release: fixes

- Added title for Close button from the Popup block
- Fixed issue when form validation was not appearing when you click on the Submit button
- Fixed issue with Team Members Pattern having errors in the mobile preview
- Fixed issue with assets not being enqueued for block template parts
- Fixed issue where WP Enlarge on click option was not working when using Otter's animations
- Fixed Visibility conditions that were not applied to 767px and 768px screens
- Fixed tabs broken on mobile view
- Enhanced security

Author: vytisbulkevicius

.distignore

@@ -41,4 +41,5 @@ tsconfig.json
 /artifact
 /plugins
 /docs
-/build/pro/
+/build/pro/
+AGENTS.md

AGENTS.md

@@ -0,0 +1,122 @@
+# Agent Workflow 
+
+## Project Overview
+
+Otter Blocks is a WordPress Gutenberg blocks page builder plugin. It's a monorepo containing:
+- **Otter Blocks** (main free plugin) — `otter-blocks.php`
+- **Otter Pro** (premium extension) — `plugins/otter-pro/`
+- **Blocks Animation** — `plugins/blocks-animation/`
+- **Blocks CSS** — `plugins/blocks-css/`
+- **Blocks Export/Import** — `plugins/blocks-export-import/`
+
+Namespace: `ThemeIsle\GutenbergBlocks`. Requires WordPress 6.2+, PHP 7.4+ (platform target).
+
+## Build & Development Commands
+
+```bash
+# Setup
+npm ci && composer install
+
+# Development (watch mode)
+npm run start              # All configs with watch
+npm run dev:lite           # Watch lite blocks only
+npm run dev:pro            # Watch pro blocks only
+
+# Production build
+npm run build              # Full production build (all configs in parallel)
+npm run prod:lite          # Lite blocks only
+npm run prod:pro           # Pro blocks only
+npm run prod:grunt         # SASS compilation via Grunt
+
+# Sister plugins build
+npm run plugins            # Build blocks-animation, blocks-css, blocks-export-import
+```
+
+## Testing
+
+```bash
+# JavaScript unit tests (Jest)
+npm run test:unit
+npm run test:unit:watch
+
+# PHP unit tests (requires wp-env)
+npm run test:unit:php           # Starts wp-env + runs PHPUnit
+npm run test:unit:php:base      # PHPUnit only (if wp-env already running)
+npm run test:unit:php:multisite # Multisite PHPUnit tests
+
+# E2E tests (Playwright)
+npm run test:e2e:playwright
+npm run test:e2e:playwright-ui  # With UI
+
+# Performance tests
+npm run test:performance
+```
+
+PHPUnit config: `phpunit.xml` (single-site), `phpunit/multisite.xml`.
+Playwright config: `src/blocks/test/e2e/playwright.config.js`.
+
+## Linting & Formatting
+
+```bash
+# JavaScript
+npm run lint               # ESLint check
+npm run format             # ESLint autofix
+
+# PHP
+composer run lint          # PHPCS
+composer run format        # PHPCBF
+composer run phpstan       # PHPStan static analysis (uses phpstan.neon + baseline)
+```
+
+ESLint: WordPress preset with TypeScript (`.eslintrc`). PHPCS: WordPress-Core/Docs/Extra + VIP-Go (`phpcs.xml`).
+
+## Architecture
+
+### Webpack Build Pipeline
+
+Three webpack configs, all extending `@wordpress/scripts`:
+- `webpack.config.js` — Lite: dashboard, onboarding, animation frontend, and all free blocks
+- `webpack.config.pro.js` — Pro blocks and features
+- `webpack.config.plugins.js` — Sister plugins (animation, CSS, export-import)
+
+Grunt handles SASS compilation and version bumping (`Gruntfile.js`).
+
+### Block Metadata Registry
+
+`blocks.json` is the central manifest mapping every block to its `block.json` path and SCSS asset paths. Both webpack and Grunt read this file. Pro blocks are marked with `isPro: true`.
+
+### PHP Structure (`inc/`)
+
+- `class-main.php` — Singleton bootstrap, hooks, autoloading, SVG/MIME handling
+- `class-registration.php` — Block registration (WordPress native), asset enqueue, block categories (`themeisle-blocks`, `themeisle-woocommerce-blocks`), lazy-load dependencies
+- `class-pro.php` — Pro plugin loader
+- `class-patterns.php` — Pattern library
+- `css/` — CSS generation classes (`Block_Frontend`, `CSS_Handler`)
+- `plugins/` — Feature modules: Block_Conditions, Dynamic_Content, Dashboard, Stripe_API, Template_Cloud
+- `render/` — Dynamic block server-side renderers
+- `server/` — REST API endpoints
+- `integrations/` — Form provider integrations (email services)
+
+### JavaScript Structure (`src/`)
+
+- `src/blocks/blocks/` — Individual block implementations (edit.js, index.js, inspector.js, block.json)
+- `src/blocks/components/` — Shared React components
+- `src/blocks/frontend/` — Block frontend scripts (loaded on visitor-facing pages)
+- `src/blocks/plugins/` — Editor plugins (conditions, CSS, animations, copy-paste styles)
+- `src/blocks/helpers/` — Utility functions
+- `src/pro/` — Pro block implementations
+- `src/dashboard/` — Otter settings dashboard
+- `src/onboarding/` — Onboarding wizard
+- `src/animation/`, `src/css/`, `src/export-import/` — Sister plugin sources
+
+### Development Environment
+
+Uses `@wordpress/env` (wp-env). Config: `.wp-env.override.json`. Start with `npm run test:unit:php:setup` or `npx wp-env start`.
+
+## Key Conventions
+
+- Text domains: `otter-blocks`, `otter-pro`, `blocks-animation`, `blocks-css`, `blocks-export-import`
+- Tab indentation (JS and PHP), single quotes, semicolons required (JS)
+- Block namespace: `themeisle-blocks/<block-name>` (e.g., `themeisle-blocks/accordion`)
+- PHP autoloading follows class file naming: `class-<name>.php`
+- Distribution via `npm run dist` (runs `bin/dist.sh`, creates ZIP artifacts filtered by `.distignore`)

