Roadmap: WordPress.org Plugin Directory compliance

[TommsNL]

Hi Franky,

I'd like to help prepare Events Made Easy for publication in the official WordPress.org Plugin Directory. I've analyzed the plugin against the current WordPress.org guidelines and Plugin Check (PCP) automated requirements, and the good news is that the plugin is already ~80% compliant — prefixing, sanitization, escaping, i18n, enqueuing, and file access protection are all solid. Great work on that!

There are a few items that need attention for WordPress.org approval. I'd like to submit these as separate, small PRs that are easy to review.

Phase 1: Technical improvements

1. Add nonce verification to admin GET action handlers — PCP security check requires nonces on all admin actions to prevent CSRF
2. Add unminified source files for bundled .min.js libraries — required by PCP automated check
3. Convert inline script to wp_add_inline_script() — PCP flags inline <script> tags
4. Fix license inconsistency and update plugin metadata — readme.txt says GPLv3, LICENSE file is GPLv2, plugin header says GPLv2+

Phase 2: Deeper review

After the initial improvements, I'd like to do a more thorough review with the Plugin Check (PCP) tool and PHPCS WordPress coding standards to identify any remaining issues before submission.

Phase 3: WordPress.org submission

5. Remove GitHub updater — final step, only when ready to submit to WordPress.org

All changes are designed to be non-breaking. The plugin will continue to work via GitHub throughout.

Let me know if you're interested and if you have any preferences on the approach!

References

• WordPress.org Detailed Plugin Guidelines
• Plugin Check (PCP)
• PCP automated security reports (2025)

[liedekef]

I see you already started :-) I guess the first phase is easy, but the second phase won't be as easy ... I tried complying with late escaping in the past but I also have a thing for efficiency and WP rules are sometimes extremely messy in resulting code. But we'll see ...

[liedekef]

I reverted the changes (for now), reasons are in the closed PR's

[TommsNL]

Hi Franky,

Quick status update on the roadmap:

PR #923 — Add per-action nonce verification to admin GET handlers
This replaces the earlier PR #920 (which broke the discount management menu links). PR #923 uses a per-action approach instead of a blanket check: only data-processing actions (booking_printable, booking_csv, tasksignups_csv) get nonce verification, while navigation actions (discounts, dgroups, states, etc.) remain untouched. All admin pages and sub-navigation continue to work normally.

PR #921 (unminified JS sources) — We're postponing this one for now. It was already merged, but since you reverted, we'll revisit it later when the higher-priority items (escaping, prepare) are further along.

Next focus will be on the escaping and $wpdb->prepare() work (Phase 2 from the roadmap). We've built a test framework to catch regressions, so future PRs should be safer to review.

[TommsNL]

Status update: Escaping progress

We're making steady progress on the late escaping work (Phase 2 from the roadmap).

Merged:

• PR Add late escaping to 5 admin page files (WP Store readiness) #924 -- Late escaping batch 1: 5 small admin files (eme-discounts.php, eme-countries.php, eme-categories.php, eme-templates.php, eme-holidays.php)
• PR Fix $message escaping: use nl2br(esc_html()) pattern #925 -- Follow-up fix: nl2br(esc_html($message)) pattern for admin messages that can contain newlines (from CSV import errors). Applied consistently across all batch 1 files.

Open for review:

• PR Late escaping batch 2: 6 admin files #926 -- Late escaping batch 2: 6 more files (eme-todos.php, eme-attributes.php, eme-cron.php, eme-cleanup.php, eme-formfields.php, eme-options.php)

Progress so far:

• Unescaped output count: ~319 -> ~234 (with PR Late escaping batch 2: 6 admin files #926)
• Test suite expanded to 70 tests including admin form CRUD (add/edit/delete via POST with nonce verification)

Approach:
We're working in small, reviewable batches, applying context-appropriate escaping:

• esc_attr() for HTML attributes
• nl2br(esc_html()) for plain-text admin messages (consistent pattern per your feedback)
• wp_kses_post() only where variables intentionally contain HTML
• phpcs:ignore for hardcoded trusted output

Each batch is reviewed for runtime context (variable assignments traced to catch cases like the $message HTML issue in PR #924). Next up will be the more complex files (eme-rsvp.php, eme-functions.php).

