From ef103b26ed0155040f7fb3ddb43c71d4d412ebd5 Mon Sep 17 00:00:00 2001
From: Konstantin Obenland <obenland@gmx.de>
Date: Thu, 4 Dec 2025 15:51:04 -0600
Subject: [PATCH 1/6] Wrap blocked domains and keywords tables in collapsible
 details element

---
 includes/wp-admin/class-settings-fields.php | 72 ++++++++++++++-------
 1 file changed, 48 insertions(+), 24 deletions(-)

diff --git a/includes/wp-admin/class-settings-fields.php b/includes/wp-admin/class-settings-fields.php
index 24cd4adb56..a249330753 100644
--- a/includes/wp-admin/class-settings-fields.php
+++ b/includes/wp-admin/class-settings-fields.php
@@ -429,23 +429,35 @@ public static function render_moderation_section_description() {
 	 */
 	public static function render_site_blocked_domains_field() {
 		$blocked_domains = Moderation::get_site_blocks()['domains'];
+		$count           = \count( $blocked_domains );
 		?>
 		<p class="description"><?php \esc_html_e( 'Block entire ActivityPub instances by domain name.', 'activitypub' ); ?></p>
 
 		<div class="activitypub-site-block-list">
 			<?php if ( ! empty( $blocked_domains ) ) : ?>
-			<table class="widefat striped activitypub-site-blocked-domain" role="presentation" style="max-width: 500px; margin: 15px 0;">
-				<?php foreach ( $blocked_domains as $domain ) : ?>
-					<tr>
-						<td><?php echo \esc_html( $domain ); ?></td>
-						<td style="width: 80px;">
-							<button type="button" class="button button-small remove-site-block-btn" data-type="domain" data-value="<?php echo \esc_attr( $domain ); ?>">
-								<?php \esc_html_e( 'Remove', 'activitypub' ); ?>
-							</button>
-						</td>
-					</tr>
-				<?php endforeach; ?>
-			</table>
+			<details style="margin: 10px 0;">
+				<summary style="cursor: pointer; padding: 8px 0; color: inherit;">
+					<?php
+					\printf(
+						/* translators: %s: Number of blocked domains */
+						\esc_html( \_n( '%s blocked domain', '%s blocked domains', $count, 'activitypub' ) ),
+						\number_format_i18n( $count )
+					);
+					?>
+				</summary>
+				<table class="widefat striped activitypub-site-blocked-domain" role="presentation" style="max-width: 500px; margin-top: 10px;">
+					<?php foreach ( $blocked_domains as $domain ) : ?>
+						<tr>
+							<td><?php echo \esc_html( $domain ); ?></td>
+							<td style="width: 80px;">
+								<button type="button" class="button button-small remove-site-block-btn" data-type="domain" data-value="<?php echo \esc_attr( $domain ); ?>">
+									<?php \esc_html_e( 'Remove', 'activitypub' ); ?>
+								</button>
+							</td>
+						</tr>
+					<?php endforeach; ?>
+				</table>
+			</details>
 			<?php endif; ?>
 
 			<div class="add-site-block-form" style="display: flex; max-width: 500px; gap: 8px;">
@@ -463,23 +475,35 @@ public static function render_site_blocked_domains_field() {
 	 */
 	public static function render_site_blocked_keywords_field() {
 		$blocked_keywords = Moderation::get_site_blocks()['keywords'];
+		$count            = \count( $blocked_keywords );
 		?>
 		<p class="description"><?php \esc_html_e( 'Block ActivityPub content containing specific keywords.', 'activitypub' ); ?></p>
 
