Changelog

Categories: Security, Feature, Fix, Perf, Admin, Deps.

[2.6.0] - 2026-05-25

Security + perf hardening pass following the 2026-05-25 audit. All high-severity security findings + the actionable high-impact perf findings are resolved. No change to public URLs, REST/GraphQL contracts or admin layouts.

Security

• SQL column-injection closed in every admin grid — the four listing data providers (Post, Author, Category, Comment) now whitelist sort/filter column names. A crafted sorting[field]=id,SLEEP(5)-- from an authenticated admin no longer reaches the DB.
• Path-traversal closed on Category featured_image and Author photo — the same sanitiser that already protected Post.featured_image (extracted into MediaPathSanitizer) now rejects anything that isn't a relative path under wimakeit/blog/ on the other two admin Save controllers.
• XSS closed in the BreadcrumbList JSON-LD on category pages — json_encode now emits JSON_HEX_* flags. A category name containing </script> can no longer break out of the script tag. Same fix already shipped for post pages in 2.4.0.
• SSRF closed in bin/magento wimakeit:blog:import-wp --download-images — the image downloader now validates the URL scheme, resolves the hostname and rejects private/reserved IPs (cloud metadata, internal services, 127/8, 10/8, …), uses curl with bounded timeouts and no redirect-follow, caps the response at 10 MB, and sanitises the saved filename. The CLI also rejects --file= paths outside the Magento install (BP).
• XXE mitigated on the WP import XML parser (LIBXML_NONET added).
• Imported comments are now PENDING regardless of wp:comment_approved — source DBs are untrusted, moderators review each carried-over comment.
• Comment rate-limiter no longer bypassable when the source IP is unavailable (was returning "not limited", now returns "limited" — fail-closed).
• Author social URLs sanitised at write-time — only http(s):// is persisted. Stored javascript: / data: URIs can no longer leak into the public profile or the GraphQL resolver.
• GraphQL BlogAuthor resolver lists columns explicitly — email and admin_user_id are excluded from the SELECT so they can never leak even if the GraphQL schema is extended.
• Post-view counter (TrackView) enforces same-origin Origin/Referer in addition to the session debounce. External <img>/<iframe> payloads can no longer inflate view counts cross-site.
• Category default_sort_direction is whitelisted to ASC / DESC on save.

Perf

• TrackView is now a single UPDATE (was SELECT-EXISTS + UPDATE) — saves one round-trip per published beacon hit.
• Post view controller skips the mediumtext content column when building the page metas (canonical, OG, hreflang, breadcrumbs). The full content is loaded once, by the ViewModel that actually renders it.
• GraphQL BlogCategories resolver lists columns explicitly — drops SELECT c. so featured_image, default_sort_, timestamps are no longer transferred when not requested.
• Pagination clamped to 1000 pages on /blog/search and /blog/tag/{slug} — blocks ?p=999999 DoS via deep OFFSET.

DB

• Composite (tag_id, post_id) index on wimakeit_blog_post_tag — tag-grouped JOINs (category tag pills, sitemap provider, related-by-tag) now resolve post_id index-only.
• Composite (category_id, position) index on wimakeit_blog_post — speeds up previous/next-post lookups on the post view.
• (updated_at) index on wimakeit_blog_post — used by the tag/author sitemap providers' GROUP BY + MAX(updated_at).
• Run bin/magento setup:upgrade after composer update so the new indexes get created.

Notes

• The constructor of the three admin Save controllers gained one extra dependency (MediaPathSanitizer); Post/TrackView gained two (StoreManagerInterface, BotDetector). All auto-injected via DI — no di.xml change is required in consumer projects.

[2.5.6] - 2026-05-25

Feature

• Author pages now have a canonical + breadcrumbs + Open Graph block — every /blog/author/{slug} declares rel="canonical" to the same URL the sitemap emits, renders a Home > Author Name trail and exposes og:url, og:type=profile, og:title, og:description, og:site_name. Author pages were previously SEO-orphan.

Fix

• Post breadcrumb shows the full title — the 40-char / em-dash truncation that turned long titles into something like "Pharmamed" in the breadcrumb is gone. The crumb now matches the H1 and the slug visible in the URL.

