Shortcode output: Hardened escaping for [strava_nmr_table] cells, OAuth authorize links, connect/disconnect URLs, and surfaced OAuth errors (esc_html / esc_url).
Webhook POST: subscription_id in the JSON body is checked for every event type before processing (403 on mismatch). Soft rate limit: up to 30 events per 60 seconds per Strava owner_id (429 when exceeded).
Work in progress: Pro bridge: includes/nmr-strava-license-bridge.php — nmr_strava_is_pro() and nmr_strava_pro_can() for the separate Pro add-on.
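The webhook checks described in the entry above, sketched in plain PHP as an added example (not the plugin's own code). The function and constant names, the in-memory `$hits` store, the sample IDs and the 400 response for malformed bodies are assumptions made for illustration.

```php
<?php
// Added example: every function, constant and sample value is hypothetical.
const EXAMPLE_WINDOW_SECONDS = 60; // window length from the entry above
const EXAMPLE_MAX_EVENTS     = 30; // events allowed per owner_id per window

/**
 * Return the HTTP status for one webhook POST.
 * $hits maps owner_id => accepted event timestamps; it stands in for
 * whatever persistent store a real handler would use.
 */
function example_webhook_status(string $raw_body, int $stored_id, array &$hits, int $now): int
{
    $event = json_decode($raw_body, true);
    if (!is_array($event)) {
        return 400; // assumption: malformed bodies are rejected outright
    }
    // Checked for every event type, before any other field is trusted.
    $sub = $event['subscription_id'] ?? null;
    if (!is_int($sub) || $sub !== $stored_id) {
        return 403;
    }
    $owner = $event['owner_id'] ?? null;
    if (!is_int($owner)) {
        return 400; // assumption, as above
    }
    // Sliding window: keep only timestamps from the last 60 seconds.
    $recent = array_values(array_filter(
        $hits[$owner] ?? [],
        fn (int $t): bool => $t > $now - EXAMPLE_WINDOW_SECONDS
    ));
    $allowed = count($recent) < EXAMPLE_MAX_EVENTS;
    if ($allowed) {
        $recent[] = $now; // only accepted events count against the limit
    }
    $hits[$owner] = $recent;
    return $allowed ? 200 : 429;
}

// Constructed sample events (field names follow Strava's webhook payload).
$hits = [];
$base = ['object_type' => 'activity', 'aspect_type' => 'create', 'owner_id' => 1001];
$good = json_encode($base + ['subscription_id' => 4242]);
$bad  = json_encode($base + ['subscription_id' => 9999]);
echo 'mismatch: ', example_webhook_status($bad, 4242, $hits, 1000), "\n";
for ($i = 1; $i <= 31; $i++) {
    $status = example_webhook_status($good, 4242, $hits, 1000 + $i);
}
echo '31st event in window: ', $status, "\n";
echo 'after window: ', example_webhook_status($good, 4242, $hits, 1100), "\n";
```

Rejected events are not recorded in the window here, so a sender that keeps posting after a 429 does not extend its own lockout; a handler that should penalise continued flooding would record them instead.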
1.0.12
Readme: short description (≤150 chars for WordPress.org), tags, FAQ, installation path, developer examples aligned with code
WordPress.org visual assets: banners, icons, screenshot placeholders in .wordpress-org/
1.0.11
Update column activities.external_id from not null to null – it looks like a Strava manual entry will generate a null external_id
Update SQL string to use string interpolation for table name
1.0.10
Update column activities.name to text
1.0.9
Update column activities.raw_activity to mediumtext
1.0.8
Fixed XSS in [strava_nmr_connect]
1.0.7
Updated code according to WordPress code review.
1.0.6
Added nmr_strava_save_activity_full filter that sends the entire Strava data as array. One can use it to filter out manual activities, for instance.
Remove dangling options by the name nmr-strava-%
Save subscription_id once we read it from Strava
1.0.5
Added top property to shortcode [strava_nmr_table top=10]. Default value is 100.
[strava_nmr_table top=10] shows km and minutes instead of meters and seconds.
Activate Strava will also save the settings.
1.0.4
Added simple shortcode to list activities received from Strava: [strava_nmr_table]
1.0.3
Store Strava username, firstname, lastname and profile link
Delete duplicate rows
1.0.2
Fixed Strava activity import when there is no associated WordPress user.
Add filter nmr_strava_save_activity
1.0.1
Fixed option save
Add button to deactivate Strava subscription
Removed use of PHP session
Allow Strava activities from anonymous visitors (un-registered users)