gpfup-update-filename-markup.php: Added new snippet.

[malayladu]

Context

⛑️ Ticket(s): https://secure.helpscout.net/conversation/2736841634/72809

💬 Slack: https://gravitywiz.slack.com/archives/C03T0CNL8AV/p1742222792311989

Summary

This snippet will help update the filename markup of uploaded files through GP File Upload PRO.

[coderabbitai]

Walkthrough

This pull request introduces a new file, gp-file-upload-pro/gpfup-update-filename-markup.php, which defines the GPFUP_Update_Filename_Markup class. This class enhances the Gravity Forms File Upload Pro functionality by allowing filename markup to include file URLs. It initializes necessary hooks to inject JavaScript that stores file upload data in session storage and utilizes that data to update filename displays based on the provided form configuration.

Changes

File	Change Summary
gp-file-upload-pro/gpfup-update-filename-markup.php	Added the GPFUP_Update_Filename_Markup class with methods for construction, initialization (init), file data population (populate_file_data), script output (output_script), script loading (load_form_script), initialization registration (add_init_script), and form applicability check (is_applicable_form).

Suggested reviewers

• veryspry

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1fd355e and c209185.

📒 Files selected for processing (1)

• gp-file-upload-pro/gpfup-update-filename-markup.php (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• gp-file-upload-pro/gpfup-update-filename-markup.php

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai plan to trigger planning for file edits and PR creation.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

gp-file-upload-pro/gpfup-update-filename-marklup.php (4)

1-12: Possible file naming discrepancy.
The file is named "gpfup-update-filename-marklup.php" whereas references in the docblock say "update the filename markup." If this is unintentional, consider renaming for clarity (e.g., "markup" instead of "marklup").

---

44-68: Use WordPress-specific JSON helpers for better encoding.
When printing dynamic data in inline JavaScript, it’s safer to use wp_json_encode() rather than json_encode() to properly handle special characters and adhere to WordPress best practices.

- var fileData = " . json_encode( $file_upload_data ) . ";
+ var fileData = " . wp_json_encode( $file_upload_data ) . ";

---

79-121: Add security attributes to links opened in new tabs.
When using target="_blank", include rel="noopener noreferrer" to protect from potential reverse tabnabbing attacks.

- return fileUrl ? `<a href="${fileUrl}" target="__blank">${fileName}</a>` : fileName;
+ return fileUrl ? `<a href="${fileUrl}" target="_blank" rel="noopener noreferrer">${fileName}</a>` : fileName;

---

123-137: Use WordPress-compatible JSON encoding for init script.
Similar to above, consider replacing json_encode() with wp_json_encode() when generating inline scripts.

- $script = 'new ' . __CLASS__ . '( ' . json_encode( $args ) . ' );';
+ $script = 'new ' . __CLASS__ . '( ' . wp_json_encode( $args ) . ' );';

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6b9e42a and e8e918d.

📒 Files selected for processing (1)

• gp-file-upload-pro/gpfup-update-filename-marklup.php (1 hunks)

🔇 Additional comments (2)

gp-file-upload-pro/gpfup-update-filename-marklup.php (2)

139-143: No issues found with the applicability check.
The logic properly checks whether the form ID is specified, or if it matches the class configuration.

---

147-153: Instantiating for a specific form and field.
Providing these IDs directly is valid if you only intend to support a single form or field. If you plan to support multiple forms, consider instantiating the class dynamically or in a loop for each form.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

gp-file-upload-pro/gpfup-update-filename-markup.php (3)

24-25: Note on missing version check implementation.
The inline comment indicates a version check for Gravity Forms, but there is no actual check in the code. If Gravity Forms (or the relevant add-ons) is not available or at a certain version, this snippet may produce errors.

---

86-116: Add security attributes when opening links in new tabs.
Currently, links are opened in a new window with target="__blank". For consistency and security, consider using target="_blank" together with rel="noopener noreferrer" to protect against reverse tabnabbing.

- return fileUrl ? `<a href="${fileUrl}" target="__blank">${fileName}</a>` : fileName;
+ return fileUrl ? `<a href="${fileUrl}" target="_blank" rel="noopener noreferrer">${fileName}</a>` : fileName;

---

123-133: Use wp_json_encode() for safer initialization scripts.
Switching from json_encode() to wp_json_encode() here improves data escaping and line-break handling to reduce potential security or formatting issues in embedded scripts.

