v1.7.21 — PCP compliance: fix readme tags, description, phpcs:ignore, JS error handling

Andrew Baker · claude · Andrew Baker · commit 2982bb6f0fef · 2026-03-22T20:24:38.000+02:00
Critical (WordPress.org): readme.txt tags reduced from 8 to 5; short
description trimmed to 141 chars. Medium: Requires at least corrected
to 6.0; phpcs:ignore added on POST reads validated via custom methods;
.catch() on clipboard promise; console.error() in settings save catch;
onclick removed from toast button in favour of addEventListener.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,18 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased]
 
+## [1.7.21] - 2026-03-22
+
+### Fixed
+- `readme.txt`: Reduced tags from 8 to 5 (WordPress.org enforces a maximum of 5)
+- `readme.txt`: Shortened short description to 141 characters (WordPress.org maximum is 150)
+- `readme.txt`: Updated `Requires at least` from 5.8 to 6.0 to match plugin header
+- `cs-code-block.php`: Added `phpcs:ignore InputNotSanitized` on `$_POST['sql']` — validated via `is_safe_query()`, not a standard `sanitize_*()` call
+- `cs-code-block.php`: Added `phpcs:ignore InputNotSanitized` on `$_POST['post_id']` reads in `ajax_preview()` and `ajax_migrate_single()` — sanitised via `(int)` cast
+- `cs-convert.js`: Removed `onclick` attribute from JS-generated toast button; replaced with `addEventListener`
+- `cs-code-block.js`: Added `.catch()` to `copyToClipboard()` promise chain — logs clipboard API rejection via `console.error()`
+- `cs-admin-settings.js`: Added `console.error()` to settings save `.catch()` block
+
 ## [1.7.18] - 2026-03-13
 
 ### Security
diff --git a/assets/cs-admin-settings.js b/assets/cs-admin-settings.js
@@ -38,9 +38,10 @@
                     }, 2000 );
                 }
             } )
-            .catch( function() {
+            .catch( function( e ) {
                 saveBtn.disabled    = false;
                 saveBtn.textContent = '💾 Save Settings';
+                console.error( 'cs-code-block: settings save failed', e );
             } );
     } );
 } )();
diff --git a/assets/cs-code-block.js b/assets/cs-code-block.js
@@ -199,6 +199,8 @@
                     setTimeout( function() {
                         copyBtn.classList.remove( 'copied' );
                     }, 2000 );
+                } ).catch( function( e ) {
+                    console.error( 'cs-code-block: clipboard write failed', e );
                 } );
             } );
         }
diff --git a/assets/cs-convert.js b/assets/cs-convert.js
@@ -125,7 +125,8 @@
             var s = coreBlocks.length > 1 ? 's' : '';
             toast.innerHTML = '' +
                 '<span>\u26A0\uFE0F ' + coreBlocks.length + ' core code block' + s + ' found</span>' +
-                '<button onclick="window.__csConvertAll()">\u26A1 Convert All to CloudScale</button>';
+                '<button>\u26A1 Convert All to CloudScale</button>';
+            toast.querySelector( 'button' ).addEventListener( 'click', convertAll );
         } else {
             if ( toast ) {
                 toast.remove();
diff --git a/cs-code-block.php b/cs-code-block.php
@@ -3,7 +3,7 @@
  * Plugin Name: CloudScale Code Block
  * Plugin URI: https://andrewbaker.ninja
  * Description: Syntax highlighted code block with auto language detection, clipboard copy, dark/light mode toggle, code block migrator, and read only SQL query tool. Works as a Gutenberg block and as a [cs_code] shortcode.
- * Version: 1.7.19
+ * Version: 1.7.21
  * Author: Andrew Baker
  * Author URI: https://andrewbaker.ninja
  * License: GPL-2.0-or-later
@@ -31,7 +31,7 @@
  */
 class CloudScale_Code_Block {
 
