v1.7.18: PCP compliance, security hardening, i18n, uninstall, docblocks

Critical (PCP):
- Remove echoed <style> block from admin page; extract inline <script>
  blocks into enqueued cs-admin-settings.js and cs-sql-editor.js
- Replace document.head.appendChild(style) in cs-convert.js with
  wp_add_inline_style()

Security:
- Harden is_safe_query(): reject queries containing semicolons
- Remove $_REQUEST fallback in SQL AJAX handler (POST only)
- Add phpcs:ignore annotations for intentional direct DB queries

Standards:
- Add uninstall.php to clean up plugin options on deletion
- Add load_plugin_textdomain() on init; wrap 48 user-facing strings
  with esc_html_e() / esc_attr_e() across frontend and admin
- Remove console.warn() and console.log() from cs-convert.js
- Replace date() with wp_date() in migration scan
- Consolidate wp_ajax_cs_save_theme_setting hook into init()
- Full DocBlocks on all methods (@SInCE, @param, @return)
- Sync block.json version to plugin version

Docs:
- Add CHANGELOG.md in Keep a Changelog format
- Add missing 1.7.16 and 1.7.17 entries to readme.txt changelog

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: Andrew Baker

CHANGELOG.md

@@ -0,0 +1,136 @@
+# Changelog
+
+All notable changes to CloudScale Code Block are documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+
+## [Unreleased]
+
+## [1.7.18] - 2026-03-13
+
+### Security
+- Hardened `is_safe_query()`: SQL queries containing semicolons are now rejected, preventing statement stacking
+- Removed `$_REQUEST` fallback in SQL AJAX handler — only `$_POST` accepted
+- Added `phpcs:ignore` annotations with rationale for all intentional `$wpdb` direct-query patterns
+
+### Fixed
+- Removed echoed `<style>` block from admin tools page — all styles now served via enqueued `cs-admin-tabs.css`
+- Extracted inline `<script>` blocks from settings and SQL panels into enqueued JS files (`cs-admin-settings.js`, `cs-sql-editor.js`)
+- Replaced dynamic `document.head.appendChild(style)` injection in block editor with `wp_add_inline_style()`
+- Removed `console.warn()` and `console.log()` debug calls from `cs-convert.js`
+
+### Added
+- `uninstall.php` — removes `cs_code_default_theme` and `cs_code_theme_pair` options on plugin deletion
+- `load_plugin_textdomain()` called on `init`; 48 user-facing strings wrapped with i18n functions across frontend and admin
+- Full DocBlocks (`@since`, `@param`, `@return`) on all class methods and class definition
+- `@package` and `@since` tags in plugin file header
+
+### Changed
+- `wp_ajax_cs_save_theme_setting` hook consolidated into `init()` alongside all other AJAX hooks
+- `date()` replaced with `wp_date()` in migration scan to respect site timezone
+- `block.json` version synced to plugin version
+
+## [1.7.17]
+
+### Added
+- Copy button now shows a "Copy" label alongside the clipboard icon
+
+### Changed
+- CSS refactored for copy button styling
+
+## [1.7.16]
+
+### Fixed
+- `build_migrate_block()` JSON encoding corrected: removed `JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES` flags that caused `<`, `>`, and quote characters to be stored as literal bytes, corrupting block attributes on subsequent Gutenberg saves
+
+### Changed
+- All enqueued assets now use `filemtime()` for cache busting
+- Block editor toolbar improvements
+
+## [1.7.15]
+
+### Fixed
+- Split `decode_migrated_content()` into two independent passes so the bare-`\n` newline fix always runs regardless of whether unicode escapes were already decoded in the database
+
+## [1.7.14]
+
+### Fixed
+- `decode_migrated_content()` in `render_block()` decodes unicode escapes and bare newline separators left by the v1 migration bug, fixing display of affected code blocks without requiring database changes
+
+## [1.7.13]
+
+### Fixed
+- Code Block Migrator now uses safe JSON encoding so special characters like `<`, `>`, and quotes are stored as proper unicode escapes in block comment attributes, preventing content corruption on subsequent Gutenberg saves
+
+## [1.7.8]
+
+### Added
+- Copy, Paste, and Clear buttons to the block editor toolbar
+
+## [1.7.6]
+
+### Fixed
+- White toolbar text for improved contrast
+- UNDEFINED language badge no longer displayed
+- Powered by CloudScale link added to block toolbar
+
+## [1.7.3]
+
+### Changed
+- Admin CSS embedded inline for reliable rendering across all WordPress configurations
+- Admin UI restyled to match the CloudScale plugin family: navy gradient banner, dark tab bar with orange active indicator, white card panels with coloured gradient section headers
+
+## [1.7.0]
+
+### Added
+- 14 popular syntax colour themes: Atom One, GitHub, Monokai, Nord, Dracula, Tokyo Night, VS 2015/VS Code, Stack Overflow, Night Owl, Gruvbox, Solarized, Panda, Tomorrow Night, Shades of Purple
+- Colour Theme selector in the settings panel
+- HCL/Terraform and TOML to the language selector
+- 14 new SQL quick queries organised into four groups: Health and Diagnostics, Content Summary, Bloat and Cleanup Checks, URL and Migration Helpers
+
+### Changed
+- Each theme loads its dark and light variant from the highlight.js CDN
+- Toggle button switches between the dark and light variant of the chosen theme
+- Frontend CSS refactored to use CSS custom properties for theme-agnostic styling
+- Theme backgrounds and toolbar colours adapt automatically to the selected theme
+- Enter key now runs the SQL query; Shift+Enter inserts a newline
+
+## [1.6.0]
+
+### Added
+- Merged CloudScale SQL Command plugin into CloudScale Code Block
+- Combined Tools page at Tools > CloudScale Code and SQL with tabbed interface
+- AJAX save for theme settings (no page reload required)
+
+### Removed
+- Separate Settings > CloudScale Code Block page
+- Separate Tools > CloudScale SQL page
+
+## [1.5.0]
+
+### Added
+- Code Block Migrator tool to batch-convert legacy WordPress code blocks
+- Auto-convert toast in the block editor for `core/code` and `core/preformatted` blocks
+- Transform support from `core/code` and `core/preformatted`
+
+## [1.1.0]
+
+### Fixed
+- Block now spans full content width in both editor and frontend
+- Dark mode is now the proper default with Atom One Dark syntax colours
+- Code no longer wraps; horizontal scroll on overflow
+- Editor style properly registered via `block.json` `editorStyle`
+
+### Added
+- Alignment support (wide, full) in block toolbar
+
+## [1.0.0]
+
+### Added
+- Initial release: Gutenberg block and `[cs_code]` shortcode for syntax-highlighted code
+- Auto language detection for 30+ languages via highlight.js
+- One-click clipboard copy button
+- Dark/light mode toggle per block with site-wide default
+- Language badge auto-detection
+- Optional line numbers toggle
+- Custom title/filename label per block

