Shed Form

Historique des changements

1.7.4

• Confirmed compatibility with WordPress 7.0

1.7.3

• Fixed: Uploaded files and database records now deleted when a submission is deleted (prevents personal data from remaining on server).
• Fixed: Cron file cleanup now scans subdirectories recursively (year/month hierarchy).
• Fixed: Redundant wp_unslash() calls removed from mail settings save handler.
• Fixed: Console log prefix updated from [WSF] to [Shed Form].

1.7.2

• Fixed: Zipcode auto-fill, conditional fields, and consent scroll not working due to dataset attribute name mismatch (wsf → shedform prefix).
• Fixed: Turnstile verification failure now shows an error message instead of silently re-rendering the form.
• Fixed: Redundant wp_unslash() calls in settings save handler (title, html, text, error, blocked_ips keys).
• Fixed: Form deletion now also removes related row records.
• Fixed: error_log() calls are now gated by WP_DEBUG.
• Fixed: Cloud phrase « version » value is now sanitized before saving to wp_options.
• Fixed: Cloud phrases with invalid regex patterns are now filtered out before caching (ReDoS prevention).
• Fixed: License header notation unified to GPL-2.0-or-later.

1.7.1

• Fixed: NG phrase list not saving when phrases contained regex patterns (double wp_unslash corrupted JSON).
• Fixed: syncJson() not called when phrases array is empty (全クリア not persisting).

1.7.0

• Added: Shortcode copy button on the form edit page.
• Added: Per-form maximum width setting (form_max_width).
• Added: « 協業 » and « 情報交換 » to default NG phrase list.
• Changed: NG phrase type label updated from « 完全一致 » to « 部分一致（含む） » to accurately reflect matching behavior.

1.6.23

• Fix: Removed specific add-on names from FAQ to reflect current availability.

1.6.22

• Fix: Corrected Privacy Policy URL for WP Shed NG Phrase service in Third-Party Services section.

1.6.21

• Code quality: Renamed JS global variable wsfPreview to shedformPreview to comply with WordPress.org prefix requirements.
• Code quality: Renamed wpshed_ option keys for NG phrase cache to shedform_ prefix (shedform_default_phrases_cache, shedform_phrases_cache_version, shedform_phrases_cache_updated). Migration runs automatically on update.
• Code quality: Removed obsolete wpshed_license_key / wpshed_license_cache option writes from migration function (no longer used after updater removal in v1.6.19).
• Code quality: Wrapped hardcoded 同意する strings with __() for i18n in 3 locations.
• Code quality: Added phpcs:disable NonPrefixedVariableFound to page-settings.php and form-complete.php template files.
• Disclosure: Added Terms of Service URLs for ZipCloud and WP Shed NG Phrase API in Third-Party Services section.

1.6.20

• Code quality: Added phpcs:disable for NonPrefixedVariableFound in all template files (view templates included from callbacks — variables are scoped to each template, not global API).
• Code quality: Added PluginCheck.Security.DirectDB.UnescapedDBParameter phpcs:ignore to RENAME TABLE migration query ($old_table/$new_table are built from $wpdb->prefix + hardcoded map, no user input).

1.6.19

• Changed: Removed custom auto-updater (WPShed_Updater) — plugin is distributed exclusively via WordPress.org.

1.6.18

• Fixed: Undefined method Shedform_Field_Manager::get_fields() in ajax_restore_submission() — changed to get_by_form() (caused fatal error on « process as normal » action).
• Code quality: Wrap consent confirmation label with esc_html__() for i18n.
• Code quality: Wrap CSV export status labels with __() for i18n.
• Code quality: Add esc_attr() to nav-tab-active and display:none inline style echoes in form editor.

1.6.17

• Security: Added nonce verification to mail log detail view (auto-read-mark access now CSRF-protected).
• Security: « 詳細 » list links in mail logs now use wp_nonce_url() to include nonce parameter.
• Security: Cross-link from mail log detail to submission detail now includes nonce for check_admin_referer() on the submissions page.

1.6.16

• Security: Added nonce verification to submission detail view (auto-read-mark state change now CSRF-protected).
• Security: Sanitize validation and extras JSON field values on save (rule → sanitize_key, message/param → sanitize_text_field, _url keys → esc_url_raw, regex param validated by shedform_validate_regex_phrase).

