Changeset 3414766

Timestamp:

12/08/2025 10:40:07 PM (4 months ago)

Author:

coffee2code

Message:

Release v2.5.1:

Highlights:

A bugfix release to address the overzealous encoding of some valid CSS characters introduced in v2.5.

Details:

• Fix: Escape only the minimum of characters so that valid CSS characters don't get escaped. Props kevinvanrijn.
• Change: Note compatibility through WP 6.9+

Location:

add-admin-css

Files:

• tags/2.5.1 (copied) (copied from add-admin-css/trunk)
• tags/2.5.1/CHANGELOG.md (modified) (1 diff)
• tags/2.5.1/add-admin-css.php (modified) (5 diffs)
• tags/2.5.1/readme.txt (modified) (3 diffs)
• trunk/CHANGELOG.md (modified) (1 diff)
• trunk/add-admin-css.php (modified) (5 diffs)
• trunk/readme.txt (modified) (3 diffs)

add-admin-css/tags/2.5.1/CHANGELOG.md

@@ -1 +1 @@
 # Changelog
+
+## 2.5.1 _(2025-12-02)_
+
+### Highlights:
+
+A bugfix release to address the overzealous encoding of some valid CSS characters introduced in v2.5.
+
+### Details:
+
+* Fix: Escape only the minimum of characters so that valid CSS characters don't get escaped. Props kevinvanrijn.
+* New: Add `.gitattributes` file to exclude files from Github packaging. Props kevinvanrijn.
+* Change: Note compatibility through WP 6.9+
 
 ## 2.5 _(2025-03-29)_

add-admin-css/tags/2.5.1/add-admin-css.php

@@ -2 +2 @@
 /**
  * Plugin Name: Add Admin CSS
- * Version:     2.5
+ * Version:     2.5.1
  * Plugin URI:  https://coffee2code.com/wp-plugins/add-admin-css/
  * Author:      Scott Reilly
@@ -11 +11 @@
  * Description: Easily define additional CSS (inline and/or by URL) to be added to all administration pages.
  *
- * Compatible with WordPress 5.5+ through 6.8+, and PHP through at least 8.3+.
+ * Compatible with WordPress 5.5+ through 6.9+, and PHP through at least 8.3+.
  *
  * =>> Read the accompanying readme.txt file for instructions and documentation.
@@ -19 +19 @@
  * @package Add_Admin_CSS
  * @author  Scott Reilly
- * @version 2.5
+ * @version 2.5.1
  **/
 
@@ -104 +104 @@
      */
     protected function __construct() {
-        parent::__construct( '2.5', 'add-admin-css', 'c2c', __FILE__, array( 'settings_page' => 'themes' ) );
+        parent::__construct( '2.5.1', 'add-admin-css', 'c2c', __FILE__, array( 'settings_page' => 'themes' ) );
         register_activation_hook( __FILE__, array( __CLASS__, 'activation' ) );
 
@@ -619 +619 @@
          * @since 1.0
          *
-         * @param string $files CSS code (without `<style>` tag).
+         * @param string $files CSS styles (without `<style>` tag).
          */
         $css = trim( apply_filters( 'c2c_add_admin_css', $css ) );
 
-        if ( $css ) {
+        if ( $css && is_string( $css ) ) {
+            // Encode '<' to prevent tag injection.
+            $sanitized_css = str_replace( '<', '&lt;', wp_check_invalid_utf8( $css ) );
+            // Allow use of '<' in comparators.
+            $sanitized_css = str_replace( '&lt; ', '< ', $sanitized_css );
+            $sanitized_css = str_replace( '&lt;= ', '<= ', $sanitized_css );
+
             echo "<style>\n";
-            echo esc_html( $css ) . "\n";
+            // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Sanitized above.
+            echo $sanitized_css . "\n";
             echo "</style>\n";
         }

add-admin-css/tags/2.5.1/readme.txt

@@ -6 +6 @@
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 Requires at least: 5.5
-Tested up to: 6.8
-Stable tag: 2.5
+Tested up to: 6.9
+Stable tag: 2.5.1
 