assets/cs-admin-settings.js

@@ -0,0 +1,46 @@
+/**
+ * CloudScale Code Block - Admin Settings Save
+ *
+ * Handles the AJAX save for the Code Block Settings panel.
+ * Depends on csAdminSettings (nonce) localised by PHP.
+ */
+( function() {
+    'use strict';
+
+    var saveBtn  = document.getElementById( 'cs-settings-save' );
+    var selPair  = document.getElementById( 'cs-settings-pair' );
+    var selTheme = document.getElementById( 'cs-settings-theme' );
+    var savedMsg = document.getElementById( 'cs-settings-saved' );
+
+    if ( ! saveBtn ) {
+        return;
+    }
+
+    saveBtn.addEventListener( 'click', function() {
+        saveBtn.disabled    = true;
+        saveBtn.textContent = 'Saving...';
+
+        var fd = new FormData();
+        fd.append( 'action',     'cs_save_theme_setting' );
+        fd.append( 'nonce',      csAdminSettings.nonce );
+        fd.append( 'theme',      selTheme.value );
+        fd.append( 'theme_pair', selPair.value );
+
+        fetch( ajaxurl, { method: 'POST', body: fd } )
+            .then( function( r ) { return r.json(); } )
+            .then( function( resp ) {
+                saveBtn.disabled    = false;
+                saveBtn.textContent = '💾 Save Settings';
+                if ( resp.success ) {
+                    savedMsg.classList.add( 'visible' );
+                    setTimeout( function() {
+                        savedMsg.classList.remove( 'visible' );
+                    }, 2000 );
+                }
+            } )
+            .catch( function() {
+                saveBtn.disabled    = false;
+                saveBtn.textContent = '💾 Save Settings';
+            } );
+    } );
+} )();