inc/class-registration.php

@@ -386,7 +386,7 @@ function ( $content ) {
 
 		}
 
-		if ( function_exists( 'get_block_templates' ) && function_exists( 'wp_is_block_theme' ) && wp_is_block_theme() && current_theme_supports( 'block-templates' ) ) {
+		if ( function_exists( 'get_block_templates' ) && ( current_theme_supports( 'block-templates' ) || current_theme_supports( 'block-template-parts' ) ) ) {
 			$this->enqueue_dependencies( 'block-templates' );
 		}
 	}
@@ -406,25 +406,42 @@ public function enqueue_dependencies( $post = null ) {
 		} elseif ( 'block-templates' === $post ) {
 			global $_wp_current_template_content;
 
-			$slugs           = array();
-			$template_blocks = parse_blocks( $_wp_current_template_content );
-
-			foreach ( $template_blocks as $template_block ) {
-				if ( 'core/template-part' === $template_block['blockName'] ) {
-					$slugs[] = $template_block['attrs']['slug'];
+			$content = '';
+			$slugs   = array();
+
+			// If we have template content (full block templates), extract template part slugs.
+			if ( ! empty( $_wp_current_template_content ) ) {
+				$template_blocks = parse_blocks( $_wp_current_template_content );
+				
+				foreach ( $template_blocks as $template_block ) {
+					if ( 'core/template-part' === $template_block['blockName'] && isset( $template_block['attrs']['slug'] ) ) {
+						$slugs[] = $template_block['attrs']['slug'];
+					}
 				}
-			}
-
-			$templates_parts = get_block_templates( array( 'slugs__in' => $slugs ), 'wp_template_part' );
-
-			foreach ( $templates_parts as $templates_part ) {
-				if ( ! empty( $templates_part->content ) && ! empty( $templates_part->slug ) && in_array( $templates_part->slug, $slugs ) ) {
-					$content .= $templates_part->content;
+				
+				// Get the specific template parts referenced in the template.
+				$templates_parts = get_block_templates( array( 'slug__in' => $slugs ), 'wp_template_part' );
+				
+				foreach ( $templates_parts as $templates_part ) {
+					if ( ! empty( $templates_part->content ) && ! empty( $templates_part->slug ) && in_array( $templates_part->slug, $slugs ) ) {
+						$content .= $templates_part->content;
+					}
+				}
+				
+				$content .= $_wp_current_template_content;
+			} else {
+				// Fallback for classic themes with block-template-parts only.
+				// Get all template parts since we can't determine which ones are used.
+				$templates_parts = get_block_templates( array(), 'wp_template_part' );
+				
+				foreach ( $templates_parts as $templates_part ) {
+					if ( ! empty( $templates_part->content ) ) {
+						$content .= $templates_part->content;
+					}
 				}
 			}
 
-			$content .= $_wp_current_template_content;
-			$post     = $content;
+			$post = $content;
 		} else {
 			$content = get_the_content( null, false, $post );
 		}
@@ -1065,7 +1082,7 @@ public function load_condition_hide_on_styles( $block_content, $block ) {
 	 * @access public
 	 */
 	public static function condition_hide_on_style() {
