Skip to content

Releases: cakmoel/Scriptlog

v1.5.1

Choose a tag to compare

@cakmoel cakmoel released this 10 Jul 14:24

[1.5.1] - 2026-07-10

Added

  • Unit tests: 11 new test files covering recent type safety, filter validation, and error handling fixes — DaoFilteringIdTest (11 tests), PostServiceNewMethodsTest (9 tests), PostModelQueryTest (8 tests), MediaDaoBugFixesTest (6 tests), FormSecurityFunctionsTest (13 tests), FunctionsThemeTest (11 tests), PageControllerTest (7 tests), HumanLoginValidateTest (8 tests), UploadPhotoFunctionTest (7 tests), PostDaoDeleteRecordTest (6 tests), PostControllerConstructorTest (10 tests)

Fixed

  • Dao::filteringId(): Now throws InvalidArgumentException instead of DbException; returns int for 'sql' type with positive integer validation
  • PostDao::updatePost(): Added explicit null third parameter to deleteRecord() call
  • MediaDao::findMediaBlog(): Fixed return type from boolean true to null for empty results
  • MediaDao::imageUploadHandler(): Added null check on $data_media before array access
  • PostModel: Migrated all JOINs from INNER JOIN to LEFT JOIN for tbl_media; moved media filter conditions from WHERE to ON clause; fixed tbl_usertbl_users in getPostByAuthor()
  • PostService::setPostContent(): Added $skipPurify parameter to bypass HTMLPurifier for encrypted content
  • form-security.php::check_form_request(): Added $alwaysAllowed fields (csrfToken, postFormSubmit, MAX_FILE_SIZE) that skip whitelist validation
  • human-login.php::validate_login_context(): Expanded whitelist with csrf, remember fields
  • upload-photo.php::upload_photo(): Skip set_origin_photo() when fileinfo extension is loaded (file already moved by set_webp_origin)
  • PostController: Refactored constructor to accept TopicDao and MediaDao; delegated image handling to PostService; expanded payload whitelist with post_password, post_locale, post_tags
  • PageController: Added post_modified to check_form_request() whitelist in insert() and update()
  • admin/posts.php: Updated PostController instantiation with 3 constructor arguments
  • Theme functions: Added filter_var() validation to link_tag() and link_topic(); added ID validation to retrieve_detail_post(); added get_post_thumbnail() function with fallback image
  • single.php: Added 404 validation when post not found; added default value initialization for all template variables; restructured protected post content processing with proper isset() guards

Changed

  • PostController: Refactored insert() and update() to use injected DAOs instead of creating new instances; removed handlePostImage(), handleDefaultImage(), handleUploadedImage() (moved to PostService)
  • PostService: Added processPostImage(), processDefaultImage(), processUploadedImage() methods orchestrating image handling logic

Chore

  • Updated translation cache files and exception log

Notes

Patch release focused on type safety hardening, input validation, and error handling improvements across DAO, Service, Controller, and Model layers. 11 new test files (94+ tests) added to cover all recent changes. 33 commits since v1.5.0.

Codename

Maleo Senkawor – Honoring Macrocephalon maleo, the critically endangered megapode endemic to Sulawesi, Indonesia.

Download Scriptlog

v1.5.0

Choose a tag to compare

@cakmoel cakmoel released this 09 Jul 08:06

[1.5.0] - 2026-07-09

Added

  • IIS web.config generation: New write-web-config.php utility for Microsoft IIS web.config rewrite rules (NGINX-style)
  • FrontHelper class: Static delegation layer providing convenient access to FrontService methods (e.g., FrontHelper::getPosts(), FrontHelper::getPages())
  • IIS detection: Microsoft IIS server detection added to detect-web-server.php
  • Installer IIS note: IIS configuration guidance displayed in the installation wizard (setup.php, finish.php)
  • Permalink IIS support: IIS web.config option added to the permalink configuration dropdown
  • Unit tests: 6 new test files — WebServerDetectionTest (12 tests), NginxConfigWriterTest (20 tests), WebConfigWriterTest (13 tests), ThemeMetaTest, LogErrorTest, and 7 handler test files (Archive/Blog/Category/Home/Page/Privacy/Post/Tag handlers)