 Easily define additional CSS (inline and/or by URL) to be added to all administration pages.
@@ -94 +94 @@
 
 == Changelog ==
+
+= 2.5.1 (2025-12-02) =
+Highlights:
+
+A bugfix release to address the overzealous encoding of some valid CSS characters introduced in v2.5.
+
+Details:
+
+* Fix: Escape only the minimum of characters so that valid CSS characters don't get escaped. Props kevinvanrijn.
+* Change: Note compatibility through WP 6.9+
 
 = 2.5 (2025-03-29) =
@@ -186 +196 @@
 * New: Add new string (from plugin framework) for translation
 
-= 2.0 (2021-05-12) =
-
-Highlights:
-
-This recommended minor release updates the plugin framework, restructures unit test files, notes compatibility through 5.7+, and incorporates numerous minor behind-the-scenes tweaks.
-
-Details:
-
-* Change: Outright support HTML5 rather than check for theme support of HTML5, since that isn't relevant to admin
-* Change: Update plugin framework to 062
-    * 062:
-    * Change: Update `is_plugin_admin_page()` to use `get_current_screen()` when available
-    * Change: Actually prevent object cloning and unserialization by throwing an error
-    * Change: Check that there is a current screen before attempting to access its property
-    * Change: Remove 'type' attribute from `style` tag
-    * Change: Incorporate commonly defined styling for inline_textarea
-    * 061:
-    * Fix bug preventing settings from getting saved
-    * 060:
-    * Rename class from `c2c_{PluginName}_Plugin_051` to `c2c_Plugin_060`
-    * Move string translation handling into inheriting class making the plugin framework code plugin-agnostic
-        * Add abstract function `get_c2c_string()` as a getter for translated strings
-        * Replace all existing string usage with calls to `get_c2c_string()`
-    * Handle WordPress's deprecation of the use of the term "whitelist"
-        * Change: Rename `whitelist_options()` to `allowed_options()`
-        * Change: Use `add_allowed_options()` instead of deprecated `add_option_whitelist()` for WP 5.5+
-        * Change: Hook `allowed_options` filter instead of deprecated `whitelist_options` for WP 5.5+
-    * New: Add initial unit tests (currently just covering `is_wp_version_cmp()` and `get_c2c_string()`)
-    * Add `is_wp_version_cmp()` as a utility to compare current WP version against a given WP version
-    * Refactor `contextual_help()` to be easier to read, and correct function docblocks
-    * Don't translate urlencoded donation email body text
-    * Add inline comments for translators to clarify purpose of placeholders
-    * Change PHP package name (make it singular)
-    * Tweak inline function description
-    * Note compatibility through WP 5.7+
-    * Update copyright date (2021)
-    * 051:
-    * Allow setting integer input value to include commas
-    * Use `number_format_i18n()` to format integer value within input field
-    * Update link to coffee2code.com to be HTTPS
-    * Update `readme_url()` to refer to plugin's readme.txt on plugins.svn.wordpress.org
-    * Remove defunct line of code
-* Change: Use plugin framework's `is_plugin_admin_page()` instead of reinventing it
-* New: Add a recommendation for Add Admin JavaScript plugin to settings page
-* Change: Output the multiple tips on the settings page as a list instead of multiple paragraphs
-* Change: Prevent appending newline to value of setting passed to filter unless an actual value was configured
-* Change: Move translation of all parent class strings into main plugin file
-* Change: Tweak conditional checks to be more succinct
-* Change: Ensure there's a current screen before attempting to get one of its properties
-* Change: Omit inline styles for settings now that plugin framework defines them
-* Change: Output newlines after paragraph tags in settings page
-* Change: Note compatibility through WP 5.7+
-* Change: Update copyright date (2021)
-* Change: Change plugin's short description
-* Change: Tweak some readme.txt documentation
-* Change: Tweak some inline function and parameter documentation
-* Unit tests:
-    * New: Add tests for JS files getting registered and enqueued
-    * New: Add tests for `add_codemirror()`
-    * New: Add help function `get_css_files()`
-    * Change: Restructure unit test directories and files into `tests/` top-level directory
-    * Change: Remove 'test-' prefix from unit test files
-    * Change: In bootstrap, store path to plugin file constant so its value can be used within that file and in test file
-
 _Full changelog is available in [CHANGELOG.md](https://github.com/coffee2code/add-admin-css/blob/master/CHANGELOG.md)._
 
 
 == Upgrade Notice ==
+
+= 2.5.1 =
+Recommended bugfix update: Addressed the overzealous encoding of some valid CSS characters introduced in v2.5 and noted compatibility through WP 6.9+.
 