- $script = 'new ' . __CLASS__ . '( ' . json_encode( $args ) . ' );';
+ $script = 'new ' . __CLASS__ . '( ' . wp_json_encode( $args ) . ' );';

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e8e918d and 23dc4e3.

📒 Files selected for processing (1)

• gp-file-upload-pro/gpfup-update-filename-markup.php (1 hunks)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

gp-file-upload-pro/gpfup-update-filename-markup.php (1)

109-109: Use the conventional _blank target.

Using target="__blank" is non-standard. Update it to _blank for broader consistency and compatibility.

-return fileUrl ? `<a href="${fileUrl}" target="__blank">${fileName}</a>` : fileName;
+return fileUrl ? `<a href="${fileUrl}" target="_blank">${fileName}</a>` : fileName;

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 23dc4e3 and c3bb17b.

📒 Files selected for processing (1)

• gp-file-upload-pro/gpfup-update-filename-markup.php (1 hunks)

🔇 Additional comments (3)

gp-file-upload-pro/gpfup-update-filename-markup.php (3)

1-16: Looks good so far!

The class declaration and constructor logic are straightforward. Storing _args with wp_parse_args() for form ID and field ID is a neat way to keep the snippet configurable without hardcoding.

---

58-66: Escape data in JavaScript output to prevent potential XSS.

The code still uses json_encode($file_upload_data). Even if the file metadata is trusted, it is best practice to sanitize or escape user-generated data for safe rendering. Consider using wp_json_encode() with JSON_HEX flags or a similar approach:

- var fileData = " . json_encode( $file_upload_data ) . ";
+ var fileData = " . wp_json_encode( $file_upload_data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS ) . ";

---

139-143: Form applicability check looks solid!

Your is_applicable_form logic is a concise way to apply the snippet conditionally based on form ID. This ensures minimal overhead for unrelated forms.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (2)

gp-file-upload-pro/gpfup-update-filename-markup.php (2)

59-72: ⚠️ Potential issue

Security vulnerability: Unescaped JSON data in JavaScript output.

The code directly outputs JSON data to JavaScript without proper escaping, which could lead to XSS vulnerabilities if the file data contains malicious content.

- var fileData = " . json_encode( $file_upload_data ) . ";
+ var fileData = " . wp_json_encode( $file_upload_data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS ) . ";

---

138-138: 🛠️ Refactor suggestion

Improve security by escaping JSON output in script initialization.

Similar to the earlier issue, JSON is being output without proper escaping.

- $script = 'new ' . __CLASS__ . '( ' . json_encode( $args ) . ' );';
+ $script = 'new ' . __CLASS__ . '( ' . wp_json_encode( $args, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS ) . ' );';

🧹 Nitpick comments (3)

gp-file-upload-pro/gpfup-update-filename-markup.php (3)

44-44: Fix method name casing inconsistency.

There's a casing inconsistency in the method name reference - 'populate_file_Data' has a capital 'D', but the actual method declaration uses the same inconsistent casing.

- 'populate_file_Data',
+ 'populate_file_data',

---

49-58: Method name casing inconsistency in function declaration.

The PHPDoc is well structured, but the method name follows an inconsistent casing pattern.

- public function populate_file_Data( $file_upload_data, $form, $field ) {
+ public function populate_file_data( $file_upload_data, $form, $field ) {

---

84-126: Well-structured JavaScript implementation with potential security improvement.

The JavaScript code is well-structured and adds a useful filter to enhance filename markup with URLs. The code handles various scenarios to find the file URL.

Consider adding some sanitization or validation of the URL before outputting it to the DOM to prevent potential XSS:

- return fileUrl ? `<a href="${fileUrl}" target="__blank">${fileName}</a>` : fileName;
+ return fileUrl ? `<a href="${fileUrl.replace(/[<>"'&]/g, function(c) { return '&#' + c.charCodeAt(0) + ';'; })}" target="_blank" rel="noopener">${fileName}</a>` : fileName;

Also, note the typo in __blank (should be _blank) and missing rel="noopener" for security.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c3bb17b and 2423099.

📒 Files selected for processing (1)

• gp-file-upload-pro/gpfup-update-filename-markup.php (1 hunks)

🔇 Additional comments (7)

gp-file-upload-pro/gpfup-update-filename-markup.php (7)

1-12: Well-documented header with clear purpose and installation instructions.

The file header clearly explains the snippet's purpose, where it can be used, and provides links to documentation for installation. This follows good documentation practices.

---

13-16: LGTM: Clear class definition with private property for arguments.