-		echo '<style id="o-condition-hide-inline-css">@media (max-width:768px){.o-hide-on-mobile{display:none!important}}@media (min-width:767px) and (max-width:1024px){.o-hide-on-tablet{display:none!important}}@media (min-width:1023px){.o-hide-on-desktop{display:none!important}}</style>';
+		echo '<style id="o-condition-hide-inline-css">@media (max-width:768px){.o-hide-on-mobile{display:none!important}}@media (min-width:769px) and (max-width:1024px){.o-hide-on-tablet{display:none!important}}@media (min-width:1025px){.o-hide-on-desktop{display:none!important}}</style>';
 	}
 
 	/**

inc/css/class-block-frontend.php

@@ -577,32 +577,47 @@ public function enqueue_widgets_css() {
 	 * @access  public
 	 */
 	public function enqueue_fse_css() {
-		if ( ! ( function_exists( 'get_block_templates' ) && function_exists( 'wp_is_block_theme' ) && wp_is_block_theme() && current_theme_supports( 'block-templates' ) ) ) {
+		if ( ! ( function_exists( 'get_block_templates' ) && ( current_theme_supports( 'block-templates' ) || current_theme_supports( 'block-template-parts' ) ) ) ) {
 			return;
 		}
 
 		global $_wp_current_template_content;
 
-		$content         = '';
-		$slugs           = array();
-		$template_blocks = parse_blocks( $_wp_current_template_content );
+		$content = '';
+		$slugs   = array();
 
-		foreach ( $template_blocks as $template_block ) {
-			if ( 'core/template-part' === $template_block['blockName'] ) {
-				$slugs[] = $template_block['attrs']['slug'];
+		// If we have template content (full block templates), extract template part slugs.
+		if ( ! empty( $_wp_current_template_content ) ) {
+			$template_blocks = parse_blocks( $_wp_current_template_content );
+			
+			foreach ( $template_blocks as $template_block ) {
+				if ( 'core/template-part' === $template_block['blockName'] && isset( $template_block['attrs']['slug'] ) ) {
+					$slugs[] = $template_block['attrs']['slug'];
+				}
 			}
-		}
-
-		$templates_parts = get_block_templates( array( 'slugs__in' => $slugs ), 'wp_template_part' );
-
-		foreach ( $templates_parts as $templates_part ) {
-			if ( ! empty( $templates_part->content ) && ! empty( $templates_part->slug ) && in_array( $templates_part->slug, $slugs ) ) {
-				$content .= $templates_part->content;
+			
+			// Get the specific template parts referenced in the template.
+			$templates_parts = get_block_templates( array( 'slug__in' => $slugs ), 'wp_template_part' );
+			
+			foreach ( $templates_parts as $templates_part ) {
+				if ( ! empty( $templates_part->content ) && ! empty( $templates_part->slug ) && in_array( $templates_part->slug, $slugs ) ) {
+					$content .= $templates_part->content;
+				}
+			}
+			
+			$content .= $_wp_current_template_content;
+		} else {
+			// Fallback for classic themes with block-template-parts only.
+			// Get all template parts since we can't determine which ones are used.
+			$templates_parts = get_block_templates( array(), 'wp_template_part' );
+			
+			foreach ( $templates_parts as $templates_part ) {
+				if ( ! empty( $templates_part->content ) ) {
+					$content .= $templates_part->content;
+				}
 			}
 		}
 