Changed

  • FrontService: Refactored to use standalone database queries instead of delegating to FrontHelper; public interface now accessible via FrontHelper static methods
  • DAO layer: SQL injection prevention and return type hints added to PostDao, PageDao, PageService, PostService
  • Handler classes: PHPDoc blocks added and return type consistency improved across all front-end request handlers
  • LogError: Added return type hint and return value to setStatusCode()
  • Installer: Batch insert optimization and debug logging removal in setup wizard
  • Translation cache: Updated en.json and es.json

Removed

  • Development themes: Removed unused theme files
  • Duplicate test files: Removed 4 redundant test files — AdditionalUtilityFunctionsTest.php, UserDaoTest.php, PostDaoMethodIntegrationTest.php, TopicDaoTest.php (1686 lines)

Notes

Feature release focused on IIS web server support, FrontService delegation layer, expanded test coverage (45+ new tests), and code quality improvements across DAO and handler layers. Redundant test files consolidated.

Download Scriptlog

v1.4.0

Choose a tag to compare

@cakmoel cakmoel released this 06 Jul 08:48

[1.4.0] - 2026-07-06

Added

  • ThemeRendererInterface: New interface for theme rendering with constructor dependency injection
  • ThemeResolutionException: New exception class with factory methods for common failure modes
  • IServiceThrowable interface: Replaces deprecated IEventThrowable; extends IThrowable for consistent service-layer exception handling
  • Unit tests: 3 new test files (IServiceThrowableTest, ThemeRendererInterfaceTest, ThemeResolutionExceptionTest) — 4 tests

Changed

  • ThemeRenderer: Refactored to implement ThemeRendererInterface with constructor injection, documented public API, and improved theme directory resolution
  • Core library classes: Refactored Bootstrap, Dispatcher, HandleRequest, ApiRouter, Authentication, CSRFGuard, and other core classes with improved type safety, modular private methods, and code quality
  • All controllers: Refactored PostController, UserController, MediaController, MenuController, PageController, PluginController, ThemeController, ReplyController, DownloadAdminController, and all API controllers with improved type safety
  • DAO layer: Updated PostDao, PageDao, PluginDao, UserTokenDao, TopicDao, ThemeDao, MenuDao, PostTopicDao with improved type safety
  • Service layer: Updated PostService, PageService, UserService, MigrationService, MediaService, PluginService, TranslationService, and other services
  • Theme templates: Updated header, footer, download, and functions templates with deferred CSS loading for performance
  • Admin UI templates: Updated all admin templates with security improvements
  • Installation wizard: Updated setup-db.php and finish.php with improved setup logic
  • Autoloader: Updated with new class mappings for new interfaces and classes
  • Utility files: Updated with improved security and type safety
  • Dependencies: Updated composer.json (added explicit PHP extension requirements: ext-json, ext-mbstring, ext-pdo, ext-fileinfo, ext-openssl, ext-gd; removed guzzlehttp/psr7); updated composer.lock

Fixed

  • Test fixes: Fixed failing tests for Bootstrap property rename, NumberCpus code changes, PerformanceOptimization CSS deferral, and ThemeRenderer refactor

Removed

  • IEventThrowable: Deprecated interface removed, replaced by IServiceThrowable
  • Avatar images: Removed unused avatar images from admin assets
  • $config global: Removed unused $config = array() from common.php
  • start-session-on-site.php: Removed unused utility

Security

  • Utility files: Updated with improved security and type safety across utility functions

Notes

Maintenance release focused on code quality improvements across the entire codebase — refactoring core library classes with new interfaces, improved type safety, deferred CSS loading for performance, updated dependencies, and expanded test coverage. All unit tests passing.

