulting post ID depends on WordPress's internal auto-increment state, which isn't guaranteed to be 4.
1 participant
Note
Low Risk
Mostly updates the WordPress Playground
blueprint.jsondemo setup; production plugin logic is unchanged aside from JS formatting. Low risk, though the blueprint now installs a mu-plugin that relaxes KSES to allow SVG in post content.Overview
Updates
blueprint.jsonto land directly on the WP admin editor for the demo page and changes the setup steps to install a small mu-plugin that permitssvg/pathtags via KSES for post content (so the modal’s inline SVG icon isn’t stripped).The blueprint’s demo page creation step is reworked accordingly, while
src/blockparty-modal/index.jsonly receives formatting/whitespace changes with no functional behavior changes.Written by Cursor Bugbot for commit fd14041. This will update automatically on new commits. Configure here.