All notable changes to CloudScale Code Block are documented in this file.
The format is based on Keep a Changelog.
- Code Block editor: raw paste transform now detects markdown fenced blocks pasted as
<p>elements (plain-text clipboard format from terminals and text editors) and converts them to a CloudScale code block with the correct language set — previously the fence markers became stray paragraphs
- Thumbnails: Diagnose button on each flagged post row — checks meta state (both old
_cs_social_formatsand new_csdt_social_formatskeys), file existence on disk for each platform, URL reachability per crawler UA, and og:image seen by each crawler - Thumbnails: URL checker results — Copy Results to Clipboard button
- Thumbnails: Crawler Access Test merged into URL checker results; removed from separate Cloudflare Setup panel
- Thumbnails:
output_crawler_og_image()now falls back to legacy_cs_social_formatsmeta key so posts published before the cs_ → csdt_ rename still serve the correct og:image - Thumbnails: optimum image size targets reduced from 900 KB → 400 KB for Facebook, Twitter, LinkedIn, and Instagram
- Admin CSS: section header layout — title and hint text no longer run together; hint is right-aligned via
flex: 1; margin-left: auto
- Code Block editor: Paste button (and Ctrl+V into the textarea) now detects markdown fenced code blocks — extracts language from the fence header (handles aliases:
sh/shell/zsh→ bash,py→ python,js→ javascript, etc.) and strips fence markers so only the code content is stored
- Explain modals: description content now renders formatted HTML — inline
<code>tokens styled with dark background and amber text,<strong>/<em>emphasis, and<ul>/<li>bullet lists - Explain modals: all plain-text
descitems converted tohtmlformat with<code>markup for commands, file paths, query types, and technical values - Expand
$explain_ksesallowlist: addedul,ol,li,p,h4so structured content can be used in item descriptions
- Thumbnails: "Fix All Posts on Site" batch button — processes every published post in groups of 10 with live progress counter
- Thumbnails: Crawler UA detection — wp_head priority-1 og:image output so each platform receives its correctly-sized image
- Thumbnails: PNG and WebP featured images now converted to JPEG during social format generation so lossy compression can meet platform size targets
- Thumbnails: WebP source images were silently skipped by Fix/Fix All — webp now in supported formats list
- CS Monitor: performance data was injected after footer scripts ran (priority 9999), so the panel always showed empty data; data now injected at priority 15 via wp_add_inline_script() before scripts print at priority 20
- PCP: email-verified modal countdown script moved from inline PHP
<script>to wp_add_inline_script() - PCP: Thumbnails tab inline
<style>block moved to wp_add_inline_style() on the cs-admin-tabs handle - PCP: wp_delete_file() replaces unlink() for image backup temp-file cleanup
- PCP: REST hi-score endpoints use explicit anonymous permission callbacks instead of
__return_truestring - PCP: Missing wp_unslash() before sanitize_text_field() on $wp->query_vars values in perf monitor
- SSRF protection on admin URL-check endpoints — private/reserved IP ranges rejected before outbound HTTP
- Cloudflare cache-purge endpoint validates supplied URL belongs to the current site
- DOM XSS fixed in email 2FA enable flow — innerHTML concatenation replaced with safe DOM + textContent
- TOTP secret cleared from DOM immediately after successful activation
- Session cookie: hook moved from login_form_login (display-only, never fires on POST) to login_init so persistent-cookie flag is set before WordPress processes credentials
- Login: brute-force protection — configurable per-account lockout after N failed attempts (default 5 attempts, 5-minute lock) with admin UI
- Thumbnails tab: Social Preview Diagnostics — URL checker (9-point OG/image diagnostic), recent posts auto-scan, Cloudflare WAF setup guide, crawler UA tester, cache purge, Media Library auditor with one-click recompress
- Login: session persistence — auth cookie is now persistent (not a session cookie) when a custom session duration is set
- Code Block Settings: checkbox to show/hide the CS Monitor performance panel (saved via AJAX alongside theme settings; hides the panel for all users when unchecked)
- CS Monitor: Assets tab — all enqueued JS and CSS files, attributed to plugin/theme/wp-core, with type filter and search
- CS Monitor: Hooks tab — top 50 WordPress hooks by cumulative execution time; sortable by count, total, or max time; search filter
- CS Monitor: Object cache stats card in Summary — hit rate, hit/miss counts, persistent cache detection (Redis/Memcache)
- CS Monitor: Slowest Hooks section in Summary — top 8 hooks by total time with bar chart
- CS Monitor: Assets summary card showing JS + CSS counts
editor.js:onPasteCodenow handles both the toolbar Paste button and the browser's native paste event (Ctrl+V) — previously Ctrl+V completely bypasseddecodeClipboardText(), meaning escape-sequence decoding never ran on keyboard pastes; textarea now hasonPastehandler that callsevent.preventDefault()and reads fromevent.clipboardDatasynchronously
editor.js:decodeClipboardText()replaced brokenJSON.parseapproach with direct regex-based decoding —JSON.parsewas silently failing when\u0022decoded to"inside the JSON string, causing\nto be stored as literalnand\u0022to be stored as literalu0022in the database; now handles\n,\t,\r,\\,\uXXXX, and bareuXXXXcorrectlyeditor.js: Added(attributes.content || '')null guard on.split('\n')row calculation to prevent TypeError on null contentcs-code-block.php: Removedopacity:.5;pointer-events:noneinline styles from the Migrate All button — inline styles were never cleared when the button was re-enabled via JS, leaving it visually disabledassets/cs-code-migrate.css: Added.cs-btn-orange:disabledand.cs-btn-primary:disabledCSS rules to handle disabled state declarativelycs-code-block.php: Fixedprintf()inrender_migrate_panel()— outer format string was wrapped inesc_html__()while%swas replaced with raw HTML; outer string now uses__()with aphpcs:ignoreannotationblocks/code/block.json: Syncedversionfield from1.7.18to1.7.23
