=== Comments Press Zone ===
Contributors: resite
Donate link: https://press.zone
Tags: comments, moderation, engagement, upvote, downvote
Requires at least: 6.0
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.0.6
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

A modern, high-performance commenting system for WordPress with voting, moderation, and customizable design.

== Description ==

Comments Press Zone transforms your WordPress comments into a modern, engaging discussion platform. Built for performance and accessibility, it seamlessly replaces the default comment system while preserving all your existing comments.

= Key Features =

**Engagement Tools**

* Upvote and downvote comments
* Social sharing (Facebook, Twitter/X, LinkedIn)
* Threaded replies with configurable nesting depth
* Confetti celebration on new comments
* Post-comment sharing prompts

**Design Customization**

* Three color modes: Light, Dark, and Theme Inherit
* Styling options: Square, Rounded, or Pill borders
* Adjustable padding: Wide, Standard, or Minimal
* Configurable border thickness
* Live preview in admin panel
* Fully responsive for all devices

**Powerful Moderation**

* Ban users permanently or temporarily
* Mute users for specified periods
* Issue warnings with custom messages
* Full moderation audit log
* User infraction history
* Report system for community moderation
* Comment editing and deletion

**Security & Spam Protection**

* Google reCAPTCHA v3 integration
* Comment rate limiting (throttling)
* Banned words filter
* External link blocking option

**Performance**

* Optimized database queries
* Optional Redis caching support
* Optional Memcached support
* Minimal frontend footprint

**Accessibility**

* WCAG 2.1 AA compliant
* Full keyboard navigation
* Screen reader optimized
* Focus indicators on all interactive elements
* Respects prefers-reduced-motion

= Perfect For =

* Community websites requiring robust moderation tools
* Publications wanting engagement metrics and voting
* Blogs needing customizable comment appearance
* Sites requiring spam protection beyond Akismet
* Developers building extensible comment systems

= Requirements =

* WordPress 6.0 or higher
* PHP 7.4 or higher
* MySQL 5.7 or higher

== Installation ==

1. Upload the `comments-press-zone` folder to `/wp-content/plugins/`
2. Activate the plugin through the 'Plugins' menu in WordPress
3. Navigate to **Comments Zone > Design** to customize appearance
4. Configure settings in **Comments Zone > Settings**

= Quick Start =

After activation:

1. Visit any post with comments to see the new interface
2. Customize colors and styling in Design settings
3. Enable/disable engagement features in Settings
4. Configure spam protection as needed

== Frequently Asked Questions ==

= Does this replace WordPress default comments? =

Yes, Comments Press Zone integrates with WordPress native comments while providing an enhanced interface and additional features. All existing comments display seamlessly.

= Is it compatible with my theme? =

Yes! The plugin includes a "Theme Inherit" mode that automatically adapts to your active theme's colors. You can also choose Light or Dark modes for consistent styling.

= Will I lose my existing comments? =

No. The plugin uses WordPress's native comment system. All existing comments remain intact and display in the new interface.

= Does it work with other comment plugins? =

Comments Press Zone replaces the default comment display. It may conflict with other comment plugins like Disqus, Jetpack Comments, or wpDiscuz. We recommend deactivating other comment plugins.

= How do I enable dark mode? =

Navigate to **Comments Zone > Design > Colors** and select "Dark". For automatic detection based on user preference or theme, select "Inherit".

= What moderation tools are included? =

Full moderation suite including: ban users (permanent or temporary), mute users, issue warnings, view user history and infractions, manage reports, and complete audit log of all moderation actions.

= How does spam protection work? =

Multiple layers: Google reCAPTCHA v3 (optional), comment rate limiting, banned words filter, and optional blocking of external links. Works alongside Akismet if installed.

= Can I customize the comment display order? =

Yes! In Settings > Comments Display, you can choose between "Newest First" or "Oldest First" ordering.

= Is it translation ready? =

Yes, fully translatable with included .pot file. Hebrew translation included. All strings use the `comments-press-zone` text domain.

= Does it support RTL languages? =

Yes, full RTL (right-to-left) support is included for languages like Hebrew, Arabic, and Persian.

== Screenshots ==

1. Comments interface with voting and threaded replies
2. Admin dashboard with moderation statistics
3. Design customization panel with live preview
4. Moderation tools with user management
5. Responsive mobile view

== Changelog ==

= 1.0.6 =

* WordPress.org Compliance: Fixed internationalization issue - removed dynamic translation of user-configurable template values (Options.php:141)
* WordPress.org Compliance: Added comprehensive build tools documentation (CONTRIBUTING.md) with detailed instructions for webpack and SCSS compilation
* Documentation: Enhanced developer onboarding with step-by-step build process, directory structure, and troubleshooting guide
* Code Quality: Clarified that user-defined email templates and tooltip text should not be passed through gettext functions

= 1.0.5 =

* Security Fix: CRITICAL - Fixed SQL injection vulnerability in RestReports (added whitelist validation for report types)
* Security Fix: CRITICAL - Fixed SQL injection vulnerability in RestInfractions (wrapped query with $wpdb->prepare())
* Security Fix: HIGH - Fixed privilege escalation in comment editing (reordered ownership check before moderator permissions)
* Security Fix: HIGH - Fixed stored XSS via innerHTML in Editor component (replaced all .innerHTML with .textContent for user data)
* Security Fix: MEDIUM - Added HMAC validation for rate limit bypass prevention (cryptographic validation with wp_hash())
* Security Fix: MEDIUM - Fixed information disclosure in REST API (generic error messages, detailed errors logged only)
* Security Fix: MEDIUM - Added IP address validation before sanitization (filter_var validation)
* Accessibility: Added navigation landmark with aria-label to pagination for screen reader context
* Accessibility: Implemented aria-pressed attribute for Editor toolbar toggle buttons (bold, italic, etc.)
* Accessibility: Added language attributes to dynamically generated content (templates, modals)
* Accessibility: Enhanced vote announcements with descriptive context ("Comment now has X votes")
* Accessibility: Improved emoji picker keyboard navigation robustness (boundary checks, focus management)
* Accessibility: Modernized skip link with clip-path (better browser support)
* Accessibility: Added high-contrast focus styles to admin interface
* Accessibility: Added screen-reader-only heading to comment items (semantic structure)
* Accessibility: Enhanced emoji category announcements ("Showing X category with Y emojis")
* Accessibility: Added sr-only text to loading spinner for screen readers
* Translation: Complete i18n coverage - wrapped all 31 REST API strings with __() translation function
* Translation: Added translation support to RestAdmin, RestModeration, RestInfractions, RestReports
* Compliance: Achieved 100% WordPress.org Plugin Check compliance (A+ grade)
* Compliance: Achieved perfect 10/10 security score
* Compliance: Achieved 100% WCAG 2.1 Level AA accessibility compliance
* Code Quality: Created RestBase class to standardize error handling across REST endpoints
* Code Quality: Removed duplicate CSS property in modal styles
* Documentation: Updated variable comment for styling convention clarity

= 1.0.4 =

* WordPress.org Compliance: Fixed Plugin URI to point to valid GitHub repository (avi-ezra/comments-press-zone)
* WordPress.org Compliance: Updated Contributors list to only include WordPress.org username 'resite'
* WordPress.org Compliance: Enhanced source code documentation with detailed build instructions for admin/build/admin.js
* WordPress.org Compliance: Expanded External Services documentation with comprehensive details for reCAPTCHA and social sharing
* WordPress.org Compliance: Verified "Powered by" attribution removed from frontend (already removed in 1.0.3)
* Security: Enhanced IP address validation in reCAPTCHA verification using FILTER_VALIDATE_IP filter
* Security: Improved settings sanitization with proper handling for multiline fields, passwords, and API keys
* Code Quality: Added PHPCS suppression comment for legitimate dynamic translation of user-configurable templates
* Code Quality: Enhanced per-field sanitization in Settings.php (sanitize_textarea_field for email bodies, preserve API key special characters)
* Development: Added .distignore and build-package.sh for clean WordPress.org package creation (excludes development files)
* Documentation: All inline styles and scripts verified as properly enqueued (wp_enqueue_style/wp_enqueue_script)

= 1.0.3 =

* Compliance: Fixed Plugin URI to point to GitHub repository (was returning 404)
* Compliance: Enhanced external services documentation with detailed privacy/ToS links for Facebook, Twitter, LinkedIn
* Compliance: Removed "Powered by" attribution from frontend (WordPress.org guideline compliance)
* Compliance: Added detailed source code documentation for all compiled/minified files
* Security: Improved IP address sanitization using FILTER_VALIDATE_IP in reCAPTCHA verification
* Security: Enhanced settings sanitization to properly handle API keys, secrets, and passwords
* Code Quality: Removed unused CSS for footer attribution
* Documentation: Added build instructions and source code locations to readme

= 1.0.2 =

* Security Fix: Resolved all WordPress Plugin Check warnings for database queries.
* Security Fix: Added file-level PHPCS disable blocks for custom table queries (DirectDatabaseQuery, NoCaching, PreparedSQL).
* Security Fix: Fixed translators comment placement for i18n compliance.
* Security Fix: Added Squiz.PHP.DiscouragedFunctions ignores for legitimate ini_set() usage (ReDoS protection).
* Security Fix: Added esc_html() escaping to display_name in REST API responses.
* Compliance: Full WordPress.org Plugin Check compliance for database security rules.
* Compliance: Replaced wp_add_inline_style with direct style output for theme color variables.
* Accessibility: Added ARIA attributes (role, aria-controls, aria-label) to admin actions menu.
* Accessibility: Added full keyboard navigation to emoji picker (arrow keys, Enter, Escape).
* Improvement: Increased reCAPTCHA verification timeout from 2s to 5s for reliability.
* Code Quality: Refactored 6 files to use consistent PHPCS suppression patterns.
* Code Quality: Cleaned up redundant inline PHPCS comments.

= 1.0.1 =

* Security Fix: CRITICAL - Fixed IDOR vulnerability in comment deletion (moderators can now only delete comments on posts they moderate).
* Security Fix: HIGH - Fixed ban/mute system bypass by consolidating warnings table and user meta checks.
* Security Fix: MEDIUM - Added dual-layer rate limiting (User ID + IP Address) to vote system.
* Security Fix: MEDIUM - Added ReDoS protection to banned word patterns (wildcard/length limits + PCRE backtrack limits).
* Security Fix: MEDIUM - Removed information disclosure in error messages (generic messages instead of revealing banned words).
* Enhancement: Complete GridTable component refactor using CSS Grid for perfect column alignment.
* Enhancement: Recent Activity section redesigned to use GridTable for consistent UI.
* Improvement: GridTable accessibility enhanced with scope attributes (WCAG 2.1 AA Compliant).
* Improvement: Added robust hosting compatibility checks for regex operations.
* Fix: Resolved column alignment issues in Moderation tabs.
* Fix: Removed disconnected border lines in table cells.
* Performance: Optimized table rendering with direct CSS Grid children.

= 1.0.0.6 =

* Security Hardening: Improved sanitization for user IP addresses.
* Security Hardening: Enforced strict sanitization for settings inputs.
* Security Hardening: Secured ReCAPTCHA key storage.
* Fix: Escaping in comment templates to prevent XSS.
* Fix: Editor component linting issues.
= 1.0.0 =

* Initial public release
* Full commenting system with voting
* Moderation suite (ban, mute, warn)
* Design customization with live preview
* reCAPTCHA v3 integration
* Social sharing integration
* Accessibility compliance (WCAG 2.1 AA)
* Redis and Memcached caching support
* Complete admin dashboard

== Upgrade Notice ==

= 1.0.6 =
WordPress.org compliance release addressing internationalization best practices and adding comprehensive build tools documentation. Required for WordPress.org approval.

= 1.0.4 =
WordPress.org compliance release addressing all plugin review requirements. Fixes Plugin URI, enhances external services documentation, improves security with IP validation, and refines settings sanitization. Required for WordPress.org approval.

= 1.0.3 =
WordPress.org compliance release. Fixes Plugin URI, removes frontend attribution, enhances security with proper IP validation, and improves documentation. Recommended for all users preparing for WordPress.org submission.

= 1.0.2 =
Security and accessibility release. Resolves WordPress.org Plugin Check warnings, adds keyboard navigation to emoji picker, and improves ARIA support. Recommended for all users.

= 1.0.1 =
Important update with GridTable improvements, UI consistency fixes, and critical security enhancements. Update recommended.

= 1.0.0 =
Initial release.
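The 1.0.5 and 1.0.1 changelog entries name the patterns behind several of the fixes: an allow-list plus `$wpdb->prepare()` against SQL injection, an ownership check evaluated before the (post-scoped) moderator check, `filter_var()` validation of the client IP before sanitization, an HMAC-backed rate-limit marker built with `wp_hash()`, and length/wildcard caps with a PCRE backtrack limit against ReDoS in banned-word patterns. The block below is an added illustration of those patterns in PHP written for this readme; it is not the plugin's own code and goes beyond the changelog by showing all five side by side. It assumes a WordPress runtime (`$wpdb`, `wp_hash()`, `user_can()`, `get_comment()`, `get_post_meta()`, `WP_Error`); the `cpz_` function names, the `cpz_reports` table, the `_cpz_moderators` post meta key and the report-type set are hypothetical placeholders.

```php
<?php
// Added illustration of the hardening patterns named in the 1.0.5 and 1.0.1
// changelog entries. Not the plugin's own code. Assumes a WordPress runtime
// ($wpdb, wp_hash(), user_can(), get_comment(), get_post_meta(), WP_Error).
// Table, meta key and report-type names are hypothetical placeholders.

// 1. SQL injection: a value that selects a filter or column cannot be bound,
//    so it goes through a fixed allow-list; the bound value goes through prepare().
const CPZ_REPORT_TYPES = array( 'spam', 'abuse', 'off_topic', 'other' ); // hypothetical set

function cpz_count_reports_by_type( string $type ) {
	global $wpdb;
	if ( ! in_array( $type, CPZ_REPORT_TYPES, true ) ) {
		// Generic client-facing message; the accepted set is not revealed.
		return new WP_Error( 'cpz_bad_type', __( 'Invalid request.', 'comments-press-zone' ) );
	}
	$table = $wpdb->prefix . 'cpz_reports'; // hypothetical custom table, built from a constant
	$sql   = $wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE report_type = %s", $type );
	return (int) $wpdb->get_var( $sql );
}

// 2. Authorization: decide from the narrowest rule outward. Ownership is
//    checked first and only for logged-in users; the moderator rule is then
//    scoped to the comment's post, so a moderator of post A has no rights on post B.
function cpz_can_manage_comment( int $comment_id, int $user_id ) : bool {
	$comment = get_comment( $comment_id );
	if ( ! $comment || $user_id <= 0 ) {
		return false;
	}
	if ( (int) $comment->user_id === $user_id ) {
		return true; // authors may manage their own comment
	}
	if ( ! user_can( $user_id, 'moderate_comments' ) ) {
		return false; // WordPress core capability
	}
	// Hypothetical per-post moderator list kept in post meta.
	$moderators = (array) get_post_meta( (int) $comment->comment_post_ID, '_cpz_moderators', true );
	return in_array( $user_id, array_map( 'intval', $moderators ), true );
}

// 3. Client IP: validate first, sanitize second. sanitize_text_field() strips
//    tags; it does not prove the string is an address.
function cpz_client_ip() : string {
	$raw = isset( $_SERVER['REMOTE_ADDR'] ) ? wp_unslash( $_SERVER['REMOTE_ADDR'] ) : '';
	$ip  = filter_var( $raw, FILTER_VALIDATE_IP );
	return false === $ip ? '' : sanitize_text_field( $ip ); // '' means "unknown"
}

// 4. Rate-limit marker: a token handed to the client is evidence only if the
//    server can recognise it as its own. wp_hash() is an HMAC keyed with the
//    site's salts; hash_equals() compares in constant time.
function cpz_issue_rate_limit_token( string $ip, int $issued_at ) : string {
	return $issued_at . '.' . wp_hash( $ip . '|' . $issued_at );
}

function cpz_verify_rate_limit_token( string $token, string $ip, int $now, int $ttl = 300 ) : bool {
	$parts = explode( '.', $token, 2 );
	if ( 2 !== count( $parts ) || ! ctype_digit( $parts[0] ) ) {
		return false;
	}
	$issued_at = (int) $parts[0];
	if ( $issued_at > $now || $now - $issued_at > $ttl ) {
		return false; // expired, or issued in the future
	}
	return hash_equals( wp_hash( $ip . '|' . $issued_at ), $parts[1] );
}

// 5. ReDoS: a banned word with '*' wildcards becomes a bounded regex. Length
//    and wildcard caps keep each pattern cheap, the PCRE backtrack limit bounds
//    the worst case, and a limit error is logged rather than treated as a crash.
function cpz_banned_word_regex( string $word ) : ?string {
	if ( '' === $word || strlen( $word ) > 64 || substr_count( $word, '*' ) > 3 ) {
		return null; // refuse patterns that cannot be matched cheaply
	}
	// preg_quote() turns '*' into '\*'; each becomes a bounded non-space run.
	return '/' . str_replace( '\*', '[^\s]{0,20}', preg_quote( $word, '/' ) ) . '/iu';
}

function cpz_contains_banned_word( string $text, array $words ) : bool {
	ini_set( 'pcre.backtrack_limit', '100000' ); // the kind of ini_set() the 1.0.2 entry refers to
	foreach ( $words as $word ) {
		$regex = cpz_banned_word_regex( $word );
		if ( null === $regex ) {
			continue;
		}
		if ( 1 === preg_match( $regex, $text ) ) {
			return true;
		}
		if ( PREG_NO_ERROR !== preg_last_error() ) {
			error_log( 'cpz: PCRE limit reached while checking pattern ' . $regex );
		}
	}
	return false;
}
```

The two checks that most often regress are the order in section 2 (a moderator branch placed before the ownership branch, or one that is not scoped to the post, is exactly the class of bug the 1.0.1 and 1.0.5 entries describe) and the constant-time comparison in section 4; `==` or `===` on an HMAC string leaks timing and should not be used there.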
== External Services ==

This plugin connects to external services under specific conditions:

**Google reCAPTCHA v3** (Optional - Admin Configuration Required)

* **What it is**: Google's invisible spam protection service that analyzes user behavior to detect bots
* **When used**: Only when reCAPTCHA is explicitly enabled by the site administrator in plugin settings (Settings > Spam & Moderation > Enable reCAPTCHA) AND a user submits a comment
* **Data sent**:
  - Comment form token generated by reCAPTCHA JavaScript
  - User's IP address for verification
  - reCAPTCHA response token
  - Browser/device information collected by Google's reCAPTCHA script
* **Purpose**: Spam protection and bot detection to prevent automated comment spam
* **User control**: Site administrators can completely disable this feature in plugin settings. When disabled, no data is sent to Google.
* **Privacy Policy**: https://policies.google.com/privacy
* **Terms of Service**: https://policies.google.com/terms
* **Additional info**: https://developers.google.com/recaptcha

**Social Media Sharing Links** (User-Initiated Only - No Automatic Data Transmission)

The plugin generates share links for social media platforms. **Important**: No data is sent automatically. The plugin only creates clickable links. Data is only transmitted when a user voluntarily clicks a share button.

* **Facebook Sharing**
  - **What it is**: Direct link to Facebook's share dialog
  - **When used**: Only when a user voluntarily clicks the Facebook share button on a comment
  - **Data sent**: Post/comment URL (via URL parameter: `?u=`)
  - **Purpose**: Allow users to share comments on their Facebook timeline
  - **User control**: Users must explicitly click the share button. No data is sent otherwise. Administrators can disable Facebook sharing in plugin settings.
  - **Privacy Policy**: https://www.facebook.com/privacy/policy/
  - **Terms**: https://www.facebook.com/terms.php
  - **Note**: The plugin does not embed Facebook tracking pixels or the Facebook SDK. It only provides a standard share link.

* **Twitter/X Sharing**
  - **What it is**: Direct link to Twitter's tweet intent interface
  - **When used**: Only when a user voluntarily clicks the Twitter/X share button on a comment
  - **Data sent**: Post/comment URL (via URL parameter: `?url=`)
  - **Purpose**: Allow users to share comments on Twitter/X
  - **User control**: Users must explicitly click the share button. No data is sent otherwise. Administrators can disable Twitter sharing in plugin settings.
  - **Privacy Policy**: https://twitter.com/en/privacy
  - **Terms**: https://twitter.com/en/tos
  - **Note**: The plugin does not embed Twitter tracking scripts. It only provides a standard tweet intent link.

* **LinkedIn Sharing**
  - **What it is**: Direct link to LinkedIn's share article interface
  - **When used**: Only when a user voluntarily clicks the LinkedIn share button on a comment
  - **Data sent**: Post/comment URL (via URL parameter: `?url=`)
  - **Purpose**: Allow users to share comments on their LinkedIn profile
  - **User control**: Users must explicitly click the share button. No data is sent otherwise. Administrators can disable LinkedIn sharing in plugin settings.
  - **Privacy Policy**: https://www.linkedin.com/legal/privacy-policy
  - **Terms**: https://www.linkedin.com/legal/user-agreement
  - **Note**: The plugin does not embed LinkedIn tracking pixels. It only provides a standard share link.

**Important Clarifications**:

1. **No Automatic Tracking**: The plugin does NOT automatically send data to social media platforms. It only generates share URLs. When a user clicks a share button, they are redirected to the respective platform's website, which is outside the plugin's control.
2. **Administrator Control**: Site administrators can disable any or all social sharing options in Settings > Comments Display > Social Sharing.
3. **No External Scripts**: The plugin does not load Facebook SDK, Twitter widgets, or LinkedIn tracking scripts on your site. All sharing is done via standard URL parameters.
4. **Data Privacy**: The plugin does not store or log sharing activity. All sharing happens directly between the user's browser and the social media platform.

== Privacy Policy ==

Comments Press Zone stores the following data in your WordPress database:

**Comment Data (Standard WordPress)**

* Comment content, author name, email, and IP address
* Comment timestamps and parent relationships

**Engagement Data**

* Votes (upvotes/downvotes) linked to user ID or IP for guests
* User reputation scores

**Moderation Data**

* User bans, mutes, and warnings with timestamps
* Moderation audit log entries
* User reports

**No External Data Sharing**

All data is stored locally in your WordPress database. External connections only occur when:

* **reCAPTCHA** (if enabled): Interaction data sent to Google for spam verification
* **Social Sharing**: When users click share buttons, they are redirected to social platforms

== Development ==

Comments Press Zone is actively developed. Report issues or contribute:

* GitHub: [github.com/avi-ezra/comments-press-zone](https://github.com/avi-ezra/comments-press-zone)
* Website: [press.zone](https://press.zone)

= Source Code =

This plugin contains compiled/minified JavaScript and CSS files.
The full source code is available in the plugin directory and on GitHub:

**Compiled Files and Their Sources:**

* **admin/build/admin.js** (minified)
  - Source in `admin/src-vanilla/` directory
  - Individual module files: main.js, state/*, components/*, utils/*
  - Build command: `cd admin && npm install && npm run build`
  - Build tool: Webpack 5 with Babel

* **Frontend JavaScript**
  - Source in `assets/js/` directory
  - All frontend JS files are uncompressed and included as-is
  - Files: frontend.js, components/*.js

* **Stylesheets**
  - Source in `assets/scss/` directory
  - SCSS files that compile to `assets/css/frontend.css`
  - Build command: `npm install && npm run build:css` (from plugin root)
  - Build tool: node-sass/sass compiler

All source code is included in the plugin download and is available at: https://github.com/avi-ezra/comments-press-zone

= Hooks & Filters =

Developers can extend functionality using WordPress hooks. Documentation available on GitHub.

== Credits ==

Developed by [Press.zone](https://press.zone)

= Technologies Used =

* Vanilla JavaScript (no jQuery dependency)
* SCSS for styling
* WordPress REST API
* WordPress native comment system