Releases: cakmoel/Scriptlog
Release list
v1.5.1
[1.5.1] - 2026-07-10
Added
- Unit tests: 11 new test files covering recent type safety, filter validation, and error handling fixes —
DaoFilteringIdTest(11 tests),PostServiceNewMethodsTest(9 tests),PostModelQueryTest(8 tests),MediaDaoBugFixesTest(6 tests),FormSecurityFunctionsTest(13 tests),FunctionsThemeTest(11 tests),PageControllerTest(7 tests),HumanLoginValidateTest(8 tests),UploadPhotoFunctionTest(7 tests),PostDaoDeleteRecordTest(6 tests),PostControllerConstructorTest(10 tests)
Fixed
- Dao::filteringId(): Now throws
InvalidArgumentExceptioninstead ofDbException; returnsintfor'sql'type with positive integer validation - PostDao::updatePost(): Added explicit
nullthird parameter todeleteRecord()call - MediaDao::findMediaBlog(): Fixed return type from boolean
truetonullfor empty results - MediaDao::imageUploadHandler(): Added null check on
$data_mediabefore array access - PostModel: Migrated all JOINs from
INNER JOINtoLEFT JOINfortbl_media; moved media filter conditions from WHERE to ON clause; fixedtbl_user→tbl_usersingetPostByAuthor() - PostService::setPostContent(): Added
$skipPurifyparameter to bypass HTMLPurifier for encrypted content - form-security.php::check_form_request(): Added
$alwaysAllowedfields (csrfToken,postFormSubmit,MAX_FILE_SIZE) that skip whitelist validation - human-login.php::validate_login_context(): Expanded whitelist with
csrf,rememberfields - upload-photo.php::upload_photo(): Skip
set_origin_photo()whenfileinfoextension is loaded (file already moved byset_webp_origin) - PostController: Refactored constructor to accept
TopicDaoandMediaDao; delegated image handling toPostService; expanded payload whitelist withpost_password,post_locale,post_tags - PageController: Added
post_modifiedtocheck_form_request()whitelist ininsert()andupdate() - admin/posts.php: Updated
PostControllerinstantiation with 3 constructor arguments - Theme functions: Added
filter_var()validation tolink_tag()andlink_topic(); added ID validation toretrieve_detail_post(); addedget_post_thumbnail()function with fallback image - single.php: Added 404 validation when post not found; added default value initialization for all template variables; restructured protected post content processing with proper
isset()guards
Changed
- PostController: Refactored
insert()andupdate()to use injected DAOs instead of creating new instances; removedhandlePostImage(),handleDefaultImage(),handleUploadedImage()(moved to PostService) - PostService: Added
processPostImage(),processDefaultImage(),processUploadedImage()methods orchestrating image handling logic
Chore
- Updated translation cache files and exception log
Notes
Patch release focused on type safety hardening, input validation, and error handling improvements across DAO, Service, Controller, and Model layers. 11 new test files (94+ tests) added to cover all recent changes. 33 commits since v1.5.0.
Codename
Maleo Senkawor – Honoring Macrocephalon maleo, the critically endangered megapode endemic to Sulawesi, Indonesia.
v1.5.0
[1.5.0] - 2026-07-09
Added
- IIS web.config generation: New
write-web-config.phputility for Microsoft IISweb.configrewrite rules (NGINX-style) FrontHelperclass: Static delegation layer providing convenient access to FrontService methods (e.g.,FrontHelper::getPosts(),FrontHelper::getPages())- IIS detection: Microsoft IIS server detection added to
detect-web-server.php - Installer IIS note: IIS configuration guidance displayed in the installation wizard (
setup.php,finish.php) - Permalink IIS support: IIS
web.configoption added to the permalink configuration dropdown - Unit tests: 6 new test files —
WebServerDetectionTest(12 tests),NginxConfigWriterTest(20 tests),WebConfigWriterTest(13 tests),ThemeMetaTest,LogErrorTest, and 7 handler test files (Archive/Blog/Category/Home/Page/Privacy/Post/Tag handlers)
Changed
- FrontService: Refactored to use standalone database queries instead of delegating to FrontHelper; public interface now accessible via FrontHelper static methods
- DAO layer: SQL injection prevention and return type hints added to
PostDao,PageDao,PageService,PostService - Handler classes: PHPDoc blocks added and return type consistency improved across all front-end request handlers
- LogError: Added return type hint and return value to
setStatusCode() - Installer: Batch insert optimization and debug logging removal in setup wizard
- Translation cache: Updated
en.jsonandes.json
Removed
- Development themes: Removed unused theme files
- Duplicate test files: Removed 4 redundant test files —
AdditionalUtilityFunctionsTest.php,UserDaoTest.php,PostDaoMethodIntegrationTest.php,TopicDaoTest.php(1686 lines)
Notes
Feature release focused on IIS web server support, FrontService delegation layer, expanded test coverage (45+ new tests), and code quality improvements across DAO and handler layers. Redundant test files consolidated.
