Fixes

Author: PDowney

CHANGELOG.md

@@ -5,12 +5,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-### Added
-
 ### Changed
 
+- Renamed 11 globally-scoped functions to use the `es_optimizer_` prefix to prevent naming collisions with other plugins (`disable_emojis`, `remove_jquery_migrate`, `disable_classic_theme_styles`, `remove_header_items`, `remove_recent_comments_style`, `add_preconnect`, `add_dns_prefetch`, `disable_jetpack_ads`, `disable_post_via_email`, `disable_emojis_tinymce`, `disable_emojis_remove_dns_prefetch`)
+- `es_optimizer_get_options()` now accepts an optional `$force_refresh` parameter so the static cache can be properly invalidated
+- `es_optimizer_add_settings_page()` page title and menu title are now wrapped in `__()` for correct translation
+- Settings page heading, description, and submit button value are now translatable
+- All functions that previously called `get_option( 'es_optimizer_options' )` directly now use the `es_optimizer_get_options()` caching wrapper for consistency
+- Render function callers now pass `__()` instead of `esc_html__()` to avoid double-escaping; the render functions themselves handle escaping at output
+- Removed redundant custom `wp_nonce_field()` and its bypassable verification from the settings form; CSRF protection is already handled by WordPress Settings API via `settings_fields()`
+
 ### Fixed
 
+- **Critical**: Fixed whitespace embedded inside form field `name` attributes (checkbox and textarea) that prevented settings from ever being saved — `$_POST['es_optimizer_options']` was never set because browsers sent the literal newlines/tabs as part of the field name
+- **Critical**: Fixed inverted IP-validation logic in `es_optimizer_validate_single_domain()` that caused every domain name (e.g. `fonts.googleapis.com`) to be incorrectly rejected when saving preconnect/DNS-prefetch settings
+- **Critical**: Fixed `es_optimizer_clear_options_cache()` which created an independent closure-scoped static variable and therefore never cleared the cache inside `es_optimizer_get_options()`
+- Fixed textarea content containing leading whitespace (newlines/tabs between `<textarea>` tag and PHP output)
+- Fixed missing `esc_url()` and `esc_html__()` escaping on the Settings link rendered in the Plugins list
+- Removed unreachable dead code (`if ( ! is_admin() ) { return; }`) inside `es_optimizer_add_settings_page()`, which is only ever called from the `admin_menu` hook
+
+
+
 ## [1.8.0] - 2025-10-23
 
 ### Added

readme.txt

@@ -2,7 +2,7 @@
 Contributors: enginescript
 Tags: optimization, performance, cleanup
 Requires at least: 6.5
-Tested up to: 6.8
+Tested up to: 6.9
 Stable tag: 1.8.0
 Requires PHP: 7.4
 License: GPLv3 or later
@@ -43,6 +43,19 @@ No, the plugin has a simple interface where you can toggle features on and off.
 
 == Changelog ==
 
+= Unreleased =
+* **BUG FIX (Critical)**: Fixed whitespace inside form field `name` attributes that prevented all settings from being saved — browsers sent literal newlines/tabs as part of the field name so WordPress never received the data
+* **BUG FIX (Critical)**: Fixed inverted IP-validation logic that caused every preconnect/DNS-prefetch domain name to be incorrectly rejected when saving settings
+* **BUG FIX (Critical)**: Fixed `es_optimizer_clear_options_cache()` which was not actually clearing the static options cache
+* **BUG FIX**: Fixed textarea content containing leading whitespace between the HTML tag and the PHP value output
+* **SECURITY**: Added missing `esc_url()` and `esc_html__()` escaping to the Settings link in the Plugins list
+* **SECURITY**: Removed redundant custom nonce field and its bypassable verification; CSRF protection is handled by WordPress Settings API
+* **CODE QUALITY**: Fixed double-escaping — render callers now pass `__()` instead of `esc_html__()`, with escaping done at output in the render functions
+* **CODE QUALITY**: Renamed 11 globally-scoped functions to use the `es_optimizer_` prefix, preventing potential naming collisions with other plugins
+* **CODE QUALITY**: Unified all option retrieval calls to use the `es_optimizer_get_options()` caching wrapper
+* **CODE QUALITY**: Settings page heading, description, and submit button are now fully translatable
+* **CODE QUALITY**: Removed unreachable dead code in `es_optimizer_add_settings_page()`
+
 = 1.8.0 - 2025-10-23 =
 * **FEATURE**: Added new option to remove RSD (Really Simple Discovery) link from WordPress header
 * **FEATURE**: Added separate DNS Prefetch option for lighter-weight domain lookups