ROBOTSTXT/robotstxt-documentation-markdown
ROBOTSTXT/robotstxt-documentation-markdown
1
0
Fork 0
Code Issues Pull requests Releases 3 Activity
3 releases 3 tags
  • 1.1.1 693e5ae2e6

    v1.1.1 Stable

    javier released this 2026-06-08 12:53:31 +00:00 | 0 commits to main since this release

    1.1.1

    Release date: 2026-06-08

    Highlights

    • Security hardening: CommonMark raw HTML passthrough disabled, encrypted token no longer autoloaded, HMAC now uses wp_json_encode() instead of serialize()
    • Bug fix: admin notices now visible for all operations (sync, create, update, delete, errors)
    • Infrastructure: full dev tooling added (PHPCS, PHPStan, PHPUnit, deploy script)
    • Real PHP minimum corrected to 8.0 (confirmed by PHPCompatibility 10.x scan)

    Security

    • CommonMark: disabled raw HTML passthrough (html_input: strip, allow_unsafe_links: false) — prevents stored XSS if an upstream repository is compromised
    • Settings option now stored with autoload = false — encrypted GitHub token no longer loaded on every WordPress request (defense in depth)
    • Replaced serialize() with wp_json_encode() in updater HMAC cache (eliminates PHPCS object-injection warning)
    • Added strict base64 length validation before IV extraction in robotstxt_docmd_decrypt_token()
    • Added base64_decode() strict return-value check in robotstxt_docmd_get_file_content()

    Fixed

    • Admin notices now display results for all operations: mapping created, mapping updated, mapping deleted, sync complete, and error messages — previously only "Settings saved" was shown
    • wp_update_post() return value now checked during sync — silent post-update failures were previously reported as success
    • Wrong textdomain 'robotstxt-smtp' in updater class corrected to 'robotstxt-documentation-markdown'

    Changed

    • robotstxt-updater.php renamed to class-robotstxt-updater.php (WordPress file-naming convention)
    • Minimum PHP version header corrected from 8.2 to 8.0 (real minimum confirmed by PHPCompatibility 10.0.0-alpha2 scan — union types, str_starts_with(), str_contains(), and mixed type are the binding constraints)

    Developer

    • Added composer.json with full require-dev tooling (PHPCS, PHPStan 2.x, PHPUnit 9.6, PHPCompatibility 10.0.0-alpha2, wp-compat, yoast/phpunit-polyfills)
    • Added phpstan.neon (level 9), .phpcs.xml (WordPress-Core/Docs/Extra), bin/deploy.sh, phpunit.xml.dist
    • PHPUnit: 17 plugin header tests added (tests/PluginHeadersTest.php)
    • Added docs/known-issues.md and docs/db-migrations.md
    • class-robotstxt-updater.php: PHPCS 0 errors, PHPStan level 9 0 errors (full compliance)

    Compatibility

    • WordPress: 6.7 - 7.1
    • PHP: 8.0 - 8.5
    • MariaDB: 11.4 or newer

    Tests

    • PHP Coding Standards: PHPCS 3.x with WordPress-Core, WordPress-Docs, WordPress-Extra — 0 errors, 0 warnings
    • WordPress Coding Standards: WPCS 3.3.0
    • PHPStan: level 9, 0 errors (szepeviktor/phpstan-wordpress 2.0.3)
    • PHPCompatibility: 10.0.0-alpha2 — PHP 8.0-8.5 validated
    • PHPUnit: 17/17 tests pass (plugin header tests)
    • Manual testing: WordPress 7.0, 7.1
    Downloads
  • 1.1.0 92d56fe84d

    v1.1.0 Stable

    javier released this 2026-03-28 15:38:49 +00:00 | 2 commits to main since this release

    1.1.0

    Release date: 2026-03-28

    Highlights

    • Editor-level access: editors can now manage documentation mappings without administrator privileges
    • Full PHPStan level 9 compliance — zero errors across all plugin files
    • Security patch for two CVEs in league/commonmark
    • target_order (menu_order) field fully implemented end-to-end

    Security

    • Patched CVE-2026-33347 and CVE-2026-30838 by upgrading league/commonmark to 2.8.2

    Changed

    • Access level changed from manage_options (administrator) to edit_pages (editor) across all admin pages, form handlers, and debug functions
    • robotstxt_docmd_debug_run_cron() now has a typed int $mapping_id parameter

    Fixed

    • PHPStan level 9: replaced all implicit mixed casts with proper type-narrowing via is_string(), is_int(), and is_numeric() guards
    • New robotstxt_docmd_input_string() and robotstxt_docmd_input_int() helpers used for all superglobal ($_POST, $_GET) access
    • MappingData and MappingInput global type aliases defined in phpstan.neon — file-level @phpstan-type aliases do not propagate between files in PHPStan 2.x procedural code
    • target_order field was rendered in the form UI but never saved to post meta or applied during sync — now fully implemented
    • openssl_decrypt() false return properly handled in token decryption
    • get_edit_post_link() null return handled safely in debug run-cron output
    • Redundant isset() guards removed on statically-typed array shapes
    • Uninstall handler narrows get_option() mixed return before array access
    • size_format() false return handled in discover-page file list
    • Settings and debug functions use is_array() narrowing on get_option() before accessing keys
    • json_decode() results in GitHub debug functions fully type-narrowed before key access

