tukutoi / tukutoi-maintenance

Enable and Control a Custom Maintenance Mode for your WordPress Website.

Home Page: https://www.tukutoi.com/program/tukutoi-maintenance/

License: GNU General Public License v2.0

Languages: PHP 87.47%, CSS 2.20%, JavaScript 10.33%
Topics: maintenance, maintenance-mode, wordpress-plugin, classicpress-plugin

Contributors: smilebeda

tukutoi-maintenance's Issues

class-tkt-maintenance

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/includes/class-tkt-maintenance.php#L17

Maybe it's just me, but you shouldn't use the word "core" anywhere in a plugin.

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/includes/class-tkt-maintenance.php#L22

This contradicts the fact that the plugin headers are in the main file and there is a define there for the version number.

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/includes/class-tkt-maintenance.php#L110

Why load both admin and front end for every request? It's either one or the other, not both.

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/includes/class-tkt-maintenance.php#L155

Why do you need a whole class for a single function call?

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/includes/class-tkt-maintenance.php#L140

Why is the loader separate? You have a main class to load the loader. Weird.

[From WP Review Team] Please use wp_enqueue commands

Your plugin is not correctly including JS and/or CSS. You should be using the built in functions for this:

https://developer.wordpress.org/reference/functions/wp_enqueue_script/
https://developer.wordpress.org/reference/functions/wp_enqueue_style/

And remember you can use this function to add inline JavaScript:
https://developer.wordpress.org/reference/functions/wp_add_inline_script/

As of WordPress 5.7, you can pass attributes like async, nonce, and type by using new functions and filters:
https://make.wordpress.org/core/2021/02/23/introducing-script-attributes-related-functions-in-wordpress-5-7/

If you're trying to enqueue on the admin pages you'll want to use the admin enqueues
https://developer.wordpress.org/reference/hooks/admin_enqueue_scripts/
https://developer.wordpress.org/reference/hooks/admin_print_scripts/
https://developer.wordpress.org/reference/hooks/admin_print_styles/

Example(s) from your plugin:

tkt-maintenance/public/partials/tkt-maintenance-public-display.php:74: <script type="text/javascript">var time = '<?php echo $options[ $this->plugin_short . '_time' ]; '</script><?php

[From WP Review Team] Plugin Permalink Does Not Match Text Domain

From your plugin, you have set your text domain as follows: tkt-maintenance

tkt-maintenance/admin/class-tkt-maintenance-admin.php:404: echo '<fieldset><legend><span>'. __( 'Add your own Header Text', 'tkt-maintenance' ) .'</span></legend><input name="'. $this->plugin_short . '_header" id="'. $this->plugin_short . '_header" type="text" value="' . sanitize_text_field( get_option( $this->plugin_short . '_header' ) ) . '" /><p>'. __( 'Add your own Header Text', 'tkt-maintenance' ) .'</p></fieldset>';

However the auto generated permalink is this: tukutoi-maintenance

In order for your plugin to work properly in our directory, those must match.
https://developer.wordpress.org/plugins/internationalization/how-to-internationalize-your-plugin/#text-domains

We can change your permalink for you, but there are limits to what we can use for your plugin slug. You need to tell us if the permalink should be changed, otherwise it will remain as is, and you should correct your code before uploading to SVN.

tkt-maintenance-public.css

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/public/css/tkt-maintenance-public.css#L14

Since you don't know the image color or transparency, and you didn't set the body background color, you probably need to use some text-shadow to make sure the text is visible.

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/public/css/tkt-maintenance-public.css#L15

I suggest you use font-family: serif; or font-family: sans-serif; instead so it works for all languages.

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/public/css/tkt-maintenance-public.css#L16

It would be more accessible with font-size: 150%

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/public/css/tkt-maintenance-public.css#L23-L25

Won't this distort the image?

tkt-maintenance-public-display

For the <html> tag, themes usually use
<html <?php language_attributes(); ?>>
and then
<meta charset="<?php bloginfo( 'charset' ); ?>">
along with a meta tag for the viewport width so it looks right on mobile.

I see you call wp_head(), I guess to get your style and script output, and I saw where you make the plugin's script and style overwrite everything else. But core also outputs the <title> tag there, although you have one in this file.

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/public/partials/tkt-maintenance-public-display.php#L49
https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/public/partials/tkt-maintenance-public-display.php#L63

Do the class names take into account RTL languages? Do the styles?

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/public/partials/tkt-maintenance-public-display.php#L59

Why the inline style, when you load a stylesheet? Inline is harder for novices to override.

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/public/partials/tkt-maintenance-public-display.php#L79-L80

So the JS option is supposed to include the <script> tag?

tkt-maintenance

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/tkt-maintenance.php#L43

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/tkt-maintenance.php#L52

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/tkt-maintenance.php#L75

These functions should be prefixed, not suffixed.
Use one prefix across the whole plugin.

The last one seems a bit odd. You define the function and then call it. Why make it a function?

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/tkt-maintenance.php#L64
Seeing your folders named admin and public, it sure seemed like you should do a check right here and only load (require) admin or public.
Why is it a class? You could separate it easier if it wasn't a class, or make two classes.
Edit: sorry, I think you do have more than one class, as evidenced by the names in the activate and deactivate functions.

[From WP Review Team] Attempting to process custom CSS/JS/PHP

We no longer permit arbitrary plugins to allow users to save custom CSS, JavaScript, or PHP within the plugin.

The primary reason for this is that WordPress already includes its own robust, error-checking CSS editor in the Customizer. Any time your plugin replicates functionality found in WordPress (i.e. the uploader, jQuery), it is frowned upon, as it presents a possible security risk. The features in WordPress have been tested by many more people than use most plugins, so the built-in tools are less likely to have issues.

As for JavaScript, we recognize that script insertion plugins are amazing and powerful. They're also incredibly dangerous and require a high-level understanding of sanitization, security, and usage. And in the case of most plugins, these are entirely unnecessary. You should never be asking users to paste in arbitrary JavaScript. Instead have them paste in the values custom to their scripts, and generate the rest on your own.

PHP is even more complex. This is why WordPress itself allows you to lock people out of being able to edit theme and plugin files directly (via DEFINES that are used by many managed hosts), but also has a series of post-processing checks that verify the site will still function after any changes.

Please remove this from your plugin:
tkt-maintenance/admin/class-tkt-maintenance-admin.php:358: public function custom_js_cb() {
tkt-maintenance/admin/class-tkt-maintenance-admin.php:369: public function custom_css_cb() {
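The two review-team issues above (use the enqueue functions rather than printing a `<script>` tag in the template, and never accept arbitrary JavaScript from users) point at the same fix. The following is an added example, not code from the plugin or from the review team: it enqueues the public stylesheet and script with `wp_enqueue_style()`/`wp_enqueue_script()` and hands the countdown value to the script with `wp_add_inline_script()` as a JSON literal, so the only user-controlled input is a number. The option names `tkt_maintenance_active` and `tkt_maintenance_time`, the asset paths and the function name are assumptions for this example, and the code is assumed to live in the main plugin file so that `__FILE__` resolves inside the plugin directory.

```php
<?php
defined( 'ABSPATH' ) || exit;

add_action( 'wp_enqueue_scripts', 'tkt_maintenance_enqueue_assets' );

/**
 * Enqueue the maintenance screen assets and pass the countdown timestamp
 * to the script without printing any <script> tag by hand.
 */
function tkt_maintenance_enqueue_assets() {
	// Only the maintenance screen needs these assets (option name assumed).
	if ( ! (bool) get_option( 'tkt_maintenance_active', false ) ) {
		return;
	}

	// Paths are assumed; the version string lets browsers refresh cached copies.
	wp_enqueue_style(
		'tkt-maintenance-public',
		plugins_url( 'public/css/tkt-maintenance-public.css', __FILE__ ),
		array(),
		'1.0.0'
	);

	wp_enqueue_script(
		'tkt-maintenance-public',
		plugins_url( 'public/js/tkt-maintenance-public.js', __FILE__ ),
		array(),
		'1.0.0',
		true // Load in the footer.
	);

	// The stored value is an integer timestamp; anything else collapses to 0.
	$time = absint( get_option( 'tkt_maintenance_time', 0 ) );

	// wp_json_encode() emits a JavaScript literal, so the value cannot break
	// out of the script context the way a raw echo inside quotes could.
	$data = array( 'time' => $time );
	wp_add_inline_script(
		'tkt-maintenance-public',
		'var tktMaintenance = ' . wp_json_encode( $data ) . ';',
		'before'
	);
}
```

The public script then reads `tktMaintenance.time` instead of a `var time` that was spliced into the page. Because the inline snippet is attached to a registered handle, it also picks up any attributes (such as a CSP nonce) that the 5.7 script-attribute filters linked above apply to that handle.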

class-tkt-maintenance-i18n

I think I mentioned in the other issue (for the main file) that you don't need a class for a single function call.

class-tkt-maintenance-public

There are some code formatting inconsistencies in here that make it more difficult to follow the code.

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/public/class-tkt-maintenance-public.php#L92-L94

The way the options are handled is quite awkward. The options class doesn't help at all, and just makes it more difficult to read and use.

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/public/class-tkt-maintenance-public.php#L92

This is not translated.

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/public/class-tkt-maintenance-public.php#L134

Couldn't you spoof this with the login URL as a query on a real URL?

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/public/class-tkt-maintenance-public.php#L171

Using current_user_can() with a role is highly discouraged. Would it even work right for multisite?
Should this logic have some parentheses, or are you trying to use short-circuiting? If they aren't logged in, they can't be administrator.
Same with maybe_run_maintenance_mode
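The three points above (a login-page check that could be spoofed through the URL, testing a role instead of a capability, and the logged-in/administrator logic) can be handled with one gate on `template_redirect`. This is an added example, not the plugin's code: WordPress fires `template_redirect` only for front-end template requests, so `wp-login.php`, `wp-admin`, the REST API, cron and XML-RPC are never blocked and the request URI does not have to be string-matched at all. Visitors are let through on the `manage_options` capability, which is false for anonymous users and works on multisite. Option names, the template path and the function name are assumptions.

```php
<?php
defined( 'ABSPATH' ) || exit;

add_action( 'template_redirect', 'tkt_maintenance_maybe_run', 1 );

/**
 * Show the maintenance screen to everyone who may not manage the site.
 * Hooked to template_redirect, which never runs for wp-login.php or wp-admin.
 */
function tkt_maintenance_maybe_run() {
	// Option name assumed.
	if ( ! (bool) get_option( 'tkt_maintenance_active', false ) ) {
		return;
	}

	// Test a capability, not a role name: correct on multisite and with custom
	// roles, and false for anonymous visitors, so no is_user_logged_in() is needed.
	if ( current_user_can( 'manage_options' ) ) {
		return;
	}

	// 503 tells browsers and crawlers the outage is temporary; never let the
	// maintenance page be cached in place of the real site.
	nocache_headers();
	status_header( 503 );
	$retry = absint( get_option( 'tkt_maintenance_time', 0 ) ) - time();
	header( 'Retry-After: ' . max( 60, $retry ) );

	// Template path assumed; fall back to wp_die() if the file is missing.
	$template = plugin_dir_path( __FILE__ ) . 'public/partials/tkt-maintenance-public-display.php';
	if ( is_readable( $template ) ) {
		include $template;
		exit;
	}

	wp_die(
		esc_html__( 'We are performing scheduled maintenance. Please check back soon.', 'tkt-maintenance' ),
		esc_html__( 'Maintenance', 'tkt-maintenance' ),
		array( 'response' => 503 )
	);
}
```

If the plugin also needs to keep administrators out of a specific screen, the same capability test belongs there; comparing the request URI against `wp-login.php` is not needed for either case.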

uninstall

If in future, you need to do something during uninstall, add the file and do it. But having an empty uninstall is just silly.

[From WP Review Team] Variables must be escaped when echo'd

Much related to sanitizing everything, all variables that are echoed need to be escaped, so it can't hijack admin screens. There are many esc_*() functions you can use to make sure you don't show people the wrong data.

This is true for all $-variables, as it's possible that an XSS vulnerability in another plugin, or a MITM (Man in the Middle) attack, could subvert your data. It's doubly important when you're echoing content on the back-end of WordPress, as those are regularly targeted for exploits. By escaping, you ensure that you have future-proofed your plugin and protected your users.

Also keep in mind that sometimes a function is echoing when it should really be returning content instead. This is a common mistake when it comes to returning JSON encoded content. Very rarely is that actually something you should be echoing at all. Echoing is because it needs to be on the screen, read by a human. Returning (which is what you would do with an API) can be json encoded, though remember to sanitize when you save to that json object!

There are a number of options to secure all types of content (html, email, etc). Yes, even HTML needs to be properly escaped.
https://developer.wordpress.org/plugins/security/securing-output/

Remember: You must use the most appropriate functions for the context. If you’re outputting HTML, use esc_html(), and so on.

Example(s) from your plugin:

tkt-maintenance/admin/class-tkt-maintenance-admin.php:382: echo '<fieldset><legend><span>'. __( 'Enter an URL or Upload an Image for the Logo', 'tkt-maintenance' ) .'</span></legend><input name="'. $this->plugin_short . '_logo" id="'. $this->plugin_short . '_logo" type="text" size="36" value="' . esc_url_raw( get_option( $this->plugin_short . '_logo' ) ) . '" /><input id="'. $this->plugin_short . '_logo_button" type="button" value="Upload Image" /><p>'. __( 'Enter an URL or Upload an Image for the Logo', 'tkt-maintenance' ) .'</p></fieldset>';
tkt-maintenance/admin/class-tkt-maintenance-admin.php:393: echo '<fieldset><legend><span>'. __( 'Add your own Footer Text', 'tkt-maintenance' ) .'</span></legend><input name="'. $this->plugin_short . '_footer" id="'. $this->plugin_short . '_footer" type="text" value="' . sanitize_text_field( get_option( $this->plugin_short . '_footer' ) ) . '" /><p>'. __( 'Add your own Footer Text', 'tkt-maintenance' ) .'</p></fieldset>';
tkt-maintenance/admin/class-tkt-maintenance-admin.php:404: echo '<fieldset><legend><span>'. __( 'Add your own Header Text', 'tkt-maintenance' ) .'</span></legend><input name="'. $this->plugin_short . '_header" id="'. $this->plugin_short . '_header" type="text" value="' . sanitize_text_field( get_option( $this->plugin_short . '_header' ) ) . '" /><p>'. __( 'Add your own Header Text', 'tkt-maintenance' ) .'</p></fieldset>';
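The three lines quoted above sanitize at output time (`sanitize_text_field()` around `get_option()`) and print the translated labels from `__()` unescaped. The following is an added example of the same two fields written with context-specific escaping; it is not the plugin's code. Sanitizing belongs in the `register_setting()` callback when the value is saved, and at output each value is escaped for where it lands: `esc_attr()` inside an attribute, `esc_html()`/`esc_html_e()` between tags, `esc_url()` in `src`/`value` URL attributes. Option and function names are assumptions.

```php
<?php
defined( 'ABSPATH' ) || exit;

/**
 * Settings field callback for the header text (option name assumed).
 */
function tkt_maintenance_header_field_cb() {
	$value = get_option( 'tkt_maintenance_header', '' );
	?>
	<fieldset>
		<legend><span><?php esc_html_e( 'Add your own Header Text', 'tkt-maintenance' ); ?></span></legend>
		<input name="tkt_maintenance_header" id="tkt_maintenance_header" type="text"
			value="<?php echo esc_attr( $value ); ?>" />
		<p><?php esc_html_e( 'Add your own Header Text', 'tkt-maintenance' ); ?></p>
	</fieldset>
	<?php
}

/**
 * Settings field callback for the logo URL (option name assumed).
 * esc_url() is the output counterpart of esc_url_raw(), which is for saving.
 */
function tkt_maintenance_logo_field_cb() {
	$logo = get_option( 'tkt_maintenance_logo', '' );
	?>
	<fieldset>
		<legend><span><?php esc_html_e( 'Enter an URL or Upload an Image for the Logo', 'tkt-maintenance' ); ?></span></legend>
		<input name="tkt_maintenance_logo" id="tkt_maintenance_logo" type="text" size="36"
			value="<?php echo esc_url( $logo ); ?>" />
		<input id="tkt_maintenance_logo_button" type="button"
			value="<?php esc_attr_e( 'Upload Image', 'tkt-maintenance' ); ?>" />
		<?php if ( '' !== $logo ) : ?>
			<img src="<?php echo esc_url( $logo ); ?>" alt="" />
		<?php endif; ?>
		<p><?php esc_html_e( 'Enter an URL or Upload an Image for the Logo', 'tkt-maintenance' ); ?></p>
	</fieldset>
	<?php
}
```

The rule of thumb is to escape as late as possible and for the exact context: a value that is safe between tags is not automatically safe inside a quoted attribute, which is why `esc_html()` and `esc_attr()` are separate functions.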

class-tkt-maintenance-admin

I think the settings should be one array instead of individual fields.
But what is going on with
$this->plugin_short . '_active', and $this->plugin_short . '_dequeue_styles_scripts',
using validate_number as a sanitization callback? They look like booleans.
https://developer.wordpress.org/reference/functions/wp_validate_boolean/
Also, for non-negative integers: https://developer.wordpress.org/reference/functions/absint/

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/admin/class-tkt-maintenance-admin.php#L224-L227

In the template, there are no script tags output, so the user would have to put them in here, but then they would be escaped.
The CSS field doesn't have that problem, but the esc_html function is probably not the right one for sanitizing.

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/admin/class-tkt-maintenance-admin.php#L507

This should be current_user_can( 'manage_options' ) and/or 'unfiltered_upload' or 'manage_network_options'.

class-tkt-maintenance-options

It would be better if the options were stored in an array in the database instead of many separate option entries.
It would also be better if there were valid defaults used.

It is a bit confusing to have a function named set_options which doesn't actually set the options in the database. And then get_options calls set_options.

https://github.com/TukuToi/tkt-maintenance/blob/18c552f0089296be71e39d1c9521a61df0f6d6e1/public/class-tkt-maintenance-options.php#L62

Is this going to produce valid CSS? Core uses simply strip_tags() for the Additional CSS output.
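The admin and options issues above both ask for one settings array with valid defaults, for boolean fields to be validated with `wp_validate_boolean()` rather than a number check, and for `manage_options` as the capability. The following is an added example, not the plugin's code, that registers a single option array with typed defaults and a sanitize callback that handles each field by type; the custom CSS/JS fields are left out, following the review team's request to remove them. Option name, keys and function names are assumptions.

```php
<?php
defined( 'ABSPATH' ) || exit;

// Single option row holding every setting (name assumed).
const TKT_MAINTENANCE_OPTION = 'tkt_maintenance_options';

/** Typed defaults: every key the plugin understands, with a safe value. */
function tkt_maintenance_defaults() {
	return array(
		'active'                 => false,
		'dequeue_styles_scripts' => false,
		'time'                   => 0,
		'header'                 => '',
		'footer'                 => '',
		'logo'                   => '',
	);
}

/** Read the options; missing keys get defaults, unknown keys are dropped. */
function tkt_maintenance_get_options() {
	$stored   = get_option( TKT_MAINTENANCE_OPTION, array() );
	$defaults = tkt_maintenance_defaults();
	$merged   = wp_parse_args( is_array( $stored ) ? $stored : array(), $defaults );
	return array_intersect_key( $merged, $defaults );
}

/** Sanitize callback: validate each field according to its type. */
function tkt_maintenance_sanitize_options( $input ) {
	$input = is_array( $input ) ? $input : array();
	$clean = tkt_maintenance_defaults();

	$clean['active']                 = wp_validate_boolean( $input['active'] ?? false );
	$clean['dequeue_styles_scripts'] = wp_validate_boolean( $input['dequeue_styles_scripts'] ?? false );
	$clean['time']                   = absint( $input['time'] ?? 0 );   // non-negative timestamp
	$clean['header']                 = sanitize_text_field( $input['header'] ?? '' );
	$clean['footer']                 = sanitize_text_field( $input['footer'] ?? '' );
	$clean['logo']                   = esc_url_raw( $input['logo'] ?? '' );

	return $clean;
}

add_action( 'admin_init', 'tkt_maintenance_register_settings' );
function tkt_maintenance_register_settings() {
	register_setting(
		'tkt_maintenance',
		TKT_MAINTENANCE_OPTION,
		array(
			'type'              => 'array',
			'sanitize_callback' => 'tkt_maintenance_sanitize_options',
			'default'           => tkt_maintenance_defaults(),
		)
	);
}

/**
 * Programmatic update path: the Settings API runs the sanitize callback for
 * form posts, but a direct update must go through it too, and only for users
 * who hold the manage_options capability.
 */
function tkt_maintenance_update_options( array $new ) {
	if ( ! current_user_can( 'manage_options' ) ) {
		return false;
	}
	return update_option( TKT_MAINTENANCE_OPTION, tkt_maintenance_sanitize_options( $new ) );
}
```

With the settings in one array, `tkt_maintenance_get_options()` replaces a separate options class: callers read `tkt_maintenance_get_options()['active']` and always get a value of the right type, even on a fresh install where nothing has been saved yet.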
