
Edit Flow 0.10.4

Released by @GaryJones on 24 Apr 01:32. Tag 0.10.4, commit bd14595. 128 commits to develop since this release.

This release is dominated by defence-in-depth hardening following a security review of the plugin's authenticated code paths. None of the issues are known to be exploited in the wild, but all users are encouraged to update.

Security

  • fix: require manage_options on the Add Custom Status form handler by @GaryJones in #940
  • fix: correct ICS text escaping per RFC 5545 (semicolons, commas, backslashes, newlines) by @GaryJones in #941
  • fix: stop double-escaping editorial comment author fields by @GaryJones in #942
  • fix: use correct wp_kses arguments in inline-save error paths by @GaryJones in #943
  • fix: harden calendar trashed-message Undo URL construction against query-arg injection by @GaryJones in #944
  • fix: strip HTML from filter-supplied editorial metadata CSS to prevent </style> breakout by @GaryJones in #945
  • fix: validate metadata term in calendar AJAX update handler by @GaryJones in #946
  • fix: require edit_post access on notification subscription AJAX handlers by @Copilot in #931

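As an added illustration of the RFC 5545 escaping rule referenced in #941 (example code, not Edit Flow's own implementation): a TEXT-value escaper and the 75-octet line folding it feeds into. It assumes the mbstring extension is available for `mb_strcut`; the sample event title is constructed.

```php
<?php
// Added example, not Edit Flow's own code: escape a string for an
// iCalendar TEXT property value per RFC 5545 section 3.3.11.
// Backslash must be handled first: if ";" or "," were escaped first,
// the backslashes that step inserts would be doubled by a later pass.
function escape_ics_text( string $value ): string {
    // Normalise CRLF and bare CR to LF so every line break becomes "\n".
    $value = str_replace( array( "\r\n", "\r" ), "\n", $value );
    // str_replace applies the pairs in order, so '\\' runs before the rest.
    return str_replace(
        array( '\\',   ';',  ',',  "\n" ),
        array( '\\\\', '\;', '\,', '\n' ),
        $value
    );
}

// Build one content line and fold it at 75 octets (RFC 5545 section 3.1).
// mb_strcut (assumed: mbstring extension) cuts on byte boundaries without
// splitting a multi-byte UTF-8 sequence across the fold.
function ics_property( string $name, string $value ): string {
    $line  = $name . ':' . escape_ics_text( $value );
    $out   = array();
    $limit = 75;
    while ( strlen( $line ) > $limit ) {
        $chunk = mb_strcut( $line, 0, $limit, 'UTF-8' );
        $out[] = $chunk;
        // A continuation line starts with a single space, and that space
        // counts toward the 75-octet limit of the folded line.
        $line  = ' ' . substr( $line, strlen( $chunk ) );
    }
    $out[] = $line;
    return implode( "\r\n", $out );
}

// Constructed sample: a post title carrying every character that needs
// escaping, plus a Windows-style path containing a literal backslash.
$title = "Draft: Q3 plan; review, please\r\nPath C:\\docs";
echo ics_property( 'SUMMARY', $title ), "\r\n";
```

Feed the output to a calendar client that is strict about RFC 5545 (or round-trip it through a parser) to confirm the separators survive as literal text rather than being read as property parameters or list delimiters.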
Fixed

  • fix: show "Immediately" for custom status posts in the block editor by @GaryJones in #938
  • fix: stop passing null to wp_kses_post in list-table single_row (removes five PHP 8.1+ deprecations per row) by @GaryJones in #947
  • fix: stop passing null to wp_kses_post on inline-save success (removes deprecations on Quick Edit) by @GaryJones in #948

Documentation

Maintenance

  • chore: exclude eslint from the Dependabot dev-dependencies group by @GaryJones in #919
  • Routine dependency updates for npm packages and GitHub Actions

New Contributors

  • @MxchaelA8C made their first contribution in #929
  • @Copilot made their first contribution in #931

Full Changelog: 0.10.3...0.10.4