Codename

Maleo Senkawor — Honoring Macrocephalon maleo, the critically endangered megapode endemic to Sulawesi, Indonesia.

Download Scriptlog

v1.3.1

Choose a tag to compare

@cakmoel cakmoel released this 02 Jul 17:53

[1.3.1] - 2026-07-03

Fixed

  • I18nManager magic methods: Added __unserialize() method to I18nManager singleton to align with PHP 8.5 deprecation of __wakeup and prevent serialization bypasses.

Notes

Patch release addressing PHP 8.5 magic method deprecation and hardening singleton serialization.

Codename

Maleo Senkawor – Honoring Macrocephalon maleo, the critically endangered megapode endemic to Sulawesi, Indonesia.

Comparison

  • Previous release: v1.3.0
  • Changes since v1.3.0: 2 commits

Download Scriptlog

v1.3.0

Choose a tag to compare

@cakmoel cakmoel released this 01 Jul 03:57

[1.3.0] - 2026-07-01

Added

  • referrer_policy() function: New security header function for Referrer-Policy configuration
  • permissions_policy() function: New security header function for Permissions-Policy configuration
  • Security headers to API entry point: X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, and Permissions-Policy headers integrated into api/index.php
  • Bootstrap security header integration: referrer_policy and permissions_policy wired into Bootstrap::applySecurity()
  • CSRF protection for API write endpoints: validateCsrfForWrite() and generateCsrfToken() methods in ApiAuth
  • CSRF validation in API controllers: Integrated CSRF validation into MediaApiController and other API controllers
  • create_encoded_key() hardening: Defuse cipher key derivation with _try_decrypt() helper for multi-path backward-compatible decryption
  • Controller test suite: 5 new test files (PostController, UserController, CommentController, MediaController, TopicController) — 34 tests
  • Core class test suite: 6 new test files (SessionMaker, Paginator, Sanitize, DbFactory, Dispatcher, View) — 65 tests
  • phpunit.xml suite directories: Added Controller Tests and Core Tests directories to the PHPUnit configuration

Changed

  • Password hashing: Upgraded from md5 to sha256 in protect_post() and setPassPhrase() for stronger hashing
  • CSP hardening: Removed unsafe-eval from Content-Security-Policy; added Report-Only header for migration monitoring
  • Dynamic tests badge: Replaced static badge with dynamic GitHub Actions badge in README

Fixed

  • Test infrastructure: Registry::set('dbc') added for Dao, MediaDao, Authentication constructors in integration tests
  • Locale column length: Shortened lang_code from VARCHAR(20) to VARCHAR(10) to match schema
  • Unique locale collision: Fixed via counter in test data setup
  • is_html cast: Cast to integer 0 instead of boolean false in translation tests
  • DownloadUtilityTest race condition: Resolved time() + 1 race condition in data provider
  • DownloadCreateLinkTest paths: Corrected file paths for src/ directory structure
  • Theme auto-activate test: Deactivate all themes first to ensure clean state
  • Removed stale tests: Removed tests for non-existent setCredential() method and crendential property
  • Translation insert transaction: Wrapped translation insert in transaction in setup-db; added hard lock detection for fully installed databases
  • generate_request() null safety: Removed redundant isset($data) && before array_key_exists() calls

Security

  • Password hashing: Upgraded from md5 to sha256 for protected post passwords
  • CSP hardening: Removed unsafe-eval from Content-Security-Policy
  • Security headers: X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy added to API
  • API CSRF protection: CSRF validation for API write endpoints

Tests

  • 950 unit tests passing (2031 assertions)
  • 5 new controller test files, 6 new core class test files
  • Security headers, CSRF, encrypt-decrypt, password hashing test coverage

Notes

Feature release with security hardening (CSRF API protection, CSP hardening, password hashing upgrade, security headers), expanded test suite (+99 tests across controllers and core classes), and code quality improvements.

Codename

Maleo Senkawor – Honoring Macrocephalon maleo, the critically endangered megapode endemic to Sulawesi, Indonesia.

