Show full reply tree in orphan drawer

buildThreadEntry alone was called per orphan, so only the root
message appeared in the drawer. Now each orphaned thread renders
with its complete reply tree (re

Show full reply tree in orphan drawer

buildThreadEntry alone was called per orphan, so only the root
message appeared in the drawer. Now each orphaned thread renders
with its complete reply tree (read-only: no Reply/Edit/Delete
buttons on replies). A .ann-orphan-thread wrapper groups each
thread visually, mirroring the inline panel styling.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

show more ...

Add clear-resolved to admin overview; make orphaned annotations read-only

Admin panel now shows a Resolved column alongside Normal and Orphaned, with
per-page and wiki-wide "clear resolved" actions

Add clear-resolved to admin overview; make orphaned annotations read-only

Admin panel now shows a Resolved column alongside Normal and Orphaned, with
per-page and wiki-wide "clear resolved" actions mirroring the existing orphan
clears. The counts deliberately overlap: a resolved annotation is counted in
both its anchoring facet (Normal or Orphaned) and the Resolved column, so each
clear button removes exactly what its label says.

helper::pageCounts() gains the resolved key; clearResolvedAll() mirrors
clearOrphanedAll(). In the front-end, orphaned annotation threads are now
read-only — Resolve/Reopen and Edit are suppressed, leaving only Delete.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

show more ...

Fix stored XSS in JSINFO embed and self-deadlocking write lock

Two serious bugs found during review, plus three minor fixes:

- Stored XSS: the inline-embedded annotation payload was encoded with

Fix stored XSS in JSINFO embed and self-deadlocking write lock

Two serious bugs found during review, plus three minor fixes:

- Stored XSS: the inline-embedded annotation payload was encoded with
JSON_UNESCAPED_SLASHES and appended into the page's inline <script>. A
body containing "</script>" closed the script element and injected
arbitrary HTML, executing in every viewer's browser. Anyone who can
annotate (AUTH_READ + login) could exploit it. Add JSON_HEX_TAG so < and
> are escaped, neutralising every tag-based breakout.

- Write lock: mutate() held io_lock($file) and then called
io_saveFile($file), which takes io_lock($file) again internally. The
inner lock collided with the outer, busy-waiting ~3s for the stale-lock
timeout on every create/edit/delete/resolve/clear and defeating mutual
exclusion. Lock on a sentinel key ($file.lock) instead, leaving
io_saveFile's own lock uncontended (matches DokuWiki TaskRunner idiom).

- style.css: the :root colour fallbacks were self-referential
(var(--x) of themselves), i.e. cyclic and invalid, not a fallback.
Replace with the literal config-default triplets.

- action.php: drop hsc() from a JSON error string (wrong context).

- script.js: refresh the open orphan drawer after a thread mutation so an
edited body shows there too.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

show more ...

Add config, selection guards, annotation overlap detection, and glow button

- Config: color_open / color_resolved (hex, drives CSS vars); embed_max_bytes,
context_length, body_cap move from consta

Add config, selection guards, annotation overlap detection, and glow button

- Config: color_open / color_resolved (hex, drives CSS vars); embed_max_bytes,
context_length, body_cap move from constants to conf/default + metadata.
action.php injects --ann-open-rgb / --ann-resolved-rgb as CSS custom props;
style.css escapes every rgba(var(…)) with LESS ~"…" so lesserphp doesn't
bake them to #000000 at compile time.
- Selection guards: Annotate button suppressed inside .ann-* UI, #dw__toc,
.docInfo, .secedit; the old endpoint-only isInsideHighlight is replaced by
selectionHitsHighlight (range.intersectsNode over all highlight spans) so a
selection overrunning an existing annotation on either side opens it instead
of offering a new overlapping one.
- Glow: static amber box-shadow on .ann-tooltip .ann-btn (no animation).
- Removed email line from plugin.info.txt; updated GeneralTest accordingly.
- context_length fed to JS via JSINFO.annotations.contextLen so capture and
PHP trimming stay in sync.
- conf/ + lang/*/settings.php + README/DESIGN updated.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

show more ...

Add spinner to Clear buttons; close orphan drawer when last orphan removed

- doClearResolved and doClearOrphaned now accept a btn param and call
setBusy so they spin consistently with all other AJ

Add spinner to Clear buttons; close orphan drawer when last orphan removed

- doClearResolved and doClearOrphaned now accept a btn param and call
setBusy so they spin consistently with all other AJAX buttons; both
also gain a .catch that resets the spinner and alerts on failure.
- New syncOrphanDrawer() rebuilds or removes the open orphan drawer after
any mutation so deleted entries disappear live. Hooked into
doDeleteAnnotation (one-by-one), doClearOrphaned, and doClearResolved.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

show more ...

Eliminate load round-trip by embedding annotations in JSINFO

action.php now reads the annotation list once during page render and
ships it inline as JSINFO.annotations.annotations, so script.js rend

Eliminate load round-trip by embedding annotations in JSINFO

action.php now reads the annotation list once during page render and
ships it inline as JSINFO.annotations.annotations, so script.js renders
immediately at DOMContentLoaded with no second AJAX bootstrap (~300 ms
saved per view). The embedded list also removes the double file read
that existed before (getStats called getAnnotations internally, then the
client fetched the same file again).

helper.php adds statsFor(array) so action.php can derive stats from the
already-loaded list instead of re-reading through getStats(). getStats
now delegates to it.

script.js uses the embedded list when present; falls back to the GET
load endpoint only when the list was too large to embed (>128 KB cap).
Adds a window.load repositionMarkers call so gutter markers re-align
after late-loading images shift the layout.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

show more ...

Rework annotation UI: threaded replies, polish, and fixes

Builds the threaded-reply UI on the new parentId backend and tidies up
the front-end overlay.

