revert: Restore conditional the_content filter usage

- Reverted nuclear option from v0.4.8
- get_post_data() now uses the_content filter conditionally
- All other protections remain in place
- Memory leak investigation to be continued later

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

CHANGELOG.md

@@ -7,6 +7,46 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.4.9] - 2026-02-02
+
+### Changed
+
+- **Reverted nuclear option** - Restored conditional the_content filter usage
+  - `get_post_data()` now uses the_content filter only when NOT in shortcode context, NOT at depth > 1, and NOT loading page template
+  - All other protections remain in place (render depth, page template loading flag, main template lock, shortcode context)
+  - Memory leak investigation to be continued later
+
+## [0.4.8] - 2026-02-02
+
+### Fixed
+
+- **Nuclear option: NEVER apply the_content filter** - Completely removed the_content filter usage (reverted in 0.4.9)
+  - `get_post_data()` now ALWAYS strips shortcodes and uses raw content
+  - NEVER calls `apply_filters('the_content', ...)` or `get_the_excerpt()`
+  - FediStream posts don't need shortcode processing in their content anyway
+  - This guarantees no recursion through WordPress hook system
+
+## [0.4.7] - 2026-02-02
+
+### Fixed
+
+- **Hard main template rendering lock** - Added additional protection at Plugin::render() level
+  - Added `$rendering_main_template` flag that completely blocks any other render calls while main template is rendering
+  - Reduced MAX_RENDER_DEPTH from 5 to 2 (allows one level of {% include %} but prevents deeper recursion)
+  - template-wrapper.php now passes `is_main_template = true` to enable the hard lock
+  - Any render attempt during main template rendering is immediately blocked
+
+## [0.4.6] - 2026-02-02
+
+### Fixed
+
+- **Page template loading lock** - Block ALL shortcode rendering during page template loading
+  - Added `$loading_page_template` flag in TemplateLoader
+  - template-wrapper.php now sets this flag before loading theme header/footer
+  - Shortcodes::render_template() checks this flag and returns early if set
+  - This prevents any recursion triggered by theme components, widgets, or other plugins during page template loading
+  - Main template rendering still works (uses Plugin::render() directly, not through Shortcodes)
+
 ## [0.4.5] - 2026-02-02
 
 ### Fixed
@@ -243,7 +283,11 @@ Initial release of WP FediStream - a WordPress plugin for streaming music over A
 
 ---
 
-[Unreleased]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.5...HEAD
+[Unreleased]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.9...HEAD
+[0.4.9]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.8...v0.4.9
+[0.4.8]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.7...v0.4.8
+[0.4.7]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.6...v0.4.7
+[0.4.6]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.5...v0.4.6
 [0.4.5]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.4...v0.4.5
 [0.4.4]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.3...v0.4.4
 [0.4.3]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.2...v0.4.3

includes/Frontend/Shortcodes.php

@@ -552,6 +552,12 @@ class Shortcodes {
      * @return string
      */
     private function render_template( string $template, array $context ): string {
+        // Block shortcode rendering while loading page template to prevent recursion.
+        // This catches any shortcodes triggered by theme header/footer, widgets, etc.
+        if ( TemplateLoader::is_loading_page_template() ) {
+            return '<!-- FediStream: shortcode blocked during page template loading -->';
+        }
+
         // Check for unlicensed mode.
         if ( $this->unlicensed_mode ) {
             return $this->get_unlicensed_message();

includes/Frontend/TemplateLoader.php

@@ -44,6 +44,42 @@ class TemplateLoader {
      */
     private static int $shortcode_context_depth = 0;
 
+    /**
+     * Flag indicating we're currently loading a FediStream page template.
+     * This completely blocks any nested FediStream shortcode rendering.
+     *
+     * @var bool
+     */
+    private static bool $loading_page_template = false;
+
+    /**
+     * Enter page template loading mode.
+     * This blocks ALL shortcode rendering during page template loading.
+     *
+     * @return void
+     */
+    public static function enter_page_template_loading(): void {
+        self::$loading_page_template = true;
+    }
+
+    /**
+     * Exit page template loading mode.
+     *
+     * @return void
+     */
+    public static function exit_page_template_loading(): void {
+        self::$loading_page_template = false;
+    }
+
+    /**
+     * Check if we're loading a page template.
+     *
+     * @return bool
+     */
+    public static function is_loading_page_template(): bool {
+        return self::$loading_page_template;
+    }
+
     /**
      * Enter shortcode rendering context.
      * Call this before rendering shortcode content to prevent recursive shortcode processing.
@@ -256,9 +292,12 @@ class TemplateLoader {
         // Skip the_content filter if:
         // 1. We're in a shortcode context (prevents recursive shortcode processing)
         // 2. We're at depth > 1 (nested data loading)
-        $skip_content_filter = self::$shortcode_context_depth > 0 || self::$recursion_depth > 1;
+        // 3. We're loading a page template
+        $skip_content_filter = self::$shortcode_context_depth > 0
+            || self::$recursion_depth > 1
+            || self::$loading_page_template;
 
