magdev/wp-bootstrap
1
Fork 0
Code Issues Pull Requests Actions Releases 24 Activity
Files
v1.0.8
wp-bootstrap/CHANGELOG.md
magdev 89afa00678
All checks were successful
Create Release Package / PHP Lint (push) Successful in 1m8s
Details
Create Release Package / Build Release (push) Successful in 1m53s
Details
security: OWASP audit and hardening (v1.0.8) 
- Archive XSS: wrap get_the_archive_title/description with wp_kses_post()
  in ContextBuilder to sanitize Editor-editable term content rendered via |raw
- Comment fields: esc_html() on comment_author, esc_url() on comment_author_url
  at data source; template updated to output pre-escaped URL via |raw
- dark-mode.js: whitelist localStorage value against ['dark','light'] to
  prevent attribute injection from third-party script tampering
- TwigService: add is_safe=>html to esc_html/esc_attr/esc_url Twig functions
  to prevent double-encoding if autoescape is ever enabled
- Add .markdownlint.json (disable MD024 duplicate headings, MD013 line length)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-19 13:23:33 +01:00

231 lines
12 KiB
Markdown
Raw Permalink Blame History

# Changelog
All notable changes to this project will be documented in this file.
## [1.0.8] - 2026-02-19
### Security
- **Archive XSS hardening**: `ContextBuilder::getArchiveData()` now wraps `get_the_archive_title()` and `get_the_archive_description()` with `wp_kses_post()`. Term descriptions are user-editable by Editors and above; without sanitization an injected `<script>` tag would execute via the `|raw` filter in `archive.html.twig`
- **Comment author XSS hardening**: `ContextBuilder::buildCommentTree()` now applies `esc_html()` to `comment_author` and `esc_url()` to `comment_author_url` at the data source, preventing injection via user-supplied comment fields
- **Dark mode localStorage whitelist**: `getPreferredTheme()` in `dark-mode.js` now validates the stored theme value against `['dark', 'light']` before use, preventing attribute injection from a tampered localStorage value written by a third-party script
- **Twig escaping functions marked safe**: `esc_html()`, `esc_attr()`, and `esc_url()` registered in `TwigService` are now declared with `['is_safe' => ['html']]`, preventing double-encoding if Twig autoescape is ever enabled
### Changed
- `views/partials/comment-item.html.twig`: Comment author URL now output via `{{ comment.author_url|raw }}` (escaped in PHP) instead of calling `esc_url()` from the template, keeping escaping logic in one place
## [1.0.7] - 2026-02-18
### Added
- `do_shortcode()` registered as a Twig function in `TwigService`, allowing shortcodes to be rendered directly from Twig templates via `{{ do_shortcode('[shortcode]') }}`
## [1.0.6] - 2026-02-14
### Fixed
- Sidebar widgets not rendered on pages using the "Page with Sidebar" template — `ContextBuilder::build()` only populated `sidebar` context for `is_home()`, so `page-sidebar.html.twig` received no widget data
## [1.0.5] - 2026-02-11
### Added
- 11 new translation files: de_CH_informal, de_DE, de_DE_informal, en_GB, es_ES, fr_CH, it_CH, it_IT, nl_NL, pl_PL, pt_PT (total: 13 locales + en_US base)
- Compiled .mo files for all 13 translations
### Changed
- Standardized all .po file names to use `wp-bootstrap-` prefix (WordPress convention: `{text-domain}-{locale}.po`)
## [1.0.4] - 2026-02-11
### Added
- `wp_bootstrap_should_render_template` filter in `TemplateController::render()` — allows plugins and child themes to prevent the theme from rendering a specific request, enabling clean separation of concerns when plugins handle their own page rendering
## [1.0.3] - 2026-02-11
### Fixed
- Double `<h1>` headings on pages where plugins provide their own titles — `page.html.twig` now wraps `<h1>` in `{% if post.title is not empty %}` guard so plugins can suppress it by passing empty `post.title`
## [1.0.2] - 2026-02-10
### Fixed
- Missing HTML `<title>` tag on all pages — theme never declared `add_theme_support('title-tag')`, so WordPress's `_wp_render_title_tag()` hook was inactive during `wp_head()` output in Twig templates
## [1.0.1] - 2026-02-09
### Added
- Bootstrap Icons web font integration — all 2,000+ icons available via `<i class="bi bi-*"></i>` CSS classes
- `copy:icons` build step to copy icon font files (`.woff`, `.woff2`) from `node_modules` to `assets/fonts/`
- Bootstrap Icons SCSS imported in both frontend and editor stylesheets for icon support in templates and block editor
