Add validation to reject plugin/theme slugs ending with slashes

Copilot · swissspidy · Copilot · commit f29a0cc4e3d6 · 2025-12-22T16:31:12.000Z
Co-authored-by: swissspidy &lt;841956+swissspidy@users.noreply.github.com&gt;
diff --git a/features/scaffold-plugin-tests.feature b/features/scaffold-plugin-tests.feature
@@ -240,6 +240,20 @@ Feature: Scaffold plugin unit tests
       """
     And the return code should be 1
 
+    When I try `wp scaffold plugin-tests my-plugin/`
+    Then STDERR should be:
+      """
+      Error: Invalid plugin slug specified. The slug cannot end with a slash.
+      """
+    And the return code should be 1
+
+    When I try `wp scaffold plugin-tests my-plugin\\`
+    Then STDERR should be:
+      """
+      Error: Invalid plugin slug specified. The slug cannot end with a slash.
+      """
+    And the return code should be 1
+
   Scenario: Scaffold plugin tests with invalid directory
     Given a WP install
     And I run `wp scaffold plugin hello-world --skip-tests`
diff --git a/features/scaffold-theme-tests.feature b/features/scaffold-theme-tests.feature
@@ -219,6 +219,20 @@ Feature: Scaffold theme unit tests
       """
     And the return code should be 1
 
+    When I try `wp scaffold theme-tests t12child/`
+    Then STDERR should be:
+      """
+      Error: Invalid theme slug specified. The slug cannot end with a slash.
+      """
+    And the return code should be 1
+
+    When I try `wp scaffold theme-tests t12child\\`
+    Then STDERR should be:
+      """
+      Error: Invalid theme slug specified. The slug cannot end with a slash.
+      """
+    And the return code should be 1
+
   Scenario: Scaffold theme tests with invalid directory
     When I try `wp scaffold theme-tests twentytwelve --dir=non-existent-dir`
     Then STDERR should be:
diff --git a/src/Scaffold_Command.php b/src/Scaffold_Command.php
@@ -829,6 +829,10 @@ private function scaffold_plugin_theme_tests( $args, $assoc_args, $type ) {
 			if ( in_array( $slug, [ '.', '..' ], true ) ) {
 				WP_CLI::error( "Invalid {$type} slug specified. The slug cannot be '.' or '..'." );
 			}
+			// Reject slugs ending with slashes to prevent corrupted bootstrap.php files.
+			if ( '/' === substr( $slug, -1 ) || '\\' === substr( $slug, -1 ) ) {
+				WP_CLI::error( "Invalid {$type} slug specified. The slug cannot end with a slash." );
+			}
 			if ( 'theme' === $type ) {
 				$theme = wp_get_theme( $slug );
 				if ( $theme->exists() ) {