 		<div class="activitypub-site-block-list">
 			<?php if ( ! empty( $blocked_keywords ) ) : ?>
-			<table class="widefat striped activitypub-site-blocked-keyword" role="presentation" style="max-width: 500px; margin: 15px 0;">
-				<?php foreach ( $blocked_keywords as $keyword ) : ?>
-					<tr>
-						<td><?php echo \esc_html( $keyword ); ?></td>
-						<td style="width: 80px;">
-							<button type="button" class="button button-small remove-site-block-btn" data-type="keyword" data-value="<?php echo \esc_attr( $keyword ); ?>">
-								<?php \esc_html_e( 'Remove', 'activitypub' ); ?>
-							</button>
-						</td>
-					</tr>
-				<?php endforeach; ?>
-			</table>
+			<details style="margin: 10px 0;">
+				<summary style="cursor: pointer; padding: 8px 0; color: inherit;">
+					<?php
+					\printf(
+						/* translators: %s: Number of blocked keywords */
+						\esc_html( \_n( '%s blocked keyword', '%s blocked keywords', $count, 'activitypub' ) ),
+						\number_format_i18n( $count )
+					);
+					?>
+				</summary>
+				<table class="widefat striped activitypub-site-blocked-keyword" role="presentation" style="max-width: 500px; margin-top: 10px;">
+					<?php foreach ( $blocked_keywords as $keyword ) : ?>
+						<tr>
+							<td><?php echo \esc_html( $keyword ); ?></td>
+							<td style="width: 80px;">
+								<button type="button" class="button button-small remove-site-block-btn" data-type="keyword" data-value="<?php echo \esc_attr( $keyword ); ?>">
+									<?php \esc_html_e( 'Remove', 'activitypub' ); ?>
+								</button>
+							</td>
+						</tr>
+					<?php endforeach; ?>
+				</table>
+			</details>
 			<?php endif; ?>
 
 			<div class="add-site-block-form" style="display: flex; max-width: 500px; gap: 8px;">

From 5689b6f13b90b9f22e1640c637051844bb9583d1 Mon Sep 17 00:00:00 2001
From: Automattic Bot <sysops+ghmatticbot@automattic.com>
Date: Thu, 4 Dec 2025 22:51:59 +0100
Subject: [PATCH 2/6] Add changelog

---
 .github/changelog/2591-from-description | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 .github/changelog/2591-from-description

diff --git a/.github/changelog/2591-from-description b/.github/changelog/2591-from-description
new file mode 100644
index 0000000000..92e4481c15
--- /dev/null
+++ b/.github/changelog/2591-from-description
@@ -0,0 +1,4 @@
+Significance: patch
+Type: changed
+
+Wrap blocked domains and keywords tables in collapsible details element.

From 3d484775097d868f89fb9d887c08f1b8a5f1eb3d Mon Sep 17 00:00:00 2001
From: Konstantin Obenland <obenland@gmx.de>
Date: Thu, 4 Dec 2025 15:58:54 -0600
Subject: [PATCH 3/6] Fix escaping for sprintf output

---
 includes/wp-admin/class-settings-fields.php | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/includes/wp-admin/class-settings-fields.php b/includes/wp-admin/class-settings-fields.php
index a249330753..cd554a81cf 100644
--- a/includes/wp-admin/class-settings-fields.php
+++ b/includes/wp-admin/class-settings-fields.php
@@ -438,10 +438,12 @@ public static function render_site_blocked_domains_field() {
 			<details style="margin: 10px 0;">
 				<summary style="cursor: pointer; padding: 8px 0; color: inherit;">
 					<?php
-					\printf(
-						/* translators: %s: Number of blocked domains */
-						\esc_html( \_n( '%s blocked domain', '%s blocked domains', $count, 'activitypub' ) ),
-						\number_format_i18n( $count )
+					echo \esc_html(
+						\sprintf(
+							/* translators: %s: Number of blocked domains */
+							\_n( '%s blocked domain', '%s blocked domains', $count, 'activitypub' ),
+							\number_format_i18n( $count )
+						)
 					);
 					?>
 				</summary>
@@ -484,10 +486,12 @@ public static function render_site_blocked_keywords_field() {
 			<details style="margin: 10px 0;">
 				<summary style="cursor: pointer; padding: 8px 0; color: inherit;">
 					<?php
-					\printf(
-						/* translators: %s: Number of blocked keywords */
-						\esc_html( \_n( '%s blocked keyword', '%s blocked keywords', $count, 'activitypub' ) ),
-						\number_format_i18n( $count )
+					echo \esc_html(
+						\sprintf(
+							/* translators: %s: Number of blocked keywords */
+							\_n( '%s blocked keyword', '%s blocked keywords', $count, 'activitypub' ),
+							\number_format_i18n( $count )
+						)
 					);
 					?>
 				</summary>

From 6205b3c3165cb0cf105b88aecd2af34344617ade Mon Sep 17 00:00:00 2001
From: Konstantin Obenland <obenland@gmx.de>
Date: Fri, 5 Dec 2025 08:33:36 -0600
Subject: [PATCH 4/6] Move inline CSS to stylesheet for site block details

