Fix Flow output escaping for plugin checks

Smart Cloud Solutions Inc. · Smart Cloud Solutions Inc. · commit 70aead97ba98 · 2026-05-28T18:34:26.000+02:00
diff --git a/admin/php/admin.php b/admin/php/admin.php
@@ -259,6 +259,21 @@ public function renderShortcodeColumn($column, $post_id)
 
         $copy_label = esc_html__('Copy', 'smartcloud-flow');
         $rows = array();
+        $allowed_html = array(
+            'div' => array(
+                'class' => true,
+            ),
+            'span' => array(
+                'class' => true,
+                'id' => true,
+            ),
+            'code' => array(),
+            'a' => array(
+                'href' => true,
+                'class' => true,
+                'data-target' => true,
+            ),
+        );
 
         foreach ($shortcodes as $index => $shortcode) {
             $target_id = sprintf('wpc-sc-%1$d-%2$d', (int) $post_id, (int) $index);
@@ -271,7 +286,7 @@ public function renderShortcodeColumn($column, $post_id)
             );
         }
 
-        echo implode('', $rows);
+        echo wp_kses(implode('', $rows), $allowed_html);
     }
 
     public function copyShortcode($hook)
diff --git a/blocks/dist/modal/render.php b/blocks/dist/modal/render.php
@@ -102,7 +102,7 @@
             </button>
         <?php endif; ?>
         <div class="wps-flow-modal__content">
-            <?php echo $content; ?>
+            <?php echo wp_kses_post($content); ?>
         </div>
     </div>
 </dialog>
diff --git a/blocks/package.json b/blocks/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@smart-cloud/flow-blocks",
   "private": true,
-  "version": "1.1.6",
+  "version": "1.1.7",
   "type": "module",
   "license": "ISC",
   "scripts": {
diff --git a/blocks/src/modal/block.json b/blocks/src/modal/block.json
@@ -2,7 +2,7 @@
   "$schema": "https://schemas.wp.org/trunk/block.json",
   "apiVersion": 3,
   "name": "smartcloud-flow/modal",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "title": "Flow Modal",
   "category": "smartcloud-flow",
   "icon": "feedback",
diff --git a/blocks/src/modal/render.php b/blocks/src/modal/render.php
@@ -102,7 +102,7 @@
             </button>
         <?php endif; ?>
         <div class="wps-flow-modal__content">
-            <?php echo $content; ?>
+            <?php echo wp_kses_post($content); ?>
         </div>
     </div>
 </dialog>
diff --git a/readme.txt b/readme.txt
@@ -5,7 +5,7 @@ Tags: forms, workflows, gutenberg, aws, automation
 Requires at least: 6.2
 Tested up to: 7.0
 Requires PHP: 8.1
-Stable tag: 1.1.7
+Stable tag: 1.1.8
 License: MIT
 License URI: https://mit-license.org/
 Text Domain: smartcloud-flow
@@ -217,6 +217,10 @@ Flow Pro includes additional functionality such as backend-powered submissions m
 
 == Changelog ==
 
+= 1.1.8 =
+* Fix: Added explicit escaped output handling for the modal block rendered content template to satisfy WordPress plugin security checks.
+* Fix: Added explicit escaped output handling for the Flow Patterns shortcode column markup in wp-admin to satisfy WordPress plugin security checks.
+
 = 1.1.7 =
 * Fix: Async modal actions now expose a generic pending state on the active trigger while awaited handlers are running.
 * Fix: Modal header spacing now only reserves room for the built-in close button when that button is actually rendered.
@@ -277,14 +281,17 @@ Flow Pro includes additional functionality such as backend-powered submissions m
 
 == Upgrade Notice ==
 
+= 1.1.8 =
+Recommended maintenance update if you run WordPress plugin checks or package Flow for release; this version adds explicit escaped output handling in the modal render template and Flow Patterns shortcode admin column.
+
 = 1.1.7 =
 Recommended update if you use Flow modals with async actions or custom modal headers; this release adds generic pending-state hooks for running action triggers, removes unnecessary header spacing when the built-in close button is hidden, and expands the modal API docs.
 
 = 1.1.6 =
 Recommended update if you use Flow modals; this release improves Gutenberg button triggers, dismiss/default action handling, full-height layout stability, background scroll locking, and the modal editor toolbar for header, body, and actions sections.
 
 = 1.1.5 =
-Recommended update if you use modal presentations, custom submit or API-backed option endpoints, or older saved Flow blocks; this release adds the modal block/runtime, expands endpoint interpolation and request options, improves API error handling, and restores Gutenberg compatibility for legacy serialized content.
+Recommended update if you use modal presentations, custom submit or API-backed option endpoints; this release adds the modal block/runtime, expands endpoint interpolation and request options, improves API error handling, and restores Gutenberg compatibility for legacy serialized content.
 
 = 1.1.4 =
 Recommended update if you reuse Flow patterns outside Gutenberg; this release adds content-root patterns to the admin list and exposes the matching copy-ready shortcode targets.
diff --git a/smartcloud-flow.php b/smartcloud-flow.php
@@ -6,7 +6,7 @@
  * Requires at least: 6.2
  * Tested up to:      7.0
  * Requires PHP:      8.1
- * Version:           1.1.7
+ * Version:           1.1.8
  * Author:            Smart Cloud Solutions Inc.
  * Author URI:        https://smart-cloud-solutions.com
  * License:           MIT
@@ -18,7 +18,7 @@
 
 namespace SmartCloud\WPSuite\Flow;
 
-const VERSION = '1.1.7';
+const VERSION = '1.1.8';
 
 if (!defined('ABSPATH')) {
     exit;

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@smart-cloud/flow-blocks",`
`3`	`3`	`"private": true,`
`4`		`- "version": "1.1.6",`
	`4`	`+ "version": "1.1.7",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"license": "ISC",`
`7`	`7`	`"scripts": {`