## [1.0.0] - 2026-02-08
### Added
- Sidebar widget area (`primary-sidebar`) registered via `register_sidebar()` — manageable in Appearance > Widgets
- Widget area rendering in Twig sidebar with fallback to built-in content (recent posts, search, tags) when no widgets assigned
- Widget area description strings added to all translation files (en_US, de_CH, fr_FR)
### Changed
- Updated README.md with accurate feature counts (15 style variations, 41 patterns, 3 translations)
- Added documentation for style variation bridge, widget areas, RTL support, and accessibility features
## [0.3.3] - 2026-02-08
### Fixed
- Style variation colors not applied to Bootstrap frontend — bridge function checked wrong palette origin (`custom` instead of `theme`)
- Variation detection now compares `theme` origin against base theme.json defaults instead of looking for slugs in `custom` origin
## [0.3.2] - 2026-02-08
### Fixed
- Dark mode body colors overridden by WordPress global styles (`styles.color` in `theme.json` generated conflicting `body` CSS)
- Dark mode styling for plugin-generated form elements (`select`, `input`, `textarea`) that lack Bootstrap classes
- Footer columns template used hardcoded `bg-dark text-light` instead of semantic `bg-body-tertiary`
- Style variation bridge function ran with default palette when no variation was active, causing unnecessary CSS overrides
### Changed
- Removed `styles.color` from `theme.json` to prevent WordPress from generating body background/text CSS that conflicts with Bootstrap dark mode
- Added `!important` override in `_custom.scss` for `html[data-bs-theme="dark"] body` to ensure Bootstrap dark mode takes precedence
- Added broad dark mode rules for native form elements in `_custom.scss`
## [0.3.1] - 2026-02-08
### Added
- 4 new light style variations: Rose, Sand, Lavender, Mint
- 4 new dark style variations: Slate, Mocha, Nebula, Obsidian
- Total of 15 color palettes available in the Design Editor (7 light, 7 dark, plus default)
## [0.3.0] - 2026-02-08
### Added
- Skip-to-content link for keyboard navigation accessibility
- ARIA labels on all navigation landmarks (`<nav>`, `<aside>`)
- `aria-current="page"` on active dropdown menu items across all header variants
- Lazy loading (`loading="lazy"`) on all below-fold images (post thumbnails, cards, avatars)
- Screen reader announcement for dark mode toggle via `aria-live` status region
- Font preload hints for Inter and Lora variable fonts
- RTL language support: conditional RTL stylesheet, logical CSS properties for blockquote and list styles
- French (fr_FR) translation with all ~216 strings translated
- CSS classes for post thumbnails, card thumbnails, sidebar headings, and hero overlays (replacing inline styles)
### Fixed
- XSS vulnerability in search results template (`search_query` now escaped with `|e('html')`)
- Comment author URLs now explicitly escaped with `esc_url()` in Twig templates
### Changed
- Block style `blockquote-accent` uses `border-inline-start` instead of `border-left` for RTL compatibility
- Block style `list-unstyled` uses `padding-inline-start` instead of `padding-left` for RTL compatibility
- Inline styles in Twig templates replaced with CSS classes for maintainability
- Updated translation files (`.pot` and `de_CH.po`) with new accessibility strings
- Build pipeline includes RTL SCSS compilation step
## [0.2.0] - 2026-02-08
### Added
- Full Design Editor compatibility: Bootstrap JS in block editor, full Bootstrap SCSS in editor stylesheet
- 3 custom block categories: Bootstrap Layout, Bootstrap Components, Bootstrap Navigation
- 3 custom pattern categories: Layout, Components, Navigation
- 4 layout patterns: container, 2-column, 3-column, full-width section
- 2 component patterns: card group, accordion
- 3 full-page patterns: about, services, contact
- 4 custom page templates (FSE + Twig): landing (no header/footer), full-width, hero, sidebar
- 2 header variations (FSE + Twig): centered, transparent
- 2 footer variations (FSE + Twig): minimal, multi-column
- 2 navigation patterns: dark navbar, offcanvas mobile navigation
- Offcanvas navigation Twig partial with Bootstrap offcanvas component
- Editor SCSS overrides for alignment and spacing consistency
- Shadow presets (sm, md, lg), aspect ratio presets, and custom layout values in `theme.json`
- Header/footer variant support via `get_theme_mod()` in `ContextBuilder`
- Twig block inheritance in `base.html.twig` for header/footer variant overrides