Move the inline styles for the collapsible details/summary elements
to activitypub-admin.css instead of using inline styles in PHP.
---
 assets/css/activitypub-admin.css            | 19 +++++++++++++++++++
 includes/wp-admin/class-settings-fields.php | 16 ++++++++--------
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/assets/css/activitypub-admin.css b/assets/css/activitypub-admin.css
index ae415dbc66..5b3254654c 100644
--- a/assets/css/activitypub-admin.css
+++ b/assets/css/activitypub-admin.css
@@ -104,6 +104,25 @@ summary {
 	color: #2271b1;
 }
 
+.activitypub-site-block-details {
+	margin: 10px 0;
+}
+
+.activitypub-site-block-details summary {
+	padding: 8px 0;
+	color: inherit;
+	text-decoration: none;
+}
+
+.activitypub-site-block-details table {
+	max-width: 500px;
+	margin-top: 10px;
+}
+
+.activitypub-site-block-details td:last-child {
+	width: 80px;
+}
+
 .activitypub-settings-accordion {
 	border: 1px solid #c3c4c7;
 }
diff --git a/includes/wp-admin/class-settings-fields.php b/includes/wp-admin/class-settings-fields.php
index cd554a81cf..937ed5e1d3 100644
--- a/includes/wp-admin/class-settings-fields.php
+++ b/includes/wp-admin/class-settings-fields.php
@@ -435,8 +435,8 @@ public static function render_site_blocked_domains_field() {
 
 		<div class="activitypub-site-block-list">
 			<?php if ( ! empty( $blocked_domains ) ) : ?>
-			<details style="margin: 10px 0;">
-				<summary style="cursor: pointer; padding: 8px 0; color: inherit;">
+			<details class="activitypub-site-block-details">
+				<summary>
 					<?php
 					echo \esc_html(
 						\sprintf(
@@ -447,11 +447,11 @@ public static function render_site_blocked_domains_field() {
 					);
 					?>
 				</summary>
-				<table class="widefat striped activitypub-site-blocked-domain" role="presentation" style="max-width: 500px; margin-top: 10px;">
+				<table class="widefat striped activitypub-site-blocked-domain" role="presentation">
 					<?php foreach ( $blocked_domains as $domain ) : ?>
 						<tr>
 							<td><?php echo \esc_html( $domain ); ?></td>
-							<td style="width: 80px;">
+							<td>
 								<button type="button" class="button button-small remove-site-block-btn" data-type="domain" data-value="<?php echo \esc_attr( $domain ); ?>">
 									<?php \esc_html_e( 'Remove', 'activitypub' ); ?>
 								</button>
@@ -483,8 +483,8 @@ public static function render_site_blocked_keywords_field() {
 
 		<div class="activitypub-site-block-list">
 			<?php if ( ! empty( $blocked_keywords ) ) : ?>
-			<details style="margin: 10px 0;">
-				<summary style="cursor: pointer; padding: 8px 0; color: inherit;">
+			<details class="activitypub-site-block-details">
+				<summary>
 					<?php
 					echo \esc_html(
 						\sprintf(
@@ -495,11 +495,11 @@ public static function render_site_blocked_keywords_field() {
 					);
 					?>
 				</summary>
-				<table class="widefat striped activitypub-site-blocked-keyword" role="presentation" style="max-width: 500px; margin-top: 10px;">
+				<table class="widefat striped activitypub-site-blocked-keyword" role="presentation">
 					<?php foreach ( $blocked_keywords as $keyword ) : ?>
 						<tr>
 							<td><?php echo \esc_html( $keyword ); ?></td>
-							<td style="width: 80px;">
+							<td>
 								<button type="button" class="button button-small remove-site-block-btn" data-type="keyword" data-value="<?php echo \esc_attr( $keyword ); ?>">
 									<?php \esc_html_e( 'Remove', 'activitypub' ); ?>
 								</button>

From 71a34ad60a56ec6a3e5b8e79da488ea22c55ee85 Mon Sep 17 00:00:00 2001
From: Konstantin Obenland <obenland@gmx.de>
Date: Mon, 8 Dec 2025 09:49:08 -0600
Subject: [PATCH 5/6] Fix collapsible moderation tables UX and use wp.i18n for
 translations

