GoValid QR

3.6.7

• Fix: Replace direct $_POST/$_FILES superglobal access in public_submit() with WP_REST_Request methods
• Fix: Refactor handle_form_file_upload() to accept file array parameter instead of reading $_FILES
• Fix: Add X-WP-Nonce header to frontend form submission fetch for CSRF protection
• Fix: Add real wp_verify_nonce() check to OAuth callback via transient-stored nonce from handle_connect()
• Fix: Remove all phpcs:ignore/disable suppression comments for NonceVerification on these methods

3.6.6

• Fix: Move all $_GET flash-message reads from partials into render methods with real wp_verify_nonce() checks
• Fix: Add _wpnonce to all wp_safe_redirect() calls in generator, settings, and forms handlers
• Fix: Pass adminNonce via wp_localize_script() and append to JS-generated admin page URLs
• Fix: Replace phpcs:ignore on render_field() and build_status_section() echoes with wp_kses() and custom allowed-HTML arrays
• Fix: Add phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized on $_FILES tmp_name uses in REST controller

3.6.5

• Fix: Add current_user_can() capability guards to all remaining admin page partials
• Fix: Add phpcs annotation for pre-nonce form_id read in handle_delete_form()

3.6.4

• Fix: Add nfloval1739 to Contributors list
• Fix: Host NexHub promotional images locally (removed remote nexhub.earth image requests)
• Fix: Add detailed phpcs annotations for unescaped echo in shortcode render_field() and build_status_section() methods
• Fix: Add Nominatim/OpenStreetMap and NexHub entries to External Services in readme.txt
• Fix: Add Bundled Libraries section documenting jsQR v1.4.0 (Apache-2.0) source
• Fix: Improve nonce verification phpcs comments in admin partials and REST controller
• Fix: Cast file upload error code to int; add block comment explaining nonce-free REST endpoint design
• Fix: Fix count_forms() SQL using variable interpolation with phpcs annotations

3.6.2

• Fix: Replace all inline and tags with wp_enqueue_script() / wp_enqueue_style() / wp_add_inline_script()
• Fix: Extracted verify-page JS to public/js/verify-page.js with wp_localize_script() for dynamic data
• Fix: Moved form-builder config object to wp_add_inline_script() in enqueue_assets()
• Fix: Moved generator prefill script to wp_add_inline_script() in enqueue_assets()
• Fix: Moved modal overlay CSS to admin/css/govalid-admin.css
• Fix: Updated text domain from govalid-qr to govalid-qr-validator across all 1122 i18n calls
• Fix: Updated Chart.js from v4.4.4 to v4.5.1
• Fix: Added == External Services == section to readme.txt documenting GoValid API and Esri ArcGIS
• Fix: Added clarifying comment on intentionally public form submission REST endpoint

3.1.3

• NEW: QR Label Layout — design and export printable QR label sheets (PDF/PNG/JPG/Print)
• NEW: 16 unique frame styles (Pill, Groove, Ridge, Inset, Outset, Ticket, Elegant, Glow, Stamp + originals)
• Fix: Correct QR card selectors for label layout data collection

3.1.1

• Fix: Replace %i SQL placeholders for WP 5.8 compatibility
• Fix: Bundle SortableJS locally instead of loading from CDN
• Fix: Add missing output escaping across all templates
• Fix: Add translators comments for i18n placeholders
• Fix: Use wp_safe_redirect() instead of wp_redirect()
• Fix: Remove debug error_log() calls from production code
• Fix: Add database query caching and proper LIKE wildcard escaping
• Fix: Prefix all global template variables with plugin prefix
• Fix: Sanitize file upload and URL inputs
• Fix: Add phpcs annotations for nonce-delegated methods and DB queries

2.0.1

• NEW: Shortcode-based verification page — customizable via WordPress page editor
• NEW: [govalid_verify_result] shortcode for full verification card
• NEW: Individual field shortcodes ([govalid_verify_field], [govalid_verify_status], [govalid_verify_alerts], [govalid_powered_by])
• NEW: Custom Verification settings tab with setup guide and shortcode reference
• NEW: One-click verification page creation
• Server-side API verification (no client-side JavaScript needed)

2.0.0

• NEW: Custom verification page — serve QR verification at yoursite.com/v/{token}
• NEW: Settings toggle to enable/disable custom verification route
• NEW: Smart Verify widget recognizes the site’s own /v/ URLs
• Automatic rewrite rule management on toggle/activation/deactivation

1.0.0

• Initial release
• QR Code Generator with multiple types
• Gutenberg block with visual picker
• Shortcode support
• Dashboard scan analytics widget
• OAuth 2.0 + PKCE connection
• Local image caching