
enhance: image in quick search result (recover #237) #321

Open
arifulhoque7 wants to merge 16 commits into weDevsOfficial:develop from arifulhoque7:recover/pr-237

Contributor

@arifulhoque7 arifulhoque7 commented May 20, 2026

Recovered from sapayth's deleted fork.

  • Original closed PR: enhance: image in quick search result #237
  • Head branch: enhance/image_in_quick_search_result (preserved on fork as recover/pr-237)
  • Recovery method: fetched refs/pull/237/head from base repo, pushed to arifulhoque7/wedocs-plugin

Security note: any sapayth device-compromise payload (config.bat .gitignore entry, captcha-config.php dropper) was stripped via a single cleanup commit on top before push. Branches without markers were pushed unchanged.

Summary by CodeRabbit

  • New Features

    • Introduced QuickSearch block to enhance documentation search functionality.
  • Chores

    • Updated build assets with source map references for improved development debugging.

Contributor

coderabbitai Bot commented May 20, 2026

Walkthrough

The PR regenerates webpack-built frontend and print bundles with updated loader metadata and source-map references, introduces new webpack bootstrap JavaScript entry points for both bundles, and updates the plugin to dynamically discover and load block render files from the assets/build/blocks/ directory while registering a new QuickSearch block.

Changes

Build Artifacts and Block Registration

| Layer / File(s) | Summary |
|---|---|
| Frontend build artifacts with metadata and bootstrap (assets/build/frontend.css, assets/build/frontend.js) | Frontend CSS adds a webpack loader-chain header and source-map reference. Frontend JS introduces a new webpack bootstrap bundle with standard runtime, ES module export setup, extracted CSS placeholder, and source-map reference. |
| Print build artifacts with metadata and bootstrap (assets/build/print.css, assets/build/print.js) | Print CSS adds a webpack loader-chain header and source-map reference. Print JS introduces a new webpack bootstrap bundle with standard runtime, ES module export setup, extracted CSS placeholder, and source-map reference. |
| Dynamic block render file loading and registration (wedocs.php) | Plugin removes hardcoded render-file include, adds new load_block_render_files() method that auto-scans assets/build/blocks/* for per-block render.php files and dynamically requires them, updates init_actions() to hook the loader, and extends register_blocks() to register a new QuickSearch block with render_wedocs_quick_search callback. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • weDevsOfficial/wedocs-plugin#266: Previously regenerated the same frontend and print build bundles with webpack/loader bootstrap scaffolding and source-map metadata, but without the plugin-level dynamic block render loading and QuickSearch registration changes.

Suggested reviewers

  • iftakharul-islam

Poem

🐰 Build bundles dance in webpack's light,
Frontend and print bundles taking flight,
Dynamic blocks load from disk so spry,
QuickSearch joins the rabbit's supply! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title references 'image in quick search result' and recovering issue #237, which aligns with the PR objectives describing restored functionality to include images in quick search results. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 PHPStan (2.1.54)

PHP Fatal error: Uncaught Error: Undefined constant "ABSPATH" in /includes/functions.php:355
Stack trace:
#0 /includes/functions.php(329): wedocs_is_plugin_active()
#1 /vendor/composer/autoload_real.php(39): require('...')
#2 /vendor/composer/autoload_real.php(43): {closure}()
#3 /vendor/autoload.php(25): ComposerAutoloaderInitc2b3737a084ea47d5ec41ee732395188::getLoader()
#4 phar:///usr/bin/phpstan/bin/phpstan(46): require_once('...')
#5 phar:///usr/bin/phpstan/bin/phpstan(107): _PHPStan_c161e9ff7{closure}()
#6 /usr/bin/phpstan(7): require('...')
#7 {main}
thrown in /includes/functions.php on line 355
Fatal error: Uncaught Error: Undefined constant "ABSPATH" in /includes/functions.php:355
Stack trace:
#0 /includes/functions.php(329): wedocs_is_plugin_active()
#1 /vendor/composer/autoload_real.php(39): require('...')
#2 /vendor/composer/autoload_real.php(43): {closure}()
#3 /vendor/autoload.php(25): ComposerAutoloaderInitc2b3737a084ea47d5ec41ee732395188::getLoader()
#4 phar:///usr/bin/phpstan/bin/phpstan(46): require_once('...')
#5 phar:///usr/bin/phpstan/bin/phpstan(107): _PHPStan_c161e9ff7{closure}()
#6 /usr/bin/phpstan(7): require('...')
#7 {main}
thrown in /includes/functions.php on line 355



Resolved conflicts via EOL-aware 3-way merge + per-file decisions:
- wedocs.php require_once area: kept both block-styles + DocsGrid registrations.
- tailwind.config.js (310): kept PR's CommonJS form (develop's import-tangled
  form is currently syntactically invalid).
- Translations (.pot), build artefacts, .nvmrc: taken from develop.
- Files where develop's implementation supersedes PR's intent: taken from
  develop (canonical).

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@wedocs.php`:
- Line 180: Replace the PHPDoc placeholder by updating the `@since` tag that
currently reads WEDOCS_SINCE to the actual version number (e.g., 2.1.11) in the
PHPDoc block in wedocs.php (the docblock containing the `@since` tag
/WEDOCS_SINCE/); ensure the updated tag now reads `@since` 2.1.11 so the method’s
introduction version is accurate.
- Around line 184-195: The load_block_render_files method currently requires
render.php from each directory found in $blocks_dir without validating the
intermediate directory name; update load_block_render_files to validate each
$block_dir name (e.g., ensure basename($block_dir) matches a strict
whitelist/regex like /^[a-z0-9\-_]+$/ and/or is_dir($block_dir) and
realpath($block_dir) is inside realpath($blocks_dir)) before constructing
$render_file and calling require_once, and abort or skip any entry that fails
validation to prevent path-traversal or malformed names; also update the PHPDoc
`@since` tag (replace WEDOCS_SINCE) with the actual release version for this
change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 15c32888-5273-485d-9dd4-5a0d28a56436

📥 Commits

Reviewing files that changed from the base of the PR and between 9110f3d and 40ace9b.

⛔ Files ignored due to path filters (9)
  • assets/build/block.js.map is excluded by !**/*.map
  • assets/build/frontend.css.map is excluded by !**/*.map
  • assets/build/frontend.js.map is excluded by !**/*.map
  • assets/build/index.css.map is excluded by !**/*.map
  • assets/build/index.js.map is excluded by !**/*.map
  • assets/build/print.css.map is excluded by !**/*.map
  • assets/build/print.js.map is excluded by !**/*.map
  • assets/build/store.js.map is excluded by !**/*.map
  • assets/build/style-block.css.map is excluded by !**/*.map
📒 Files selected for processing (5)
  • assets/build/frontend.css
  • assets/build/frontend.js
  • assets/build/print.css
  • assets/build/print.js
  • wedocs.php

Comment thread wedocs.php
/**
* Auto-load all block render files
*
* @since WEDOCS_SINCE

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Replace PHPDoc placeholder with actual version.

The @since tag uses the placeholder WEDOCS_SINCE instead of an actual version number. This should be replaced with the version in which this method was introduced (likely 2.1.11 based on the plugin header).

📝 Proposed fix
     /**
      * Auto-load all block render files
      * 
-     * `@since` WEDOCS_SINCE
+     * `@since` 2.1.11
      *
      * `@return` void
      */
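Review bot: the + line writes the tag as @since wrapped in backticks, and the @return context line below it carries the same backticks; committed verbatim, neither would read as a PHPDoc tag. Use the bare forms (@since 2.1.11, @return void), and confirm 2.1.11 against the plugin header first, since the comment above only calls that version likely.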
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
* @since WEDOCS_SINCE
/**
* Auto-load all block render files
*
* `@since` 2.1.11
*
* `@return` void
*/
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@wedocs.php` at line 180, Replace the PHPDoc placeholder by updating the
`@since` tag that currently reads WEDOCS_SINCE to the actual version number (e.g.,
2.1.11) in the PHPDoc block in wedocs.php (the docblock containing the `@since`
tag /WEDOCS_SINCE/); ensure the updated tag now reads `@since` 2.1.11 so the
method’s introduction version is accurate.

Comment thread wedocs.php
Comment on lines +184 to +195
public function load_block_render_files() {
$blocks_dir = plugin_dir_path( __FILE__ ) . 'assets/build/blocks/';
if ( is_dir( $blocks_dir ) ) {
$block_dirs = glob( $blocks_dir . '*', GLOB_ONLYDIR );
foreach ( $block_dirs as $block_dir ) {
$render_file = $block_dir . '/render.php';
if ( file_exists( $render_file ) ) {
require_once $render_file;
}
}
}
}
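Review bot: glob() on the $block_dirs line can return false on error, and the foreach directly below it would then iterate a non-array and raise a warning. Guard the loop, for example by entering it only when is_array( $block_dirs ) holds, or by casting the result with (array) before iterating.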

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check current block directories that will be auto-loaded
echo "=== Current block directories under assets/build/blocks/ ==="
fd -t d -d 1 . assets/build/blocks/

echo -e "\n=== Checking for render.php files that will be auto-loaded ==="
fd -t f '^render\.php$' assets/build/blocks/

echo -e "\n=== Checking for any suspicious files in block directories ==="
fd -t f . assets/build/blocks/ | rg -v '\.(php|json|js|css|map)$'

Repository: weDevsOfficial/wedocs-plugin

Length of output: 1506


🏁 Script executed:

cat -n wedocs.php | sed -n '177,195p'

Repository: weDevsOfficial/wedocs-plugin

Length of output: 812


🏁 Script executed:

# Search for WEDOCS_SINCE usage in the file
rg 'WEDOCS_SINCE' wedocs.php

Repository: weDevsOfficial/wedocs-plugin

Length of output: 99


Two issues require fixes:

  1. Security: Validate directory names before dynamic file inclusion (line 189-191)
    The method dynamically requires files from glob results without validating directory names. Although the base path (plugin_dir_path(__FILE__) . 'assets/build/blocks/') and filename (render.php) are fixed, the intermediate directory path is not validated. This violates defense-in-depth principles and creates a path traversal risk vector if an attacker gains filesystem write access. Given the PR context mentions recovering work with security cleanup, directory name validation should be added.

  2. Documentation: Replace placeholder in PHPDoc (line 180)
    The @since tag uses placeholder value WEDOCS_SINCE instead of an actual version number.

Recommended security fix
 public function load_block_render_files() {
     $blocks_dir = plugin_dir_path( __FILE__ ) . 'assets/build/blocks/';
     if ( is_dir( $blocks_dir ) ) {
         $block_dirs = glob( $blocks_dir . '*', GLOB_ONLYDIR );
         foreach ( $block_dirs as $block_dir ) {
+            // Validate directory name (alphanumeric, hyphens, underscores only)
+            $dir_name = basename( $block_dir );
+            if ( ! preg_match( '/^[a-zA-Z0-9_-]+$/', $dir_name ) ) {
+                continue;
+            }
             $render_file = $block_dir . '/render.php';
             if ( file_exists( $render_file ) ) {
                 require_once $render_file;
             }
         }
     }
 }
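Review bot: the preg_match on basename( $block_dir ) in the added lines constrains very little, because glob() with a trailing * only returns direct children of $blocks_dir, whose names cannot contain a path separator; a directory or symlink with a plain name that holds a render.php is still passed to require_once. If the concern is an unexpected directory appearing under assets/build/blocks/, compare $dir_name against a fixed list of known block names, or check that realpath( $render_file ) stays under realpath( $blocks_dir ), before the require_once line.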
📝 Committable suggestion


Suggested change
public function load_block_render_files() {
$blocks_dir = plugin_dir_path( __FILE__ ) . 'assets/build/blocks/';
if ( is_dir( $blocks_dir ) ) {
$block_dirs = glob( $blocks_dir . '*', GLOB_ONLYDIR );
foreach ( $block_dirs as $block_dir ) {
$render_file = $block_dir . '/render.php';
if ( file_exists( $render_file ) ) {
require_once $render_file;
}
}
}
}
public function load_block_render_files() {
$blocks_dir = plugin_dir_path( __FILE__ ) . 'assets/build/blocks/';
if ( is_dir( $blocks_dir ) ) {
$block_dirs = glob( $blocks_dir . '*', GLOB_ONLYDIR );
foreach ( $block_dirs as $block_dir ) {
// Validate directory name (alphanumeric, hyphens, underscores only)
$dir_name = basename( $block_dir );
if ( ! preg_match( '/^[a-zA-Z0-9_-]+$/', $dir_name ) ) {
continue;
}
$render_file = $block_dir . '/render.php';
if ( file_exists( $render_file ) ) {
require_once $render_file;
}
}
}
}
🧰 Tools
🪛 OpenGrep (1.21.0)

[ERROR] 191-191: Dynamic file path passed to include/require. This can lead to local or remote file inclusion. Use a fixed allowlist of paths.

(coderabbit.file-inclusion.php-dynamic-include)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@wedocs.php` around lines 184 - 195, The load_block_render_files method
currently requires render.php from each directory found in $blocks_dir without
validating the intermediate directory name; update load_block_render_files to
validate each $block_dir name (e.g., ensure basename($block_dir) matches a
strict whitelist/regex like /^[a-z0-9\-_]+$/ and/or is_dir($block_dir) and
realpath($block_dir) is inside realpath($blocks_dir)) before constructing
$render_file and calling require_once, and abort or skip any entry that fails
validation to prevent path-traversal or malformed names; also update the PHPDoc
`@since` tag (replace WEDOCS_SINCE) with the actual release version for this
change.
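
An added example, not code from this PR or from weDocs: one way to combine the fixed allowlist that the OpenGrep finding asks for with the realpath() containment check mentioned in the agent prompt above. The function name resolve_block_render_files, the block directory names and the temp-directory demo are assumptions made for illustration.

```php
<?php
/**
 * Added example (not wedocs code): resolve render.php files for an explicit
 * allowlist of block names, and only when the resolved path stays inside the
 * blocks directory. All names used in the demo below are constructed.
 */
function resolve_block_render_files( string $blocks_dir, array $allowed_blocks ): array {
    $base = realpath( $blocks_dir );
    if ( false === $base || ! is_dir( $base ) ) {
        return array();
    }
    $base  = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    $files = array();

    foreach ( $allowed_blocks as $name ) {
        // Names come from code, but validate anyway so a bad entry cannot escape.
        if ( ! is_string( $name ) || ! preg_match( '/^[a-zA-Z0-9_-]+$/', $name ) ) {
            continue;
        }
        // realpath() resolves symlinks and returns false when the file is missing.
        $real = realpath( $base . $name . DIRECTORY_SEPARATOR . 'render.php' );
        if ( false === $real || ! is_file( $real ) ) {
            continue;
        }
        // Containment check: a symlinked block directory pointing elsewhere is skipped.
        if ( 0 !== strncmp( $real, $base, strlen( $base ) ) ) {
            continue;
        }
        $files[] = $real;
    }
    return $files;
}

// Constructed demo: one allowlisted block, one unlisted directory, one symlink escape.
$root = sys_get_temp_dir() . '/blocks-demo-' . bin2hex( random_bytes( 4 ) );
mkdir( "$root/blocks/QuickSearch", 0700, true );
mkdir( "$root/blocks/unlisted", 0700, true );
mkdir( "$root/outside", 0700, true );
foreach ( array( 'blocks/QuickSearch', 'blocks/unlisted', 'outside' ) as $d ) {
    file_put_contents( "$root/$d/render.php", "<?php // constructed stub\n" );
}
symlink( "$root/outside", "$root/blocks/DocsGrid" );

foreach ( resolve_block_render_files( "$root/blocks", array( 'QuickSearch', 'DocsGrid' ) ) as $file ) {
    // In a plugin loader this is the point where require_once $file would run.
    echo $file, PHP_EOL;
}
```

The unlisted directory is never considered, and the DocsGrid symlink is rejected because its resolved render.php lies outside the blocks directory.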