- Always render <details> wrapper structure (even when empty) with data-type attribute
- Add <tbody> wrapper for proper striped table styling
- Update JavaScript to work with collapsible structure and update summary counts dynamically
- Use wp.i18n._n() for proper pluralization instead of localized strings
- Add wp-i18n dependency and wp_set_script_translations()
- Extract duplicated validation/message code into helper functions
- Add JSDoc comments for better IDE support
---
 assets/js/activitypub-moderation-admin.js   | 210 +++++++++++---------
 includes/wp-admin/class-admin.php           |  15 +-
 includes/wp-admin/class-settings-fields.php |  68 ++++---
 3 files changed, 166 insertions(+), 127 deletions(-)

diff --git a/assets/js/activitypub-moderation-admin.js b/assets/js/activitypub-moderation-admin.js
index 95cef0f7b3..0a891cfbda 100644
--- a/assets/js/activitypub-moderation-admin.js
+++ b/assets/js/activitypub-moderation-admin.js
@@ -2,11 +2,39 @@
  * ActivityPub Moderation Admin JavaScript
  */
 
-(function( $ ) {
+/* global activitypubModerationL10n, jQuery */
+
+/**
+ * @param {Object} $  - jQuery
+ * @param {Object} wp - WordPress global object
+ * @param {Object} wp.i18n - Internationalization functions
+ * @param {Object} wp.a11y - Accessibility functions
+ * @param {Object} wp.ajax - AJAX functions
+ */
+(function( $, wp ) {
 	'use strict';
 
+	var __ = wp.i18n.__;
+	var _n = wp.i18n._n;
+	var sprintf = wp.i18n.sprintf;
+
+	/**
+	 * Helper function to show a message using wp.a11y and alert
+	 *
+	 * @param {string} message - The message to display
+	 */
+	function showMessage( message ) {
+		if ( wp.a11y && wp.a11y.speak ) {
+			wp.a11y.speak( message, 'assertive' );
+		}
+		alert( message );
+	}
+
 	/**
 	 * Helper function to validate domain format
+	 *
+	 * @param {string} domain - The domain to validate
+	 * @return {boolean} Whether the domain is valid
 	 */
 	function isValidDomain( domain ) {
 		// Basic domain validation - must contain at least one dot and valid characters
@@ -16,6 +44,12 @@
 
 	/**
 	 * Helper function to check if a term already exists in the UI
+	 *
+	 * @param {string}      type    - The type of block (domain or keyword)
+	 * @param {string}      value   - The value to check
+	 * @param {string}      context - The context (user or site)
+	 * @param {number|null} userId  - The user ID (for user context)
+	 * @return {boolean} Whether the term is already blocked
 	 */
 	function isTermAlreadyBlocked( type, value, context, userId ) {
 		var selector;
@@ -27,29 +61,90 @@
 		return $( selector ).length > 0;
 	}
 
+	/**
+	 * Validate a blocked term value
+	 *
+	 * @param {string}      type    - The type of block (domain or keyword)
+	 * @param {string}      value   - The value to validate
+	 * @param {string}      context - The context (user or site)
+	 * @param {number|null} userId  - The user ID (for user context)
+	 * @return {boolean} Whether the value is valid
+	 */
+	function validateBlockedTerm( type, value, context, userId ) {
+		if ( ! value ) {
+			showMessage( __( 'Please enter a value to block.', 'activitypub' ) );
+			return false;
+		}
+
+		if ( type === 'domain' && ! isValidDomain( value ) ) {
+			showMessage( __( 'Please enter a valid domain (e.g., example.com).', 'activitypub' ) );
+			return false;
+		}
+
+		if ( isTermAlreadyBlocked( type, value, context, userId ) ) {
+			showMessage( __( 'This term is already blocked.', 'activitypub' ) );
+			return false;
+		}
+
+		return true;
+	}
+
 	/**
 	 * Helper function to add a blocked term to the UI
 	 */
 	function addBlockedTermToUI( type, value, context, userId ) {
+		var table;
+
 		if ( context === 'user' ) {
 			// For user moderation, add to the appropriate table
 			var container = $( '.activitypub-user-block-list[data-user-id="' + userId + '"]' );
 