- Custom page template routing via `get_page_template_slug()` in `TemplateController`
- Transparent header and offcanvas dark mode SCSS styles
### Changed
- Enhanced `editor-style.scss` to import full Bootstrap for WYSIWYG editor fidelity
- Enhanced `theme.json` with custom templates and template parts registration
- Enhanced `functions.php` with block editor assets, block categories, and pattern categories
- Enhanced `ContextBuilder` with header/footer variant methods
- Enhanced `TemplateController` with custom page template slug routing
- Updated translation files (`.pot` and `de_CH.po`) with all new translatable strings
## [0.1.1] - 2026-02-08
### Added
- Twig-based frontend rendering via `template_redirect` hook, bypassing FSE block markup on the frontend while preserving Site Editor functionality
- `TemplateController` class: resolves and renders Twig templates for all page types (home, single, page, archive, search, 404)
- `ContextBuilder` class: gathers WordPress data (posts, menus, pagination, comments, sidebar, archive info) into structured arrays for Twig
- `NavWalker` class: converts flat `wp_get_nav_menu_items()` into nested tree for Bootstrap dropdown menus
- 20 Twig templates with proper Bootstrap 5 HTML: base layout, 5 page templates, 9 partials (header, footer, pagination, sidebar, comments, search form, dark mode toggle, meta, post navigation), 3 components (post card, post grid card, post loop)
- Bootstrap 5 navbar with responsive collapse, brand, dropdown support, and dark mode toggle
- Bootstrap 5 card components for post listings
- Bootstrap 5 pagination component
- Bootstrap 5 comment section with threaded replies and Bootstrap-styled form fields
- Bootstrap 5 sidebar with recent posts, search, and tag cloud (badges)
- Previous/next post navigation and "More posts" grid on single posts
- WordPress functions in Twig: `wp_head`, `wp_footer`, `wp_body_open`, `language_attributes`, `body_class`, `home_url`, `get_bloginfo`, `get_search_query`, `wp_kses_post`, `number_format_i18n`, `_n`
- Twig globals: `site_name`, `site_description`, `site_url`, `theme_uri`, `charset`, `current_year`
- Twig filters: `wpautop`, `wp_kses_post`
- `primary` and `footer` navigation menu locations
- Comment form fields filter for Bootstrap classes (`form-control`, `form-label`, `form-check`, `btn`)
- Fallback menu from published pages when no menu is assigned
- Sidebar layout detection for "Blog with Sidebar" template
- README.md with project documentation
### Changed
- Enhanced `TwigService` with WordPress output-buffering functions, globals, and filters
## [0.1.0] - 2026-02-08
### Added
- Dark mode toggle with Bootstrap 5.3 `data-bs-theme` attribute, localStorage persistence, and `prefers-color-scheme` support
- 16 new block patterns: hero (cover, split, centered), features (3-col, icon list, 2-col offset), CTA (banner, newsletter), testimonials (2-col, centered), pricing (3-col), contact info, FAQ, about section, sidebar, dark mode toggle
- 17 custom block styles: cards (2), alerts (4), table variants (3), quote accent, image effects (2), button sizes (2), list styles (2), separator wide
- 4 style variations (color schemes): Ocean, Forest, Sunset, Midnight
- Sidebar template part with recent posts, search, and tag cloud
- "Blog with Sidebar" custom page template
- Inter (sans-serif) and Lora (serif) variable web fonts
- "Display" font size for hero headings
- 7 new pattern categories: hero, CTA, features, testimonials, pricing, contact, text
- Dark mode overrides for alert and card block styles in SCSS
### Changed
- Header pattern now includes dark mode toggle button
- Build pipeline adds theme JS copy step (`copy:theme-js`)
## [0.0.1] - 2026-02-08
### Added
- Initial theme scaffolding
- Bootstrap 5 CSS and JS integration (served locally via npm)
- SASS build pipeline with Dart Sass, PostCSS, Autoprefixer, cssnano
- Twig 3.0 template engine integration via Composer
- FSE templates: index, home, single, page, archive, search, 404
- Template parts: header, footer
- Block patterns: header, footer, query loop, comments, post navigation, more posts, 404, search, blog heading, written by
- `theme.json` with Bootstrap 5-aligned design tokens (colors, typography, spacing)
- WordPress i18n support with `en_US` (base) and `de_CH` translations
- Gitea CI/CD workflow for automated release packages
- Editor styles for block editor compatibility
Reference in New Issue View Git Blame Copy Permalink