assets/cs-admin-tabs.css

@@ -1,5 +1,5 @@
 /* ============================================================
-   CloudScale Code and SQL — Admin UI  v1.7.1
+   CloudScale Code and SQL — Admin UI  v1.7.17
    Colour palette mirrors CloudScale Page Views: electric blue,
    bright green, vivid orange, deep navy, white.
    ============================================================ */

assets/cs-convert.js

@@ -10,7 +10,6 @@
 
     // Bail if wp.data or wp.blocks aren't available
     if ( ! window.wp || ! window.wp.data || ! window.wp.blocks ) {
-        console.warn( '[CloudScale] wp.data or wp.blocks not available' );
         return;
     }
 
@@ -101,52 +100,6 @@
     window.__csConvertBlock = convertBlock;
     window.__csConvertAll   = convertAll;
 
-    // =========================================================================
-    //  Inject CSS
-    // =========================================================================
-
-    var css = document.createElement( 'style' );
-    css.textContent = '' +
-        '#' + TOAST_ID + ' {' +
-            'position: fixed;' +
-            'bottom: 24px;' +
-            'right: 24px;' +
-            'z-index: 999999;' +
-            'background: linear-gradient(135deg, #1e3a5f 0%, #0d9488 100%);' +
-            'color: #fff;' +
-            'padding: 16px 20px;' +
-            'border-radius: 10px;' +
-            'box-shadow: 0 8px 32px rgba(0,0,0,0.3);' +
-            'display: flex;' +
-            'align-items: center;' +
-            'gap: 16px;' +
-            'font-size: 14px;' +
-            'font-weight: 500;' +
-            'font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;' +
-            'animation: cs-toast-in 0.3s ease-out;' +
-        '}' +
-        '#' + TOAST_ID + ' button {' +
-            'background: #fff;' +
-            'color: #1e3a5f;' +
-            'font-weight: 700;' +
-            'border-radius: 6px;' +
-            'padding: 10px 24px;' +
-            'font-size: 14px;' +
-            'border: none;' +
-            'white-space: nowrap;' +
-            'cursor: pointer;' +
-            'box-shadow: 0 2px 8px rgba(0,0,0,0.15);' +
-            'font-family: inherit;' +
-        '}' +
-        '#' + TOAST_ID + ' button:hover {' +
-            'background: #f0fdf4;' +
-        '}' +
-        '@keyframes cs-toast-in {' +
-            'from { opacity: 0; transform: translateY(20px); }' +
-            'to { opacity: 1; transform: translateY(0); }' +
-        '}';
-    document.head.appendChild( css );
-
     // =========================================================================
     //  Watch for core code blocks and show/hide toast
     // =========================================================================
@@ -188,6 +141,4 @@
     // Also run once after a short delay to catch initial state
     setTimeout( checkBlocks, 1000 );
 
-    console.log( '[CloudScale] Auto-convert watcher loaded' );
-
 } )();