Comparison

  • Previous release: v1.2.3
  • Changes since v1.2.3: 50 commits

Download Scriptlog

v1.2.3

Choose a tag to compare

@cakmoel cakmoel released this 26 Jun 11:27

[1.2.3] - 2026-06-26

Added

  • check_session_dir() function: New installer requirements check for sessions directory writability
  • Sessions directory check: Added to installer requirements UI for user visibility during setup
  • .gitkeep and index.html: Protect public/files/cache/sessions/ directory from directory listing

Changed

  • resolve_session_save_path(): Added chmod fallback logic to attempt permission recovery when sessions directory exists but is not writable, with fallback to sys_get_temp_dir()

Fixed

  • Session initialization: Used resolve_session_save_path() in both Bootstrap and API session init to ensure consistent session storage location
  • PHP 7.4 backwards compatibility: Removed mixed return type declarations that caused fatal errors on PHP 7.4
  • number_cpus() mac branch: Removed redundant is_resource guard and replaced false comparison with is_resource for popen() in all branches

Security

  • Sessions directory protection: Added index.html to prevent directory listing of session files

Tests

  • Bootstrap tests: Added tests for \Throwable catch and instanceof PDO guard in theme renderer
  • number_cpus() tests: Comprehensive unit tests covering Linux, Windows, and Mac branches
  • generate_request and sanitize_urls tests: Full coverage for request generation and URL sanitization
  • db-mysqli function tests: Unit tests with is_table_exists guard coverage

Removed

  • Stale translation caches: Cleared stale en.json and es.json for clean regeneration

Notes

Maintenance release focused on session path reliability, PHP 7.4 compatibility, expanded test coverage, and installer hardening. All unit tests passing (829 tests, 1854 assertions).

Codename

Maleo Senkawor – Honoring Macrocephalon maleo, the critically endangered megapode endemic to Sulawesi, Indonesia.

Comparison

  • Previous release: v1.2.2
  • Changes since v1.2.2: 24 commits

Download Scriptlog

v1.2.2

Choose a tag to compare

@cakmoel cakmoel released this 24 Jun 21:15

v1.2.2

Security-focused release with 10+ vulnerability fixes, comprehensive utility loader stabilization, i18n expansion, and removal of external image dependencies.

Added

  • Local placeholder SVG image: Replaced external placeholder URLs with a local placeholder.svg asset across all blog templates
  • THEME_DEVELOPER_GUIDE.md: Comprehensive standalone theme reference documentation
  • Language indicator widget: i18n sidebar locale bootstrap with ARIA attributes
  • Extended locale support: Arabic, Chinese, French, Russian, Spanish, Indonesian during install
  • SidebarNavigationTest: Admin sidebar navigation tests
  • MIT license: Added to the blog theme

Security

  • SRI integrity hashes on all CSS/JS assets
  • Frontend JS hardening with cookie/anchor validation
  • XSS prevention in Summernote plugins
  • Download identifier sanitization with preg_replace
  • Prepared statements for previous/next post queries
  • CVE-2026-55766: guzzlehttp/psr7 updated to 2.12.1
  • CodeQL scanning extended to PHP

Fixed

  • ThemeRenderer DB guard hardened with PDO type check and Throwable catch
  • is_table_exists wrapped in function_exists guard
  • require_once ordering in generate-request.php
  • Session initialization before authenticator include
  • ob_start() for front controller output buffering
  • Theme directory fallback for missing header.php
  • 20+ additional bug fixes across the codebase

Changed

  • Utility loader ordering stabilized project-wide
  • Translation caches restructured (en, es, id)
  • Theme cookie expiry reduced to 30 days

Removed

  • restoblog and tastybites themes (not production-ready)

Refactored

  • External placeholder URLs removed in favor of local placeholder.svg
  • AJAX error handling simplified in comment submission and search