-    const VERSION      = '1.7.19';
+    const VERSION      = '1.7.21';
     const HLJS_VERSION = '11.11.1';
     const HLJS_CDN     = 'https://cdnjs.cloudflare.com/ajax/libs/highlight.js/';
     const TOOLS_SLUG   = 'cloudscale-code-sql';
@@ -952,7 +952,7 @@ public static function ajax_sql_run(): void {
             wp_send_json_error( 'Bad nonce', 403 );
         }
 
-        $raw = isset( $_POST['sql'] ) ? $_POST['sql'] : '';
+        $raw = isset( $_POST['sql'] ) ? $_POST['sql'] : ''; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- raw SQL for admin tool; unslashed on next line, validated via is_safe_query()
         $sql = trim( wp_unslash( $raw ) );
         if ( ! $sql ) {
             wp_send_json_error( 'Empty query' );
@@ -1304,7 +1304,7 @@ public static function ajax_preview() {
             wp_send_json_error( 'Bad nonce', 403 );
         }
 
-        $post_id = (int) ( $_POST['post_id'] ?? 0 );
+        $post_id = (int) ( $_POST['post_id'] ?? 0 ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- sanitised via (int) cast
         $post    = get_post( $post_id );
 
         if ( ! $post ) {
@@ -1336,7 +1336,7 @@ public static function ajax_migrate_single() {
             wp_send_json_error( 'Bad nonce', 403 );
         }
 
-        $post_id = (int) ( $_POST['post_id'] ?? 0 );
+        $post_id = (int) ( $_POST['post_id'] ?? 0 ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- sanitised via (int) cast
         $post    = get_post( $post_id );
 
         if ( ! $post ) {
diff --git a/readme.txt b/readme.txt
@@ -1,14 +1,14 @@
 === CloudScale Code Block ===
 Contributors: andrewbaker
-Tags: code, syntax highlighting, highlight.js, developer, gutenberg block, sql, code block, dark mode
-Requires at least: 5.8
+Tags: code block, syntax highlighting, gutenberg block, dark mode, highlight.js
+Requires at least: 6.0
 Tested up to: 6.7
 Requires PHP: 7.4
-Stable tag: 1.7.19
+Stable tag: 1.7.21
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
-Syntax highlighted code block with 14 color themes, auto language detection, clipboard copy, dark/light toggle, code block migrator, and read only SQL query tool.
+Syntax highlighted code block with 14 color themes, auto language detection, clipboard copy, dark/light toggle, migrator, and SQL query tool.
 
 == Description ==
 
@@ -79,7 +79,16 @@ Yes. Press Enter to run the query. Use Shift+Enter to insert a newline. Ctrl+Ent
 
 == Changelog ==
 
-= 1.7.19 =
+= 1.7.21 =
+* Fixed: readme.txt tags reduced from 8 to 5 (WordPress.org maximum)
+* Fixed: readme.txt short description trimmed to 141 chars (maximum is 150)
+* Fixed: readme.txt Requires at least updated to 6.0 to match plugin header
+* Fixed: phpcs:ignore comments added on POST reads validated via custom methods
+* Fixed: inline onclick removed from toast button in cs-convert.js; replaced with addEventListener
+* Fixed: .catch() added to clipboard promise chain in cs-code-block.js
+* Fixed: console.error() added to settings save catch block in cs-admin-settings.js
+
+= 1.7.20 =
 * Security: is_safe_query() now rejects queries containing semicolons, preventing statement stacking
 * Security: Removed $_REQUEST fallback in SQL AJAX handler
 * Fixed: Echoed <style> block removed from admin page; inline <script> blocks extracted to enqueued JS files (PCP compliance)

Original file line number	Diff line number	Diff line change
`@@ -199,6 +199,8 @@`
`199`	`199`	`setTimeout( function() {`
`200`	`200`	`copyBtn.classList.remove( 'copied' );`
`201`	`201`	`}, 2000 );`
	`202`	`+ } ).catch( function( e ) {`
	`203`	`+ console.error( 'cs-code-block: clipboard write failed', e );`
`202`	`204`	`} );`
`203`	`205`	`} );`
`204`	`206`	`}`