Add wzlw-force-external / wzlw-force-external-wrapper class support to force links to be treated as external regardless of automatic detection. Both class names are configurable under Settings > Advanced.
The wzlw-no-icon and wzlw-no-icon-wrapper class names are now configurable under Settings > Advanced.
Security
Redirect endpoint now requires an HMAC signature on every URL. Unsigned or tampered URLs are rejected, preventing open-redirect abuse.
Bug Fixes
Redirect URLs with HMAC signatures were broken due to double-encoding of the & separator in HTML output.
Redundant URL encoding in get_redirect_url() caused malformed redirect URLs.
Same-host check now normalises hostnames before comparison, so variants like EXAMPLE.COM or example.com. are treated as internal.
Excluded domains now match correctly when entered with a scheme or trailing path.
Add wzlw-no-icon-wrapper class support — add it to any wrapper element to exclude all links inside it from visual indicators.
Improvements
Enhanced modal accessibility: background content is now hidden from screen readers when the modal is open, URL display includes a screen reader label, buttons have fallback accessible names, and the Continue button announces “opens in a new window” for target=”_blank” links.