 = 2.5 =

add-admin-css/trunk/CHANGELOG.md

@@ -1 +1 @@
 # Changelog
+
+## 2.5.1 _(2025-12-02)_
+
+### Highlights:
+
+A bugfix release to address the overzealous encoding of some valid CSS characters introduced in v2.5.
+
+### Details:
+
+* Fix: Escape only the minimum of characters so that valid CSS characters don't get escaped. Props kevinvanrijn.
+* New: Add `.gitattributes` file to exclude files from Github packaging. Props kevinvanrijn.
+* Change: Note compatibility through WP 6.9+
 
 ## 2.5 _(2025-03-29)_

add-admin-css/trunk/add-admin-css.php

@@ -2 +2 @@
 /**
  * Plugin Name: Add Admin CSS
- * Version:     2.5
+ * Version:     2.5.1
  * Plugin URI:  https://coffee2code.com/wp-plugins/add-admin-css/
  * Author:      Scott Reilly
@@ -11 +11 @@
  * Description: Easily define additional CSS (inline and/or by URL) to be added to all administration pages.
  *
- * Compatible with WordPress 5.5+ through 6.8+, and PHP through at least 8.3+.
+ * Compatible with WordPress 5.5+ through 6.9+, and PHP through at least 8.3+.
  *
  * =>> Read the accompanying readme.txt file for instructions and documentation.
@@ -19 +19 @@
  * @package Add_Admin_CSS
  * @author  Scott Reilly
- * @version 2.5
+ * @version 2.5.1
  **/
 
@@ -104 +104 @@
      */
     protected function __construct() {
-        parent::__construct( '2.5', 'add-admin-css', 'c2c', __FILE__, array( 'settings_page' => 'themes' ) );
+        parent::__construct( '2.5.1', 'add-admin-css', 'c2c', __FILE__, array( 'settings_page' => 'themes' ) );
         register_activation_hook( __FILE__, array( __CLASS__, 'activation' ) );
 
@@ -619 +619 @@
          * @since 1.0
          *
-         * @param string $files CSS code (without `<style>` tag).
+         * @param string $files CSS styles (without `<style>` tag).
          */
         $css = trim( apply_filters( 'c2c_add_admin_css', $css ) );
 
-        if ( $css ) {
+        if ( $css && is_string( $css ) ) {
+            // Encode '<' to prevent tag injection.
+            $sanitized_css = str_replace( '<', '&lt;', wp_check_invalid_utf8( $css ) );
+            // Allow use of '<' in comparators.
+            $sanitized_css = str_replace( '&lt; ', '< ', $sanitized_css );
+            $sanitized_css = str_replace( '&lt;= ', '<= ', $sanitized_css );
+
             echo "<style>\n";
-            echo esc_html( $css ) . "\n";
+            // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Sanitized above.
+            echo $sanitized_css . "\n";
             echo "</style>\n";
         }

add-admin-css/trunk/readme.txt

@@ -6 +6 @@
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 Requires at least: 5.5
-Tested up to: 6.8
-Stable tag: 2.5
+Tested up to: 6.9
+Stable tag: 2.5.1
 
 Easily define additional CSS (inline and/or by URL) to be added to all administration pages.
@@ -94 +94 @@
 
 == Changelog ==
+
+= 2.5.1 (2025-12-02) =
+Highlights:
+
+A bugfix release to address the overzealous encoding of some valid CSS characters introduced in v2.5.
+
+Details:
+
+* Fix: Escape only the minimum of characters so that valid CSS characters don't get escaped. Props kevinvanrijn.
+* Change: Note compatibility through WP 6.9+
 
