magdev/wp-bootstrap
1
Fork 0
Code Issues Pull Requests Actions Releases 24 Activity

Security audit fixes: regex hardening, performance, and code quality (v1.1.2)
All checks were successful
Create Release Package / PHP Lint (push) Successful in 1m32s
Details
Create Release Package / PHPUnit Tests (push) Successful in 2m35s
Details
Create Release Package / Build Release (push) Successful in 2m36s
Details

Browse Source 
- WidgetRenderer: single regex for h2→h4 prevents mismatched tags
- ContextBuilder: O(n) comment tree with parent-indexed lookup map
- ContextBuilder: consolidated sidebar queries into single check
- ContextBuilder: transient caching for sidebar recent posts and tags
- functions.php: hex-to-RGB consolidation, type hints, ctype_xdigit validation
- Transient invalidation hooks for save_post and tag CRUD operations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Marco Grätsch
2026-03-01 01:02:12 +01:00
parent ea2ccef5de
commit 17728e81d9
6 changed files with 110 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
CLAUDE.md
View File

@@ -34,7 +34,7 @@ This project is proudly **"vibe-coded"** using Claude.AI - the entire codebase w
**Note for AI Assistants:** Clean this section after the specific features are done or new releases are made. Effective changes are tracked in `CHANGELOG.md`. Do not add completed versions here - document them in the Session History section at the end of this file.
Current version is **v1.1.1**. See `PLAN.md` for details.
Current version is **v1.1.2**. See `PLAN.md` for details.
## Technical Stack
@@ -234,6 +234,26 @@ Build steps (in order):
## Session History
### Session 21 — v1.1.2 Security Audit & Performance Fixes (2026-03-01)
**Completed:** Cross-theme security audit with 12 findings, all fixed. Covers WidgetRenderer regex hardening, ContextBuilder performance (O(n) comment tree, sidebar query consolidation, transient caching), and hex-to-RGB code consolidation.
**What was changed:**
- **WidgetRenderer regex fix** (`inc/Block/WidgetRenderer.php`): Combined two `preg_replace` calls into single regex matching `<h2>` with `wp-block-heading` class, preventing mismatched tags.
- **O(n) comment tree** (`inc/Template/ContextBuilder.php`): Parent-indexed lookup map replaces full-scan recursion. Each level now iterates only direct children.
- **Sidebar query consolidation** (`inc/Template/ContextBuilder.php`): Three separate sidebar detection branches merged into single boolean + one `getSidebarData()` call.
- **Transient caching** (`inc/Template/ContextBuilder.php` + `functions.php`): `getSidebarRecentPosts()` and `getSidebarTags()` cached in 1-hour transients with hook-based invalidation (`save_post`, `create/edit/delete_post_tag`).
- **Hex-to-RGB consolidation** (`functions.php`): Eliminated duplicate hex parsing. Added `ctype_xdigit()` validation and type hints to all color utility functions.
**Files modified:**
- `inc/Block/WidgetRenderer.php` — single regex for h2→h4
- `inc/Template/ContextBuilder.php` — O(n) tree, sidebar consolidation, transient caching
- `functions.php` — hex-to-RGB consolidation, type hints, transient invalidation hooks
- `style.css` — version bump to 1.1.2
- `CHANGELOG.md`, `CLAUDE.md` — documentation
### Session 20 — v1.1.1 PHPUnit Test Suite (2026-02-28)
**Completed:** PHPUnit test suite with 64 unit tests and 107 assertions, CI integration, and build pipeline gating.