Fix WordPress.org compliance issues #4

Open
bwstefano wants to merge 5 commits into codex/i18n-string-review from codex/wporg-policy-remediation-pr

@bwstefano
Owner

Summary

  • document third-party and external services for WordPress.org review
  • tighten escaping, sanitization, and embed rendering paths
  • remove avoidable remote asset dependencies and add compliance regression checks
  • restore editor behaviors affected during the compliance pass, including search UX, legends, embeds, and translations

Context

This PR is intentionally stacked on top of codex/i18n-string-review and should be reviewed after that PR.

The goal here is to address the WordPress.org review concerns around:

  • undocumented use of third-party or external services
  • variables and options that must be escaped when echoed
  • avoiding direct cURL usage and preventing regressions in transport/compliance rules

What Changed

Third-party services and privacy

  • added a dedicated third-party services section to the plugin readme
  • added privacy policy content for services used by the plugin
  • clarified admin-facing disclosures for Mapbox and Nominatim usage

Remote dependencies and compliance hardening

  • removed avoidable remote glyph and marker asset dependencies
  • replaced editor marker assets with local plugin assets
  • kept user-configurable typography/logo URLs while documenting and sanitizing them appropriately
  • added automated compliance checks for banned patterns and required documentation
  • added a post-build compliance patch step for generated assets

Escaping, sanitization, and rendering

  • tightened contextual escaping in settings, embeds, and map rendering
  • normalized settings sanitization for typed values and asset URLs
  • hardened embed output and logo sizing for large images

Geocoding and editor behavior

  • changed Nominatim lookups to explicit user-triggered search behavior
  • added caching on the geocoder side
  • fixed repeated search behavior without saving
  • fixed search field/button alignment issues in storymaps and post geolocation
  • restored Enter-triggered address search
  • prevented premature “no results” messaging

Legends and translations

  • restored legend rendering for incomplete/legacy legend metadata paths
  • aligned legend script registration with editor and frontend dependencies
  • normalized Discovery so the action remains Embed in both Portuguese and Spanish, while keeping translated wording in other contexts
  • updated new and edited strings in pt_BR and es_CO

Validation

  • npm run check:env
  • npm run build
  • npm run build:report
  • npm run test:unit
  • composer validate --no-check-publish
  • vendor/bin/phpcs --standard=phpcs.xml.dist
  • php scripts/check-php-compat.php
  • WordPress smoke test on WordPress 6.9.4 with PHP 8.4

Notes

  • local wp-cli still emits deprecation warnings during i18n:json, but the build completes successfully and the warnings come from the toolchain, not plugin runtime
  • the mapBlocks bundle budget was updated to reflect the current stable CKEditor footprint used by the storymap editor
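
The kind of regression check the description mentions (banned patterns such as direct cURL calls, plus required third-party service documentation), sketched here as an added example; it is not the plugin's own check script, and the file paths, rule id, section-title match and sample contents are assumptions.

```javascript
// Added example: hypothetical compliance check, not the plugin's own script.
// Paths, rule ids and sample contents below are constructed for illustration.
const BANNED = [
  { id: 'direct-curl', re: /\bcurl_(?:init|exec|setopt|setopt_array|multi_\w+)\s*\(/ },
];
const REQUIRED_SERVICES = ['Mapbox', 'Nominatim']; // services named in the PR text

// Blank out PHP comments, keeping newlines so line numbers stay accurate.
// String literals are matched first and kept, so "//" inside a URL string
// does not hide code that follows it on the same line.
function stripPhpComments(src) {
  const re = /'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|\/\*[\s\S]*?\*\/|\/\/[^\n]*|#[^\n]*/g;
  return src.replace(re, (m) => (m[0] === "'" || m[0] === '"' ? m : m.replace(/[^\n]/g, ' ')));
}

// files: { path: phpSource }. Returns one finding per offending line.
function findBannedCalls(files) {
  const findings = [];
  for (const [path, src] of Object.entries(files)) {
    stripPhpComments(src).split('\n').forEach((line, i) => {
      for (const { id, re } of BANNED) {
        if (re.test(line)) findings.push({ path, line: i + 1, id });
      }
    });
  }
  return findings;
}

// WordPress.org readme sections are delimited by "== Title ==" lines.
// Returns the required services that the disclosure section fails to name.
function missingServiceDisclosures(readme) {
  const parts = readme.split(/^==[ \t]*(.+?)[ \t]*==[ \t]*$/m); // [pre, title, body, ...]
  let body = null;
  for (let i = 1; i < parts.length; i += 2) {
    if (/third[- ]party|external services/i.test(parts[i])) body = parts[i + 1];
  }
  if (body === null) return [...REQUIRED_SERVICES];
  return REQUIRED_SERVICES.filter((s) => !body.toLowerCase().includes(s.toLowerCase()));
}

// Constructed inputs: one file with a direct cURL call, one that only mentions it in comments.
const SAMPLE_FILES = {
  'inc/legacy-geocoder.php': '<?php\n// constructed sample\n$ch = curl_init( $url );\n',
  'inc/geocoder.php': '<?php\n/* replaces curl_init() */\n$r = wp_remote_get( $url ); // not curl_exec()\n',
};
const SAMPLE_README = '=== Example Plugin ===\n\n== Description ==\nMaps.\n\n== Third-Party Services ==\nTiles are loaded from Mapbox.\n';

console.log(findBannedCalls(SAMPLE_FILES), missingServiceDisclosures(SAMPLE_README));
```

Wired into CI, a non-empty result from either function would fail the build, so a reintroduced `curl_*` call or a dropped service disclosure is caught before release.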

@bwstefano bwstefano force-pushed the codex/wporg-policy-remediation-pr branch from 8302279 to 705e1c1 on March 23, 2026 05:10
bwstefano and others added 5 commits March 23, 2026 17:45
Document third-party services, tighten escaping and settings sanitization, and remove avoidable remote asset dependencies for the WordPress.org review path.

This also restores editor behavior that regressed during the compliance pass, including geolocation search UX, storymap search alignment, legend rendering, embed logo sizing, and translation consistency for Discovery embed actions.

Co-authored-by: Codex <codex@openai.com>
Run the release workflow only for stable tags, stage the built src tree as jeowp for Plugin Check, and block WordPress.org deployment until that validation passes.

Document the new release gate in the README so the stable tagging expectations stay aligned with the CI pipeline.

Co-authored-by: Codex <codex@openai.com>
Bring the WordPress.org remediation work to a shippable state by documenting third-party services, hardening escaping and settings handling, and restoring the editor and Discovery flows that regressed during the compliance pass.

This updates map and storymap editing, Discovery layer loading, legend rendering, embed output, geocoding search UX, translations, REST helpers, and package metadata so the plugin is ready for the stacked PR review.

Co-authored-by: Codex <codex@openai.com>
Co-authored-by: Codex <codex@openai.com>
- harden Related Posts loading, clustering, and runtime compatibility across Mapbox and MapLibre
- make Discovery pagination, hover behavior, and story deduplication more predictable
- fix storymap navigation edge cases and improve aligned map block behavior in editor and frontend
- keep map overlays responsive on smaller screens and add regression helpers/tests for REST query serialization

Co-authored-by: Codex <codex@openai.com>
@bwstefano bwstefano force-pushed the codex/wporg-policy-remediation-pr branch from ae5000c to fb20d0a on March 23, 2026 20:46