-			var table = container.find( '.activitypub-blocked-' + type );
+			table = container.find( '.activitypub-blocked-' + type );
 			if ( table.length === 0 ) {
 				table = $( '<table class="widefat striped activitypub-blocked-' + type + '" role="presentation" style="max-width: 500px; margin: 15px 0;"><tbody></tbody></table>' );
 				container.find( '#new_user_' + type ).closest( '.add-user-block-form' ).before( table );
 			}
 			table.append( '<tr><td>' + value + '</td><td style="width: 80px;"><button type="button" class="button button-small remove-user-block-btn" data-type="' + type + '" data-value="' + value + '">Remove</button></td></tr>' );
 		} else if ( context === 'site' ) {
-			// For site moderation, add to the appropriate table
-			var container = $( '#new_site_' + type ).closest( '.activitypub-site-block-list' );
-			var table = container.find( '.activitypub-site-blocked-' + type );
+			// For site moderation, add to the table inside the details element
+			var details = $( '.activitypub-site-block-details[data-type="' + type + '"]' );
+			table = details.find( '.activitypub-site-blocked-' + type );
+
 			if ( table.length === 0 ) {
-				table = $( '<table class="widefat striped activitypub-site-blocked-' + type + '" role="presentation" style="max-width: 500px; margin: 15px 0;"><tbody></tbody></table>' );
-				container.find( '.add-site-block-form' ).before( table );
+				// Create table inside the details element (after summary)
+				table = $( '<table class="widefat striped activitypub-site-blocked-' + type + '" role="presentation"><tbody></tbody></table>' );
+				details.find( 'summary' ).after( table );
 			}
-			table.append( '<tr><td>' + value + '</td><td style="width: 80px;"><button type="button" class="button button-small remove-site-block-btn" data-type="' + type + '" data-value="' + value + '">Remove</button></td></tr>' );
+
+			table.find( 'tbody' ).append( '<tr><td>' + value + '</td><td><button type="button" class="button button-small remove-site-block-btn" data-type="' + type + '" data-value="' + value + '">Remove</button></td></tr>' );
+
+			updateSiteBlockSummary( type );
+		}
+	}
+
+	/**
+	 * Helper function to update the site block summary count
+	 */
+	function updateSiteBlockSummary( type ) {
+		var details = $( '.activitypub-site-block-details[data-type="' + type + '"]' );
+		var table = details.find( '.activitypub-site-blocked-' + type );
+		var count = table.find( 'tbody tr' ).length || table.find( 'tr' ).length;
+		var summary = details.find( 'summary' );
+
+		if ( count === 0 ) {
+			// Empty state
+			var emptyText = type === 'domain'
+				? __( 'No blocked domains', 'activitypub' )
+				: __( 'No blocked keywords', 'activitypub' );
+			summary.text( emptyText );
+			details.attr( 'open', '' );
+			table.remove();
+		} else {
+			// Has items - use _n for proper pluralization
+			var text = type === 'domain'
+				? _n( '%s blocked domain', '%s blocked domains', count, 'activitypub' )
+				: _n( '%s blocked keyword', '%s blocked keywords', count, 'activitypub' );
+			summary.text( sprintf( text, count ) );
 		}
 	}
 
@@ -63,13 +158,11 @@
 
 		if ( button.length > 0 ) {
 			// Remove the parent table row
-			var parent = button.closest( 'tr' );
-			var container = parent.closest( 'table' );
-			parent.remove();
+			button.closest( 'tr' ).remove();
 
-			// If the container is now empty, remove it
-			if ( container.find( 'tr' ).length === 0 ) {
-				container.remove();
+			// Update the summary count for site blocks
+			if ( context === 'site' ) {
+				updateSiteBlockSummary( type );
 			}
 		}
 	}
@@ -94,33 +187,7 @@
 			var input = $( '#new_user_' + type );
 			var value = input.val().trim();
 
-			if ( ! value ) {
-				// Use wp.a11y.speak for better accessibility.
-				if ( wp.a11y && wp.a11y.speak ) {
-					wp.a11y.speak( activitypubModerationL10n.enterValue, 'assertive' );
-				} else {
-					alert( activitypubModerationL10n.enterValue );
-				}
-				return;
-			}
-
-			// Validate domain format if this is a domain block
-			if ( type === 'domain' && ! isValidDomain( value ) ) {
-				var message = activitypubModerationL10n.invalidDomain || 'Please enter a valid domain (e.g., example.com).';
-				if ( wp.a11y && wp.a11y.speak ) {
-					wp.a11y.speak( message, 'assertive' );
-				}
-				alert( message );
-				return;
-			}
-
-			// Check if the term is already blocked
-			if ( isTermAlreadyBlocked( type, value, 'user', userId ) ) {
-				var message = activitypubModerationL10n.alreadyBlocked || 'This term is already blocked.';
-				if ( wp.a11y && wp.a11y.speak ) {
-					wp.a11y.speak( message, 'assertive' );
-				}
-				alert( message );
+			if ( ! validateBlockedTerm( type, value, 'user', userId ) ) {
 				return;
 			}
 