Threaded replies:
- Render replies as an inde

Rework annotation UI: threaded replies, polish, and fixes

Builds the threaded-reply UI on the new parentId backend and tidies up
the front-end overlay.

Threaded replies:
- Render replies as an indented tree (buildReplyTree / appendReplyTree)
with an inline "reply to this reply" form on each entry.

Fixes:
- Keep gutter markers aligned with their highlights. A marker lives in
document.body at absolute coordinates, so opening or closing a panel, or
resizing the window, used to leave it stranded away from its text;
repositionMarkers() now re-aligns them on those events.
- Stop stealing focus when a panel is re-opened after an action (resolve,
edit, delete), which previously jumped the viewport down to the reply box.
- Preserve panel position after replies and edits by merging the client
render state (_highlightEl, _markerEl, _range) onto server responses.

Polish:
- Show a busy spinner on buttons while an AJAX request is in flight.
- Layout: position the counter bar and orphan drawer correctly around the
floated TOC; fix highlight hover colours and the marker column position.

Cleanup / dedup:
- Fold the four near-identical thread mutation handlers (reply, edit,
edit-reply, delete-reply) into one submitThreadAction() helper.
- De-duplicate wrapHighlight()'s two branches and make its title null-safe.
- Remove the unused refreshAnnotation() left over from before the server
returned the full annotation.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

show more ...

Fix highlight off-by-one, localise the UI, add tests

Anchoring (the core bug):
- Replace buildNormToRaw with normalizeWithMap so the normalised search
string and the normalised->raw index map are

Fix highlight off-by-one, localise the UI, add tests

Anchoring (the core bug):
- Replace buildNormToRaw with normalizeWithMap so the normalised search
string and the normalised->raw index map are built in one pass and share
the same trimming. DokuWiki indents its content markup, so the collected
text starts with a whitespace text node; the old untrimmed map shifted
every highlight by a character. Verified on the live wiki: a quote now
re-anchors exactly, including across element boundaries.
- Locate all matches first, then wrap last-to-first, so wrapping (which
splits text nodes) never disturbs a not-yet-wrapped offset.
- Fix a pre-existing orphan double-count: renderAll passed an orphan total
into updateCounter, which then recounted it from the _orphaned flags.

Localisation:
- Move front-end strings to $lang['js'] (exposed as LANG.plugins.annotations)
and read them via t()/fmt() with English fallbacks.
- Add de, ru and ja translations alongside en.

Conventions / cleanup:
- action.php: read request data via $INPUT; pass the CSRF token straight to
checkSecurityToken($token) instead of poking $_POST/$_REQUEST; unify admin
detection on auth_isadmin().
- helper.php: write annotation files with JSON_UNESCAPED_UNICODE | _SLASHES.
- Drop the dead ann-highlight-orphaned constant; set panel data-status so the
resolved accent in style.css applies.

Tests:
- Add _test/GeneralTest.php (manifest + conf invariant) and _test/HelperTest.php
(permission rules, CRUD, input cleaning, findOrphaned). 15 tests pass.

Docs: sync DESIGN.md and README.md; bump plugin.info.txt date.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

show more ...

Fix anchor capture when starting a new annotation

Browsers collapse the text selection before the tooltip button's click
handler runs, so captureAnchor() saw an empty selection and new
annotations w

Fix anchor capture when starting a new annotation

Browsers collapse the text selection before the tooltip button's click
handler runs, so captureAnchor() saw an empty selection and new
annotations were silently lost. Capture the anchor on the button's
mousedown -- while the selection is still intact -- into a module-level
_pendingAnchor that the click handler consumes. Don't replace an
already-showing tooltip (which would orphan the button mid-click), and
keep the new-annotation form alive through the mouseup that follows the
click instead of tearing it down with the tooltip.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

show more ...

Expose current user, admin flag and CSRF token to the front-end

DokuWiki's JSINFO carries no user identity, so script.js could not tell
who was logged in and could not gate the edit/delete/resolve U

Expose current user, admin flag and CSRF token to the front-end

DokuWiki's JSINFO carries no user identity, so script.js could not tell
who was logged in and could not gate the edit/delete/resolve UI. Inject
user, isAdmin and the security token into JSINFO.annotations from
action.php, and read them from there instead of the non-existent
JSINFO.userinfo object and the #dw__token hidden field.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

show more ...

Fix JSINFO injection timing and gutter marker positioning

handleMetaHeader() wrote the annotation payload to $JSINFO, but
tpl_metaheaders() has already serialised JSINFO into the inline <script>
by

Fix JSINFO injection timing and gutter marker positioning

handleMetaHeader() wrote the annotation payload to $JSINFO, but
tpl_metaheaders() has already serialised JSINFO into the inline <script>
by the time TPL_METAHEADER_OUTPUT fires, so the data never reached the
page. Append a `JSINFO.annotations = {...}` statement to that inline
block instead, and only inject it on show / export_xhtml views.

Anchor the gutter markers to .page (the article column) rather than
#dokuwiki__content: the latter's position:relative extended over the
sidebar and swallowed its navigation clicks.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

show more ...

Initial annotations plugin

Word- and sentence-level annotations for DokuWiki pages: text-quote
anchoring, threaded replies, open/resolved status, gutter markers,
client- and server-side orphan detec

Initial annotations plugin

Word- and sentence-level annotations for DokuWiki pages: text-quote
anchoring, threaded replies, open/resolved status, gutter markers,
client- and server-side orphan detection, a per-user on/off toggle, and
admin per-page bulk-clear. Annotations are stored out-of-band in a
per-page JSON file, so the wiki changelog is never touched.

Built with Claude Opus 4.7 and Sonnet 4.6.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

show more ...