-		$content .= $_wp_current_template_content;
-
 		$blocks = parse_blocks( $content );
 
 		if ( ! is_array( $blocks ) || empty( $blocks ) ) {

inc/plugins/class-stripe-api.php

@@ -239,7 +239,11 @@ public function save_customer_data( $session_id ) {
 		array_push( $data, $object );
 
 		if ( defined( 'COOKIEPATH' ) && defined( 'COOKIE_DOMAIN' ) && ! headers_sent() && ! $user_id ) {
-			setcookie( 'o_stripe_data', wp_json_encode( $data ), strtotime( '+1 week' ), COOKIEPATH, COOKIE_DOMAIN, false ); // phpcs:ignore WordPressVIPMinimum.Functions.RestrictedFunctions.cookies_setcookie
+			$data      = wp_json_encode( $data );
+			$hmac_data = hash_hmac( 'sha256', $data, wp_salt() );
+			$secure    = function_exists( 'is_ssl' ) ? is_ssl() : ( ! empty( $_SERVER['HTTPS'] ) && strtolower( $_SERVER['HTTPS'] ) !== 'off' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+			setcookie( 'o_stripe_data', $data, strtotime( '+1 week' ), COOKIEPATH, COOKIE_DOMAIN, $secure, true ); // phpcs:ignore WordPressVIPMinimum.Functions.RestrictedFunctions.cookies_setcookie
+			setcookie( 'o_stripe_hmac_data', $hmac_data, strtotime( '+1 week' ), COOKIEPATH, COOKIE_DOMAIN, $secure, true ); // phpcs:ignore WordPressVIPMinimum.Functions.RestrictedFunctions.cookies_setcookie
 			return;
 		}
 
@@ -258,8 +262,13 @@ public function get_customer_data() {
 		$user_id = get_current_user_id();
 
 		if ( ! $user_id ) {
-			if ( isset( $_COOKIE['o_stripe_data'] ) && ! empty( $_COOKIE['o_stripe_data'] ) ) { // phpcs:ignore WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___COOKIE
-				$data = json_decode( stripcslashes( $_COOKIE['o_stripe_data'] ), true ); // phpcs:ignore WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___COOKIE, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+			if ( isset( $_COOKIE['o_stripe_data'] ) && ! empty( $_COOKIE['o_stripe_data'] ) && isset( $_COOKIE['o_stripe_hmac_data'] ) && ! empty( $_COOKIE['o_stripe_hmac_data'] ) ) { // phpcs:ignore WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___COOKIE
+				$data_raw  = stripcslashes( $_COOKIE['o_stripe_data'] ); // phpcs:ignore WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___COOKIE, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+				$hmac_data = sanitize_text_field( $_COOKIE['o_stripe_hmac_data'] ); // phpcs:ignore WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___COOKIE
+
+				if ( hash_equals( hash_hmac( 'sha256', $data_raw, wp_salt() ), $hmac_data ) ) {
+					$data = json_decode( $data_raw, true );
+				}
 			}
 
 			return $data;