1.6.15

• Changed: All function, class, constant, hook, option, and table prefixes renamed from wsf_/WSF_ to shedform_/SHEDFORM_/Shedform_ to meet WordPress.org 4-character prefix requirement.
• Migration: Existing wp_wsf_* database tables automatically renamed to wp_shedform_* on upgrade (data preserved).
• Migration: Existing wsf_* WordPress options automatically migrated to shedform_* on upgrade.

1.6.14

• Changed: Credit display changed to opt-in (default OFF) — removes Trialware violation. Setting added to Shed Form → Settings.
• Changed: Upload directory moved from wp-content/shedform-uploads/ to wp-content/uploads/shed-form/ (wp_upload_dir() based). Automatic migration for existing users.
• Fixed: Inline blocks in page-mail-logs.php replaced with wp_add_inline_script()
• Security: options JSON now sanitized recursively with sanitize_text_field(). validation/extras validated by json_decode() + key whitelist (regex patterns preserved).
• Disclosure: Added ZipCloud postal code API to Third-Party Services in readme.txt
• Updated: SortableJS 1.15.6 → 1.15.7
• Fixed: file_put_contents() replaced with WP_Filesystem API for .htaccess and index.php creation

1.6.13

• Code quality: Added phpcs:ignore for DirectQuery/NoCaching/SchemaChange/UnescapedDBParameter on migration ALTER TABLE and INFORMATION_SCHEMA queries in shed-form.php
• Code quality: Added Squiz.PHP.DiscouragedFunctions.Discouraged to ini_set phpcs:ignore in class-shedform-validator.php (restore-after-finally blocks)
• Code quality: Added NoCaching to $wpdb->update() phpcs:ignore in class-shedform-admin.php
• Code quality: Added UnescapedDBParameter to CSV export batch-query phpcs:ignore lines in class-shedform-admin.php
• Code quality: Added UnfinishedPrepare to $wpdb->prepare() with spread-operator placeholder in class-shedform-admin.php
• Code quality: Added InputNotSanitized to phpcs:disable block in sanitize_input_for_display() in class-shedform-form.php
• Code quality: Added NonceVerification.Recommended phpcs:ignore to read-only list filter GET params in page-submissions.php
• Code quality: Added InterpolatedNotPrepared and moved ReplacementsWrongNumber phpcs:ignore to correct lines in page-submissions.php

1.6.12

• Code quality: Added phpcs:ignore/disable annotations for PluginCheck.Security.DirectDB.UnescapedDBParameter across all DB-heavy files — table names from $wpdb->prefix are safe
• Code quality: Added phpcs:disable blocks to manager/template classes (field-manager, form-manager, row-manager, settings) for repetitive DirectQuery/NoCaching/InterpolatedNotPrepared false positives
• Code quality: Added phpcs:disable/enable blocks to sanitize_input() / sanitize_input_for_display() for NonceVerification.Missing — nonce verified by calling functions
• Code quality: Fixed remaining ini_set (restore in finally blocks) and set_error_handler phpcs:ignore annotations in shed-form.php and class-shedform-validator.php

1.6.11

• Code quality: Removed deprecated load_plugin_textdomain() call (auto-loaded since WordPress 6.7)
• Code quality: Added missing wp_unslash() to $_GET accesses in admin pages and mail-logs template
• Code quality: Added sanitize_url() to HTTP_REFERER handling in template helpers
• Code quality: Added phpcs:ignore annotations for justified WPCS false positives (DirectQuery on custom tables, NonceVerification on read-only admin GET params, ini_set/set_error_handler for ReDoS protection)

1.6.10

• Version bump for mobile performance investigation testing

1.6.9

• Added: Field description — each field can now have supplementary helper text displayed below the input

1.6.8

• Code quality: Removed wp_kses_post() from JSON fields (options/validation/extras) in ajax_save_field() — prevents silent corruption of regex patterns containing angle brackets
• Code quality: Nonce sanitization changed from sanitize_key() to sanitize_text_field() (WPCS compliance)
• Code quality: Replaced raw $_GET[‘status’] access with already-sanitized $filter_status variable in submissions page