[2.5.5] - 2026-05-24

Feature

• Tag pages now in the XML sitemap — every /blog/tag/{slug} is added by a new sitemap item provider, restricted to tags that have at least one active + published post on the current store. Priority 0.5, change-frequency weekly. SEO crawlers can discover the tag landings without a manual sitemap edit.
• Author pages now in the XML sitemap — same treatment for /blog/author/{slug}: only authors with at least one published post visible on the store, per-store-view slug from wimakeit_blog_author_store. Priority 0.5, change-frequency weekly.

[2.5.4] - 2026-05-22

Feature

• Tag pills with article counts on every category landing — below the search form, render the active tags for that category as orange pills, each suffixed with a compact numeric badge (e.g. #Magento 25, #Sécurité 6). Sorted by post count DESC. New ViewModel method joins wimakeit_blog_tag ↔ _post_tag ↔ _post ↔ _post_category and filters published + active posts only.
• Tags moved to the top of the post page — the #tag row sits directly under the hero meta (date / reading time) instead of next to the Share buttons at the bottom. Visitors see the topic at a glance before scrolling.

Admin

• Category card CTA is now context-aware in three branches — services keep "Learn more", news categories (actualites, news, nieuws, blog) say "Read the article" / "Lire l'article" / "Lees het artikel", every other category (projects, references…) keeps "Read the case study". Same rule extended to the count noun in the hero (30 articles vs 30 projets).

[2.5.3] - 2026-05-22

Feature

• .blog-tldr callout class — write <div class="blog-tldr"><ul><li>…</li></ul></div> and the "TL;DR" label is auto-prepended, the box gets the brand-orange left border and a light tint, bullets are tightly aligned. No more hand-written <p class="font-semibold">TL;DR</p> header in every article.
• Inline <code> and CLI <pre> styled in brand orange — <code> renders as smaller monospace in #EF7013 on a soft orange tint, matching the marketplace PDP changelog/install code styling. Fenced <pre> blocks get the same tint with a 3 px orange left border and horizontal scroll for long shell one-liners.

Fix

• Blog content list bullets — <ul> / <ol> inside post content lost their bullets after Hyvä's Tailwind preflight reset (list-style: none; padding: 0). Restored list-style: disc / decimal, padding-left: 1.5rem and brand-orange ::marker. Bullets are now visible and properly indented in every post body.

[2.5.2] - 2026-05-22

Feature

• Sticky table of contents on the left — long-form posts now show a 280 px lateral TOC on desktop (≥ 1024 px), pinned with position: sticky; top: 90px, so readers keep their place while scrolling. Rendered only when the JS detects at least 3 headings. Stacks above the content on tablet/mobile.
• TOC visual refresh — switched to a numbered <ol> with 1., 2., … prefixes; H3s indented under their parent. White rounded card with subtle border and shadow; hover paints the row light grey; the active section is brand orange #EF7013 on a 10% orange tint — same treatment as the front-end /fr/checkmo-availability#how-it-works Sommaire.

[2.5.1] - 2026-05-22

Fix

• Admin Tag listing now loads — missing <updateUrl path="mui/index/render"/> on the listing data source made the grid AJAX fall through to the default render endpoint and the UI showed "Something went wrong with processing the default view…". Same patch as the 2.2.4 author/comment fix; Tags were introduced in 2.4.0 and missed it.
• Post save accepts locale-formatted publish dates — saving a post with a French date picker (22/05/2026) raised DateMalformedStringException deep in Pdo\Mysql::formatDate() and surfaced as "Could not save blog post: Failed to parse time string (22/05/2026)…". The admin Post Save now runs publish_date through Stdlib\DateTime\Filter\Date, which parses with the current locale and returns the MySQL-compatible Y-m-d format.

[2.5.0] - 2026-05-22

Feature

• Per-category default sort in admin: pick the field (publish date, title, author, view count, manual position) and direction (ASC/DESC) used when a visitor opens the category without an explicit sort.
• Sort tabs on the category page — Most recent / Oldest / Most read / Title A-Z / Z-A / Author A-Z. Active tab highlighted; pagination links preserve the ?sort= selection.
• Real category-scoped search — the search input on the category hero now submits to /blog/search?q=…&cat={id} instead of a JS-only filter on the current page. Placeholder is category-aware ("Search in {Category}…") and the results page shows the active scope with a one-click escape to "Search all categories".
• Locale-aware dates — every blog date (post hero, category cards, related posts, author page, Latest Posts widget) now renders in the store's locale via IntlDateFormatter. A FR store sees "17 mai 2026" instead of "17 May 2026".

