• v1.0.8 89afa00678

    WP Bootstrap 1.0.8
    All checks were successful
    Create Release Package / PHP Lint (push) Successful in 1m8s
    Create Release Package / Build Release (push) Successful in 1m53s
    Stable

    magdev released this 2026-02-19 12:23:40 +00:00 | 11 commits to main since this release

    Security

    • Archive XSS hardening: ContextBuilder::getArchiveData() now wraps get_the_archive_title() and get_the_archive_description() with wp_kses_post(). Term descriptions are user-editable by Editors and above; without sanitization an injected <script> tag would execute via the |raw filter in archive.html.twig
    • Comment author XSS hardening: ContextBuilder::buildCommentTree() now applies esc_html() to comment_author and esc_url() to comment_author_url at the data source, preventing injection via user-supplied comment fields
    • Dark mode localStorage whitelist: getPreferredTheme() in dark-mode.js now validates the stored theme value against ['dark', 'light'] before use, preventing attribute injection from a tampered localStorage value written by a third-party script
    • Twig escaping functions marked safe: esc_html(), esc_attr(), and esc_url() registered in TwigService are now declared with ['is_safe' => ['html']], preventing double-encoding if Twig autoescape is ever enabled
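The localStorage check described in the dark-mode entry above, written out as an added illustration (this is not the theme's own dark-mode.js): the pre-hardening shape beside the allowlisted one, with `storage` and `systemPrefersDark` injected as stand-ins for `window.localStorage` and `matchMedia` so it runs outside a browser.

```javascript
// Added example, not code from WP Bootstrap. Names below are illustrative:
// `storage` stands in for window.localStorage, `systemPrefersDark` for the
// result of matchMedia('(prefers-color-scheme: dark)').matches.
const ALLOWED_THEMES = ['dark', 'light'];

// Pre-1.0.8 shape: whatever a third-party script wrote under "theme" is
// returned as-is and later lands in an attribute on <html>.
function getPreferredThemeUnsafe(storage, systemPrefersDark) {
  const stored = storage.getItem('theme');
  if (stored) return stored;
  return systemPrefersDark ? 'dark' : 'light';
}

// Hardened: only an allowlisted value is honoured; anything else is treated
// as "not set" and falls back to the system preference.
function getPreferredTheme(storage, systemPrefersDark) {
  const stored = storage.getItem('theme');
  if (ALLOWED_THEMES.includes(stored)) return stored;
  return systemPrefersDark ? 'dark' : 'light';
}

// Markup a naive switcher might build by string concatenation; shows how an
// unvalidated value breaks out of the attribute.
function renderHtmlTag(theme) {
  return `<html data-bs-theme="${theme}">`;
}

// Minimal stand-in for window.localStorage (constructed for the example).
function fakeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return { getItem: (key) => (map.has(key) ? map.get(key) : null) };
}
```

With a tampered value such as `dark" data-injected="1` in storage, the unsafe variant passes it straight into the attribute, while the hardened one falls back to the system preference.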

    Changed

    • views/partials/comment-item.html.twig: Comment author URL now output via {{ comment.author_url|raw }} (escaped in PHP) instead of calling esc_url() from the template, keeping escaping logic in one place