v1.4.0
[1.4.0] - 2026-07-06
Added
ThemeRendererInterface: New interface for theme rendering with constructor dependency injectionThemeResolutionException: New exception class with factory methods for common failure modesIServiceThrowableinterface: Replaces deprecatedIEventThrowable; extendsIThrowablefor consistent service-layer exception handling- Unit tests: 3 new test files (
IServiceThrowableTest,ThemeRendererInterfaceTest,ThemeResolutionExceptionTest) — 4 tests
Changed
- ThemeRenderer: Refactored to implement
ThemeRendererInterfacewith constructor injection, documented public API, and improved theme directory resolution - Core library classes: Refactored Bootstrap, Dispatcher, HandleRequest, ApiRouter, Authentication, CSRFGuard, and other core classes with improved type safety, modular private methods, and code quality
- All controllers: Refactored PostController, UserController, MediaController, MenuController, PageController, PluginController, ThemeController, ReplyController, DownloadAdminController, and all API controllers with improved type safety
- DAO layer: Updated PostDao, PageDao, PluginDao, UserTokenDao, TopicDao, ThemeDao, MenuDao, PostTopicDao with improved type safety
- Service layer: Updated PostService, PageService, UserService, MigrationService, MediaService, PluginService, TranslationService, and other services
- Theme templates: Updated header, footer, download, and functions templates with deferred CSS loading for performance
- Admin UI templates: Updated all admin templates with security improvements
- Installation wizard: Updated
setup-db.phpandfinish.phpwith improved setup logic - Autoloader: Updated with new class mappings for new interfaces and classes
- Utility files: Updated with improved security and type safety
- Dependencies: Updated
composer.json(added explicit PHP extension requirements:ext-json,ext-mbstring,ext-pdo,ext-fileinfo,ext-openssl,ext-gd; removedguzzlehttp/psr7); updatedcomposer.lock
Fixed
- Test fixes: Fixed failing tests for Bootstrap property rename, NumberCpus code changes, PerformanceOptimization CSS deferral, and ThemeRenderer refactor
Removed
IEventThrowable: Deprecated interface removed, replaced byIServiceThrowable- Avatar images: Removed unused avatar images from admin assets
$configglobal: Removed unused$config = array()fromcommon.phpstart-session-on-site.php: Removed unused utility
Security
- Utility files: Updated with improved security and type safety across utility functions
Notes
Maintenance release focused on code quality improvements across the entire codebase — refactoring core library classes with new interfaces, improved type safety, deferred CSS loading for performance, updated dependencies, and expanded test coverage. All unit tests passing.
Codename
Maleo Senkawor — Honoring Macrocephalon maleo, the critically endangered megapode endemic to Sulawesi, Indonesia.
v1.3.1
[1.3.1] - 2026-07-03
Fixed
- I18nManager magic methods: Added __unserialize() method to I18nManager singleton to align with PHP 8.5 deprecation of __wakeup and prevent serialization bypasses.
Notes
Patch release addressing PHP 8.5 magic method deprecation and hardening singleton serialization.
Codename
Maleo Senkawor – Honoring Macrocephalon maleo, the critically endangered megapode endemic to Sulawesi, Indonesia.