[TommsNL]

Status update: Escaping complete, next phases identified

Merged since last update:

• PR Late escaping batch 2: 6 admin files #926 — Late escaping batch 2 (eme-widgets, eme-cleanup, eme-ui, eme-actions + 6 admin files)
• PR Late escaping batch 3: esc_attr/wp_kses_post/checked() across 10 files #929 — Late escaping batch 3 (eme-rsvp, eme-locations, eme-recurrence, eme-tasks, eme-attendances, eme-functions)

Open for review:

• PR Late escaping batch 4: complete remaining admin output escaping #934 — Late escaping batch 4: final batch (eme-events, eme-members, eme-people, eme-mailer, eme-ical, eme-locations, cli_mail). Includes fixes per reviewer feedback on Late escaping batch 3: esc_attr/wp_kses_post/checked() across 10 files #929 (esc_url() for ICAL/RSS URLs, esc_html(eme_translate()) instead of eme_trans_esc_html() for PHPCS recognition).

Escaping progress:

• Unescaped output count: 319 → 0 (across PRs Add late escaping to 5 admin page files (WP Store readiness) #924, Fix $message escaping: use nl2br(esc_html()) pattern #925, Late escaping batch 2: 6 admin files #926, Late escaping batch 3: esc_attr/wp_kses_post/checked() across 10 files #929, Late escaping batch 4: complete remaining admin output escaping #934)
• Test suite: 76 automated tests, 0 failures, 0 PHP errors

Remaining WP Store readiness items:

Category	Count	Effort
$url without esc_url() in template processing	~17	Small — promised in #929 feedback
ABSPATH protection (missing defined('ABSPATH') guard)	3 files	Quick win
Unprefixed functions	2	Quick win
$wpdb without prepare()	~461	Large
Unsanitized superglobals ($_GET/$_POST)	~690	Large
Inline <script> / <style> tags	4 / 4 files	Medium

Planned next steps:

1. Quick PR: esc_url() for template URLs + ABSPATH protection + unprefixed functions
2. Then tackle $wpdb->prepare() and/or input sanitization in batches

[TommsNL]

Status update: PHPCS escaping recognition + admin_url wrapping

Merged since last update:

• PR esc_url() for template URLs, ABSPATH guards, prefix CLI functions #935 — esc_url() for template URLs, ABSPATH guards on 3 class files, prefix CLI functions in cli_mail.php

Open for review:

• PR Replace eme_trans_esc_html() with WP escaping, wrap admin_url() in esc_url() #936 — Two related escaping improvements in one batch:

  1. Replace all ~209 eme_trans_esc_html() calls with PHPCS-recognized WP core functions (esc_html(eme_translate()) for text content, esc_attr(eme_translate()) for attribute values)
  2. Wrap all ~148 admin_url() calls in output context with esc_url()

  The function definition in eme-translate.php is preserved for backwards compatibility. Where admin_url() was inside wp_nonce_url(), the outer call is wrapped. Also cleaned up & to & inside admin_url() parameters since esc_url() handles the encoding.

  21 files changed, 347 insertions, 365 deletions.

Test results (PR #936):

• PHP syntax: all 21 files pass
• Test suite: 73/76 pass (3 pre-existing CSRF nonce failures, unrelated)
• Zero remaining eme_trans_esc_html() outside the definition

Remaining WP Store readiness items:

Category	Count	Effort
$wpdb without prepare()	~461	Large
Unsanitized superglobals ($_GET/$_POST)	~690	Large
Inline <script> / <style> tags	4 / 4 files	Medium

[TommsNL]

Status update: $wpdb->prepare() complete, all escaping done

Merged since last update (8 PRs):

