Releases: dereuromark/cakephp-tools

3.13.1

25 May 22:20
dbcdc0e

Fixes

  • Restore the entity generic on the Table base class, so IdeHelper-generated Table subclass annotations and entity-typed finder return types resolve under PHPStan again (#334)

Improvements

  • Port the LoginLink authenticator and identifier to cakephp/authentication v4 and declare a conflict with older majors (<4.0.0), so the plugin can no longer be paired with an incompatible authentication version (#335)

Full Changelog: 3.13.0...3.13.1

3.13.0

25 May 15:03
32791a0

Fixes

  • Honor camelCase DataPreparation.noTrim config key (#329)

Features

  • Tokens can now persist per-type validity windows on each row, so login links, password resets, API tokens, and similar flows can expire differently without retroactively changing already-issued tokens (#332)

Full Changelog: 3.12.9...3.13.0

3.12.9

18 May 11:45
d20b423

Fixes

  • Gravatar now uses SHA-256, encryption is idempotent, and pregMatch() no longer splices UTF-8 incorrectly (#326)
  • PasswordHasherFactory now resolves app- and plugin-provided password hashers instead of being locked to the Tools plugin prefix, while still keeping the built-in Default hasher safe from being silently shadowed (#328)

Full Changelog: 3.12.8...3.12.9

3.12.8

05 May 01:26
1ebeace

Fixes

  • Stop rendering the title attribute unescaped in FormatHelper::neighbors(). The link options forced escape => false, which in CakePHP HtmlHelper disables escaping of both the link text and attribute values, so the title attribute rendered raw from arbitrary DB content (XSS surface). Switched to escapeTitle => false so the icon HTML stays in the link text but attributes escape normally. Regression test covers <script> and &" payloads in title-field values.
  • Tighten the HTTP status check in Tools\Model\Table\Table::_validUrl(). Both ternary branches returned 'HTTP', and the [(200|301|302)] regex used a character class instead of an alternation — so it matched any status line containing one of ( 0 1 2 3 |). Replaced with a hardcoded HTTP/ prefix and real (200|301|302) / (404|999) alternations.
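The character-class defect above, reproduced as an added example (not code from cakephp-tools); the status lines are constructed and the exact pattern the plugin now uses is assumed, only the "HTTP/ prefix plus real alternations" shape comes from the notes:

```php
<?php
// Added example, not code from cakephp-tools: reproduces the defect the
// 3.12.8 notes describe in Table::_validUrl() and the shape of its fix.
// Status lines below are constructed; the exact pattern the plugin now uses
// is assumed (only "HTTP/ prefix plus real alternations" comes from the notes).

/** Old check: the outer [...] turns the alternation into the class ( ) | 0 1 2 3. */
function statusLooksOkOld(string $statusLine): bool
{
    return (bool)preg_match('/[(200|301|302)]/', $statusLine);
}

/** Fixed check: anchored HTTP/ prefix, version skipped, real alternations. */
function classifyStatusNew(string $statusLine): string
{
    if (preg_match('~^HTTP/\d(?:\.\d)? (200|301|302)\b~', $statusLine)) {
        return 'ok';
    }
    if (preg_match('~^HTTP/\d(?:\.\d)? (404|999)\b~', $statusLine)) {
        return 'gone';
    }
    return 'unknown';
}

// Constructed first header lines as a server might return them.
$samples = [
    'HTTP/1.1 200 OK',
    'HTTP/1.1 404 Not Found',
    'HTTP/1.1 500 Internal Server Error',
    'HTTP/2 403 Forbidden',
    'garbage line containing a 1',
];

foreach ($samples as $line) {
    printf("%-36s old=%-5s new=%s\n",
        $line,
        statusLooksOkOld($line) ? 'true' : 'false',
        classifyStatusNew($line)
    );
}
```

Every sample passes the old check, because each contains at least one character of the class; only the anchored alternation distinguishes a real 200/301/302 from a 404, a 500 or a non-status line.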

Improvements

  • Pagination element is now CSP-compatible. The per-page limit <select> no longer carries an inline onchange="window.location.href=this.value" handler — replaced with a data-paginator-navigate attribute and a small delegated change listener at the bottom of the element. The accompanying <script> block carries a CSP nonce sourced from the cspNonce request attribute, so apps with a strict script-src 'self' 'nonce-...' policy can run it; falls back gracefully when no nonce is set. (Inline event handlers are blocked under strict CSP without unsafe-inline / unsafe-hashes, and the nonce directive does not cover them per the CSP spec — removing the attribute entirely is the only portable fix.)
  • Switched all remaining bare __() calls in user-facing strings to __d('tools', ...) so translations resolve through the plugin's own i18n domain instead of leaking into the host app's default domain. Affects four static labels in templates/Admin/Helper/{chars,bitmasks}.php and four dynamic title/icon strings in IconCollection, CommonHelper, and FormatHelper. Also refreshes resources/locales/tools.pot (the previous POT was ~6 years stale); existing language files are left for translators to msgmerge against the new POT.
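The CSP-compatible limit selector described above, as an added illustration rather than the plugin's own pagination element; the limits and URLs are constructed, and the cspNonce request attribute named in the notes is passed in here as a plain argument:

```php
<?php
// Added example, not the plugin's pagination element: renders the per-page
// <select> the way the 3.12.8 notes describe it, without an inline onchange
// handler and with a delegated listener inside a nonce'd <script>.
// The limits/URLs are constructed; the nonce would normally come from the
// `cspNonce` request attribute the notes mention (here a plain argument).

function renderLimitSelect(array $limits, ?string $cspNonce): string
{
    $h = static fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    $options = '';
    foreach ($limits as $limit => $url) {
        $options .= sprintf('<option value="%s">%d per page</option>', $h($url), (int)$limit);
    }

    // No onchange attribute: under a strict script-src, inline event handlers are
    // blocked and a nonce does not cover them, so navigation is wired up from a
    // script block that can carry the nonce.
    $select = '<select data-paginator-navigate>' . $options . '</select>';

    // Emit the nonce attribute only when the app provides one; otherwise the
    // element degrades to a plain script block for apps without a nonce policy.
    $nonceAttr = ($cspNonce !== null && $cspNonce !== '') ? ' nonce="' . $h($cspNonce) . '"' : '';

    $script = '<script' . $nonceAttr . '>'
        . "document.addEventListener('change', function (e) {"
        . "  var el = e.target.closest('[data-paginator-navigate]');"
        . "  if (el) { window.location.href = el.value; }"
        . '});'
        . '</script>';

    return $select . "\n" . $script;
}

// Constructed sample: two limits and a nonce as a CSP middleware would set it.
echo renderLimitSelect(
    [20 => '/articles?limit=20', 50 => '/articles?limit=50'],
    'constructed-nonce-value'
), "\n";
```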

Full Changelog: 3.12.7...3.12.8

3.12.7

20 Apr 10:36
e096b36

Fixes

  • Enforce validity window in TokensTable::useKey(). Previously an unused token stayed redeemable past its configured validity until the garbage collector ran — a real gap for magic-login, email-verification, and password-reset style flows. useKey() now rejects tokens where created < now - validity unless marked unlimited.
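The redeem-time rule above, applied to the per-type validity window that 3.13.0 stores on each token row (listed earlier on this page), as an added stand-alone example rather than TokensTable code; the row shape, field names and sample rows are constructed:

```php
<?php
// Added example, not TokensTable code: the 3.12.7 rule (reject when
// created < now - validity unless marked unlimited) evaluated against the
// per-row validity window that 3.13.0 persists with each token.
// Row shape and field names are constructed for illustration.

/**
 * @param array{type:string,created:string,validity:int,unlimited:bool,used:int} $row
 */
function tokenIsRedeemable(array $row, DateTimeImmutable $now): bool
{
    if ($row['used'] > 0) {
        return false; // already redeemed (assumed field)
    }
    if ($row['unlimited']) {
        return true;  // explicitly exempt from the validity window
    }
    $created = new DateTimeImmutable($row['created'], new DateTimeZone('UTC'));
    // The cutoff uses the row's own validity, so a later config change cannot
    // retroactively extend or shorten a token that was already issued.
    $cutoff = $now->sub(new DateInterval('PT' . $row['validity'] . 'S'));

    return $created >= $cutoff;
}

// Constructed rows: every token created at 12:00 UTC with its own window;
// the redeem attempt is evaluated at 12:30 UTC.
$now = new DateTimeImmutable('2026-05-01 12:30:00', new DateTimeZone('UTC'));
$rows = [
    ['type' => 'login_link',     'created' => '2026-05-01 12:00:00', 'validity' => 900,  'unlimited' => false, 'used' => 0],
    ['type' => 'password_reset', 'created' => '2026-05-01 12:00:00', 'validity' => 3600, 'unlimited' => false, 'used' => 0],
    ['type' => 'api_token',      'created' => '2026-05-01 12:00:00', 'validity' => 0,    'unlimited' => true,  'used' => 0],
    ['type' => 'boundary',       'created' => '2026-05-01 12:00:00', 'validity' => 1800, 'unlimited' => false, 'used' => 0],
];

foreach ($rows as $row) {
    printf("%-15s %s\n", $row['type'], tokenIsRedeemable($row, $now) ? 'redeemable' : 'rejected');
}
```

The boundary row has created exactly equal to now - validity; the rule rejects only strictly older tokens, so it is still redeemable.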

Improvements

  • Forward TEntity template through Tools\Model\Table\Table so subclasses can type their entity for PHPStan. Requires dereuromark/cakephp-shim 3.8.4+ and CakePHP 5.3.4+.

Full Changelog: 3.12.6...3.12.7

3.12.6

19 Mar 23:32

Fixes

  • Fix autoPrefixUrl() calling urlExists() with invalid URL when input already has https:// protocol

Full Changelog: 3.12.5...3.12.6

3.12.5

19 Mar 22:04
08ccdd9

Fixes

  • Add timeout to urlExists() cURL request (#315)

    • CURLOPT_TIMEOUT (5s) - total request timeout
    • CURLOPT_CONNECTTIMEOUT (3s) - connection timeout
    • CURLOPT_FOLLOWLOCATION with MAXREDIRS (3) - follow redirects
    • curl_close() - properly clean up handle
  • Add timeout to remaining HTTP requests (#316)

    • Utility::urlExists() fallback: 5s stream context timeout
    • Utility::getHeaderFromUrl(): 5s timeout
    • Mime::getMimeTypeByUrl(): 5s timeout
    • Message::_readFile(): 10s timeout
  • Fix autoPrefixUrl() calling urlExists() with invalid URL

    • URLs with https:// are now returned as-is
    • URLs with http:// are properly upgraded by replacing the prefix
    • Prevents invalid URLs like https://https://example.com

This prevents requests from hanging indefinitely when servers don't respond.

3.12.4

15 Mar 22:48
890a5c0

Improvements

  • Use ServerRequest::clientIp() instead of env('REMOTE_ADDR') for proper proxy header handling

Full Changelog: 3.12.3...3.12.4

3.12.3

11 Mar 00:51

Fixes

  • Fix page action URLs to use dasherized format instead of camelCase

Enhancements

  • Add dynamic scope and onDirty options to SluggedBehavior

Full Changelog: 3.12.2...3.12.3

3.12.2

09 Feb 10:29
361cc2a

Improvements

  • Fix CakePHP 5.3.0 behavior method deprecations - #310
  • Add uniqueCallback option to SluggedBehavior - #312

Full Changelog: 3.12.1...3.12.2