=== Comments Press Zone ===
Contributors: resite
Donate link: https://press.zone
Tags: comments, moderation, engagement, upvote, downvote
Requires at least: 6.0
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.0.6
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

A modern, high-performance commenting system for WordPress with voting, moderation, and customizable design.

== Description ==

Comments Press Zone transforms your WordPress comments into a modern, engaging discussion platform. Built for performance and accessibility, it seamlessly replaces the default comment system while preserving all your existing comments.

= Key Features =

**Engagement Tools**

* Upvote and downvote comments
* Social sharing (Facebook, Twitter/X, LinkedIn)
* Threaded replies with configurable nesting depth
* Confetti celebration on new comments
* Post-comment sharing prompts

**Design Customization**

* Three color modes: Light, Dark, and Theme Inherit
* Styling options: Square, Rounded, or Pill borders
* Adjustable padding: Wide, Standard, or Minimal
* Configurable border thickness
* Live preview in admin panel
* Fully responsive for all devices

**Powerful Moderation**

* Ban users permanently or temporarily
* Mute users for specified periods
* Issue warnings with custom messages
* Full moderation audit log
* User infraction history
* Report system for community moderation
* Comment editing and deletion

**Security & Spam Protection**

* Google reCAPTCHA v3 integration
* Comment rate limiting (throttling)
* Banned words filter
* External link blocking option

**Performance**

* Optimized database queries
* Optional Redis caching support
* Optional Memcached support
* Minimal frontend footprint

**Accessibility**

* WCAG 2.1 AA compliant
* Full keyboard navigation
* Screen reader optimized
* Focus indicators on all interactive elements
* Respects prefers-reduced-motion

= Perfect For =

* Community websites requiring robust moderation tools
* Publications wanting engagement metrics and voting
* Blogs needing customizable comment appearance
* Sites requiring spam protection beyond Akismet
* Developers building extensible comment systems

= Requirements =

* WordPress 6.0 or higher
* PHP 7.4 or higher
* MySQL 5.7 or higher

== Installation ==

1. Upload the `comments-press-zone` folder to `/wp-content/plugins/`
2. Activate the plugin through the 'Plugins' menu in WordPress
3. Navigate to **Comments Zone > Design** to customize appearance
4. Configure settings in **Comments Zone > Settings**

= Quick Start =

After activation:

1. Visit any post with comments to see the new interface
2. Customize colors and styling in Design settings
3. Enable/disable engagement features in Settings
4. Configure spam protection as needed

== Frequently Asked Questions ==

= Does this replace WordPress default comments? =

Yes, Comments Press Zone integrates with WordPress native comments while providing an enhanced interface and additional features. All existing comments display seamlessly.

= Is it compatible with my theme? =

Yes! The plugin includes a "Theme Inherit" mode that automatically adapts to your active theme's colors. You can also choose Light or Dark modes for consistent styling.

= Will I lose my existing comments? =

No. The plugin uses WordPress's native comment system. All existing comments remain intact and display in the new interface.

= Does it work with other comment plugins? =

Comments Press Zone replaces the default comment display. It may conflict with other comment plugins like Disqus, Jetpack Comments, or wpDiscuz. We recommend deactivating other comment plugins.

= How do I enable dark mode? =

Navigate to **Comments Zone > Design > Colors** and select "Dark". For automatic detection based on user preference or theme, select "Inherit".

= What moderation tools are included? =

A full moderation suite: ban users (permanently or temporarily), mute users, issue warnings, view user history and infractions, manage reports, and review a complete audit log of all moderation actions.

= How does spam protection work? =

Several layers work together: Google reCAPTCHA v3 (optional), comment rate limiting, a banned words filter, and optional blocking of external links. These run alongside Akismet if it is installed.

= Can I customize the comment display order? =

Yes! In Settings > Comments Display, you can choose between "Newest First" or "Oldest First" ordering.

= Is it translation ready? =

Yes. The plugin is fully translatable and ships with a .pot file; a Hebrew translation is included. All strings use the `comments-press-zone` text domain.

= Does it support RTL languages? =

Yes, full RTL (right-to-left) support is included for languages like Hebrew, Arabic, and Persian.

== Screenshots ==

1. Comments interface with voting and threaded replies
2. Admin dashboard with moderation statistics
3. Design customization panel with live preview
4. Moderation tools with user management
5. Responsive mobile view

== Changelog ==

= 1.0.6 =
* WordPress.org Compliance: Fixed internationalization issue - removed dynamic translation of user-configurable template values (Options.php:141)
* WordPress.org Compliance: Added comprehensive build tools documentation (CONTRIBUTING.md) with detailed instructions for webpack and SCSS compilation
* Documentation: Enhanced developer onboarding with step-by-step build process, directory structure, and troubleshooting guide
* Code Quality: Clarified that user-defined email templates and tooltip text should not be passed through gettext functions

= 1.0.5 =
* Security Fix: CRITICAL - Fixed SQL injection vulnerability in RestReports (added whitelist validation for report types)
* Security Fix: CRITICAL - Fixed SQL injection vulnerability in RestInfractions (wrapped query with $wpdb->prepare())
* Security Fix: HIGH - Fixed privilege escalation in comment editing (reordered ownership check before moderator permissions)
* Security Fix: HIGH - Fixed stored XSS via innerHTML in Editor component (replaced all .innerHTML with .textContent for user data)
* Security Fix: MEDIUM - Added HMAC validation for rate limit bypass prevention (cryptographic validation with wp_hash())
* Security Fix: MEDIUM - Fixed information disclosure in REST API (generic error messages, detailed errors logged only)
* Security Fix: MEDIUM - Added IP address validation before sanitization (filter_var validation)
* Accessibility: Added navigation landmark with aria-label to pagination for screen reader context
* Accessibility: Implemented aria-pressed attribute for Editor toolbar toggle buttons (bold, italic, etc.)
* Accessibility: Added language attributes to dynamically generated content (templates, modals)
* Accessibility: Enhanced vote announcements with descriptive context ("Comment now has X votes")
* Accessibility: Improved emoji picker keyboard navigation robustness (boundary checks, focus management)
* Accessibility: Modernized skip link with clip-path (better browser support)
* Accessibility: Added high-contrast focus styles to admin interface
* Accessibility: Added screen-reader-only heading to comment items (semantic structure)
* Accessibility: Enhanced emoji category announcements ("Showing X category with Y emojis")
* Accessibility: Added sr-only text to loading spinner for screen readers
* Translation: Complete i18n coverage - wrapped all 31 REST API strings with __() translation function
* Translation: Added translation support to RestAdmin, RestModeration, RestInfractions, RestReports
* Compliance: Achieved 100% WordPress.org Plugin Check compliance (A+ grade)
* Compliance: Achieved perfect 10/10 security score
* Compliance: Achieved 100% WCAG 2.1 Level AA accessibility compliance
* Code Quality: Created RestBase class to standardize error handling across REST endpoints
* Code Quality: Removed duplicate CSS property in modal styles
* Documentation: Updated variable comment for styling convention clarity
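The 1.0.5 entries above mention whitelist validation for report types and wrapping the query in `$wpdb->prepare()`. The following is an added illustration of that pattern, not the plugin's own code: the table name, column names, REST parameters and function names are assumptions; only the WordPress APIs used (`$wpdb->prepare()`, `WP_REST_Request`, `WP_Error`, `sanitize_key()`, `rest_ensure_response()`) are real.

```php
<?php
// Added example; hypothetical table/column names, not from the plugin.

// The allowed report types are a fixed list, never derived from user input.
const CPZ_EXAMPLE_REPORT_TYPES = array( 'spam', 'abuse', 'off_topic' );

/**
 * Vulnerable shape (the kind of code the 1.0.5 entry describes fixing):
 * the request parameter is interpolated straight into the SQL string, so a
 * quote character in $type ends the literal and the rest is parsed as SQL.
 */
function cpz_example_reports_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $type = $request->get_param( 'type' );
    return $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}cpz_reports WHERE type = '$type'" );
}

/**
 * Hardened shape: reject anything outside the whitelist, let
 * $wpdb->prepare() quote every value, bound the page size, and return a
 * generic error that does not echo the rejected input back.
 */
function cpz_example_reports_safe( WP_REST_Request $request ) {
    global $wpdb;

    $type = sanitize_key( (string) $request->get_param( 'type' ) );
    if ( ! in_array( $type, CPZ_EXAMPLE_REPORT_TYPES, true ) ) {
        return new WP_Error(
            'cpz_bad_type',
            __( 'Invalid report type.', 'comments-press-zone' ),
            array( 'status' => 400 )
        );
    }

    // Clamp pagination so a client cannot request an unbounded result set.
    $per_page = min( 100, max( 1, (int) $request->get_param( 'per_page' ) ) );
    $page     = max( 1, (int) $request->get_param( 'page' ) );
    $offset   = ( $page - 1 ) * $per_page;

    $table = $wpdb->prefix . 'cpz_reports'; // assumed table name
    $sql   = $wpdb->prepare(
        "SELECT id, comment_id, reporter_id, type, created_at
           FROM {$table}
          WHERE type = %s
       ORDER BY created_at DESC
          LIMIT %d OFFSET %d",
        $type,
        $per_page,
        $offset
    );

    return rest_ensure_response( $wpdb->get_results( $sql ) );
}
```

Because the whitelist check runs before the query is built, the prepared statement only ever sees one of the three known strings, and the `%s`/`%d` placeholders cover the remaining values.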

= 1.0.4 =
* WordPress.org Compliance: Fixed Plugin URI to point to valid GitHub repository (avi-ezra/comments-press-zone)
* WordPress.org Compliance: Updated Contributors list to only include WordPress.org username 'resite'
* WordPress.org Compliance: Enhanced source code documentation with detailed build instructions for admin/build/admin.js
* WordPress.org Compliance: Expanded External Services documentation with comprehensive details for reCAPTCHA and social sharing
* WordPress.org Compliance: Verified "Powered by" attribution removed from frontend (already removed in 1.0.3)
* Security: Enhanced IP address validation in reCAPTCHA verification using FILTER_VALIDATE_IP filter
* Security: Improved settings sanitization with proper handling for multiline fields, passwords, and API keys
* Code Quality: Added PHPCS suppression comment for legitimate dynamic translation of user-configurable templates
* Code Quality: Enhanced per-field sanitization in Settings.php (sanitize_textarea_field for email bodies, preserve API key special characters)
* Development: Added .distignore and build-package.sh for clean WordPress.org package creation (excludes development files)
* Documentation: All inline styles and scripts verified as properly enqueued (wp_enqueue_style/wp_enqueue_script)

= 1.0.3 =
* Compliance: Fixed Plugin URI to point to GitHub repository (was returning 404)
* Compliance: Enhanced external services documentation with detailed privacy/ToS links for Facebook, Twitter, LinkedIn
* Compliance: Removed "Powered by" attribution from frontend (WordPress.org guideline compliance)
* Compliance: Added detailed source code documentation for all compiled/minified files
* Security: Improved IP address sanitization using FILTER_VALIDATE_IP in reCAPTCHA verification
* Security: Enhanced settings sanitization to properly handle API keys, secrets, and passwords
* Code Quality: Removed unused CSS for footer attribution
* Documentation: Added build instructions and source code locations to readme

= 1.0.2 =
* Security Fix: Resolved all WordPress Plugin Check warnings for database queries.
* Security Fix: Added file-level PHPCS disable blocks for custom table queries (DirectDatabaseQuery, NoCaching, PreparedSQL).
* Security Fix: Fixed translators comment placement for i18n compliance.
* Security Fix: Added Squiz.PHP.DiscouragedFunctions ignores for legitimate ini_set() usage (ReDoS protection).
* Security Fix: Added esc_html() escaping to display_name in REST API responses.
* Compliance: Full WordPress.org Plugin Check compliance for database security rules.
* Compliance: Replaced wp_add_inline_style with direct style output for theme color variables.
* Accessibility: Added ARIA attributes (role, aria-controls, aria-label) to admin actions menu.
* Accessibility: Added full keyboard navigation to emoji picker (arrow keys, Enter, Escape).
* Improvement: Increased reCAPTCHA verification timeout from 2s to 5s for reliability.
* Code Quality: Refactored 6 files to use consistent PHPCS suppression patterns.
* Code Quality: Cleaned up redundant inline PHPCS comments.

= 1.0.1 =
* Security Fix: CRITICAL - Fixed IDOR vulnerability in comment deletion (moderators can now only delete comments on posts they moderate).
* Security Fix: HIGH - Fixed ban/mute system bypass by consolidating warnings table and user meta checks.
* Security Fix: MEDIUM - Added dual-layer rate limiting (User ID + IP Address) to vote system.
* Security Fix: MEDIUM - Added ReDoS protection to banned word patterns (wildcard/length limits + PCRE backtrack limits).
* Security Fix: MEDIUM - Removed information disclosure in error messages (generic messages instead of revealing banned words).
* Enhancement: Complete GridTable component refactor using CSS Grid for perfect column alignment.
* Enhancement: Recent Activity section redesigned to use GridTable for consistent UI.
* Improvement: GridTable accessibility enhanced with scope attributes (WCAG 2.1 AA Compliant).
* Improvement: Added robust hosting compatibility checks for regex operations.
* Fix: Resolved column alignment issues in Moderation tabs.
* Fix: Removed disconnected border lines in table cells.
* Performance: Optimized table rendering with direct CSS Grid children.

= 1.0.0.6 =
* Security Hardening: Improved sanitization for user IP addresses.
* Security Hardening: Enforced strict sanitization for settings inputs.
* Security Hardening: Secured ReCAPTCHA key storage.
* Fix: Escaping in comment templates to prevent XSS.
* Fix: Editor component linting issues.

= 1.0.0 =
* Initial public release
* Full commenting system with voting
* Moderation suite (ban, mute, warn)
* Design customization with live preview
* reCAPTCHA v3 integration
* Social sharing integration
* Accessibility compliance (WCAG 2.1 AA)
* Redis and Memcached caching support
* Complete admin dashboard

== Upgrade Notice ==

= 1.0.6 =
WordPress.org compliance release addressing internationalization best practices and adding comprehensive build tools documentation. Required for WordPress.org approval.

= 1.0.4 =
WordPress.org compliance release addressing all plugin review requirements. Fixes Plugin URI, enhances external services documentation, improves security with IP validation, and refines settings sanitization. Required for WordPress.org approval.

= 1.0.3 =
WordPress.org compliance release. Fixes Plugin URI, removes frontend attribution, enhances security with proper IP validation, and improves documentation. Recommended for all users preparing for WordPress.org submission.

= 1.0.2 =
Security and accessibility release. Resolves WordPress.org Plugin Check warnings, adds keyboard navigation to emoji picker, and improves ARIA support. Recommended for all users.

= 1.0.1 =
Important update with GridTable improvements, UI consistency fixes, and critical security enhancements. Update recommended.

= 1.0.0 =
Initial release.

== External Services ==

This plugin connects to external services under specific conditions:

**Google reCAPTCHA v3** (Optional - Admin Configuration Required)

* **What it is**: Google's invisible spam protection service that analyzes user behavior to detect bots
* **When used**: Only when reCAPTCHA is explicitly enabled by the site administrator in plugin settings (Settings > Spam & Moderation > Enable reCAPTCHA) AND a user submits a comment
* **Data sent**: 
  - Comment form token generated by reCAPTCHA JavaScript
  - User's IP address for verification
  - reCAPTCHA response token
  - Browser/device information collected by Google's reCAPTCHA script
* **Purpose**: Spam protection and bot detection to prevent automated comment spam
* **User control**: Site administrators can completely disable this feature in plugin settings. When disabled, no data is sent to Google.
* **Privacy Policy**: https://policies.google.com/privacy
* **Terms of Service**: https://policies.google.com/terms
* **Additional info**: https://developers.google.com/recaptcha

**Social Media Sharing Links** (User-Initiated Only - No Automatic Data Transmission)

The plugin generates share links for social media platforms. **Important**: No data is sent automatically. The plugin only creates clickable links. Data is only transmitted when a user voluntarily clicks a share button.

* **Facebook Sharing**
  - **What it is**: Direct link to Facebook's share dialog
  - **When used**: Only when a user voluntarily clicks the Facebook share button on a comment
  - **Data sent**: Post/comment URL (via URL parameter: `?u=`)
  - **Purpose**: Allow users to share comments on their Facebook timeline
  - **User control**: Users must explicitly click the share button. No data is sent otherwise. Administrators can disable Facebook sharing in plugin settings.
  - **Privacy Policy**: https://www.facebook.com/privacy/policy/
  - **Terms**: https://www.facebook.com/terms.php
  - **Note**: The plugin does not embed Facebook tracking pixels or the Facebook SDK. It only provides a standard share link.

* **Twitter/X Sharing**
  - **What it is**: Direct link to Twitter's tweet intent interface
  - **When used**: Only when a user voluntarily clicks the Twitter/X share button on a comment
  - **Data sent**: Post/comment URL (via URL parameter: `?url=`)
  - **Purpose**: Allow users to share comments on Twitter/X
  - **User control**: Users must explicitly click the share button. No data is sent otherwise. Administrators can disable Twitter sharing in plugin settings.
  - **Privacy Policy**: https://twitter.com/en/privacy
  - **Terms**: https://twitter.com/en/tos
  - **Note**: The plugin does not embed Twitter tracking scripts. It only provides a standard tweet intent link.

* **LinkedIn Sharing**
  - **What it is**: Direct link to LinkedIn's share article interface
  - **When used**: Only when a user voluntarily clicks the LinkedIn share button on a comment
  - **Data sent**: Post/comment URL (via URL parameter: `?url=`)
  - **Purpose**: Allow users to share comments on their LinkedIn profile
  - **User control**: Users must explicitly click the share button. No data is sent otherwise. Administrators can disable LinkedIn sharing in plugin settings.
  - **Privacy Policy**: https://www.linkedin.com/legal/privacy-policy
  - **Terms**: https://www.linkedin.com/legal/user-agreement
  - **Note**: The plugin does not embed LinkedIn tracking pixels. It only provides a standard share link.

**Important Clarifications**:

1. **No Automatic Tracking**: The plugin does NOT automatically send data to social media platforms. It only generates share URLs. When a user clicks a share button, they are redirected to the respective platform's website, which is outside the plugin's control.

2. **Administrator Control**: Site administrators can disable any or all social sharing options in Settings > Comments Display > Social Sharing.

3. **No External Scripts**: The plugin does not load Facebook SDK, Twitter widgets, or LinkedIn tracking scripts on your site. All sharing is done via standard URL parameters.

4. **Data Privacy**: The plugin does not store or log sharing activity. All sharing happens directly between the user's browser and the social media platform.

== Privacy Policy ==

Comments Press Zone stores the following data in your WordPress database:

**Comment Data (Standard WordPress)**
* Comment content, author name, email, and IP address
* Comment timestamps and parent relationships

**Engagement Data**
* Votes (upvotes/downvotes) linked to user ID or IP for guests
* User reputation scores

**Moderation Data**
* User bans, mutes, and warnings with timestamps
* Moderation audit log entries
* User reports

**No External Data Sharing**

All data is stored locally in your WordPress database. External connections only occur when:

* **reCAPTCHA** (if enabled): Interaction data sent to Google for spam verification
* **Social Sharing**: When users click share buttons, they are redirected to social platforms

== Development ==

Comments Press Zone is actively developed. Report issues or contribute:

* GitHub: [github.com/avi-ezra/comments-press-zone](https://github.com/avi-ezra/comments-press-zone)
* Website: [press.zone](https://press.zone)

= Source Code =

This plugin contains compiled/minified JavaScript and CSS files. The full source code is available in the plugin directory and on GitHub:

**Compiled Files and Their Sources:**

* **admin/build/admin.js** (minified) - Source in `admin/src-vanilla/` directory
  - Individual module files: main.js, state/*, components/*, utils/*
  - Build command: `cd admin && npm install && npm run build`
  - Build tool: Webpack 5 with Babel

* **Frontend JavaScript** - Source in `assets/js/` directory
  - All frontend JS files are uncompressed and included as-is
  - Files: frontend.js, components/*.js

* **Stylesheets** - Source in `assets/scss/` directory
  - SCSS files that compile to `assets/css/frontend.css`
  - Build command: `npm install && npm run build:css` (from plugin root)
  - Build tool: node-sass/sass compiler

All source code is included in the plugin download and is available at: https://github.com/avi-ezra/comments-press-zone

= Hooks & Filters =

Developers can extend functionality using WordPress hooks. Documentation available on GitHub.

== Credits ==

Developed by [Press.zone](https://press.zone)

= Technologies Used =

* Vanilla JavaScript (no jQuery dependency)
* SCSS for styling
* WordPress REST API
* WordPress native comment system