@@ -136,12 +203,8 @@
 				input.val( '' );
 				addBlockedTermToUI( type, value, 'user', userId );
 			}).fail( function( response ) {
-				var message = response && response.message ? response.message : activitypubModerationL10n.addBlockFailed;
-				if ( wp.a11y && wp.a11y.speak ) {
-					wp.a11y.speak( message, 'assertive' );
-				} else {
-					alert( message );
-				}
+				var message = response && response.message ? response.message : __( 'Failed to add block.', 'activitypub' );
+				showMessage( message );
 			});
 		}
 
@@ -157,12 +220,8 @@
 			}).done( function() {
 				removeBlockedTermFromUI( type, value, 'user' );
 			}).fail( function( response ) {
-				var message = response && response.message ? response.message : activitypubModerationL10n.removeBlockFailed;
-				if ( wp.a11y && wp.a11y.speak ) {
-					wp.a11y.speak( message, 'assertive' );
-				} else {
-					alert( message );
-				}
+				var message = response && response.message ? response.message : __( 'Failed to remove block.', 'activitypub' );
+				showMessage( message );
 			});
 		}
 
@@ -204,32 +263,7 @@
 			var input = $( '#new_site_' + type );
 			var value = input.val().trim();
 
-			if ( ! value ) {
-				if ( wp.a11y && wp.a11y.speak ) {
-					wp.a11y.speak( activitypubModerationL10n.enterValue, 'assertive' );
-				} else {
-					alert( activitypubModerationL10n.enterValue );
-				}
-				return;
-			}
-
-			// Validate domain format if this is a domain block
-			if ( type === 'domain' && ! isValidDomain( value ) ) {
-				var message = activitypubModerationL10n.invalidDomain || 'Please enter a valid domain (e.g., example.com).';
-				if ( wp.a11y && wp.a11y.speak ) {
-					wp.a11y.speak( message, 'assertive' );
-				}
-				alert( message );
-				return;
-			}
-
-			// Check if the term is already blocked
-			if ( isTermAlreadyBlocked( type, value, 'site' ) ) {
-				var message = activitypubModerationL10n.alreadyBlocked || 'This term is already blocked.';
-				if ( wp.a11y && wp.a11y.speak ) {
-					wp.a11y.speak( message, 'assertive' );
-				}
-				alert( message );
+			if ( ! validateBlockedTerm( type, value, 'site', null ) ) {
 				return;
 			}
 
@@ -244,12 +278,8 @@
 				input.val( '' );
 				addBlockedTermToUI( type, value, 'site' );
 			}).fail( function( response ) {
-				var message = response && response.message ? response.message : activitypubModerationL10n.addBlockFailed;
-				if ( wp.a11y && wp.a11y.speak ) {
-					wp.a11y.speak( message, 'assertive' );
-				} else {
-					alert( message );
-				}
+				var message = response && response.message ? response.message : __( 'Failed to add block.', 'activitypub' );
+				showMessage( message );
 			});
 		}
 
@@ -264,12 +294,8 @@
 			}).done( function() {
 				removeBlockedTermFromUI( type, value, 'site' );
 			}).fail( function( response ) {
-				var message = response && response.message ? response.message : activitypubModerationL10n.removeBlockFailed;
-				if ( wp.a11y && wp.a11y.speak ) {
-					wp.a11y.speak( message, 'assertive' );
-				} else {
-					alert( message );
-				}
+				var message = response && response.message ? response.message : __( 'Failed to remove block.', 'activitypub' );
+				showMessage( message );
 			});
 		}
 
@@ -302,4 +328,4 @@
 	// Initialize when document is ready.
 	$( document ).ready( init );
 
-})( jQuery );
+})( jQuery, wp );
diff --git a/includes/wp-admin/class-admin.php b/includes/wp-admin/class-admin.php
index e3b4ca4cfd..af99fc2032 100644
--- a/includes/wp-admin/class-admin.php
+++ b/includes/wp-admin/class-admin.php
@@ -342,22 +342,23 @@ public static function enqueue_moderation_scripts() {
 		\wp_enqueue_script(
 			'activitypub-moderation-admin',
 			ACTIVITYPUB_PLUGIN_URL . 'assets/js/activitypub-moderation-admin.js',
-			array( 'jquery', 'wp-util', 'wp-a11y' ),
+			array( 'jquery', 'wp-util', 'wp-a11y', 'wp-i18n' ),
 			ACTIVITYPUB_PLUGIN_VERSION,
 			true
 		);
 