1.6.7

• Security: Session token now stores form_id — token from form A can no longer be used to complete form B
• Security: Session token destroyed immediately after retrieval (was destroyed after DB write) — eliminates 1-hour replay window
• Security: Textarea fields capped at 20,000 characters server-side to prevent spam-scoring DoS via oversized input
• Security: Blocked phrase matching now runs per-field in addition to concatenated text, reducing split-phrase bypass risk
• Security: File uploads now reject filenames containing PHP/script extensions in any position (e.g., shell.php.jpg)
• Added: Honeypot hidden field — bots that fill the invisible field are silently blocked regardless of spam score

1.6.6

• Security: From: display name now encoded with RFC 2047 MIME encoding (mb_encode_mimeheader) — prevents header injection via non-ASCII characters or special chars
• Security: admin_email_to validated with is_email() and CRLF-stripped before passing to wp_mail()
• Security: Resend mail CC/BCC now re-validated with is_email() and CRLF-stripped on restore from DB
• Security: ajax_download_file() path check now uses trailing DIRECTORY_SEPARATOR (same pattern as set_attachments()) to prevent sibling-directory bypass
• Security: Email subject CRLF stripped at plugin layer in both admin notification and auto-reply
• Performance/Security: CSV export now streams in batches of 500 rows — prevents memory exhaustion on large datasets; keyword filter moved to SQL layer

1.6.5

• Security: CSV injection fix — user-supplied field values starting with =, +, -, @ are prefixed with a single-quote in CSV export
• Security: {page_url} tag now uses home_url() instead of $_SERVER[‘HTTP_HOST’] to prevent host-header injection
• Security: ReDoS validation probe improved with near-miss test strings; PCRE control verbs (*LIMIT_BACKTRACK etc.) now rejected at save time
• Security: pcre.recursion_limit added alongside backtrack_limit in all regex guards; try/finally ensures limit is always restored
• Security: field validation ‘pattern’ rule now runs with the same ReDoS guard as blocked-phrase regex matching
• Security: set_attachments() path check uses trailing DIRECTORY_SEPARATOR to prevent shedform-uploads-evil prefix bypass
• Security: wp_unslash() added to remaining $_POST accesses in admin handlers
• Added: Admin notice warning when server is Nginx (where .htaccess upload protection is ineffective)

1.6.4

• Security: ReDoS protection — NG phrase regex patterns now validated with length limit (500 chars) and pcre.backtrack_limit guard; malformed/explosive patterns are skipped with error_log
• Security: X-Forwarded-For IP spoofing mitigation — rightmost IP used instead of leftmost when behind a proxy
• Security: Email attachment path traversal prevention — set_attachments() now validates all paths with realpath() against the shedform-uploads base directory

1.6.3

• Security: Upload subdirectories (form_id/year/month) now get .htaccess and index.php protection on creation
• Security: Content-Disposition header uses RFC 5987 (filename*=UTF-8) for correct Japanese filename handling
• Fixed: ALTER TABLE migration queries annotated with phpcs:ignore (no user input, WPCS compliance)

1.6.2

• Security: XSS fix — {url_param} dynamic tag now uses wp_kses() instead of sanitize_text_field() only
• Security: XSS fix — {page_title} dynamic tag now escaped with esc_html()
• Security: File upload — finfo_file() unavailability now rejects upload instead of skipping MIME check
• Security: File upload — real MIME type passed to wp_handle_upload() instead of client Content-Type
• Security: File upload — file size now measured server-side with filesize() instead of trusting $_FILES[‘size’]
• Security: wp_unslash() added to all $_POST access in form input processing (WPCS compliance)
• Fixed: Double-escaping in consent scroll content (removed redundant esc_html() inside wp_kses_post())

1.6.1

• プラグインスラッグを shed-form に統一（WordPress.org 申請対応）

1.6.0

• Added: GPL-2.0+ license for WordPress.org directory compatibility
• Added: Privacy policy suggestion via wp_add_privacy_policy_content
• Added: Third-party service disclosure in readme.txt
• Changed: NG phrase cloud update from automatic cron to manual button
• Changed: Bundled SortableJS locally instead of CDN
• Improved: Internationalization — all hardcoded Japanese strings wrapped with __()
• Improved: Generated .pot file for translation support

1.5.4

• Fixed: Reply-To placeholder expansion in admin and auto-reply emails
• Improved: Email placeholder handling for field keys

1.5.3

• Added: Consent field type with scroll-to-enable functionality
• Improved: Static caching in settings class to reduce database queries

1.5.1

• Fixed: Submit button disabled until Turnstile verification completes
• Security: Replaced PHP sessions with WordPress transients and one-time tokens