Releases: Automattic/liveblog
Releases · Automattic/liveblog
Liveblog 1.12.2
Security
- fix: gate liveblog reads on the post password requirement by @GaryJones in #910 (CWE-639 / CWE-200)
Contributors
GaryJones
Assets 3
Liveblog 1.12.1
Security
- fix: bind liveblog entry CRUD to the authorised post by @GaryJones in #895 (CWE-639 IDOR)
- fix: bind the post_state write route to the URL post by @GaryJones in #896 (CWE-639 IDOR)
- fix: stop the author autocomplete matching on email by @GaryJones in #897 (CWE-203 information exposure)
- fix: strip nested restricted shortcodes idempotently by @GaryJones in #898 (CWE-94 via CWE-185)
- fix: coerce REST entry content to a string by @GaryJones in #899 (CWE-20)
Maintenance
- npm(deps): bump qs and express by @dependabot in #893
- npm(deps): bump js-cookie from 3.0.5 to 3.0.7 by @dependabot in #892
- Actions(deps): bump shivammathur/setup-php from 2.37.0 to 2.37.1 in the actions group by @dependabot in #891
- npm(deps-dev): bump axios from 1.15.0 to 1.16.1 by @dependabot in #890
- npm(deps-dev): bump @babel/plugin-transform-modules-systemjs from 7.28.5 to 7.29.4 by @dependabot in #888
- npm(deps-dev): bump fast-uri from 3.1.0 to 3.1.2 by @dependabot in #887
- npm(deps-dev): bump ip-address from 10.1.0 to 10.2.0 by @dependabot in #885
- npm(deps): bump @lexical/list from 0.43.0 to 0.44.0 by @dependabot in #884
- npm(deps-dev): bump the dev-dependencies group with 2 updates by @dependabot in #883
- npm(deps): bump @lexical/rich-text from 0.43.0 to 0.44.0 by @dependabot in #882
- npm(deps): bump @lexical/link from 0.43.0 to 0.44.0 by @dependabot in #881
- npm(deps): bump lexical from 0.43.0 to 0.44.0 by @dependabot in #880
- npm(deps): bump @lexical/react from 0.43.0 to 0.44.0 by @dependabot in #879
- npm(deps): bump @lexical/html from 0.43.0 to 0.44.0 by @dependabot in #878
- npm(deps-dev): bump postcss from 8.5.6 to 8.5.12 by @dependabot in #877
Contributors
GaryJones and dependabot
Assets 3
Liveblog 1.12.0
Breaking change (security fix): The pre-1.12.0 /liveblog/v1/authors/<term> and /liveblog/v1/hashtags/<term> REST routes, and the matching admin-ajax liveblog_authors and liveblog_terms actions, only checked a global capability. That allowed any user holding publish_posts to enumerate every editor on the site and every entry in the hashtags taxonomy, regardless of which post — if any — they were editing (CWE-863). Closing that gap requires scoping the permission check to a specific post, which forces the post id to appear in the URL or the query string. The new shapes are /liveblog/v1/<post_id>/authors/<term>, /liveblog/v1/<post_id>/hashtags/<term>, and admin-ajax.php?action=liveblog_authors&post_id=… (likewise for liveblog_terms). The bundled JavaScript client has been updated. Anything else calling these endpoints — bespoke integrations, custom blocks, headless clients — needs to be updated to include the target post id.
