Replaced inline button/wrapper style=”…” attributes with wp_add_inline_style(), generated programmatically from sanitised settings only.
Wrapped every dynamic output point in wp_kses() with a precise per-tag/per-attribute allowlist so the inline SVG icon and rendered button HTML are escaped at output.
JSON settings export now uses wp_send_json() (the WPCS-whitelisted output sink) instead of a manual echo wp_json_encode().
Settings page conditional rows hidden via a CSS class (scefcw-hidden) instead of inline style=”display:none;” snippets, with the toggle JS updated to toggleClass().
All admin asset filenames realigned to the scefcw- prefix so the registered handles resolve correctly (assets/css/scefcw-public.css, assets/js/scefcw-public.js, etc.).
Removed all phpcs:ignore WordPress.Security.EscapeOutput comments. The two remaining ignores (NonceVerification for the read-only ?tab= parameter and the ?settings-updated=true flag, and ValidatedSanitizedInput for the JSON import payload that is parsed and then run through SCEFCW_Settings::sanitize()) are documented inline.
1.0.4
Removed the Custom CSS field from settings, per WordPress.org plugin guidelines that disallow plugins from accepting arbitrary code (CSS/JS/PHP). Use the WordPress Customizer’s “Additional CSS” panel to override widget styles instead.
1.0.3
Renamed plugin to SourceCodeEs Floating Contact Widget (slug: sourcecodees-floating-contact-widget) to comply with WordPress.org plugin naming guidelines requiring the distinctive brand term at the beginning.
Updated text domain, block name, settings page slug, and language file accordingly.
1.0.2
Removed server-side click counter (Statistics tab) — GA event tracking is unaffected.
Fixed admin settings tabs not loading CSS/JS due to stale page hook slug after plugin rename.
1.0.1
Fixed scheduling bug: unchecked days now correctly hide the button when working hours are enabled.
Fixed timezone fallback: timezone_name_from_abbr() now uses is_dst = -1 for reliable offset matching.
Hardened is_working_hours(): missing or malformed start/end times now default to hidden instead of visible.
Added defensive array guards in get_all() to prevent empty working_hours from bypassing day checks.
