Download Latest Version scriptlog-v1.4.0.zip (10.9 MB)
Email in envelope

Get an email when there's a new version of Scriptlog

Home / v1.3.0
Name Modified Size InfoDownloads / Week
Parent folder
scriptlog-v1.3.0.zip 2026-07-01 10.1 MB
README.md 2026-07-01 3.9 kB
v1.3.0 source code.tar.gz 2026-07-01 11.3 MB
v1.3.0 source code.zip 2026-07-01 12.6 MB
Totals: 4 Items   34.1 MB 0

[1.3.0] - 2026-07-01

Added

  • referrer_policy() function: New security header function for Referrer-Policy configuration
  • permissions_policy() function: New security header function for Permissions-Policy configuration
  • Security headers to API entry point: X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, and Permissions-Policy headers integrated into api/index.php
  • Bootstrap security header integration: referrer_policy and permissions_policy wired into Bootstrap::applySecurity()
  • CSRF protection for API write endpoints: validateCsrfForWrite() and generateCsrfToken() methods in ApiAuth
  • CSRF validation in API controllers: Integrated CSRF validation into MediaApiController and other API controllers
  • create_encoded_key() hardening: Defuse cipher key derivation with _try_decrypt() helper for multi-path backward-compatible decryption
  • Controller test suite: 5 new test files (PostController, UserController, CommentController, MediaController, TopicController) — 34 tests
  • Core class test suite: 6 new test files (SessionMaker, Paginator, Sanitize, DbFactory, Dispatcher, View) — 65 tests
  • phpunit.xml suite directories: Added Controller Tests and Core Tests directories to the PHPUnit configuration

Changed

  • Password hashing: Upgraded from md5 to sha256 in protect_post() and setPassPhrase() for stronger hashing
  • CSP hardening: Removed unsafe-eval from Content-Security-Policy; added Report-Only header for migration monitoring
  • Dynamic tests badge: Replaced static badge with dynamic GitHub Actions badge in README

Fixed

  • Test infrastructure: Registry::set('dbc') added for Dao, MediaDao, Authentication constructors in integration tests
  • Locale column length: Shortened lang_code from VARCHAR(20) to VARCHAR(10) to match schema
  • Unique locale collision: Fixed via counter in test data setup
  • is_html cast: Cast to integer 0 instead of boolean false in translation tests
  • DownloadUtilityTest race condition: Resolved time() + 1 race condition in data provider
  • DownloadCreateLinkTest paths: Corrected file paths for src/ directory structure
  • Theme auto-activate test: Deactivate all themes first to ensure clean state
  • Removed stale tests: Removed tests for non-existent setCredential() method and crendential property
  • Translation insert transaction: Wrapped translation insert in transaction in setup-db; added hard lock detection for fully installed databases
  • generate_request() null safety: Removed redundant isset($data) && before array_key_exists() calls

Security

  • Password hashing: Upgraded from md5 to sha256 for protected post passwords
  • CSP hardening: Removed unsafe-eval from Content-Security-Policy
  • Security headers: X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy added to API
  • API CSRF protection: CSRF validation for API write endpoints

Tests

  • 950 unit tests passing (2031 assertions)
  • 5 new controller test files, 6 new core class test files
  • Security headers, CSRF, encrypt-decrypt, password hashing test coverage

Notes

Feature release with security hardening (CSRF API protection, CSP hardening, password hashing upgrade, security headers), expanded test suite (+99 tests across controllers and core classes), and code quality improvements.

Codename

Maleo Senkawor – Honoring Macrocephalon maleo, the critically endangered megapode endemic to Sulawesi, Indonesia.

Comparison

  • Previous release: v1.2.3
  • Changes since v1.2.3: 50 commits

Download Scriptlog

Source: README.md, updated 2026-07-01