Security
- fix: scope liveblog write authorisation to the target post by @GaryJones in #870 (CWE-285 BAC)
- fix: harden preview CSRF, autocomplete post-scoping, attribute escaping, and author/contributor validation by @GaryJones in #873 (CWE-352, CWE-863, CWE-79, CWE-639)
- fix: cap checks, ID sanitisation, and safer JSON-LD and AMP output by @GaryJones in #867 (CWE-285, CWE-20, CWE-79)
Documentation
- docs: restructure documentation around audience by @GaryJones in #872
Maintenance
- npm(deps): bump @lexical/react from 0.40.0 to 0.43.0 by @dependabot in #866
- npm(deps): bump @lexical/rich-text from 0.39.0 to 0.43.0 by @dependabot in #865
- npm(deps-dev): bump the dev-dependencies group with 2 updates by @dependabot in #864
- Actions(deps): bump actions/setup-node from 6.3.0 to 6.4.0 in the actions group by @dependabot in #863
Full Changelog: 1.11.1...1.12.0
Contributors
GaryJones and dependabot
Assets 3
Liveblog 1.11.1
Security
- fix: require post read permission on public Liveblog REST endpoints by @GaryJones in #857 (CWE-639 IDOR)
Fixed
- fix: improve schema.org LiveBlogPosting structured data output by @GaryJones in #816
- fix: handle malformed comment_date_gmt in entry timestamp by @Ritesh-patel in #829
Maintenance
- chore: clean up distribution and remove non-functional Behat workflow by @GaryJones in #802
- fix: suppress duplicate class name PHPCS warning in test stub by @GaryJones in #851
- npm(deps): bump @lexical/html, @lexical/link, @lexical/list, @lexical/react, lexical from 0.39.0 to 0.40.0 by @dependabot in #831, #832, #833, #834, #835
- npm(deps): bump lodash, lodash-es from 4.17.21 to 4.18.1 by @dependabot in #826, #827, #849, #850
- npm(deps-dev): bump axios from 1.13.2 to 1.15.0 by @dependabot in #853
- npm(deps-dev): bump basic-ftp from 5.1.0 to 5.2.2 by @dependabot in #852
- npm(deps-dev): bump brace-expansion from 1.1.12 to 1.1.13 by @dependabot in #848
- npm(deps-dev): bump flatted from 3.3.3 to 3.4.2 by @dependabot in #844
- npm(deps-dev): bump follow-redirects from 1.15.11 to 1.16.0 by @dependabot in #855
- npm(deps-dev): bump immutable from 5.1.4 to 5.1.5 by @dependabot in #840
- npm(deps-dev): bump node-forge from 1.3.3 to 1.4.0 by @dependabot in #847
- npm(deps-dev): bump qs from 6.14.1 to 6.14.2 by @dependabot in #836
- npm(deps-dev): bump svgo from 3.3.2 to 3.3.3 by @dependabot in #841
- npm(deps): bump picomatch by @dependabot in #846
- npm(deps): bump yaml from 1.10.2 to 1.10.3 by @dependabot in #845
- Actions(deps): bump actions/checkout, actions/setup-node, softprops/action-gh-release by @dependabot in #821, #828, #843, #854
New Contributors
- @Ritesh-patel made their first contribution in #829
Full Changelog: 1.11.0...1.11.1
Contributors
GaryJones, Ritesh-patel, and dependabot
Assets 3
Liveblog 1.11.0
Added
- feat: add Disable button to liveblog metabox by @GaryJones in #809 (fixes #807)
- feat: add filter to disable default Liveblog styles by @GaryJones in #810
Fixed
- fix: restore metabox JavaScript and rename dashboard to admin by @GaryJones in #805 (fixes #804)
- fix: prevent 404 errors from metabox links on unpublished posts by @GaryJones in #808 (fixes #806)
- fix: strip all HTML from key event titles by @cnaples79 in #785 (fixes #464)
New Contributors
- @miguelpeixe made their first contribution in #805
- @cnaples79 made their first contribution in #785
Full Changelog: 1.10.0...1.11.0
Contributors
GaryJones, miguelpeixe, and cnaples79
Assets 3
1.10.0
Added
- Replace Draft.js with Lexical editor for improved stability and maintenance by @GaryJones in #766
- Add image cropping and resizing to Lexical editor by @GaryJones in #782
- Add keyboard shortcut (Ctrl+Enter / Cmd+Enter) and auto-focus for entry publishing by @GaryJones in #792
- Add i18n support to React components by @GaryJones in #784
- Pre-load authors in dropdown for better discoverability by @GaryJones in #793
- Display total updates count in editor by @GaryJones in #777
