wc-bootstrap/CHANGELOG.md

# Changelog

All notable changes to this project will be documented in this file.

## [0.1.4] - 2026-03-01

### Security

- **fn() function whitelist** (`WooCommerceExtension`): The `callFunction()` method (exposed as `fn()` in Twig templates) now restricts callable functions to an explicit `ALLOWED_FUNCTIONS` whitelist. Previously any PHP function could be called, risking arbitrary code execution if template context were compromised. Only the 6 functions actually used in templates are permitted.
- **Notice data attribute escaping**: Changed `{{ notice.data|raw }}` to `{{ notice.data|wp_kses_post }}` in success, error, and notice Twig templates. Defense-in-depth against potential XSS via data attributes.
- **Search query escaping** (`product-searchform.html.twig`): Added `|esc_attr` filter to `get_search_query()` output in the search input value attribute.

### Performance

- **Per-request ContextBuilder caching**: New `wc_bootstrap_get_theme_context()` function with static variable caching eliminates redundant `ContextBuilder::build()` calls (10-20 DB queries each) when multiple WooCommerce render functions fire in the same request.

### Changed

- **Shared page shell helper**: New `wc_bootstrap_render_in_page_shell()` function extracts the duplicated context-injection-and-render pattern from `wc_bootstrap_render_page()`, `wc_bootstrap_render_product_archive()`, and `wc_bootstrap_render_single_product()`.
- **Removed unused constants**: Removed `WC_BOOTSTRAP_VERSION` and `WC_BOOTSTRAP_URL` constants that were defined but never referenced.

## [0.1.3] - 2026-02-28

### Added

- Theme screenshot showing dark mode product archive with Bootstrap 5 card grid

## [0.1.2] - 2026-02-28

### Fixed

- Dark mode: text inputs and textareas showing white background due to WooCommerce's `.woocommerce form .form-row .input-text` (specificity `0,3,1`) overriding theme's checkout form rules with `var(--wc-form-color-background, #fff)` fallback
- Dark mode: `table-light` class on `<thead>` forcing white table headers in cart, checkout review, orders, and payment methods pages
- Dark mode: WooCommerce notice focus ring appearing white when `focus_populate_live_region()` JS programmatically focuses alerts for screen reader accessibility
- WooCommerce notice overrides not matching alerts rendered by Twig templates (added `.alert.woocommerce-*` compound selectors alongside `.woocommerce .woocommerce-*` descendant selectors)
- Order details table on thank-you page not wrapped in a card like other sections
- Thank-you page success message line-wrapping after icon due to block-level `<p>` inside inline alert context

## [0.1.1] - 2026-02-28

### Fixed

- Dark mode: native `<select>` elements showing white background due to WooCommerce's `--wc-form-color-background` falling back to `#fff`
- Dark mode: SelectWoo/Select2 dropdowns (country/state pickers) rendering with hardcoded `#fff` backgrounds, text colors, and borders
- Dark mode: checkout form focus ring color for inputs, textareas, and selects
- WooCommerce notice borders not matching Bootstrap alert styles due to insufficient CSS specificity (bumped to `.woocommerce .woocommerce-*` at `0,2,0`)
- WooCommerce notice `border-top: 3px solid` and `background-color: #f6f5f8` overriding Bootstrap alert colors
- Double icons on WooCommerce notices (WooCommerce icon font `::before` conflicting with Bootstrap Icons)
- Product card images overlapping top rounded corners on catalog page (added `overflow-hidden` to card)

## [0.1.0] - 2026-02-28

### Added

- Docker development environment: multistage Dockerfile (WooCommerce download, wp-bootstrap npm build, Composer deps, WordPress runtime), Compose stack with MariaDB, auto-setup entrypoint
- Private registry image name and restart policies for Docker stack
- **My Account polish**: endpoint icon map, `offcanvas-lg` responsive navigation with sticky sidebar, card-based dashboard with avatar welcome greeting and quick-action grid, card-wrapped forms with icon headers, view-order summary card with status badge
- **Product archive**: Bootstrap 5 card grid with responsive columns, sale badges, star ratings, offcanvas sidebar for mobile filters, shop-sidebar widget area
- **Single product layout**: two-column responsive grid (image gallery + product summary), bridge for `wc_get_template_part()` interception, disabled WooCommerce block compatibility layer
- Global `$product` injection into Twig context for loop sub-templates
- CSS overrides: WooCommerce float/width layout reset, sale badge repositioning, shop_table border reset, gallery opacity fallback, My Account `max-width` reset