 = 2.5 (2025-03-29) =
@@ -186 +196 @@
 * New: Add new string (from plugin framework) for translation
 
-= 2.0 (2021-05-12) =
-
-Highlights:
-
-This recommended minor release updates the plugin framework, restructures unit test files, notes compatibility through 5.7+, and incorporates numerous minor behind-the-scenes tweaks.
-
-Details:
-
-* Change: Outright support HTML5 rather than check for theme support of HTML5, since that isn't relevant to admin
-* Change: Update plugin framework to 062
-    * 062:
-    * Change: Update `is_plugin_admin_page()` to use `get_current_screen()` when available
-    * Change: Actually prevent object cloning and unserialization by throwing an error
-    * Change: Check that there is a current screen before attempting to access its property
-    * Change: Remove 'type' attribute from `style` tag
-    * Change: Incorporate commonly defined styling for inline_textarea
-    * 061:
-    * Fix bug preventing settings from getting saved
-    * 060:
-    * Rename class from `c2c_{PluginName}_Plugin_051` to `c2c_Plugin_060`
-    * Move string translation handling into inheriting class making the plugin framework code plugin-agnostic
-        * Add abstract function `get_c2c_string()` as a getter for translated strings
-        * Replace all existing string usage with calls to `get_c2c_string()`
-    * Handle WordPress's deprecation of the use of the term "whitelist"
-        * Change: Rename `whitelist_options()` to `allowed_options()`
-        * Change: Use `add_allowed_options()` instead of deprecated `add_option_whitelist()` for WP 5.5+
-        * Change: Hook `allowed_options` filter instead of deprecated `whitelist_options` for WP 5.5+
-    * New: Add initial unit tests (currently just covering `is_wp_version_cmp()` and `get_c2c_string()`)
-    * Add `is_wp_version_cmp()` as a utility to compare current WP version against a given WP version
-    * Refactor `contextual_help()` to be easier to read, and correct function docblocks
-    * Don't translate urlencoded donation email body text
-    * Add inline comments for translators to clarify purpose of placeholders
-    * Change PHP package name (make it singular)
-    * Tweak inline function description
-    * Note compatibility through WP 5.7+
-    * Update copyright date (2021)
-    * 051:
-    * Allow setting integer input value to include commas
-    * Use `number_format_i18n()` to format integer value within input field
-    * Update link to coffee2code.com to be HTTPS
-    * Update `readme_url()` to refer to plugin's readme.txt on plugins.svn.wordpress.org
-    * Remove defunct line of code
-* Change: Use plugin framework's `is_plugin_admin_page()` instead of reinventing it
-* New: Add a recommendation for Add Admin JavaScript plugin to settings page
-* Change: Output the multiple tips on the settings page as a list instead of multiple paragraphs
-* Change: Prevent appending newline to value of setting passed to filter unless an actual value was configured
-* Change: Move translation of all parent class strings into main plugin file
-* Change: Tweak conditional checks to be more succinct
-* Change: Ensure there's a current screen before attempting to get one of its properties
-* Change: Omit inline styles for settings now that plugin framework defines them
-* Change: Output newlines after paragraph tags in settings page
-* Change: Note compatibility through WP 5.7+
-* Change: Update copyright date (2021)
-* Change: Change plugin's short description
-* Change: Tweak some readme.txt documentation
-* Change: Tweak some inline function and parameter documentation
-* Unit tests:
-    * New: Add tests for JS files getting registered and enqueued
-    * New: Add tests for `add_codemirror()`
-    * New: Add help function `get_css_files()`
-    * Change: Restructure unit test directories and files into `tests/` top-level directory
-    * Change: Remove 'test-' prefix from unit test files
-    * Change: In bootstrap, store path to plugin file constant so its value can be used within that file and in test file
-
 _Full changelog is available in [CHANGELOG.md](https://github.com/coffee2code/add-admin-css/blob/master/CHANGELOG.md)._
 
 
 == Upgrade Notice ==
+
+= 2.5.1 =
+Recommended bugfix update: Addressed the overzealous encoding of some valid CSS characters introduced in v2.5 and noted compatibility through WP 6.9+.
 
 = 2.5 =