The class is appropriately named to match its functionality, and the private property for arguments follows good OOP practices.

---

17-31: Constructor correctly handles arguments and checks for dependencies.

The constructor follows best practices by:

• Using wp_parse_args() to merge with defaults
• Checking for the existence of required dependency (GFCommon)
• Using the WordPress init hook to ensure Gravity Forms is loaded

---

33-47: Init method appropriately sets up hooks and filters.

The method correctly:

• Extracts needed arguments
• Registers filters for form rendering
• Sets up hooks for form script initialization
• Conditionally adds the action for file population when form_id and field_id are provided

---

75-82: LGTM: load_form_script method prevents duplicate script output.

The method correctly:

• Checks if the current form is applicable
• Uses has_action to prevent adding the action multiple times
• Registers the script for both standard and preview contexts
• Returns the form to maintain the filter chain

---

128-142: LGTM: add_init_script method correctly registers initialization script.

The method:

• Checks if the form is applicable
• Prepares arguments for the script
• Creates a unique slug for the script
• Uses the GFFormDisplay API correctly

---

144-148: LGTM: is_applicable_form method handles different input formats.

The method correctly handles both the form array and form ID integer inputs.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

gp-file-upload-pro/gpfup-update-filename-markup.php (1)

58-73: ⚠️ Potential issue

Escape JSON with additional flags for safer JavaScript output.
Although wp_json_encode() is used, consider passing the JSON_HEX_* flags (e.g., JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS) to further reduce the risk of injecting malicious code via $file_upload_data.

- var fileData = " . wp_json_encode( $file_upload_data ) . ";
+ var fileData = " . wp_json_encode( $file_upload_data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS ) . ";

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2423099 and a2d63da.

📒 Files selected for processing (1)

• gp-file-upload-pro/gpfup-update-filename-markup.php (1 hunks)

🔇 Additional comments (6)

gp-file-upload-pro/gpfup-update-filename-markup.php (6)

17-31: Constructor looks good.
No concerns regarding the argument parsing and class loading check for Gravity Forms here.

---

33-48: Initialization logic is appropriate.
The class correctly defers the version check to the 'init' hook, ensuring Gravity Forms is fully loaded first.

---

75-83: Form script loading is well-structured for multi-step hooking.
Ensuring the script runs only once by checking ! has_action( 'wp_footer', ... ) is a good best practice.

---

128-143: Initialization script registration is solid.
The approach of generating a unique slug per form/field combination helps avoid collisions.

---

152-164: Usage example is clearly documented.
Instantiating the class in this snippet is helpful for demonstration, and the inline comments are concise.

---

144-149:

❓ Verification inconclusive

Confirm that defaulting to all forms is intentional.
If form_id is empty, the snippet will apply to every form. Verify that this behavior is desired.

---

🏁 Script executed:

#!/bin/bash
# Description: This script checks how often the snippet runs on forms other than the specified form ID.

rg -A 5 $'GFFormDisplay::add_form\('
echo "Manually verify whether the snippet is instantiated for multiple forms without specifying form_id."

Length of output: 244

---

Action Required: Confirm Default All-Forms Behavior
The code in gp-file-upload-pro/gpfup-update-filename-markup.php (lines 144-149) defaults to applying the functionality to all forms when the form_id parameter is empty. Please verify that this behavior is intentional. If this design decision is deliberate, consider adding a clarifying comment in the code. Otherwise, update the logic as needed to restrict the behavior only to specified forms.

• File: gp-file-upload-pro/gpfup-update-filename-markup.php
• Lines: 144-149

[veryspry]

@malayladu I left a few suggested changes and questions. I'm here or in Slack if you have any questions 🙂

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (3)

gp-file-upload-pro/gpfup-update-filename-markup.php (3)

42-42: 🛠️ Refactor suggestion

Update hook name to match latest GP Easy Passthrough change.

As noted in a previous review comment, there was a small typo in the GP Easy Passthrough hook name.

-			add_action( "gpep_post_file_population_{$form_id}_{$field_id}", array(
+			add_action( "gpeb_post_file_population_{$form_id}_{$field_id}", array(

---

58-58: ⚠️ Potential issue

Correct method name to match its usage.

The method signature should be updated to match how it's called elsewhere in the code.

-	public function populate_file_Data( $file_upload_data, $form, $field ) {
+	public function populate_file_data( $file_upload_data, $form, $field ) {

---

17-22: 🛠️ Refactor suggestion

Add validation for required parameters.

