pH7 Social Dating Builder, v18.3.0 🎉
General Improvements & SEO/LLM Optimisation
- Several general minor improvements.
- General code maintenance cleanups and refactoring following our core principles.
- A few specific optimisations for SEO and LLMs.
Security & Hardening
- Centralize CSRF action token names: all forms and controllers now derive CSRF token names through one shared helper, so the token name a form renders always matches the name its controller validates.
- Validate forum admin delete requests: forum admin destructive actions now require a valid CSRF token for that specific action, preventing accidental or forged deletes.
- Enhance blog, note, and profile XSS protection: blog post content, note content, and profile descriptions are now sanitized with XSS cleaning and proper escaping, closing multiple stored XSS vectors. ([d1a773aef](d1a773aef), [f6055396a](f6055396a), [87fa7ae2e](87fa7ae2e), [163b64123](163b64123), [d3757811c](d3757811c), [8e2f6cb13](8e2f6cb13))
- Harden file editor path validation: improved path validation and allowlisting in the admin file editors to prevent traversal and unauthorized file access. ([5aa6f489a](5aa6f489a), [f457eb220](f457eb220), [bc3f0fed6](bc3f0fed6), [37bcf3d33](37bcf3d33), [f64f2412b](f64f2412b))
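To illustrate the two CSRF items above (the shared token-name helper and the forum admin delete check), here is a minimal example added for this page; it is not pH7Builder's own code. The class name `CsrfGuard`, the `csrf_token` field name, the `forum`/`admin_delete_post` action key and the in-memory store standing in for the PHP session are all assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not pH7Builder's own code. One helper derives the CSRF token
// name for a (module, action) pair and validates what the form sends back.
// Names are hypothetical; $store stands in for the PHP session.

final class CsrfGuard
{
    private const TTL_SECONDS = 3600;

    /** @var array<string, array{value:string, issued:int}> stand-in for $_SESSION['csrf'] */
    private array $store = [];

    /**
     * The single place token names are derived. Forms and controllers both call
     * this, so the hidden field and the controller check can never disagree on
     * the name (the mismatch that silently skips validation).
     */
    public static function tokenName(string $module, string $action): string
    {
        $key = strtolower($module) . '_' . strtolower($action);
        if (preg_match('/^[a-z0-9]+(_[a-z0-9]+)+$/', $key) !== 1) {
            throw new InvalidArgumentException("Unsafe CSRF action key: $key");
        }
        return 'csrf_' . $key;
    }

    /** Issues a fresh token for the action; the caller embeds it in the form. */
    public function issue(string $module, string $action): string
    {
        $token = bin2hex(random_bytes(32));
        $this->store[self::tokenName($module, $action)] = ['value' => $token, 'issued' => time()];
        return $token;
    }

    /**
     * Validates and consumes the token for exactly this action. The stored token
     * is removed even on failure, so a guess cannot be retried against the same
     * token; the comparison is constant-time.
     */
    public function validate(string $module, string $action, ?string $submitted): bool
    {
        $name = self::tokenName($module, $action);
        $stored = $this->store[$name] ?? null;
        unset($this->store[$name]);
        if ($stored === null || $submitted === null) {
            return false;
        }
        if (time() - $stored['issued'] > self::TTL_SECONDS) {
            return false;
        }
        return hash_equals($stored['value'], $submitted);
    }
}

/**
 * Forum admin delete: runs only for a POST carrying a valid token for this
 * action. $deletePost is the model call, injected so the example runs without
 * a database.
 */
function forumAdminDeletePost(CsrfGuard $csrf, string $method, array $body, callable $deletePost): bool
{
    if ($method !== 'POST') {
        return false;                       // destructive actions never run on GET
    }
    if (!$csrf->validate('forum', 'admin_delete_post', $body['csrf_token'] ?? null)) {
        return false;                       // missing, stale, replayed or forged token
    }
    $deletePost((int) ($body['post_id'] ?? 0));
    return true;
}

// Constructed demo: render the form token, then a legitimate submit, a replay,
// a forged token and a GET.
$csrf = new CsrfGuard();
$deleted = [];
$deletePost = function (int $id) use (&$deleted): void { $deleted[] = $id; };

$token  = $csrf->issue('forum', 'admin_delete_post');   // goes into <input type="hidden" name="csrf_token">
$legit  = forumAdminDeletePost($csrf, 'POST', ['post_id' => 42, 'csrf_token' => $token], $deletePost);
$replay = forumAdminDeletePost($csrf, 'POST', ['post_id' => 43, 'csrf_token' => $token], $deletePost);
$forged = forumAdminDeletePost($csrf, 'POST', ['post_id' => 44, 'csrf_token' => str_repeat('0', 64)], $deletePost);
$viaGet = forumAdminDeletePost($csrf, 'GET',  ['post_id' => 45], $deletePost);

var_dump($legit, $replay, $forged, $viaGet, $deleted);
```

Only the first request deletes anything: the replay fails because the token was consumed, the forged token has no stored counterpart, and the GET never reaches validation. Because `tokenName()` is the only place names are built, a token issued for `admin_delete_topic` is also rejected by the `admin_delete_post` check.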
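The blog/note/profile item above distinguishes two cases that are easy to conflate: plain-text fields, which only need escaping for the HTML context they are printed into, and rich-text fields, which must be cleaned against an allowlist because some markup is meant to survive. The following example, added here and not pH7Builder's own code, shows both; the function names, the particular allowlist and the sample payloads are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not pH7Builder's own code. Plain-text fields (profile
// description) are escaped for the HTML context; rich-text fields (blog post,
// note body) are pruned to an element/attribute allowlist. Names and the
// allowlist are hypothetical choices.

/** Plain text destined for an HTML body or attribute: escape, never trust. */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Only these elements survive, and only with these attributes. */
const ALLOWED_ELEMENTS = [
    'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
    'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [], 'a' => ['href'],
];

/** Elements whose content is as dangerous as the tag: dropped with their children. */
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math'];

/** Allows http, https, mailto and relative URLs; rejects javascript:, data: and control-char tricks. */
function isSafeHref(string $href): bool
{
    $probe = preg_replace('/[\x00-\x20]+/', '', $href);   // browsers strip these before reading the scheme
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m) === 1) {
        return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
    }
    return true;                                           // scheme-less: relative URL
}

function cleanElement(DOMNode $parent): void
{
    foreach (iterator_to_array($parent->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue;                                      // re-serialized with < and & escaped
        }
        if (!$child instanceof DOMElement) {
            $parent->removeChild($child);                  // comments, processing instructions
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED_ELEMENTS[$tag])) {
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                $parent->removeChild($child);
            } else {                                       // unknown but inert tag: unwrap, keep its text
                cleanElement($child);
                while ($child->firstChild !== null) {
                    $parent->insertBefore($child->firstChild, $child);
                }
                $parent->removeChild($child);
            }
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_ELEMENTS[$tag], true)
                && ($name !== 'href' || isSafeHref($attr->value));
            if (!$keep) {
                $child->removeAttribute($attr->name);     // onmouseover=, style=, javascript: hrefs all go
            }
        }
        if ($tag === 'a') {
            $child->setAttribute('rel', 'noopener nofollow');
        }
        cleanElement($child);
    }
}

/** Rich text from a user: parse, prune to the allowlist, re-serialize. */
function sanitizeRichText(string $html): string
{
    $dom = new DOMDocument();
    $previous = libxml_use_internal_errors(true);          // user HTML is rarely well-formed
    $dom->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_use_internal_errors($previous);

    $root = $dom->documentElement;                         // the wrapping <div>
    cleanElement($root);
    $out = '';
    foreach ($root->childNodes as $node) {
        $out .= $dom->saveHTML($node);
    }
    return $out;
}

// Constructed sample inputs: a stored-XSS payload in a blog post and in a profile description.
$post = '<p>Hi <b onmouseover="alert(1)">there</b><script>steal()</script>'
      . '<a href="javascript:alert(2)">x</a> <a href="https://example.com">ok</a></p>';
$profile = 'Likes <img src=x onerror=alert(3)> hiking';

echo sanitizeRichText($post), "\n";
echo escapeHtml($profile), "\n";
```

The rich-text output keeps the `<p>`, `<b>` and the `https:` link (now with `rel="noopener nofollow"`), drops the `<script>` with its body, strips the `onmouseover` handler and the `javascript:` href, while the profile description comes out as inert escaped text. Clean once when the content is stored and escape at every output site; a maintained sanitizer library is the usual choice in production, but the allowlist logic is the same.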
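For the file editor item above, the checks a hardened admin editor needs are: an allowlist of editable roots and extensions, early rejection of traversal syntax, and a containment check on the canonical (symlink-resolved) path. The following example is added here and is not pH7Builder's own code; the class name, root labels, extension list and the temporary fixture are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not pH7Builder's own code. Each condition lives in a small
// self-descriptive predicate so the policy reads as the list of rules it
// enforces. Names are hypothetical.

final class EditorPathPolicy
{
    /** @var array<string,string> label => canonical absolute directory */
    private array $roots = [];

    /** @param array<string,string> $roots  @param list<string> $extensions */
    public function __construct(array $roots, private array $extensions)
    {
        foreach ($roots as $label => $dir) {
            $real = realpath($dir);
            if ($real === false || !is_dir($real)) {
                throw new RuntimeException("Editor root '$label' does not exist: $dir");
            }
            $this->roots[$label] = $real;
        }
    }

    /** Canonical path of an editable file, or null if the request is not allowed. */
    public function resolve(string $rootLabel, string $relativePath): ?string
    {
        if (!isset($this->roots[$rootLabel])) {
            return null;                                   // root not on the allowlist
        }
        if ($this->containsNulByte($relativePath)
            || $this->isAbsolute($relativePath)
            || $this->hasTraversalSegment($relativePath)
            || !$this->hasAllowedExtension($relativePath)) {
            return null;
        }
        $root = $this->roots[$rootLabel];
        // realpath() resolves symlinks, so a link inside the root that points
        // outside it fails the containment check below.
        $real = realpath($root . DIRECTORY_SEPARATOR . $relativePath);
        if ($real === false || !is_file($real) || !$this->isInsideRoot($real, $root)) {
            return null;                                   // missing, a directory, or escaped the root
        }
        return $real;
    }

    private function containsNulByte(string $p): bool
    {
        return str_contains($p, "\0");
    }

    private function isAbsolute(string $p): bool
    {
        return $p !== '' && ($p[0] === '/' || $p[0] === '\\' || preg_match('/^[A-Za-z]:/', $p) === 1);
    }

    private function hasTraversalSegment(string $p): bool
    {
        foreach (preg_split('#[/\\\\]+#', $p) as $segment) {
            if ($segment === '..') {
                return true;
            }
        }
        return false;
    }

    private function hasAllowedExtension(string $p): bool
    {
        return in_array(strtolower(pathinfo($p, PATHINFO_EXTENSION)), $this->extensions, true);
    }

    private function isInsideRoot(string $real, string $root): bool
    {
        return str_starts_with($real, $root . DIRECTORY_SEPARATOR);
    }
}

// Constructed fixture: a temporary root with one editable template and a file
// one level above it that the editor must never reach.
$base = sys_get_temp_dir() . '/editor-demo-' . bin2hex(random_bytes(4));
mkdir($base . '/themes', 0700, true);
file_put_contents($base . '/themes/index.tpl', '{* template *}');
file_put_contents($base . '/secret.php', '<?php // not editable');

$policy = new EditorPathPolicy(['templates' => $base . '/themes'], ['tpl', 'css', 'js']);

foreach ([
    ['templates', 'index.tpl'],
    ['templates', '../secret.php'],
    ['templates', '/etc/passwd'],
    ['templates', "index.tpl\0.php"],
    ['config',    'index.tpl'],
] as [$label, $path]) {
    $result = $policy->resolve($label, $path);
    printf("%-10s %-18s => %s\n", $label, addcslashes($path, "\0"), $result ?? 'REJECTED');
}

unlink($base . '/themes/index.tpl');
unlink($base . '/secret.php');
rmdir($base . '/themes');
rmdir($base);
```

Only `templates/index.tpl` resolves; the traversal, absolute path, NUL-byte and unknown-root requests are all rejected before any filesystem access except the final `realpath()`. Checking the syntax first and the canonical path second matters: the syntax checks are cheap and give clear error reasons, while the containment check is what actually holds when a symlink or an unexpected filesystem layout gets past them.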
Developer & Maintainer Tooling
- Add CLI command for GitHub issue resolution: new Symfony Console command to inspect, comment on, and close GitHub issues from the CLI.
- Simplify GitHub issue resolution flow: refactored the CLI issue resolver for maintainability and safety.
- Document safer GitHub token usage: the CLI docs now recommend supplying the token through an environment variable, reducing accidental token leaks.
Performance & Code Quality
- Remove redundant emoticon parsing from note content: improved performance by moving the emoticon logic into the controller.
- Refactor and clarify file path validation: boolean conditions in the file editors are now encapsulated in clear, self-descriptive functions.