+		\wp_set_script_translations(
+			'activitypub-moderation-admin',
+			'activitypub',
+			ACTIVITYPUB_PLUGIN_DIR . 'languages'
+		);
+
 		// Localize script with translations and nonces.
 		\wp_localize_script(
 			'activitypub-moderation-admin',
 			'activitypubModerationL10n',
 			array(
-				'enterValue'        => \__( 'Please enter a value to block.', 'activitypub' ),
-				'addBlockFailed'    => \__( 'Failed to add block.', 'activitypub' ),
-				'removeBlockFailed' => \__( 'Failed to remove block.', 'activitypub' ),
-				'alreadyBlocked'    => \__( 'This term is already blocked.', 'activitypub' ),
-				'invalidDomain'     => \__( 'Please enter a valid domain (e.g., example.com).', 'activitypub' ),
-				'nonce'             => \wp_create_nonce( 'activitypub_moderation_settings' ),
+				'nonce' => \wp_create_nonce( 'activitypub_moderation_settings' ),
 			)
 		);
 	}
diff --git a/includes/wp-admin/class-settings-fields.php b/includes/wp-admin/class-settings-fields.php
index 937ed5e1d3..d5065f77fa 100644
--- a/includes/wp-admin/class-settings-fields.php
+++ b/includes/wp-admin/class-settings-fields.php
@@ -434,21 +434,26 @@ public static function render_site_blocked_domains_field() {
 		<p class="description"><?php \esc_html_e( 'Block entire ActivityPub instances by domain name.', 'activitypub' ); ?></p>
 
 		<div class="activitypub-site-block-list">
-			<?php if ( ! empty( $blocked_domains ) ) : ?>
-			<details class="activitypub-site-block-details">
+			<details class="activitypub-site-block-details" data-type="domain"<?php echo empty( $blocked_domains ) ? ' open' : ''; ?>>
 				<summary>
-					<?php
-					echo \esc_html(
-						\sprintf(
-							/* translators: %s: Number of blocked domains */
-							\_n( '%s blocked domain', '%s blocked domains', $count, 'activitypub' ),
-							\number_format_i18n( $count )
-						)
-					);
-					?>
+					<?php if ( $count > 0 ) : ?>
+						<?php
+						echo \esc_html(
+							\sprintf(
+								/* translators: %s: Number of blocked domains */
+								\_n( '%s blocked domain', '%s blocked domains', $count, 'activitypub' ),
+								\number_format_i18n( $count )
+							)
+						);
+						?>
+					<?php else : ?>
+						<?php \esc_html_e( 'No blocked domains', 'activitypub' ); ?>
+					<?php endif; ?>
 				</summary>
+				<?php if ( ! empty( $blocked_domains ) ) : ?>
 				<table class="widefat striped activitypub-site-blocked-domain" role="presentation">
-					<?php foreach ( $blocked_domains as $domain ) : ?>
+					<tbody>
+						<?php foreach ( $blocked_domains as $domain ) : ?>
 						<tr>
 							<td><?php echo \esc_html( $domain ); ?></td>
 							<td>
@@ -457,10 +462,11 @@ public static function render_site_blocked_domains_field() {
 								</button>
 							</td>
 						</tr>
-					<?php endforeach; ?>
+						<?php endforeach; ?>
+					</tbody>
 				</table>
+				<?php endif; ?>
 			</details>
-			<?php endif; ?>
 
 			<div class="add-site-block-form" style="display: flex; max-width: 500px; gap: 8px;">
 				<input type="text" class="regular-text" id="new_site_domain" placeholder="<?php \esc_attr_e( 'example.com', 'activitypub' ); ?>" style="flex: 1; min-width: 0;" />
@@ -482,21 +488,26 @@ public static function render_site_blocked_keywords_field() {
 		<p class="description"><?php \esc_html_e( 'Block ActivityPub content containing specific keywords.', 'activitypub' ); ?></p>
 