readme.txt: Reduced tags from 8 to 5 (WordPress.org enforces a maximum of 5)readme.txt: Shortened short description to 141 characters (WordPress.org maximum is 150)readme.txt: UpdatedRequires at leastfrom 5.8 to 6.0 to match plugin headercs-code-block.php: Addedphpcs:ignore InputNotSanitizedon$_POST['sql']— validated viais_safe_query(), not a standardsanitize_*()callcs-code-block.php: Addedphpcs:ignore InputNotSanitizedon$_POST['post_id']reads inajax_preview()andajax_migrate_single()— sanitised via(int)castcs-convert.js: Removedonclickattribute from JS-generated toast button; replaced withaddEventListenercs-code-block.js: Added.catch()tocopyToClipboard()promise chain — logs clipboard API rejection viaconsole.error()cs-admin-settings.js: Addedconsole.error()to settings save.catch()block
- Hardened
is_safe_query(): SQL queries containing semicolons are now rejected, preventing statement stacking - Removed
$_REQUESTfallback in SQL AJAX handler — only$_POSTaccepted - Added
phpcs:ignoreannotations with rationale for all intentional$wpdbdirect-query patterns
- Removed echoed
<style>block from admin tools page — all styles now served via enqueuedcs-admin-tabs.css - Extracted inline
<script>blocks from settings and SQL panels into enqueued JS files (cs-admin-settings.js,cs-sql-editor.js) - Replaced dynamic
document.head.appendChild(style)injection in block editor withwp_add_inline_style() - Removed
console.warn()andconsole.log()debug calls fromcs-convert.js
uninstall.php— removescs_code_default_themeandcs_code_theme_pairoptions on plugin deletionload_plugin_textdomain()called oninit; 48 user-facing strings wrapped with i18n functions across frontend and admin- Full DocBlocks (
@since,@param,@return) on all class methods and class definition @packageand@sincetags in plugin file header
wp_ajax_cs_save_theme_settinghook consolidated intoinit()alongside all other AJAX hooksdate()replaced withwp_date()in migration scan to respect site timezoneblock.jsonversion synced to plugin version
- Copy button now shows a "Copy" label alongside the clipboard icon
- CSS refactored for copy button styling
build_migrate_block()JSON encoding corrected: removedJSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHESflags that caused<,>, and quote characters to be stored as literal bytes, corrupting block attributes on subsequent Gutenberg saves
- All enqueued assets now use
filemtime()for cache busting - Block editor toolbar improvements
- Split
decode_migrated_content()into two independent passes so the bare-\nnewline fix always runs regardless of whether unicode escapes were already decoded in the database
decode_migrated_content()inrender_block()decodes unicode escapes and bare newline separators left by the v1 migration bug, fixing display of affected code blocks without requiring database changes
- Code Block Migrator now uses safe JSON encoding so special characters like
<,>, and quotes are stored as proper unicode escapes in block comment attributes, preventing content corruption on subsequent Gutenberg saves
- Copy, Paste, and Clear buttons to the block editor toolbar
- White toolbar text for improved contrast
- UNDEFINED language badge no longer displayed
- Powered by CloudScale link added to block toolbar
- Admin CSS embedded inline for reliable rendering across all WordPress configurations
- Admin UI restyled to match the CloudScale plugin family: navy gradient banner, dark tab bar with orange active indicator, white card panels with coloured gradient section headers
- 14 popular syntax colour themes: Atom One, GitHub, Monokai, Nord, Dracula, Tokyo Night, VS 2015/VS Code, Stack Overflow, Night Owl, Gruvbox, Solarized, Panda, Tomorrow Night, Shades of Purple
- Colour Theme selector in the settings panel
- HCL/Terraform and TOML to the language selector
- 14 new SQL quick queries organised into four groups: Health and Diagnostics, Content Summary, Bloat and Cleanup Checks, URL and Migration Helpers
- Each theme loads its dark and light variant from the highlight.js CDN
- Toggle button switches between the dark and light variant of the chosen theme
- Frontend CSS refactored to use CSS custom properties for theme-agnostic styling
- Theme backgrounds and toolbar colours adapt automatically to the selected theme
- Enter key now runs the SQL query; Shift+Enter inserts a newline
- Merged CloudScale SQL Command plugin into CloudScale Code Block
- Combined Tools page at Tools > CloudScale Code and SQL with tabbed interface
- AJAX save for theme settings (no page reload required)
- Separate Settings > CloudScale Code Block page
- Separate Tools > CloudScale SQL page
- Code Block Migrator tool to batch-convert legacy WordPress code blocks
- Auto-convert toast in the block editor for
core/codeandcore/preformattedblocks - Transform support from
core/codeandcore/preformatted
- Block now spans full content width in both editor and frontend
- Dark mode is now the proper default with Atom One Dark syntax colours
- Code no longer wraps; horizontal scroll on overflow
- Editor style properly registered via
block.jsoneditorStyle
- Alignment support (wide, full) in block toolbar
- Initial release: Gutenberg block and
[cs_code]shortcode for syntax-highlighted code - Auto language detection for 30+ languages via highlight.js
- One-click clipboard copy button
- Dark/light mode toggle per block with site-wide default
- Language badge auto-detection
- Optional line numbers toggle
- Custom title/filename label per block