    Developer Features

    • PHPStan level 9: 0 errors (down from 104 in v1.0.0)
    • phpstan.neon now includes global MappingData and MappingInput type aliases
    • robotstxt-updater.php moved to bootstrapFiles in PHPStan config to avoid strict analysis of shared utility
    • $default parameter renamed to $fallback in helpers (reserved keyword warning)
    • Short ternary (?:) replaced with explicit false !== check (PHPCS rule)

    Compatibility

    • WordPress: 6.7 - 7.0
    • PHP: 8.2 - 8.4 (verified on PHP 8.4.x)
    • MariaDB: 10.6 or newer

    Dependencies

    • league/commonmark: 2.8.0 → 2.8.2 (security patch)
    • eduardovillao/wp-since: 1.3.0 → 1.4.0
    • phpunit/phpunit held at ^10.5 (v13.x available; pending test suite migration)
    • squizlabs/php_codesniffer held at ^3.13 (v4.x available; pending WPCS 4.x confirmation)

    Tests

    • PHP Coding Standards: PHPCS 3.x with WordPress-Extra ruleset — 0 errors, 0 warnings
    • WordPress Coding Standards: WPCS 3.3
    • PHPStan: level 9, 0 errors (szepeviktor/phpstan-wordpress extension)
    • PHPCompatibility: PHP 8.2 - 8.4 validated
    • Manual testing: WordPress 6.8, 7.0
    Downloads
  • 1.0.0 443dceb8ca

    v1.0.0 Stable

    javier released this 2026-01-30 18:51:44 +00:00 | 3 commits to main since this release

    1.0.0

    Release date: 2026-01-26

    Highlights

    • Initial release of Documentation Markdown plugin
    • Automatic synchronization of Markdown files from GitHub to WordPress
    • Full support for GitHub Flavored Markdown
    • Encrypted GitHub token storage
    • Flexible mapping system for multiple repositories

    Added

    • Core synchronization functionality between GitHub and WordPress
    • Automatic scheduled sync (hourly, twice daily, daily)
    • Manual on-demand sync via admin interface
    • Markdown to HTML conversion using CommonMark (league/commonmark)
    • Flexible file-to-content mapping system
    • Custom Post Type (robotstxt_map) for mapping management
    • Encrypted GitHub token storage (AES-256-CBC)
    • Full internationalization support (i18n/l10n ready)
    • Multi-repository support
    • Clean admin interface with status badges
    • Support for pages, posts, and custom post types as sync targets
    • Configurable post author and parent page
    • Page order (menu_order) support
    • Debug tools for troubleshooting (visible when WP_DEBUG enabled)
    • Cron job management and repair tools
    • Clean uninstall with optional data deletion
    • Settings page for GitHub configuration
    • Mappings management interface (list, add, edit, delete)
    • Sync status monitoring with timestamps
    • Rate limiting awareness for GitHub API
    • Cache system using WordPress Transients API

    Security

    • All user input sanitized using WordPress functions
    • All output escaped (esc_html, esc_attr, esc_url)
    • Nonce verification on all forms and actions
    • Capability checks for all admin actions (manage_options)
    • Prepared statements for all database queries
    • GitHub tokens encrypted at rest using AES-256-CBC
    • OWASP Top 10 mitigation implemented
    • Direct access prevention on all PHP files
    • CSRF protection on all state-changing operations
    • XSS prevention through proper escaping
    • SQL injection prevention through prepared statements

    Developer Features

    • Procedural PHP architecture following KISS principles
    • PHP 8.2+ modern features (typed parameters, match expressions)
    • Complete PHPDoc documentation on all functions
    • WordPress Coding Standards (WPCS) compliant
    • PHPCS/WPBF validated (0 errors, 0 warnings)
    • Extensible architecture with WordPress hooks
    • Clean, well-documented codebase
    • Composer-based dependency management
    • Production-optimized deployment script (bin/deploy.sh)

    Compatibility

    • WordPress: 6.7 - 6.9
    • PHP: 8.2 - 8.5
    • MariaDB: 10.6 or newer

    Tests

    • PHP Coding Standards: PHPCS 3.x with WordPress-Extra ruleset
    • WordPress Coding Standards: WPCS 3.3
    • PHPCompatibility: PHP 8.2 - 8.5 validated
    • Security Audit: Complete OWASP Top 10 coverage
    • Manual testing: WordPress 6.7, 6.8, 6.9
    Downloads