Admin

• New category settings Default Sort Field and Default Sort Direction under Content > Blog > Categories.

[2.4.0] - 2026-05-22

Security

• REST endpoints under /rest/V1/wimakeit-blog/* now all require the matching admin ACL (previously anonymous). Closes draft-post enumeration via filter[is_active][eq]=0 and a public leak of author.email.
• GraphQL: WimakeitBlogAuthor.email removed from the public type. wimakeitBlogCreateComment now applies the same post-existence, parent integrity, rate-limit and reCAPTCHA enforcement as the HTTP form via a shared service.
• Comment submit: every payload is validated (post must exist and be active, parent must belong to the same post and be approved, reply depth capped at 2). Author website URLs are restricted to http(s) schemes both at write time and at display time on author / comment pages.
• Featured-image uploads: extension whitelist now backed by a real MIME-content check (mime_content_type / finfo), so a shell.jpg with PHP bytes is rejected.
• Featured-image save path is sanitized to only accept wimakeit/blog/-prefixed relative paths (blocks .. traversal and absolute paths).
• Admin Post Save now intersects category_ids / tag_ids against the DB before inserting pivots — orphan rows can no longer be smuggled in via crafted POST.
• Admin Author Save validates admin_user_id against admin_user.user_id.
• Post template <script> blocks render json_encode with JSON_HEX_TAG flags — closes a stored-XSS path through a crafted post slug.
• Store switcher rebuilds the redirect URL from the target store's base URL instead of trusting the incoming host.
• Comment submit no longer leaks raw exception messages to the visitor.
• New Wimakeit_Blog::tag ACL resource for the tags CRUD.

Feature

• Tags CRUD in admin under Content > Blog > Tags (listing, edit, slug auto-generated) and tag_ids multiselect on the post form.
• Public tag page at /blog/tag/{slug} — paginated listing of every post that carries the tag for the current store.
• Tags rendered on the post view are now clickable links to their tag page.

Perf

• view_count decoupled from the request path — incremented out-of-band via a JS beacon hitting Controller/Post/TrackView, so Full Page Cache can serve the post page without the synchronous UPDATE. Session-debounced so the same visitor counts once per session.
• N+1 killed in the category listing: post specs are now batch-loaded for the whole page in one query instead of one per card.
• getIdentities() on the category and Latest Posts widget no longer issue SQL — they used to JOIN three tables on every FPC cache-tag check, including cache hits.
• Hreflang generation on the post page batched into one IN (?) lookup per table (was 2 × N queries with N stores).
• ViewModel/PostView memoizes category, author, tags and related posts per request — duplicate calls inside the same render are free now.
• ViewModel/PostList / TagList no longer pull the content mediumtext column for listing queries; getTotalCount() memoized so paged listings don't run the COUNT twice.
• GraphQL BlogPosts resolver inspects the requested fields and only joins ps.content when the query actually asks for it.
• New DB indexes on wimakeit_blog_post_tag(tag_id), wimakeit_blog_post_store(store_id), wimakeit_blog_comment(parent_id), wimakeit_blog_post(author_id).
• Ui/DataProvider/Post/ListingDataProvider uses COUNT(DISTINCT main.id) so admin grid pagination no longer drifts from the JOIN multiplier.
• WordPress importer: comments are inserted via insertMultiple in batches of 250 (was one ORM save per row), and the attachment lookup is pre-indexed once (was O(n) per post).
• Sitemap provider batches the post fetch in 500-row pages so the cron stays within memory limits on large catalogs.
• Category and post templates: ~400 lines of inline CSS extracted to view/frontend/web/css/blog.css — smaller FPC payload, browser-cacheable styles, CSP-compatible.

Admin

• og:site_name now resolves to the store name (was hardcoded).
• All admin controllers normalized to public const ADMIN_RESOURCE and every execute() declares a ResultInterface return type.