### Fixed

- Rename `base.html.twig` → `wc-base.html.twig` to prevent shadowing the parent theme's page shell via Twig `FilesystemLoader` path priority
- CSS dependency handle from unregistered `woocommerce` to `woocommerce-general` for `wc-bootstrap-overrides` stylesheet
- WooCommerce float-based two-column layout (`width: 48%` + `float`) fighting Bootstrap grid on single product pages
- Nested content wrapper doubling parent theme's `.container`
- Sale badge escaping image column and blocking breadcrumb clicks
- `|nl2br|esc_html` filter order in order details (was escaping `<br>` tags)
- HTML entity double-encoding (`&hellip;`) in up-sells, cross-sells, and related product headings
- Wrong `function() is defined` guards in cart totals, review order, checkout login, and terms templates
- Duplicate deprecated hook fires in dashboard template
- Missing `|raw` on brand description HTML filter chain
- Missing `role="alert"` on variation add-to-cart for accessibility
- Missing `|esc_attr` on notification type class attribute
- Missing `is defined` guard on `hidden` variable in global form-login
- Pagination URLs using `?page=` instead of `get_pagenum_link()` for archives
- Double-escaped `&ndash;` in result count
- Underscore.js triple-brace syntax conflict in variation template (wrapped in `{% verbatim %}`)

## [0.0.1] - 2026-02-28

### Added

- Initial theme scaffold (style.css, functions.php, Composer autoload)
- Comprehensive template conversion plan (PLAN.md)
- **Phase 1**: Global templates (wrapper, breadcrumb, sidebar, quantity-input, form-login) and notices (success, error, info)
- **Phase 2**: Product archive and shop loop templates (archive-product, content-product, loop components, pagination, orderby, sale-flash)
- **Phase 3**: Single product page templates (image gallery, title, price, meta, stock, tabs, add-to-cart forms for simple/variable/grouped/external)
- **Phase 4**: Cart templates (cart table, empty cart, cart totals, shipping calculator, mini-cart, cross-sells)
- **Phase 5**: Checkout templates (form-checkout, billing/shipping forms, coupon, order review, payment methods, terms, thank-you)
- **Phase 6**: My Account templates (dashboard, navigation, orders, view-order, addresses, edit-address, edit-account, downloads, payment methods, login/register, password reset)
- **Phase 7**: Order details templates (order-details, order-details-item, order-details-customer, form-tracking, order-again)
- **Phase 9**: Supplementary templates (brands, OAuth auth, back-in-stock form)
- Reusable Twig components (card, pagination, price, rating, address-card, status-badge, quantity-input, form-field)
- WooCommerce-to-Twig rendering bridge (`TemplateOverride` + `WooCommerceExtension`)
- ~50 WooCommerce/WordPress Twig functions and 7 Twig filters
- Stack-based output buffering for nested template interception
- Bootstrap 5 override stylesheet (`wc-bootstrap.css`)
- Quantity +/- button JavaScript handler
- Sticky header scroll shadow behavior
- Parent theme rendering delegation via `woocommerce_render_page` filter
- Theme wrapping signal via `woocommerce_is_theme_wrapped` filter
- CI/CD release workflow (Gitea Actions)
- Translation support (`.pot` template ready)
- Docker development environment (multistage Dockerfile, Compose, auto-setup entrypoint)

### Fixed

- Rename `base.html.twig` → `wc-base.html.twig` to prevent shadowing the parent theme's page shell via Twig `FilesystemLoader` path priority
- Correct CSS dependency handle from `woocommerce` to `woocommerce-general` for `wc-bootstrap-overrides` stylesheet

### Skipped

- **Phase 8** (Email templates): WooCommerce emails use `wc_get_template_html()` which bypasses the Twig rendering pipeline. Default email templates are sufficient; customization can be handled via dedicated email plugins.