Security: introduced esc_inline_css() helper that applies wp_strip_all_tags(), wp_kses_no_null(), str_ireplace('</style'), and blocks @import, expression(), javascript:/data: URLs and IE behavior/binding properties before any CSS is passed to wp_add_inline_style().
Security: introduced esc_css_selector_list() helper that sanitizes each CSS selector via preg_replace and wp_strip_all_tags() before output.
Security: both wp_add_inline_style() call-sites (dynamic CSS and hide-theme-nav CSS) now route through these helpers immediately before output.
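
A sketch of the kind of helper the esc_inline_css() entry describes, added here as an example and not taken from the plugin's source. The name example_esc_inline_css(), the regular expressions, the fail-closed behaviour and the sample inputs are assumptions; the two function_exists() stand-ins are simplified and only let the file run outside WordPress.

```php
<?php
// Added sketch, not the plugin's source. example_esc_inline_css() is a hypothetical name.
// Simplified stand-ins so the file also runs outside WordPress; core's versions are used if loaded.
if ( ! function_exists( 'wp_strip_all_tags' ) ) {
    function wp_strip_all_tags( $text ) {
        $text = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $text );
        return trim( strip_tags( $text ) );
    }
}
if ( ! function_exists( 'wp_kses_no_null' ) ) {
    function wp_kses_no_null( $text ) {
        return preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $text );
    }
}

function example_esc_inline_css( $css ) {
    // 1. Remove markup, NUL/control bytes, and any leftover style-closing sequence.
    $css = wp_strip_all_tags( (string) $css );
    $css = wp_kses_no_null( $css );
    $css = str_ireplace( '</style', '', $css );

    // 2. Constructs the changelog entry lists as blocked (patterns are assumptions).
    $blocked = array(
        '/@import\b/i',
        '/\bexpression\s*\(/i',
        '/url\s*\(\s*["\']?\s*(?:javascript|data)\s*:/i',
        '/\b(?:behavior|binding)\s*:/i',
    );
    foreach ( $blocked as $pattern ) {
        if ( preg_match( $pattern, $css ) ) {
            return ''; // Assumption: fail closed and emit no CSS at all.
        }
    }
    return $css;
}

// Constructed sample inputs: one clean rule and three that must not pass through unchanged.
$samples = array(
    '#ruby-mega-menu a { color: #336699; }',
    '#ruby-mega-menu a { color: red; }</style><p>injected markup</p>',
    '@import url("https://example.invalid/x.css");',
    '#ruby-mega-menu { behavior: url(x.htc); }',
);
foreach ( $samples as $raw ) {
    printf( "%s\n  => %s\n", $raw, var_export( example_esc_inline_css( $raw ), true ) );
}
```

A filter like this is a backstop for values that were already validated individually, as the 1.0.6 entries do with esc_css_color() and esc_css_dimension().
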
1.0.7
Security: all output values in view-settings.php now wrapped with esc_attr() at the point of echo (late escaping).
Security: CSS inline style output now uses wp_strip_all_tags() + str_ireplace('</style') as a two-step sanitization before wp_add_inline_style().
Security: CSS selector regex tightened to exclude quote characters (", ') that are not valid in safe selectors.
Security: font-family regex simplified to alphanumeric, space and hyphen only — sufficient for all Google Font names.
Fix: PHP syntax error in font-family preg_replace (misquoted regex) resolved.
1.0.6
Security: added explicit format arrays (%d/%s) to all $wpdb->insert, $wpdb->update, and $wpdb->delete calls for proper SQL type safety.
Security: added $wpdb->prepare() to get_top_level_items() query for consistency with WordPress coding standards.
Security: all dynamic CSS values now late-escaped at point of string building using esc_css_color() and esc_css_dimension() helpers.
Security: added esc_html() to unescaped echo in view-builder.php.
Fix: blog-type mega menu nav items no longer inherit theme margin-bottom or line-height overrides.
Fix: shop menu tab items no longer inherit theme font-weight or font-stretch overrides on desktop.
Fix: admin bar offset fix (fixAdminBarOffset) now only applies margin-top on mobile breakpoint, preventing unwanted spacing on desktop.
Fix: mobile teleport now skips #wpadminbar when applying margin-top to body first div, preventing admin bar from being pushed down.
1.0.5
Compliance: prefixed remaining AJAX action hooks (rmm_search_posts, rmm_get_post_link) with rubymm_.
Changed: shortcode renamed from [ruby_menu] to [rubymm_rubymenu] for a more distinctive identifier.
Fixed: delete confirmation popup was blank due to mismatched localization key (confirm_delete vs confirm_delete_top).
Fixed: dynamic font CSS was outputting duplicate #ruby-mega-menu selector due to prefix already being present in font_targets() array.
Fixed: Google Fonts loading used array_merge instead of array_replace_recursive, causing saved font settings to not properly override defaults.
Fixed: font-family, font-size, and font-weight in dynamic CSS now use !important to prevent theme styles from overriding plugin typography settings.
Added: active menu item support — top-level nav items now receive ruby-active-menu-item class when the user is on the corresponding page, using $wp->request for accurate URL matching in subdirectory installs. Filter is scoped to plugin-managed menus only.
1.0.4
Fixed: CSS cascade order — dynamic menu styles now load before responsive CSS so mobile layout rules take priority.
Fixed: right-aligned top-level menu items — second-level submenu now stacks full-width on mobile instead of being pushed off-screen.
1.0.3
Compliance: fully removed Freemius SDK, premium license checks, and all premium feature placeholders from WordPress.org build.
Compliance: ensured no locked features or license checks remain in the code, per WordPress.org Plugin Directory Guidelines.
1.0.2
Compliance: prefixed all global functions, classes, variables, hooks, and options for WordPress.org guidelines.
Compliance: moved all inline styles and scripts to proper enqueue system (wp_add_inline_style, wp_enqueue_script).
Security: added wp_kses_post final filter to all rendered menu HTML returned from shortcode and nav menu filter.
Security: escaped all get_the_date() output in blog menu views.