 		<div class="activitypub-site-block-list">
-			<?php if ( ! empty( $blocked_keywords ) ) : ?>
-			<details class="activitypub-site-block-details">
+			<details class="activitypub-site-block-details" data-type="keyword"<?php echo empty( $blocked_keywords ) ? ' open' : ''; ?>>
 				<summary>
-					<?php
-					echo \esc_html(
-						\sprintf(
-							/* translators: %s: Number of blocked keywords */
-							\_n( '%s blocked keyword', '%s blocked keywords', $count, 'activitypub' ),
-							\number_format_i18n( $count )
-						)
-					);
-					?>
+					<?php if ( $count > 0 ) : ?>
+						<?php
+						echo \esc_html(
+							\sprintf(
+								/* translators: %s: Number of blocked keywords */
+								\_n( '%s blocked keyword', '%s blocked keywords', $count, 'activitypub' ),
+								\number_format_i18n( $count )
+							)
+						);
+						?>
+					<?php else : ?>
+						<?php \esc_html_e( 'No blocked keywords', 'activitypub' ); ?>
+					<?php endif; ?>
 				</summary>
+				<?php if ( ! empty( $blocked_keywords ) ) : ?>
 				<table class="widefat striped activitypub-site-blocked-keyword" role="presentation">
-					<?php foreach ( $blocked_keywords as $keyword ) : ?>
+					<tbody>
+						<?php foreach ( $blocked_keywords as $keyword ) : ?>
 						<tr>
 							<td><?php echo \esc_html( $keyword ); ?></td>
 							<td>
@@ -505,10 +516,11 @@ public static function render_site_blocked_keywords_field() {
 								</button>
 							</td>
 						</tr>
-					<?php endforeach; ?>
+						<?php endforeach; ?>
+					</tbody>
 				</table>
+				<?php endif; ?>
 			</details>
-			<?php endif; ?>
 
 			<div class="add-site-block-form" style="display: flex; max-width: 500px; gap: 8px;">
 				<input type="text" class="regular-text" id="new_site_keyword" placeholder="<?php \esc_attr_e( 'spam keyword', 'activitypub' ); ?>" style="flex: 1; min-width: 0;" />

From c0d132f60617eb9d2d3d88b80dcca97f578c7f25 Mon Sep 17 00:00:00 2001
From: Konstantin Obenland <obenland@gmx.de>
Date: Mon, 8 Dec 2025 10:02:31 -0600
Subject: [PATCH 6/6] Fix XSS vulnerability by using DOM-safe methods for user
 input

Use jQuery's element construction with attributes object and .text()
instead of string concatenation when inserting user-controlled values
into the DOM. This prevents malicious input from being executed.
---
 assets/js/activitypub-moderation-admin.js | 24 +++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/assets/js/activitypub-moderation-admin.js b/assets/js/activitypub-moderation-admin.js
index 0a891cfbda..207d41c16a 100644
--- a/assets/js/activitypub-moderation-admin.js
+++ b/assets/js/activitypub-moderation-admin.js
@@ -89,6 +89,26 @@
 		return true;
 	}
 
+	/**
+	 * Create a table row for a blocked term.
+	 *
+	 * @param {string} type    - The type of block (domain or keyword)
+	 * @param {string} value   - The blocked value
+	 * @param {string} context - The context (user or site)
+	 * @return {jQuery} The constructed table row
+	 */
+	function createBlockedTermRow( type, value, context ) {
+		var $button = $( '<button>', {
+			type: 'button',
+			'class': 'button button-small remove-' + context + '-block-btn',
+			'data-type': type,
+			'data-value': value,
+			text: __( 'Remove', 'activitypub' )
+		} );
+
+		return $( '<tr>' ).append( $( '<td>' ).text( value ), $( '<td>' ).append( $button ) );
+	}
+
 	/**
 	 * Helper function to add a blocked term to the UI
 	 */
@@ -104,7 +124,7 @@
 				table = $( '<table class="widefat striped activitypub-blocked-' + type + '" role="presentation" style="max-width: 500px; margin: 15px 0;"><tbody></tbody></table>' );
 				container.find( '#new_user_' + type ).closest( '.add-user-block-form' ).before( table );
 			}
-			table.append( '<tr><td>' + value + '</td><td style="width: 80px;"><button type="button" class="button button-small remove-user-block-btn" data-type="' + type + '" data-value="' + value + '">Remove</button></td></tr>' );
+			table.find( 'tbody' ).append( createBlockedTermRow( type, value, context ) );
 		} else if ( context === 'site' ) {
 			// For site moderation, add to the table inside the details element
 			var details = $( '.activitypub-site-block-details[data-type="' + type + '"]' );
@@ -116,7 +136,7 @@
 				details.find( 'summary' ).after( table );
 			}
 
-			table.find( 'tbody' ).append( '<tr><td>' + value + '</td><td><button type="button" class="button button-small remove-site-block-btn" data-type="' + type + '" data-value="' + value + '">Remove</button></td></tr>' );
+			table.find( 'tbody' ).append( createBlockedTermRow( type, value, context ) );
 
 			updateSiteBlockSummary( type );
 		}