As suggested in a previous review comment, if form_id and field_id are required parameters, you should validate them and throw an exception if they're not provided.

	public function __construct( $args = array() ) {
		// Set our default arguments, parse against the provided arguments, and store for use throughout the class.
		$this->_args = wp_parse_args( $args, array(
			'form_id'  => false,
			'field_id' => false,
		) );
+
+		// If these parameters are required, uncomment the following:
+		// if ( empty( $this->_args['form_id'] ) || empty( $this->_args['field_id'] ) ) {
+		//     throw new \Exception( 'Both form_id and field_id are required for GPFUP_Update_Filename_Markup.' );
+		// }

🧹 Nitpick comments (5)

gp-file-upload-pro/gpfup-update-filename-markup.php (5)

41-46: Consider supporting more flexible application of this functionality.

Currently, this hook is only added when both form_id and field_id are specified. As noted in a previous review comment, it would be more flexible to allow this functionality to work even without specific form/field IDs.

-		if ( $form_id && $field_id ) {
-			add_action( "gpep_post_file_population_{$form_id}_{$field_id}", array(
-				$this,
-				'populate_file_data',
-			), 10, 3 );
-		}
+		$args = [ 'gpep_post_file_population' ];
+		if ( $form_id ) $args[] = $form_id;
+		if ( $form_id && $field_id ) $args[] = $field_id;
+
+		add_action( implode( '_', $args ), array(
+			$this,
+			'populate_file_data',
+		), 10, 3 );

---

29-30: Consider using gform_loaded hook instead of version check.

As noted in a previous review comment, the gform_loaded hook might be more appropriate here as it ensures that Gravity Forms is fully loaded before your code executes.

-		// Do version check in the init to make sure if GF is going to be loaded, it is already loaded.
-		add_action( 'init', array( $this, 'init' ) );
+		// Use gform_loaded hook to ensure Gravity Forms is fully loaded
+		add_action( 'gform_loaded', array( $this, 'init' ) );

---

100-100: Fix whitespace in conditional statement.

There's an inconsistent whitespace in the conditional check.

-                            if ( !fileUrl) {
+                            if (!fileUrl) {

---

114-114: Fix target attribute value in anchor tag.

The target attribute value should be "_blank" instead of "__blank" (with a single underscore).

-                            return fileUrl ? `<a href="${fileUrl}" target="__blank" rel="noopener noreferrer">${fileName}</a>` : fileName;
+                            return fileUrl ? `<a href="${fileUrl}" target="_blank" rel="noopener noreferrer">${fileName}</a>` : fileName;

---

152-164: Update example usage comment.

The example usage comment should explicitly mention that the instantiation should be removed or commented out in production environments.

 /*
  * Example Usage (for demonstration purposes only):
  *
  * - Update 'form_id' and 'field_id' to match your specific requirements.
+ * - Remove or comment out this instantiation in production to prevent duplicate initialization.
  */

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a2d63da and 35f3c88.

📒 Files selected for processing (1)

• gp-file-upload-pro/gpfup-update-filename-markup.php (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

gp-file-upload-pro/gpfup-update-filename-markup.php (1)

Learnt from: veryspry
PR: gravitywiz/snippet-library#1050
File: gp-file-upload-pro/gpfup-update-filename-markup.php:84-127
Timestamp: 2025-03-19T12:16:10.791Z
Learning: In the GP File Upload Pro plugin, user-generated content like filenames and URLs should be sanitized before being output in HTML to prevent XSS attacks. File URLs should be encoded with encodeURI() and filenames should have special characters replaced with HTML entities.

🔇 Additional comments (1)

gp-file-upload-pro/gpfup-update-filename-markup.php (1)

84-115: Ensure proper sanitization of user-generated content.

Based on the retrieved learning, it's important to sanitize user-generated content like filenames and URLs before outputting them in HTML to prevent XSS attacks. Though this was addressed in a previous commit, ensuring this sanitization is critical:

The following pattern should be implemented to protect against XSS:

- return fileUrl ? `<a href="${fileUrl}" target="__blank" rel="noopener noreferrer">${fileName}</a>` : fileName;
+ const sanitizedFileUrl = encodeURI(fileUrl || '');
+ const sanitizedFileName = fileName.replace(/[<>&"']/g, (c) => {
+   const escapes = {'<':'&lt;','>':'&gt;','&':'&amp;','"':'&quot;',"'":'&#39;'};
+   return escapes[c];
+ });
+ return fileUrl
+   ? `<a href="${sanitizedFileUrl}" target="_blank" rel="noopener noreferrer">${sanitizedFileName}</a>`
+   : sanitizedFileName;

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

gp-file-upload-pro/gpfup-update-filename-markup.php (1)

29-29: Clarify or remove the version check comment.