[2.2.4] - 2026-05-19

Fix

• Admin Authors and Comments grids no longer break on load with the "Something went wrong with processing the default view" error — the listings now declare the mui/index/render updateUrl so bookmark, filter, paging and sorting AJAX calls hit the standard UI renderer instead of resolving to /undefined.

[2.2.2] - 2026-05-12

Admin

• Dashboard widget extracted to companion module wimakeit/module-blog-admin-dashboard. The main module is now installable on stores that don't use wimakeit/module-admin-dashboard.

Deps

• To keep the dashboard widget, install wimakeit/module-blog-admin-dashboard alongside this module.

[2.2.0] - 2026-05-09

Feature

• Per-store builder canvas inside each FR/EN/NL fieldset of the post form. Editors compose post content visually through wimakeit/module-page-builder instead of a raw HTML textarea.

Admin

• Switched to the shared Wimakeit PageBuilder helpers; persists per-store builder state alongside the rendered HTML.

Deps

• Requires wimakeit/module-page-builder ^1.4.

[2.1.0] - 2026-05-05

Feature

• Native Magento Page Builder replaced by wimakeit/module-page-builder for post content. Better multi-store handling and a lighter editor footprint.

[2.0.1] - 2026-03-15

Fix

• Featured-image fields in post/category/author edit forms now render the existing image instead of staying empty — the fileUploader UI component receives the proper array shape on load.
• Page Builder / WYSIWYG no longer crashes the admin with a LocalizedException on every load — invalid <value> elements removed from etc/widget.xml (defaults now resolved in the LatestPosts block).
• Featured-image uploads from the post and category forms no longer 404 — added the missing upload controllers for the wimakeit_blog/post/upload and wimakeit_blog/category/upload routes.

[2.0.0] - 2026-03-10

Feature

• New Authors entity (tables wimakeit_blog_author + wimakeit_blog_author_store): photo, email, bio, title, per-store slug and meta, social links. Admin CRUD under Content > Blog > Authors and frontend page at /blog/author/{slug}.
• New Comments with moderation and anti-spam: DB-backed comments, per-post listing, reply threading, honeypot, IP rate limiting, optional reCAPTCHA v3, three moderation modes (approve all / moderate all / moderate first only). Admin grid under Content > Blog > Comments with mass actions (approve / pending / spam / trash / delete). Guest commenting toggle.
• New CMS widget Blog - Latest Posts with widget title, post limit, category filter and per-toggle image/excerpt/date.
• New multi-category support via pivot wimakeit_blog_post_category. Primary category stays on post.category_id (canonical URL); migration patch seeds the pivot from existing data.
• Tag persistence from the post form (tag_ids input) — the pivot existed but was never wired.
• New view counter on post view (skips bots via User-Agent, skips ?preview=1).
• Related posts now rank by shared tag overlap first, then same category, then recency (previously same category only).
• New WordPress import CLI: bin/magento wimakeit:blog:import-wp --file=wp-export.xml [--store=1] [--default-category=X] [--download-images] [--dry-run]. Maps authors, categories, tags, posts, comments.
• New REST API at /rest/V1/wimakeit-blog/* with public read / admin write for posts, categories, authors, comments plus search endpoints.
• New GraphQL API with queries wimakeitBlogPost(s), wimakeitBlogCategory(ies), wimakeitBlogAuthor, wimakeitBlogComments and mutation wimakeitBlogCreateComment.
• New full-text search via MySQL/MariaDB FULLTEXT index on wimakeit_blog_post_store (title + excerpt + content), with automatic LIKE fallback and dedicated /blog/search?q=... results page.

Perf

• FPC identity tags on Post and Category blocks and models — saving a post or category now flushes only the relevant cache entries instead of the whole page cache.

Admin

• Post and Category data interfaces expose a CACHE_TAG constant and implement IdentityInterface.
• Repository interfaces gained deleteById() and getList(SearchCriteriaInterface) to match Magento service-contract expectations.
• New Comments settings group under Stores > Configuration > WiMakeIT > Blog > Comments.

Deps

• Sequences Magento_Widget (CMS widget) and Magento_GraphQl (GraphQL schema).