Added: When “Assign fonts to body text and headings” is enabled, the block editor canvas now receives explicit .editor-styles-wrapper font-family rules (the assigned family plus a system-font fallback) for body and headings, so the editor matches the front end even when the theme.json typography assignment doesn’t reach the iframe.
Fixed: Custom fonts now render inside the block editor canvas. The editor is an iframe (WP 6.3+/7.x) that ignores src-less inline styles, so @font-face is now injected through the editor styles setting — the same channel the Font Library and add_editor_style() use.
Fixed: Variable-font weight ranges with an out-of-spec low bound (e.g. 1 900) are normalized to 100 900. WordPress was silently dropping these faces — and their entry in the editor font picker — when validating theme.json.
Fixed: Components module CSS now reaches the block editor canvas reliably via the editor styles setting. The previous inline fallback could not cross into the WP 7 iframe when the generated CSS file was unavailable.
Changed: Removed the redundant admin_head font print. It reached only the parent admin document, never the editor iframe, and is superseded by the editor styles channel.
Housekeeping: Documented a single source-of-truth matrix for the font-loading paths and removed stale per-file @version docblocks that had drifted from the plugin version.
1.4.6
Added: Character range (unicode-range) support per font in the Fonts module — limit which characters trigger a font download for faster page loads
Added: Quick-pick presets in the admin UI for common subsets (Latin, Latin Extended, Greek, Cyrillic, Vietnamese, Punctuation/Symbols)
Added: unicode-range is also emitted into the theme.json fontFace data layer so it propagates to the block editor
Security: Login Security no longer trusts X-Forwarded-For / Client-IP headers by default — these were spoofable on direct connections, allowing IP-based lockouts to be evaded or weaponized. Sites behind a trusted reverse proxy or CDN can opt in via the new “Trust Proxy Headers” setting.
Security: Login Security now validates client IPs through FILTER_VALIDATE_IP when proxy headers are in use, dropping malformed values rather than hashing them into transient keys.
Fixed: Block Cleanup XPath query now safely escapes class names via a proper XPath 1.0 string-literal builder (addcslashes was the wrong escape function and silently failed on classes containing quotes).
Fixed: Snippets kses_with_styles() placeholder collision — <style> extraction now uses a per-call random token so a snippet body containing the literal placeholder string can no longer corrupt the output.
Fixed: Fonts module admin badge now reflects the Style field (free-text input) instead of looking for a <select> that doesn’t exist.
Fixed: Fonts module options static cache is invalidated automatically on update_option_functionalities_fonts, preventing stale font lists when the option is updated mid-request.
Fixed: Task Manager AJAX handlers (Export, Delete, etc.) now register whenever in admin, so existing projects remain manageable even when the module is toggled off.
Fixed: Task Manager card layout — widget badge now sits above the action row, so Open/Export/Delete align consistently across cards.
Fixed: Help & Support buttons now have higher CSS specificity to defeat WP 7.0’s button reset.
1.4.5
Added: WOFF and WOFF2 font file uploads now supported in the WordPress media library
Security: Font uploads validated via binary magic-byte signatures to prevent malicious file uploads
1.4.4
Fixed: Schema module filter_article() now skips content with Vue/Alpine.js directives — prevents DOMDocument from corrupting JS framework templates
Fixed: Block Cleanup module filter_content_cleanup() now skips content with JS framework directives
Refactored: Extracted Vue-safe DOMDocument guard into shared Has_Dom_Parser trait used by Link Management, Schema, and Block Cleanup
All three the_content filters that use DOMDocument (priorities 12, 14, 999) are now protected against JS framework corruption
1.4.3
Fixed: Link Management process_content() now skips HTML containing Vue.js directives (v-cloak, v-if, v-show, :class, @click, {{ }})
Fixed: DOMDocument re-parsing was corrupting Vue/React template syntax in themes like MyListing, causing explore pages to flash and disappear
Improved: Early-exit check prevents unnecessary DOM parsing on content with JavaScript framework directives
1.4.2
Fixed: wp_kses now preserves data-* attributes on <script>, <style>, and <link> tags in Header & Footer snippets
Fixed: async, defer, nomodule, id, nonce, crossorigin, and as attributes no longer stripped from snippet tags for non-admin users
Fixed: Unified allowed-tags list between snippet output and save sanitization to prevent attribute drift
Fixed: README.md version was outdated (still showed 1.4.0)
1.4.1
Added: Opt-in “Delete all plugin data when uninstalling” checkbox on the dashboard — removes all options, post metadata, transients, and files on uninstall
Fixed: Replaced all direct file_put_contents calls with WP_Filesystem API across Task Manager, Redirect Manager, and JSON file creation
Fixed: Extracted duplicate CSS sanitization into a shared trait used by Components and Fonts modules
Fixed: Removed sslverify => false from loopback HTTP requests in Assumption Detection
Fixed: Disabled debug console logging in SVG Icons editor script
Fixed: Removed dead code in admin UI script
1.4.0
Added: Bricks Builder font integration — custom fonts appear in Bricks typography picker and load inside the builder canvas
Added: PWA module prefills app name, short name, description, and icons from WordPress Settings and Site Icon