Blogging prompts: Refinements

[creativecoder]

Addresses feedback from #26680 (review)

Changes proposed in this Pull Request:

• Adds nonce exception comments
• Use proper functions for time and date generation
• Remove locale conversion function (and tests) in favor of wpcom API change
• Remove unneeded escaping work-around for JSON data
• Better escaping/error handling in a couple of places

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?

Jetpack product discussion

See #26680 for context

Does this pull request change what data or activity we track or use?

No.

Testing instructions:

No user facing changes from #26680. Testing instructions from that PR
Jetpack Site

• Be sure the site is connected to WP.com to load Jetpack blocks in the editor
• Enable experimental blocks by adding define( 'JETPACK_EXPERIMENTAL_BLOCKS', true ) (or Settings > Jetpack Constants if you're using jurassic.ninja)
• Set the site as "having a blog" by doing at least one of the following
  • Set the site_intent option to write
  • Set the front page to show posts in Settings > Reading
  • Set a static page for the posts page in Settings > Reading
• Create a new post, you should see a writing prompt in the placeholder for the first paragraph
• Create a new post and add the answer_prompt query param with the prompt id for today as the value (e.g. /wp-admin/post-new.php?answer_prompt=2130), and you should see a writing prompt as a pullquote block, the tag dailyprompt added to the post, and the _jetpack_blogging_prompt_key post meta set to the prompt id.
• Create a new page or custom post type, and you should not see the writing prompt
• Open an existing post, and you should not see the writing prompt

Simple Site

• Sandbox a Simple site domain
• Apply this PR to your sandbox: bin/jetpack-downloader test jetpack try/paragraph-block-writing-prompts
• Continue with the testing instructions, as above.

[github-actions]

Are you an Automattician? You can now test your Pull Request on WordPress.com. On your sandbox, run bin/jetpack-downloader test jetpack update/blogging-prompt-refinements to get started. More details: p9dueE-5Nn-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ All commits were linted before commit.
  
• ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.

---

Once your PR is ready for review, check one last time that all required checks (other than "Required review") appearing at the bottom of this PR are passing or skipped.
Then, add the "[Status] Needs Team review" label and ask someone from your team review the code.
Once you’ve done so, switch to the "[Status] Needs Review" label; someone from Jetpack Crew will then review this PR and merge it to be included in the next Jetpack release.

---

Jetpack plugin:

• Next scheduled release: January 3, 2023.
• Scheduled code freeze: December 26, 2022.

[anomiex]

Comment on line 75 is the only one preventing me giving an approval. The others are optional as far as I'm concerned or are just for discussion.

[anomiex]

Wrong function, and the right function won't do the right thing as you're doing it here.

Suggested change

	$path = rawurldecode( '/sites/' . $blog_id . '/blogging-prompts?from=' . $day_before . '&number=10&_locale=' . $locale );
	$path = '/sites/' . rawurlencode( $blog_id ) . '/blogging-prompts?from=' . rawurlencode( $day_before ) . '&number=10&_locale=' . rawurlencode( $locale );

[creativecoder]

🤦🏼 Working too quickly on that one--thanks for the correction.

[anomiex]

If you want to be extra safe

Suggested change

	'var Jetpack_BloggingPrompts = ' . wp_json_encode( $daily_prompts, JSON_HEX_TAG ) . ';',
	'var Jetpack_BloggingPrompts = ' . wp_json_encode( $daily_prompts, JSON_HEX_TAG | JSON_HEX_AMP ) . ';',

[creativecoder]

Nice!

[anomiex]

Should we worry about the list of "draft" posts getting filled up by an attacker?

[creativecoder]

It's a fair question! In practice, I'm personally not worried--it seems like a lot of effort (or patience) to get a user to open the answer_prompt link enough times to be concerning. I think there are probably easier and lower effort attacks.

For me the desire to make answering a writing prompt as seamless as possible from multiple contexts outweighs the (arguably) minimal security benefit of a nonce in this particular case.

[anomiex]

Fair enough. I don't know enough about this to second-guess the decision, I just wanted to confirm that the decision was made with relevant factors having been considered.

[creativecoder]

FYI, I'm attempting to move the mag16 locale logic to wpcom here: D93225-code