Full changelog: https://github.com/cakmoel/Scriptlog/blob/main/CHANGELOG.md

Download Scriptlog

v1.2.1

Choose a tag to compare

@cakmoel cakmoel released this 16 Jun 08:47

[1.2.1] - 2026-06-16

Added

  • CSS design tokens: Custom properties for colors, spacing, and typography in the blog theme
  • Dark mode support: Full theme support via prefers-color-scheme: dark media query
  • Responsive improvements: Enhanced layout adaptability for mobile, tablet, and desktop viewports

Changed

  • Blog theme templates: replaced <main> with <div> for semantic consistency across 8 templates (archive, archives, blog, category, page, single, tag, homepage)
  • Improved header navigation with better layout and accessibility
  • Enhanced footer template layout
  • Updated homepage template
  • Minified style.sea.css asset
  • Updated test bootstrap and file paths to match project structure

Fixed

  • PHPUnit binary path corrected from vendor/bin/phpunit to lib/vendor/bin/phpunit in CI workflow
  • Added workflow_dispatch trigger to CI workflow for manual test runs
  • Fixed stale tastybites theme test files (theme was previously removed)
  • Corrected test file paths from ../../lib/ to ../../src/lib/ project-wide

Removed

  • Stale test files for deleted tastybites theme (4 files)

Notes

Minor release focused on theme modernization with CSS design tokens, dark mode support, responsive improvements, and CI/test infrastructure cleanup. This version re-releases the same content as v1.2.0 under a new tag to avoid upstream tag mutation lock on Packagist.

Codename

Maleo Senkawor -- Honoring Macrocephalon maleo, the critically endangered megapode endemic to Sulawesi, Indonesia.

Download Scriptlog

v1.1.0

Choose a tag to compare

@cakmoel cakmoel released this 13 Jun 12:23

v1.1.0 — Maleo Senkawor

Added

  • Handler system: New front-end request handling pipeline with dedicated handlers for each content type (ArchiveHandler, BlogHandler, CategoryHandler, DownloadHandler, FrontRequestHandler, HomeHandler, PageHandler, PostHandler, PrivacyHandler, TagHandler) and a central HandlerRegistry
  • FrontService: New service layer for front-end content retrieval and rendering
  • ThemeRenderer: New core class for theme rendering
  • CSRF/XSS protection: Comprehensive protection across all admin UI templates
  • CSS design tokens: Custom properties for colors, spacing, typography in blog theme
  • Dark mode support: prefers-color-scheme: dark media query with full theme support
  • Test suite expansion: 25+ new test files covering handlers, services, downloads, integration
  • Psalm static analysis: Configuration files for improved code quality enforcement

Changed

  • Revamped blog theme templates with semantic HTML and accessibility improvements
  • Enhanced header navigation, footer layout, single post view, and 404 page
  • Updated all controllers, DAOs, services for PHP 8.x compatibility
  • Replaced <main> with <div> for semantic consistency across 8 templates

Fixed

  • Test infrastructure: Corrected 30+ test file paths to match project structure
  • CI workflow: Fixed phpunit binary path and added workflow_dispatch trigger
  • Removed stale test files for deleted tastybites theme
  • Fixed multiple test logic issues (InstallationTest, DownloadHandlerTest, ConfigFileGenerationTest)
  • Updated .gitignore to exclude lib/vendor/

Removed

  • Stale test files for deleted tastybites theme (4 files)
  • Unused CSS from blog theme

Full Changelog: v1.0.8...v1.1.0

Download Scriptlog

v1.0.8

Choose a tag to compare

@cakmoel cakmoel released this 14 May 09:03

Fixed

  • Fixed terms-of-use link path in signup form (src/admin/signup.php)
  • Changed recommended permissions from 777 to 755 for public/cache/ and public/log/ directories (README.md, src/docs/DEVELOPER_GUIDE.md)

Notes

Patch release fixing the terms-of-use link URL and hardening directory permissions.

Codename

Maleo Senkawor – Honoring Macrocephalon maleo, the critically endangered megapode endemic to Sulawesi, Indonesia.

Download Scriptlog