assets/cs-sql-editor.js

@@ -0,0 +1,129 @@
+/**
+ * CloudScale Code Block - SQL Editor
+ *
+ * Handles the SQL query editor, quick-query buttons, and results table.
+ * Depends on csSqlEditor (nonce) localised by PHP.
+ */
+( function() {
+    'use strict';
+
+    var input    = document.getElementById( 'cs-sql-input' );
+    var runBtn   = document.getElementById( 'cs-sql-run' );
+    var clearBtn = document.getElementById( 'cs-sql-clear' );
+    var results  = document.getElementById( 'cs-sql-results' );
+    var status   = document.getElementById( 'cs-sql-status' );
+    var meta     = document.getElementById( 'cs-sql-meta' );
+
+    if ( ! input || ! runBtn ) {
+        return;
+    }
+
+    var nonce = csSqlEditor.nonce;
+
+    function escHtml( s ) {
+        var d = document.createElement( 'div' );
+        d.textContent = s;
+        return d.innerHTML;
+    }
+
+    function run() {
+        var sql = input.value.trim();
+        if ( ! sql ) {
+            return;
+        }
+
+        runBtn.disabled    = true;
+        status.textContent = 'Running...';
+        status.style.color = '#888';
+        results.innerHTML  = '<div style="text-align:center;color:#888;padding:20px">⏳ Executing query...</div>';
+        meta.textContent   = '';
+
+        fetch( ajaxurl, {
+            method:  'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body:    'action=cs_sql_run&nonce=' + encodeURIComponent( nonce ) + '&sql=' + encodeURIComponent( sql )
+        } )
+        .then( function( r ) { return r.json(); } )
+        .then( function( resp ) {
+            runBtn.disabled = false;
+
+            if ( ! resp.success ) {
+                status.textContent = '✗ Error';
+                status.style.color = '#c3372b';
+                results.innerHTML  = '<div style="color:#c3372b;background:#fef0f0;border:1px solid #f5bcbb;padding:12px 14px;border-radius:4px;font-family:monospace;font-size:12px;white-space:pre-wrap">'
+                    + escHtml( typeof resp.data === 'string' ? resp.data : JSON.stringify( resp.data ) )
+                    + '</div>';
+                return;
+            }
+
+            var d = resp.data;
+            status.textContent = '✓ Success';
+            status.style.color = '#1a7a34';
+            meta.textContent   = d.count + ' row' + ( d.count !== 1 ? 's' : '' ) + ' in ' + d.elapsed + 'ms';
+
+            if ( ! d.rows || d.rows.length === 0 ) {
+                results.innerHTML = '<div style="text-align:center;color:#999;padding:20px">Query returned 0 rows</div>';
+                return;
+            }
+
+            var cols = Object.keys( d.rows[ 0 ] );
+            var html = '<table class="cs-sql-table"><thead><tr>';
+            cols.forEach( function( c ) {
+                html += '<th>' + escHtml( c ) + '</th>';
+            } );
+            html += '</tr></thead><tbody>';
+
+            d.rows.forEach( function( row ) {
+                html += '<tr>';
+                cols.forEach( function( c ) {
+                    var val = row[ c ];
+                    if ( val === null ) {
+                        val = '<span style="color:#999;font-style:italic">NULL</span>';
+                    } else {
+                        val = escHtml( String( val ) );
+                        val = val.replace(
+                            /(http:\/\/[^\s&lt;,;'"]+)/g,
+                            '<span style="background:#fef0f0;color:#c3372b;padding:1px 3px;border-radius:2px">$1</span>'
+                        );
+                    }
+                    html += '<td>' + val + '</td>';
+                } );
+                html += '</tr>';
+            } );
+
+            html += '</tbody></table>';
+            results.innerHTML = html;
+        } )
+        .catch( function( e ) {
+            runBtn.disabled    = false;
+            status.textContent = '✗ Network error';
+            status.style.color = '#c3372b';
+            results.innerHTML  = '<div style="color:#c3372b;padding:12px">' + escHtml( e.message ) + '</div>';
+        } );
+    }
+
+    runBtn.addEventListener( 'click', run );
+
+    clearBtn.addEventListener( 'click', function() {
+        input.value        = '';
+        results.innerHTML  = '<div style="text-align:center;color:#999;padding:40px 0">Run a query to see results here</div>';
+        status.textContent = '';
+        meta.textContent   = '';
+        input.focus();
+    } );
+
+    // Enter (plain) or Ctrl+Enter both run the query; Shift+Enter inserts a newline
+    input.addEventListener( 'keydown', function( e ) {
+        if ( e.key === 'Enter' && ! e.shiftKey ) {
+            e.preventDefault();
+            run();
+        }
+    } );
+
+    document.querySelectorAll( '.cs-sql-quick' ).forEach( function( btn ) {
+        btn.addEventListener( 'click', function() {
+            input.value = this.getAttribute( 'data-sql' );
+            run();
+        } );
+    } );
+} )();

blocks/code/block.json

@@ -2,7 +2,7 @@
     "$schema": "https://schemas.wp.org/trunk/block.json",
     "apiVersion": 3,
     "name": "cloudscale/code-block",
-    "version": "1.7.0",
+    "version": "1.7.18",
     "title": "CloudScale Code Block",
     "category": "formatting",
     "icon": "editor-code",