• PR Replace eme_trans_esc_html() with WP escaping, wrap admin_url() in esc_url() #936 — Replace ~209 eme_trans_esc_html() with WP core functions + wrap ~148 admin_url() with esc_url()
• PR Wrap translations with esc_attr in attributes, esc_html in link text #937 — esc_attr__() for ~108 translations in HTML attributes, esc_html__() for ~50 translations as link text
• PR Add phpcs:ignore for trusted eme_ui_select() output #940 — phpcs:ignore for ~143 eme_ui_select*() echo/print statements
• PR Add phpcs:ignore for UI helpers & wp_nonce_field, fix canonical URL escaping #941 — phpcs:ignore for ~59 remaining eme_ui_*() + ~11 wp_nonce_field() + 2 canonical URL fixes
• PR Use esc_attr for values in HTML attribute contexts #942 — esc_attr corrections for ~14 attribute contexts (replacing incorrect esc_html in attributes)
• PR Add $wpdb->prepare() for small admin files (batch 1) #943 — $wpdb->prepare() batch 1: 9 small admin files (~118 queries, metric ~457 → ~339)
• PR Add $wpdb->prepare() and phpcs:ignore for all remaining files (batch 2) #944 — $wpdb->prepare() batch 2: all 13 remaining files (~339 queries, metric → ~3)
• PR Parameterize 4 remaining IN clauses in eme-rsvp.php #945 — Follow-up to Add $wpdb->prepare() and phpcs:ignore for all remaining files (batch 2) #944 feedback: parameterize 4 missed IN clauses in eme-rsvp.php

Current metrics:

Category	Count	Status
Unescaped output	0	Done (was 319)
$wpdb without prepare()	~3	Done (was ~457). 3 remaining are false positives in a /* */ comment block
Unsanitized superglobals ($_GET/$_POST)	~693	Open — next target
Inline <script> / <style> tags	4 / 4 files	Open

Test suite: 76/76 passed, 0 failures.

What's next:
The two big remaining WP Store readiness items are input sanitization (~693 superglobals) and inline script/style extraction. Input sanitization is the larger task — we'll plan the approach and batch strategy before starting.

[liedekef]

meanwhile old comment block removed

[liedekef]

btw: none of the GET/POST vars are unsanitized, but WP-style is different ...

[TommsNL]

Thanks for cleaning up the comment block, $wpdb metric is now a clean 0.

Good to know on the superglobals. We'll treat it as a WP-style conversion (sanitize_text_field(), wp_unslash(), absint() etc.) rather than a security fix. Will plan the batching strategy accordingly, probably similar approach as the $wpdb work: start with the simpler files, establish patterns, then tackle the larger ones.

[liedekef]

Things currently left to fix (according to Plugin checker):

class-expressivedate.php

Line	Column	Type	Code	Message	Docs
161	77	ERROR	WordPress.Security.EscapeOutput.ExceptionNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$timezone'.	Docs
1138	70	ERROR	WordPress.Security.EscapeOutput.ExceptionNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$attribute'.	Docs
1160	70	ERROR	WordPress.Security.EscapeOutput.ExceptionNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$attribute'.	Docs
1191	70	ERROR	WordPress.Security.EscapeOutput.ExceptionNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$attribute'.	Docs
1281	96	ERROR	WordPress.Security.EscapeOutput.ExceptionNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$method'.	Docs

eme-gdpr.php

Line	Column	Type	Code	Message	Docs
407	11	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'eme_kses_maybe_unfiltered'.	Docs

eme-ical.php

Line	Column	Type	Code	Message	Docs
248	18	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"\n$locurl\n$lastmod\n$changefreq\n$priority\n\n"'.	Docs

eme-locations.php

Line	Column	Type	Code	Message	Docs
816	14	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"$field_name$field_html"'.	Docs

eme-members.php

Line	Column	Type	Code	Message	Docs
1649	22	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'eme_localized_date'.	Docs
1660	22	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'eme_localized_date'.	Docs
1700	22	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'eme_localized_datetime'.	Docs
1710	10	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'eme_member_form'.	Docs
2815	14	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"$field_name$field_html"'.	Docs
3263	74	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$message'.	Docs
4971	10	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '""'.	Docs

