Add Reviewer Certificate plugin (generic) #473

Open
ssemerikov wants to merge 2 commits into pkp:main from ssemerikov:add-reviewer-certificate-plugin
@ssemerikov ssemerikov commented Mar 12, 2026

Summary

Adds the Reviewer Certificate plugin to the Plugin Gallery.

The plugin generates personalized PDF certificates for peer reviewers after completing review assignments. Features include customizable templates with background images, QR code verification, batch generation, download tracking, and 32 language translations.

Release details (v1.4.0)

Three version-specific packages per reviewer recommendation:

| OJS Version | Package | MD5 |
|---|---|---|
| 3.3.x | v1.4.0-3.3 | 5101e4cba8f77da3106297bd05c12ab0 |
| 3.4.x | v1.4.0-3.4 | 90b8fd33b000f741e7f1a00de0df45ba |
| 3.5.x | v1.4.0-3.5 | c2881550df8064a57949c357566a7206 |

Changes in v1.4.0 (addressing review feedback):

  1. Version-specific branches (stable-3_3_0, stable-3_4_0, stable-3_5_0)
  2. Context isolation — all handlers validate context_id to prevent cross-journal access
  3. HTML title sanitization — strip_tags() for PDF, Smarty |escape for templates
  4. Input validation — certificate codes checked against /^[A-F0-9]{16}$/

Checklist

  • Packages are .tar.gz with correct root folder (reviewerCertificate/)
  • version.xml present at top level with matching <application> name
  • MD5 checksums match packages (all 3 verified)
  • Package URLs return HTTP 200 (all 3 verified)
  • No <certification> element (community plugin, not PKP-reviewed)
  • Compatibility versions use ~ wildcard notation
  • Separate <release> blocks per OJS major version

Generates personalized PDF certificates for peer reviewers
after completing reviews. Compatible with OJS 3.3, 3.4, and 3.5.

Homepage: https://github.com/ssemerikov/reviewerCertificate

@asmecher (Member)

@ssemerikov, thanks for the PR! I have a few notes to consider...

  • I don't recommend making a single plugin package that's compatible with multiple major releases. Instead, create a stable-3_3_0, stable-3_4_0 and stable-3_5_0 branch, with each adapted for the equivalent version of OJS. This will keep things much more maintainable for future releases. As we continue to modernize the codebase for 3.6 and beyond, it will get harder to keep one codebase compatible. This is just a recommendation, I won't hold back the addition to the plugin gallery on this account, but I think it'll make your life much easier and your code shorter!
  • Please make sure to validate your parameters. For example, some handlers take a reviewId parameter, which is never checked to ensure it's part of the current journal. Same with other user-supplied IDs.
  • OJS 3.5 and later support HTML markup in submission titles; I don't think the plugin currently accommodates this.

Split single multi-version release into three separate packages
(OJS 3.3, 3.4, 3.5) per reviewer recommendation. v1.4.0 adds
context isolation, HTML title sanitization, and input validation.

@ssemerikov (Author)

Thanks for the review, @asmecher! All three items addressed in v1.4.0:

  1. Version-specific branches — Created stable-3_3_0, stable-3_4_0, stable-3_5_0 branches with separate releases. Each branch's version.xml declares compatibility only with its target OJS version. I've updated the PR XML below to use per-version packages.
  2. Parameter validation — All handlers now enforce context isolation. download() and generateBatch() join review_assignments with submissions to filter by context_id, preventing cross-journal data access. verify() checks the certificate's context_id against the request context. Certificate code input is validated against /^[A-F0-9]{16}$/ before any DB lookup.
  3. HTML in submission titles — strip_tags() applied to all title retrieval paths in PDF generation. Verify page template variables use Smarty |escape filter for XSS prevention.

Details: 596402b
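
The two checks described in the comment above (a join that scopes a reviewId to the requesting journal, and a format check on the certificate code before any lookup), as an added sketch that is not the plugin's own code. The table and column names follow the comment; the in-memory schema, the sample rows and the helper names findReviewInContext() and isValidCertificateCode() are assumptions made for illustration.

```php
<?php
// Added sketch, not the plugin's code. Schema is a constructed minimum;
// helper names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE submissions (submission_id INTEGER PRIMARY KEY, context_id INTEGER)');
$db->exec('CREATE TABLE review_assignments (review_id INTEGER PRIMARY KEY, submission_id INTEGER, reviewer_id INTEGER)');
// Constructed sample data: review 10 belongs to journal 1, review 20 to journal 2.
$db->exec('INSERT INTO submissions VALUES (100, 1), (200, 2)');
$db->exec('INSERT INTO review_assignments VALUES (10, 100, 7), (20, 200, 7)');

/** Return the review row only if its submission belongs to the requesting journal. */
function findReviewInContext(PDO $db, int $reviewId, int $contextId): ?array
{
    // The context filter is part of the query itself, so a review from another
    // journal is indistinguishable from one that does not exist.
    $stmt = $db->prepare(
        'SELECT ra.review_id, ra.reviewer_id, s.context_id
           FROM review_assignments ra
           JOIN submissions s ON s.submission_id = ra.submission_id
          WHERE ra.review_id = :review_id AND s.context_id = :context_id'
    );
    $stmt->execute(['review_id' => $reviewId, 'context_id' => $contextId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Format check to run before any database lookup. */
function isValidCertificateCode(string $code): bool
{
    // Pattern from the comment above, with the D modifier added: in PCRE a bare
    // "$" also matches just before a trailing newline, so without D a valid
    // code followed by "\n" would pass the check.
    return preg_match('/^[A-F0-9]{16}$/D', $code) === 1;
}

$requestContextId = 1; // journal the request arrived in (constructed value)

// Review in the requesting journal, then a review ID taken from another journal.
var_dump(findReviewInContext($db, 10, $requestContextId) !== null);
var_dump(findReviewInContext($db, 20, $requestContextId) !== null);

// Well-formed code, the same code with a trailing newline, and a lowercase code.
var_dump(isValidCertificateCode('ABCDEF0123456789'));
var_dump(isValidCertificateCode("ABCDEF0123456789\n"));
var_dump(isValidCertificateCode('abcdef0123456789'));
```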