- Add VIP edge cache purging when liveblog entries change by @GaryJones in #763
- Add
liveblog_facebook_app_idfilter for AMP sharing by @GaryJones in #756
Fixed
- Fix accessibility: WCAG AA contrast for placeholders, 16px font size, aria-labels by @GaryJones in #793
- Fix author selection keyboard navigation for react-select v5 by @GaryJones in #793
- Prevent orphaned entry updates from breaking lazy-loading by @GaryJones in #787
- Use add_action for template_redirect hook by @GaryJones in #788
- Fix Facebook embed parsing for legacy XFBML format by @GaryJones in #761
- Fix crash when editing entries containing timestamp-like text by @GaryJones in #762
- Correct timezone handling in time ago display by @GaryJones in #770
- Use DST-aware timezone offset for entry timestamps by @GaryJones in #774
- Honour site locale in entry timestamps by @GaryJones in #775
- Resolve stale JSON data on initial cached page load by @GaryJones in #772
- Round both polling timestamps for cache efficiency by @GaryJones in #771
- Stop polling on archived liveblogs and enforce AMP refresh minimum by @GaryJones in #768
- Support drag-and-drop of multiple images by @GaryJones in #767
- Reset Preview tab when publishing a new entry by @GaryJones in #765
- Preserve image attributes with filterable render output by @GaryJones in #773
- Use add_action for template_redirect hook in AMP class by @GaryJones in #776
- Replace prohibited use of extract() by @psorensen in #760
- Check template part variable names against allow list by @psorensen in #764
Maintenance
- Migrate assets from
assets/tobuild/directory and automate builds in deploy workflow by @GaryJones in #781 - Remove redundant polyfills and add build CI step by @GaryJones in #752
- Resolve all PHPCS coding standards violations by @GaryJones in #778
- Enable PHPCS code style checks in CI by @GaryJones in #779
- Add concurrency controls to GitHub Actions workflows by @GaryJones in #790
- Modernise SCSS: @use/@forward syntax, CSS custom properties, and code consolidation by @GaryJones in #736
- Migrate PHPUnit test infrastructure to yoast/wp-test-utils by @GaryJones in #737
- Separate unit tests from integration tests by @GaryJones in #738
- Add JavaScript unit tests for React reducers and utilities by @GaryJones in #741
- Standardise workflows, harden security with SHA-pinned actions by @GaryJones in #747
- Add Dependabot configuration with CODEOWNERS for reviewers by @GaryJones in #720, #748
- Standardise test matrix and update readme by @GaryJones in #749
- Resolve webpack-dev-server security vulnerabilities by @GaryJones in #719
- Actions(deps): Bump softprops/action-gh-release in the actions group by @dependabot in #783
- npm(deps): Bump @babel/runtime and @wordpress/i18n by @dependabot in #786
- npm(deps-dev): Bump qs from 6.14.0 to 6.14.1 by @dependabot in #791
New Contributors
- @dependabot[bot] made their first contribution in #642
- @ellm made their first contribution in #660
- @deepakrohillas made their first contribution in #682
- @raamdev made their first contribution in #697
- @jberculo made their first contribution in #698
- @alexiskulash made their first contribution in #531
- @shantanu2704 made their first contribution in #539
- @rogertheriault made their first contribution in #514
- @psorensen made their first contribution in #760
Full Changelog: 1.9.7...1.10.0
Contributors
raamdev, GaryJones, and 9 other contributors
Assets 3
1.9.7
1.9.7
This tag was signed with the committer’s verified signature.
ingeniumed
Gopal Krishnan
1.9.6
- Revert #597, restoring get_fields_for_render() that is being used in some implementations (#639)
- Harden check when rendering media library (#652)
- Clean comment cache after direct SQL queries (#658)
- REST API routes require a permission_callback (#669)
- Load CPT support later to avoid fatals with early use of WP_Query (#672)
props anigeluk, david-binda, GaryJones, jeffersonrabb, mslinnea, philipjohn, rebeccahum