eme-payments.php

Line	Column	Type	Code	Message	Docs
1990	18	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '__'.	Docs
2074	14	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '__'.	Docs
2472	11	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"\n'.	Docs
4165	48	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '__'.	Docs

eme-rsvp.php

Line	Column	Type	Code	Message	Docs
5098	87	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$update_message'.	Docs
5107	85	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$update_message'.	Docs

eme-events.php

Line	Column	Type	Code	Message	Docs
599	18	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"\n'.	Docs
620	26	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"\n'.	Docs
630	36	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '__'.	Docs
630	193	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"\n'.	Docs
6112	47	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"' $selected>"'.	Docs
6266	47	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"' $selected>"'.	Docs
6648	241	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$trash_button_text'.	Docs
6662	261	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$deleteRecurrence_button_text'.	Docs
6685	51	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"' $selected>"'.	Docs
6868	82	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$category['category_id']'.	Docs
6868	123	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$selected'.	Docs
7421	26	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'EME_PLUGIN_URL'.	Docs
8557	14	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"$field_name$field_html"'.	Docs
8772	47	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"' $selected>"'.	Docs
8786	233	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'str_replace'.	Docs

eme-mailer.php

Line	Column	Type	Code	Message	Docs
2792	38	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'EME_RSVP_STATUS_APPROVED'.	Docs
2793	38	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'EME_RSVP_STATUS_PENDING'.	Docs

eme-people.php

Line	Column	Type	Code	Message	Docs
1485	48	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'get_stylesheet_directory_uri'.	Docs
1489	48	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'get_stylesheet_directory_uri'.	Docs
1501	14	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'eme_replace_locations_placeholders'.	Docs
1616	19	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '""'.	Docs
1616	55	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$tmp_formfield['field_name']'.	Docs
1698	92	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$discount_name'.	Docs
1712	31	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '""'.	Docs
1712	55	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'eme_answer2readable'.	Docs
1720	23	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '" "'.	Docs
1737	27	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"$grouping.$occurence "'.	Docs
1737	124	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'eme_answer2readable'.	Docs
2598	170	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'EME_WP_DATE_FORMAT'.	Docs
4661	24	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'eme_get_bookings_list_for_wp_id'.	Docs

eme-actions.php

Line	Column	Type	Code	Message	Docs
449	106	ERROR	WordPress.WP.EnqueuedResourceParameters.NoExplicitVersion	Version parameter is not explicitly set or has been set to an equivalent of "false" for wp_register_script; This means that the WordPress core version will be used which is not recommended for plugin or theme development.
452	98	ERROR	WordPress.WP.EnqueuedResourceParameters.NoExplicitVersion	Version parameter is not explicitly set or has been set to an equivalent of "false" for wp_register_script; This means that the WordPress core version will be used which is not recommended for plugin or theme development.
455	120	ERROR	WordPress.WP.EnqueuedResourceParameters.NoExplicitVersion	Version parameter is not explicitly set or has been set to an equivalent of "false" for wp_register_script; This means that the WordPress core version will be used which is not recommended for plugin or theme development.
458	143	ERROR	WordPress.WP.EnqueuedResourceParameters.NoExplicitVersion	Version parameter is not explicitly set or has been set to an equivalent of "false" for wp_register_script; This means that the WordPress core version will be used which is not recommended for plugin or theme development.
459	150	ERROR	WordPress.WP.EnqueuedResourceParameters.NoExplicitVersion	Version parameter is not explicitly set or has been set to an equivalent of "false" for wp_register_script; This means that the WordPress core version will be used which is not recommended for plugin or theme development.
519	17	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '__'.	Docs
688	10	ERROR	WordPress.Security.EscapeOutput.OutputNotEscaped	All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'eme_get_events_list'.	Docs

eme-options.php

Line	Column	Type	Code	Message	Docs
1225	9	ERROR	PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing	Sanitization missing for register_setting().	Docs