There's a comment referencing a version check, but no actual version checking logic is implemented. Either remove the comment or implement a genuine version check to maintain clarity.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 35f3c88 and c6a3766.

📒 Files selected for processing (1)

• gp-file-upload-pro/gpfup-update-filename-markup.php (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

gp-file-upload-pro/gpfup-update-filename-markup.php (1)

Learnt from: veryspry
PR: gravitywiz/snippet-library#1050
File: gp-file-upload-pro/gpfup-update-filename-markup.php:84-127
Timestamp: 2025-03-19T13:19:26.987Z
Learning: In the GP File Upload Pro plugin, user-generated content like filenames and URLs should be sanitized before being output in HTML to prevent XSS attacks. File URLs should be encoded with encodeURI() and filenames should have special characters replaced with HTML entities.

🔇 Additional comments (1)

gp-file-upload-pro/gpfup-update-filename-markup.php (1)

114-114: Sanitize file URLs and filenames to prevent XSS attacks.

Since filenames and URLs might contain user-generated content, you should encode them to avoid potential malicious injections. Also, replace target="__blank" with the standard _blank.

- return fileUrl ? `<a href="${fileUrl}" target="__blank" rel="noopener noreferrer">${fileName}</a>` : fileName;
+ const sanitizedUrl = encodeURI(fileUrl || '');
+ const sanitizedName = fileName.replace(/[<>&"']/g, c => {
+   const escapes = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' };
+   return escapes[c] || c;
+ });
+ return fileUrl 
+   ? `<a href="${sanitizedUrl}" target="_blank" rel="noopener noreferrer">${sanitizedName}</a>`
+   : sanitizedName;

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

gp-file-upload-pro/gpfup-update-filename-markup.php (1)

17-34: Consider using the gform_loaded hook if necessary.
Currently, the constructor checks class_exists( 'GFCommon' ) and returns early if Gravity Forms is unavailable. If a version check is needed, consider hooking into gform_loaded for more reliable plugin load ordering. Otherwise, this is acceptable as is.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c6a3766 and 1fbdc4a.

📒 Files selected for processing (1)

• gp-file-upload-pro/gpfup-update-filename-markup.php (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

gp-file-upload-pro/gpfup-update-filename-markup.php (1)

Learnt from: veryspry
PR: gravitywiz/snippet-library#1050
File: gp-file-upload-pro/gpfup-update-filename-markup.php:84-127
Timestamp: 2025-03-26T17:10:38.154Z
Learning: In the GP File Upload Pro plugin, user-generated content like filenames and URLs should be sanitized before being output in HTML to prevent XSS attacks. File URLs should be encoded with encodeURI() and filenames should have special characters replaced with HTML entities.

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Danger JS

🔇 Additional comments (4)

gp-file-upload-pro/gpfup-update-filename-markup.php (4)

1-16: No concerns on the opening section.
The file header and class declaration look fine.

---

68-68: Escape data in JavaScript output to prevent potential XSS.
Use JSON_HEX flags with wp_json_encode() to reduce the risk of script injection.

- var fileData = " . wp_json_encode( $file_upload_data ) . ";
+ var fileData = " . wp_json_encode( $file_upload_data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS ) . ";

---

117-117: Sanitize file URL and filename to prevent potential XSS.
Additionally, replace target="__blank" with the correct _blank.

- return fileUrl ? `<a href="${fileUrl}" target="__blank" rel="noopener noreferrer">${fileName}</a>` : fileName;
+ const sanitizedFileUrl = encodeURI(fileUrl || '');
+ const sanitizedFileName = fileName.replace(/[<>&"']/g, (c) => {
+   const escapes = {'<':'&lt;','>':'&gt;','&':'&amp;','"':'&quot;',"'":'&#39;'};
+   return escapes[c];
+ });
+ return fileUrl
+   ? `<a href="${sanitizedFileUrl}" target="_blank" rel="noopener noreferrer">${sanitizedFileName}</a>`
+   : sanitizedFileName;

---

157-167: Clarify usage example to avoid duplicate instantiation.
Add a note that the example usage is for demonstration and should be removed or commented out in production if not needed.

