magdev/wp-bootstrap
1
Fork 0
Code Issues Pull Requests Actions Releases 24 Activity
Files
02689f687f6cbae567568b991a2f0f3a54553d0f
wp-bootstrap/views/partials/comment-item.html.twig
magdev 89afa00678
All checks were successful
Create Release Package / PHP Lint (push) Successful in 1m8s
Details
Create Release Package / Build Release (push) Successful in 1m53s
Details
security: OWASP audit and hardening (v1.0.8) 
- Archive XSS: wrap get_the_archive_title/description with wp_kses_post()
  in ContextBuilder to sanitize Editor-editable term content rendered via |raw
- Comment fields: esc_html() on comment_author, esc_url() on comment_author_url
  at data source; template updated to output pre-escaped URL via |raw
- dark-mode.js: whitelist localStorage value against ['dark','light'] to
  prevent attribute injection from third-party script tampering
- TwigService: add is_safe=>html to esc_html/esc_attr/esc_url Twig functions
  to prevent double-encoding if autoescape is ever enabled
- Add .markdownlint.json (disable MD024 duplicate headings, MD013 line length)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-19 13:23:33 +01:00

41 lines
1.6 KiB
Twig
Raw Blame History

<div class="comment d-flex gap-3 mb-4{% if depth > 0 %} ms-5{% endif %}" id="comment-{{ comment.id }}">
<div class="flex-shrink-0">
<img src="{{ comment.avatar_url }}" alt="{{ comment.author }}"
class="rounded-circle" width="40" height="40" loading="lazy">
</div>
<div class="flex-grow-1">
<div class="d-flex align-items-center gap-2 mb-1">
<strong class="small">
{% if comment.author_url %}
{# author_url is pre-escaped with esc_url() in ContextBuilder #}
<a href="{{ comment.author_url|raw }}" class="text-decoration-none text-body" rel="nofollow">
{{ comment.author }}
</a>
{% else %}
{{ comment.author }}
{% endif %}
</strong>
<time class="text-body-secondary small" datetime="{{ comment.date_iso }}">
{{ comment.date }}
</time>
{% if comment.edit_url %}
<a href="{{ comment.edit_url }}" class="text-body-secondary small">{{ __('Edit') }}</a>
{% endif %}
</div>
<div class="comment-content small">
{{ comment.content|raw }}
</div>
{% if comment.reply_url %}
<div class="mt-1">
{{ comment.reply_url|raw }}
</div>
{% endif %}
{% if comment.children|length > 0 %}
{% for child in comment.children %}
{% include 'partials/comment-item.html.twig' with {'comment': child, 'depth': depth + 1} only %}
{% endfor %}
{% endif %}
</div>
</div>
Reference in New Issue View Git Blame Copy Permalink