Refactoring : sécurité (XSS), découpage en modules inc/* et js/admin/*, IDs résolus par slug, perf (caches, cron Gravatar, assets auto-hébergés), tests

This commit is contained in:
2026-06-10 21:30:25 +02:00
parent e6b73df516
commit 9280c3b9ce
44 changed files with 3209 additions and 2907 deletions


@@ -40,14 +40,16 @@ function thalim_get_single_data($post_id) {
$data = [
// Text fields
'sous_titre' => thalim_bilingual( get_post_meta($post_id, 'sous-titre', true) ?: '', $lang ),
'reference_bibliographique' => get_post_meta($post_id, 'reference_bibliographique', true) ?: '',
// wp_kses_post: rendus en |raw dans single.twig (autoescape off) et
// éditables par les contributeurs listés en membres → filtrer le HTML.
'reference_bibliographique' => wp_kses_post( get_post_meta($post_id, 'reference_bibliographique', true) ?: '' ),
'editeur' => get_post_meta($post_id, 'editeur', true) ?: '',
'journal' => get_post_meta($post_id, 'journal', true) ?: '',
'lieu' => thalim_bilingual( get_post_meta($post_id, 'lieu', true) ?: '', $lang ),
'adresse' => nl2br( esc_html( get_post_meta($post_id, 'adresse', true) ?: '' ) ),
'autrepersonnes' => get_post_meta($post_id, 'autrepersonnes', true) ?: '',
'autre_autrepersonnes' => get_post_meta($post_id, 'autre_autrepersonnes', true) ?: '',
'body_en' => apply_filters( 'the_content', get_post_meta($post_id, 'body_en', true) ?: '' ),
'body_en' => apply_filters( 'the_content', wp_kses_post( get_post_meta($post_id, 'body_en', true) ?: '' ) ),
// Dates (formatted for display)
'datetime' => thalim_format_date(get_post_meta($post_id, 'datetime', true), $lang),
@@ -110,10 +112,10 @@ function thalim_get_single_data($post_id) {
if ($ts_debut) $data['date_debut_ymd'] = date('Y-m-d', $ts_debut);
if ($ts_fin) $data['date_fin_ymd'] = date('Y-m-d', $ts_fin);
// Ouvrages (cat 15): override display to year only — raw timestamps and
// Ouvrages: override display to year only — raw timestamps and
// *_ymd fields stay full-precision so sorting/filtering on index pages
// (`thalim_event_date_order`) keeps working.
if (in_array(15, wp_get_post_categories($post_id), true)) {
if (in_array(thalim_cat_id('ouvrages'), wp_get_post_categories($post_id), true)) {
$data['date_de_debut'] = thalim_format_date($raw_debut, $lang, 'Y');
$data['date_de_fin'] = thalim_format_date($raw_fin, $lang, 'Y');
$data['datetime'] = thalim_format_date(get_post_meta($post_id, 'datetime', true), $lang, 'Y');
@@ -138,7 +140,7 @@ function thalim_get_single_data($post_id) {
// --- Category hierarchy for breadcrumb and color ---
$categories = wp_get_post_categories($post_id, ['fields' => 'all']);
$excluded_ids = [12, 31];
$excluded_ids = array_filter([ thalim_cat_id('seance'), thalim_cat_id('non-classe') ]);
foreach ($categories as $cat) {
if (in_array($cat->term_id, $excluded_ids)) continue;
$ancestor_ids = get_ancestors($cat->term_id, 'category');
@@ -256,7 +258,6 @@ function thalim_get_single_data($post_id) {
'post_type' => 'post',
'post__in' => array_map('intval', $related_ids),
'posts_per_page' => -1,
'lang' => '',
]);
}
@@ -272,7 +273,6 @@ function thalim_get_single_data($post_id) {
'orderby' => 'meta_value',
'meta_key' => 'date_de_debut',
'order' => 'ASC',
'lang' => '',
'post_status' => ['publish', 'future'],
]);
$now = time();
@@ -303,7 +303,7 @@ function thalim_get_single_data($post_id) {
'heure_de_fin' => substr( get_post_meta($seance->ID, 'heure_de_fin', true) ?: '', 0, 5 ),
'lieu' => thalim_bilingual( get_post_meta($seance->ID, 'lieu', true) ?: '', $lang ),
'adresse' => nl2br( esc_html( get_post_meta($seance->ID, 'adresse', true) ?: '' ) ),
'body_en' => apply_filters( 'the_content', get_post_meta($seance->ID, 'body_en', true) ?: '' ),
'body_en' => apply_filters( 'the_content', wp_kses_post( get_post_meta($seance->ID, 'body_en', true) ?: '' ) ),
'intervenants' => [],
'images' => [],
'documents' => [],
@@ -372,7 +372,6 @@ function thalim_get_single_data($post_id) {
'post_type' => 'post',
'post__in' => array_map('intval', $s_related_ids),
'posts_per_page' => -1,
'lang' => '',
]);
}