 /*
  * Example Usage (for demonstration purposes only):
+ * - Remove or comment out this instantiation in production to avoid duplicate initialization.
  * - Update 'form_id' and 'field_id' to match your specific requirements.
  */
 new GPFUP_Update_Filename_Markup(

[veryspry]

@malayladu following up on this comment: https://github.com/gravitywiz/snippet-library/pull/1050/files#r2003176733

I'd like to see this snippet work even if $form_id and $field_id aren't passed. That way, it can optionally be applied to all forms OR all fields on a form.

I checked out the branch and looked around the snippet as well as how the gpeb_post_file_population filter works and I think this should be possible.

So to summarize, I'm suggesting there would be three potential ways to instantiate / configure this:

1. no arguments — apply to all forms and fields
2. $form_id only — apply to all fields on a form
3. $form_id and $field_id — apply to specific form and field

Please let me know if I missed something and if this is not possible with this snippet.

Sorry for all the back and forth, I know this has been a really lengthy ticket. I really appreciate your perseverance 🙂

[malayladu]

@veryspry

@malayladu following up on this comment: https://github.com/gravitywiz/snippet-library/pull/1050/files#r2003176733

I'd like to see this snippet work even if $form_id and $field_id aren't passed. That way, it can optionally be applied to all forms OR all fields on a form.

I checked out the branch and looked around the snippet as well as how the gpeb_post_file_population filter works and I think this should be possible.

So to summarize, I'm suggesting there would be three potential ways to instantiate / configure this:

1. no arguments — apply to all forms and fields
2. $form_id only — apply to all fields on a form
3. $form_id and $field_id — apply to specific form and field

Please let me know if I missed something and if this is not possible with this snippet.

Sorry for all the back and forth, I know this has been a really lengthy ticket. I really appreciate your perseverance 🙂

Further checking on this, I think you are right. It can be worked with or without form_id & field_id.

Modifying the code according to your feedback.

[github-actions]

	Warnings
⚠️	When ready, don't forget to request reviews on this pull request from your fellow wizards.

Generated by 🚫 dangerJS against c209185

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

gp-file-upload-pro/gpfup-update-filename-markup.php (1)

178-188: Clarify usage instructions for production.

The example usage at the bottom of the file might inadvertently re-instantiate the class with hardcoded parameters. Consider adding a comment reminding users to remove or comment out the example to avoid duplicate initializations in real deployments.

178 /*
179  * Example Usage (for demonstration purposes only):
180  *
181  * - Update 'form_id' and 'field_id' to match your specific requirements.
182  *
+ * - Remove or comment out this block in production to avoid duplicating the class instantiation.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1fbdc4a and 1fd355e.

📒 Files selected for processing (1)

• gp-file-upload-pro/gpfup-update-filename-markup.php (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

gp-file-upload-pro/gpfup-update-filename-markup.php (1)

Learnt from: veryspry
PR: gravitywiz/snippet-library#1050
File: gp-file-upload-pro/gpfup-update-filename-markup.php:84-127
Timestamp: 2025-04-03T10:06:58.484Z
Learning: In the GP File Upload Pro plugin, user-generated content like filenames and URLs should be sanitized before being output in HTML to prevent XSS attacks. File URLs should be encoded with encodeURI() and filenames should have special characters replaced with HTML entities.

🔇 Additional comments (2)

gp-file-upload-pro/gpfup-update-filename-markup.php (2)

131-135: Great job on sanitizing user-generated content!

Using encodeURI for the URL and replacing special characters in the filename strongly mitigates potential XSS attacks. This aligns well with the recommended security measures for user-generated content.

---

172-173: Confirm desired behavior for empty form_id.

is_applicable_form() treats an empty form_id in the constructor as applying to all forms. Verify that this is intended. If you wish to scope to only certain forms, ensure _args['form_id'] is set accordingly.

[coderabbitai]

⚠️ Potential issue

Fix ternary operator syntax error.

The extra + at line 139 causes a syntax error in JavaScript. Remove the + so that the ternary is valid.

137    return fileUrl
138      ? `<a href="${sanitizedFileUrl}" target="_blank" rel="noopener noreferrer">${sanitizedFileName}</a>`
-139      + : sanitizedFileName;
+139      : sanitizedFileName;

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	return fileUrl
	? `<a href="${sanitizedFileUrl}" target="_blank" rel="noopener noreferrer">${sanitizedFileName}</a>`
	+ : sanitizedFileName;
	return fileUrl
	? `<a href="${sanitizedFileUrl}" target="_blank" rel="noopener noreferrer">${sanitizedFileName}</a>`
	: sanitizedFileName;