-        // When skipping content filter, also use raw excerpt to avoid get_the_excerpt()
+        // When skipping content filter, use raw excerpt to avoid get_the_excerpt()
         // triggering the_content filter internally when generating auto-excerpts.
         if ( $skip_content_filter ) {
             $excerpt = $post->post_excerpt;
@@ -270,7 +309,7 @@ class TemplateLoader {
             $excerpt = get_the_excerpt( $post );
         }
 
-        // When skipping content filter, also strip shortcodes to prevent them from
+        // When skipping content filter, strip shortcodes to prevent them from
         // being processed by anything else that might call do_shortcode on the output.
         if ( $skip_content_filter ) {
             $content = strip_shortcodes( $post->post_content );

includes/Frontend/template-wrapper.php

@@ -13,7 +13,10 @@ if ( ! defined( 'ABSPATH' ) ) {
 use WP_FediStream\Plugin;
 use WP_FediStream\Frontend\TemplateLoader;
 
-// Enter shortcode context to prevent recursive shortcode processing in post content.
+// Enter page template loading mode - this completely blocks nested FediStream rendering.
+TemplateLoader::enter_page_template_loading();
+
+// Also enter shortcode context to prevent recursive shortcode processing in post content.
 TemplateLoader::enter_shortcode_context();
 
 // Get template context.
@@ -57,7 +60,8 @@ get_header();
     if ( $template_name ) {
         try {
             // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
-            echo $plugin->render( $template_name, $context );
+            // Pass true for is_main_template to set the hard rendering lock.
+            echo $plugin->render( $template_name, $context, true );
         } catch ( \Exception $e ) {
             if ( WP_DEBUG ) {
                 echo '<div class="fedistream-error">';
@@ -78,7 +82,8 @@ get_header();
 </main>
 
 <?php
-// Exit shortcode context.
+// Exit shortcode context and page template loading mode.
 TemplateLoader::exit_shortcode_context();
+TemplateLoader::exit_page_template_loading();
 
 get_footer();

includes/Plugin.php

@@ -64,10 +64,19 @@ final class Plugin {
 
     /**
      * Maximum allowed Twig render depth.
+     * Set to 2 to allow one level of nested includes but prevent deeper recursion.
      *
      * @var int
      */
-    private const MAX_RENDER_DEPTH = 5;
+    private const MAX_RENDER_DEPTH = 2;
+
+    /**
+     * Flag to track if we're currently rendering the main page template.
+     * This is a hard lock that prevents ANY other rendering.
+     *
+     * @var bool
+     */
+    private static bool $rendering_main_template = false;
 
     /**
      * Post type instances.
@@ -856,18 +865,32 @@ final class Plugin {
      * @param array  $context  Template context variables.
      * @return string Rendered template.
      */
-    public function render( string $template, array $context = array() ): string {
+    public function render( string $template, array $context = array(), bool $is_main_template = false ): string {
+        // If we're already rendering the main template, block any other renders.
+        if ( self::$rendering_main_template && ! $is_main_template ) {
+            return '<!-- FediStream: blocked during main template render -->';
+        }
+
         // Prevent infinite recursion in Twig rendering.
         if ( self::$render_depth >= self::MAX_RENDER_DEPTH ) {
             return '<!-- FediStream: render depth exceeded -->';
         }
 
+        // Set main template lock if this is the main template.
+        $was_main = self::$rendering_main_template;
+        if ( $is_main_template ) {
+            self::$rendering_main_template = true;
+        }
+
         ++self::$render_depth;
 
         try {
             $result = $this->twig->render( $template . '.twig', $context );
         } finally {
             --self::$render_depth;
+            if ( $is_main_template ) {
+                self::$rendering_main_template = $was_main;
+            }
         }
 
         return $result;

wp-fedistream.php

@@ -3,7 +3,7 @@
  * Plugin Name: WP FediStream
  * Plugin URI: https://src.bundespruefstelle.ch/magdev/wp-fedistream
  * Description: Stream music over ActivityPub - Build your own music streaming platform for Musicians and Labels.
- * Version: 0.4.5
+ * Version: 0.4.9
  * Requires at least: 6.4
  * Requires PHP: 8.3
  * Author: Marco Graetsch
@@ -26,7 +26,7 @@ if ( ! defined( 'ABSPATH' ) ) {
  *
  * @var string
  */
-define( 'WP_FEDISTREAM_VERSION', '0.4.5' );
+define( 'WP_FEDISTREAM_VERSION', '0.4.9' );
 
 /**
  * Plugin file path.