Comparison
- Previous release: v1.3.0
- Changes since v1.3.0: 2 commits
v1.3.0
[1.3.0] - 2026-07-01
Added
referrer_policy()function: New security header function for Referrer-Policy configurationpermissions_policy()function: New security header function for Permissions-Policy configuration- Security headers to API entry point: X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, and Permissions-Policy headers integrated into
api/index.php - Bootstrap security header integration:
referrer_policyandpermissions_policywired intoBootstrap::applySecurity() - CSRF protection for API write endpoints:
validateCsrfForWrite()andgenerateCsrfToken()methods inApiAuth - CSRF validation in API controllers: Integrated CSRF validation into MediaApiController and other API controllers
create_encoded_key()hardening: Defuse cipher key derivation with_try_decrypt()helper for multi-path backward-compatible decryption- Controller test suite: 5 new test files (PostController, UserController, CommentController, MediaController, TopicController) — 34 tests
- Core class test suite: 6 new test files (SessionMaker, Paginator, Sanitize, DbFactory, Dispatcher, View) — 65 tests
- phpunit.xml suite directories: Added Controller Tests and Core Tests directories to the PHPUnit configuration
Changed
- Password hashing: Upgraded from md5 to sha256 in
protect_post()andsetPassPhrase()for stronger hashing - CSP hardening: Removed
unsafe-evalfrom Content-Security-Policy; added Report-Only header for migration monitoring - Dynamic tests badge: Replaced static badge with dynamic GitHub Actions badge in README
Fixed
- Test infrastructure:
Registry::set('dbc')added for Dao, MediaDao, Authentication constructors in integration tests - Locale column length: Shortened
lang_codefrom VARCHAR(20) to VARCHAR(10) to match schema - Unique locale collision: Fixed via counter in test data setup
is_htmlcast: Cast to integer 0 instead of boolean false in translation tests- DownloadUtilityTest race condition: Resolved
time() + 1race condition in data provider - DownloadCreateLinkTest paths: Corrected file paths for
src/directory structure - Theme auto-activate test: Deactivate all themes first to ensure clean state
- Removed stale tests: Removed tests for non-existent
setCredential()method andcrendentialproperty - Translation insert transaction: Wrapped translation insert in transaction in setup-db; added hard lock detection for fully installed databases
generate_request()null safety: Removed redundantisset($data) &&beforearray_key_exists()calls
Security
- Password hashing: Upgraded from md5 to sha256 for protected post passwords
- CSP hardening: Removed
unsafe-evalfrom Content-Security-Policy - Security headers: X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy added to API
- API CSRF protection: CSRF validation for API write endpoints
Tests
- 950 unit tests passing (2031 assertions)
- 5 new controller test files, 6 new core class test files
- Security headers, CSRF, encrypt-decrypt, password hashing test coverage
Notes
Feature release with security hardening (CSRF API protection, CSP hardening, password hashing upgrade, security headers), expanded test suite (+99 tests across controllers and core classes), and code quality improvements.
Codename
Maleo Senkawor – Honoring Macrocephalon maleo, the critically endangered megapode endemic to Sulawesi, Indonesia.
Comparison
- Previous release: v1.2.3
- Changes since v1.2.3: 50 commits
v1.2.3
[1.2.3] - 2026-06-26
Added
check_session_dir()function: New installer requirements check for sessions directory writability- Sessions directory check: Added to installer requirements UI for user visibility during setup
.gitkeepandindex.html: Protectpublic/files/cache/sessions/directory from directory listing
Changed
resolve_session_save_path(): Added chmod fallback logic to attempt permission recovery when sessions directory exists but is not writable, with fallback tosys_get_temp_dir()
Fixed
- Session initialization: Used
resolve_session_save_path()in both Bootstrap and API session init to ensure consistent session storage location - PHP 7.4 backwards compatibility: Removed mixed return type declarations that caused fatal errors on PHP 7.4
number_cpus()mac branch: Removed redundantis_resourceguard and replacedfalsecomparison withis_resourceforpopen()in all branches
Security
- Sessions directory protection: Added
index.htmlto prevent directory listing of session files
Tests
- Bootstrap tests: Added tests for
\Throwablecatch andinstanceof PDOguard in theme renderer number_cpus()tests: Comprehensive unit tests covering Linux, Windows, and Mac branchesgenerate_requestandsanitize_urlstests: Full coverage for request generation and URL sanitizationdb-mysqlifunction tests: Unit tests withis_table_existsguard coverage
Removed
- Stale translation caches: Cleared stale
en.jsonandes.jsonfor clean regeneration
Notes
Maintenance release focused on session path reliability, PHP 7.4 compatibility, expanded test coverage, and installer hardening. All unit tests passing (829 tests, 1854 assertions).
Codename
Maleo Senkawor – Honoring Macrocephalon maleo, the critically endangered megapode endemic to Sulawesi, Indonesia.
Comparison
- Previous release: v1.2.2
- Changes since v1.2.2: 24 commits
v1.2.2
v1.2.2
Security-focused release with 10+ vulnerability fixes, comprehensive utility loader stabilization, i18n expansion, and removal of external image dependencies.
Added
- Local placeholder SVG image: Replaced external placeholder URLs with a local
placeholder.svgasset across all blog templates - THEME_DEVELOPER_GUIDE.md: Comprehensive standalone theme reference documentation
- Language indicator widget: i18n sidebar locale bootstrap with ARIA attributes
- Extended locale support: Arabic, Chinese, French, Russian, Spanish, Indonesian during install
- SidebarNavigationTest: Admin sidebar navigation tests
- MIT license: Added to the blog theme
Security
- SRI integrity hashes on all CSS/JS assets
- Frontend JS hardening with cookie/anchor validation
- XSS prevention in Summernote plugins
- Download identifier sanitization with preg_replace
- Prepared statements for previous/next post queries
- CVE-2026-55766: guzzlehttp/psr7 updated to 2.12.1
- CodeQL scanning extended to PHP
Fixed
- ThemeRenderer DB guard hardened with PDO type check and Throwable catch
- is_table_exists wrapped in function_exists guard
- require_once ordering in generate-request.php
- Session initialization before authenticator include
- ob_start() for front controller output buffering
- Theme directory fallback for missing header.php
- 20+ additional bug fixes across the codebase
Changed
- Utility loader ordering stabilized project-wide
- Translation caches restructured (en, es, id)
- Theme cookie expiry reduced to 30 days
Removed
- restoblog and tastybites themes (not production-ready)
Refactored
- External placeholder URLs removed in favor of local placeholder.svg
- AJAX error handling simplified in comment submission and search
Full changelog: https://github.com/cakmoel/Scriptlog/blob/main/CHANGELOG.md
v1.2.1
[1.2.1] - 2026-06-16
Added
- CSS design tokens: Custom properties for colors, spacing, and typography in the blog theme
- Dark mode support: Full theme support via
prefers-color-scheme: darkmedia query - Responsive improvements: Enhanced layout adaptability for mobile, tablet, and desktop viewports
Changed
- Blog theme templates: replaced
<main>with<div>for semantic consistency across 8 templates (archive, archives, blog, category, page, single, tag, homepage) - Improved header navigation with better layout and accessibility
- Enhanced footer template layout
- Updated homepage template
- Minified
style.sea.cssasset - Updated test bootstrap and file paths to match project structure
Fixed
- PHPUnit binary path corrected from
vendor/bin/phpunittolib/vendor/bin/phpunitin CI workflow - Added
workflow_dispatchtrigger to CI workflow for manual test runs - Fixed stale tastybites theme test files (theme was previously removed)
- Corrected test file paths from
../../lib/to../../src/lib/project-wide
Removed
- Stale test files for deleted
tastybitestheme (4 files)
Notes
Minor release focused on theme modernization with CSS design tokens, dark mode support, responsive improvements, and CI/test infrastructure cleanup. This version re-releases the same content as v1.2.0 under a new tag to avoid upstream tag mutation lock on Packagist.
Codename
Maleo Senkawor -- Honoring Macrocephalon maleo, the critically endangered megapode endemic to Sulawesi, Indonesia.
v1.1.0
v1.1.0 — Maleo Senkawor
Added
- Handler system: New front-end request handling pipeline with dedicated handlers for each content type (ArchiveHandler, BlogHandler, CategoryHandler, DownloadHandler, FrontRequestHandler, HomeHandler, PageHandler, PostHandler, PrivacyHandler, TagHandler) and a central HandlerRegistry
- FrontService: New service layer for front-end content retrieval and rendering
- ThemeRenderer: New core class for theme rendering
- CSRF/XSS protection: Comprehensive protection across all admin UI templates
- CSS design tokens: Custom properties for colors, spacing, typography in blog theme
- Dark mode support: prefers-color-scheme: dark media query with full theme support
- Test suite expansion: 25+ new test files covering handlers, services, downloads, integration
- Psalm static analysis: Configuration files for improved code quality enforcement
Changed
- Revamped blog theme templates with semantic HTML and accessibility improvements
- Enhanced header navigation, footer layout, single post view, and 404 page
- Updated all controllers, DAOs, services for PHP 8.x compatibility
- Replaced
<main>with<div>for semantic consistency across 8 templates
Fixed
- Test infrastructure: Corrected 30+ test file paths to match project structure
- CI workflow: Fixed phpunit binary path and added workflow_dispatch trigger
- Removed stale test files for deleted tastybites theme
- Fixed multiple test logic issues (InstallationTest, DownloadHandlerTest, ConfigFileGenerationTest)
- Updated .gitignore to exclude lib/vendor/
Removed
- Stale test files for deleted tastybites theme (4 files)
- Unused CSS from blog theme
Full Changelog: v1.0.8...v1.1.0
v1.0.8
Fixed
- Fixed terms-of-use link path in signup form (
src/admin/signup.php) - Changed recommended permissions from
777to755forpublic/cache/andpublic/log/directories (README.md,src/docs/DEVELOPER_GUIDE.md)
Notes
Patch release fixing the terms-of-use link URL and hardening directory permissions.
Codename
Maleo Senkawor – Honoring Macrocephalon maleo, the critically endangered megapode endemic to Sulawesi, Indonesia.