Changelog

1.12.0 - 2026-04-27

Breaking change (security fix): The pre-1.12.0 /liveblog/v1/authors/<term> and /liveblog/v1/hashtags/<term> REST routes, and the matching admin-ajax liveblog_authors and liveblog_terms actions, only checked a global capability. That allowed any user holding publish_posts to enumerate every editor on the site and every entry in the hashtags taxonomy, regardless of which post — if any — they were editing (CWE-863). Closing that gap requires scoping the permission check to a specific post, which forces the post id to appear in the URL or the query string. The new shapes are /liveblog/v1/<post_id>/authors/<term>, /liveblog/v1/<post_id>/hashtags/<term>, and admin-ajax.php?action=liveblog_authors&post_id=… (likewise for liveblog_terms). The bundled JavaScript client has been updated. Anything else calling these endpoints — bespoke integrations, custom blocks, headless clients — needs to be updated to include the target post id.
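For callers other than the bundled client, the URL change described above can be applied mechanically. This is an added example, not code from the Liveblog plugin: the function name `scopeLiveblogUrl` and the `example.test` host are assumptions, while the route shapes and action names are those given in the entry above.

```javascript
// Added example: rewrite pre-1.12.0 Liveblog autocomplete URLs to the
// post-scoped shapes. scopeLiveblogUrl is a hypothetical helper name.
const AJAX_ACTIONS = new Set(['liveblog_authors', 'liveblog_terms']);

// Old REST shape: .../liveblog/v1/(authors|hashtags)/<term>
// A URL that already carries a post id after /v1/ does not match.
const OLD_REST = /(\/liveblog\/v1\/)(authors|hashtags)(\/[^/?#]*)?$/;

// Replacer function (not a "$1..." string) so the numeric post id can
// never be misread as part of a capture-group reference.
const insertPostId = (postId) => (match, prefix, kind, rest = '') =>
  `${prefix}${postId}/${kind}${rest}`;

function scopeLiveblogUrl(rawUrl, postId) {
  // Refuse anything that is not a positive integer rather than build a
  // URL the server will reject or resolve to the wrong post.
  if (!Number.isInteger(postId) || postId <= 0) {
    throw new TypeError('postId must be a positive integer');
  }
  const url = new URL(rawUrl);

  // admin-ajax.php?action=liveblog_authors|liveblog_terms -> add post_id
  if (url.pathname.endsWith('/admin-ajax.php')) {
    if (AJAX_ACTIONS.has(url.searchParams.get('action'))) {
      url.searchParams.set('post_id', String(postId));
    }
    return url.toString();
  }

  // Pretty permalinks: the route is part of the path.
  if (OLD_REST.test(url.pathname)) {
    url.pathname = url.pathname.replace(OLD_REST, insertPostId(postId));
    return url.toString();
  }

  // Plain permalinks: the route travels in ?rest_route=
  const route = url.searchParams.get('rest_route');
  if (route && OLD_REST.test(route)) {
    url.searchParams.set('rest_route', route.replace(OLD_REST, insertPostId(postId)));
  }
  return url.toString();
}
```

The post id passed in should be the post the caller is actually editing, since 1.12.0 checks permission against that post.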

Security

  • fix: scope liveblog write authorisation to the target post by @GaryJones in #870 (CWE-285 BAC)
  • fix: harden preview CSRF, autocomplete post-scoping, attribute escaping, and author/contributor validation by @GaryJones in #873 (CWE-352, CWE-863, CWE-79, CWE-639)
  • fix: cap checks, ID sanitisation, and safer JSON-LD and AMP output by @GaryJones in #867 (CWE-285, CWE-20, CWE-79)

Documentation

  • docs: restructure documentation around audience by @GaryJones in #872

Maintenance

  • npm(deps): bump @lexical/react from 0.40.0 to 0.43.0 by @dependabot in #866
  • npm(deps): bump @lexical/rich-text from 0.39.0 to 0.43.0 by @dependabot in #865
  • npm(deps-dev): bump the dev-dependencies group with 2 updates by @dependabot in #864
  • Actions(deps): bump actions/setup-node from 6.3.0 to 6.4.0 in the actions group by @dependabot in #863

1.11.1 - 2026-04-20

Security

  • fix: require post read permission on public Liveblog REST endpoints by @GaryJones in #857 (CWE-639 IDOR)

Fixed

  • fix: improve schema.org LiveBlogPosting structured data output by @GaryJones in #816
  • fix: handle malformed comment_date_gmt in entry timestamp by @Ritesh-patel in #829

Maintenance

  • chore: clean up distribution and remove non-functional Behat workflow by @GaryJones in #802
  • fix: suppress duplicate class name PHPCS warning in test stub by @GaryJones in #851
  • npm(deps): bump @lexical/html, @lexical/link, @lexical/list, @lexical/react, lexical from 0.39.0 to 0.40.0 by @dependabot in #831, #832, #833, #834, #835
  • npm(deps): bump lodash, lodash-es from 4.17.21 to 4.18.1 by @dependabot in #826, #827, #849, #850
  • npm(deps-dev): bump axios from 1.13.2 to 1.15.0 by @dependabot in #853
  • npm(deps-dev): bump basic-ftp from 5.1.0 to 5.2.2 by @dependabot in #852
  • npm(deps-dev): bump brace-expansion from 1.1.12 to 1.1.13 by @dependabot in #848
  • npm(deps-dev): bump flatted from 3.3.3 to 3.4.2 by @dependabot in #844
  • npm(deps-dev): bump follow-redirects from 1.15.11 to 1.16.0 by @dependabot in #855
  • npm(deps-dev): bump immutable from 5.1.4 to 5.1.5 by @dependabot in #840
  • npm(deps-dev): bump node-forge from 1.3.3 to 1.4.0 by @dependabot in #847
  • npm(deps-dev): bump qs from 6.14.1 to 6.14.2 by @dependabot in #836
  • npm(deps-dev): bump svgo from 3.3.2 to 3.3.3 by @dependabot in #841
  • npm(deps): bump picomatch by @dependabot in #846
  • npm(deps): bump yaml from 1.10.2 to 1.10.3 by @dependabot in #845
  • Actions(deps): bump actions/checkout, actions/setup-node, softprops/action-gh-release by @dependabot in #821, #828, #843, #854

1.11.0 - 2026-01-14

Added

  • feat: add Disable button to liveblog metabox by @GaryJones in #809 (fixes #807)
  • feat: add filter to disable default Liveblog styles by @GaryJones in #810

Fixed

  • fix: restore metabox JavaScript and rename dashboard to admin by @GaryJones in #805 (fixes #804)
  • fix: prevent 404 errors from metabox links on unpublished posts by @GaryJones in #808 (fixes #806)
  • fix: strip all HTML from key event titles by @cnaples79 in #785 (fixes #464)

1.10.0 - 2026-01-06

Added

  • Replace Draft.js with Lexical editor for improved stability and maintenance by @GaryJones in #766
  • Add image cropping and resizing to Lexical editor by @GaryJones in #782
  • Add keyboard shortcut (Ctrl+Enter / Cmd+Enter) and auto-focus for entry publishing by @GaryJones in #792 (fixes #181)
  • Add i18n support to React components by @GaryJones in #784
  • Pre-load authors in dropdown for better discoverability by @GaryJones in #793
  • Display total updates count in editor by @GaryJones in #777 (fixes #520)
  • Add VIP edge cache purging when liveblog entries change by @GaryJones in #763
  • Add liveblog_facebook_app_id filter for AMP sharing by @GaryJones in #756

Fixed

  • Fix accessibility: WCAG AA contrast for placeholders, 16px font size, aria-labels by @GaryJones in #793
  • Fix author selection keyboard navigation for react-select v5 by @GaryJones in #793
  • Prevent orphaned entry updates from breaking lazy-loading by @GaryJones in #787 (fixes #478)
  • Use add_action for template_redirect hook by @GaryJones in #788 (fixes #620)
  • Fix Facebook embed parsing for legacy XFBML format by @GaryJones in #761 (fixes #306)
  • Fix crash when editing entries containing timestamp-like text by @GaryJones in #762
  • Correct timezone handling in time ago display by @GaryJones in #770
  • Use DST-aware timezone offset for entry timestamps by @GaryJones in #774
  • Honour site locale in entry timestamps by @GaryJones in #775
  • Resolve stale JSON data on initial cached page load by @GaryJones in #772
  • Round both polling timestamps for cache efficiency by @GaryJones in #771
  • Stop polling on archived liveblogs and enforce AMP refresh minimum by @GaryJones in #768
  • Support drag-and-drop of multiple images by @GaryJones in #767
  • Reset Preview tab when publishing a new entry by @GaryJones in #765
  • Preserve image attributes with filterable render output by @GaryJones in #773
  • Use add_action for template_redirect hook in AMP class by @GaryJones in #776
  • Replace prohibited use of extract() by @psorensen in #760 (fixes #361)
  • Check template part variable names against allow list by @psorensen in #764

Maintenance

  • Migrate assets from assets/ to build/ directory and automate builds in deploy workflow by @GaryJones in #781 (fixes #461)
  • Remove redundant polyfills and add build CI step by @GaryJones in #752 (fixes #661)
  • Resolve all PHPCS coding standards violations by @GaryJones in #778
  • Enable PHPCS code style checks in CI by @GaryJones in #779
  • Add concurrency controls to GitHub Actions workflows by @GaryJones in #790
  • Modernise SCSS: @use/@forward syntax, CSS custom properties, and code consolidation by @GaryJones in #736
  • Migrate PHPUnit test infrastructure to yoast/wp-test-utils by @GaryJones in #737
  • Separate unit tests from integration tests by @GaryJones in #738
  • Add JavaScript unit tests for React reducers and utilities by @GaryJones in #741
  • Standardise workflows, harden security with SHA-pinned actions by @GaryJones in #747
  • Add Dependabot configuration with CODEOWNERS for reviewers by @GaryJones in #720, #748
  • Standardise test matrix and update readme by @GaryJones in #749
  • Resolve webpack-dev-server security vulnerabilities by @GaryJones in #719
  • Actions(deps): Bump softprops/action-gh-release in the actions group by @dependabot in #783
  • npm(deps): Bump @babel/runtime and @wordpress/i18n by @dependabot in #786
  • npm(deps-dev): Bump qs from 6.14.0 to 6.14.1 by @dependabot in #791

1.9.7 - 2024-06-07

  • Adds a capability check to the preview, authors and hashtag endpoints to prevent unauthenticated calls (#685)

1.9.6 - 2021-09-29

  • Revert #597, restoring get_fields_for_render() that is being used in some implementations (#639)
  • Harden check when rendering media library (#652)
  • Clean comment cache after direct SQL queries (#658)
  • REST API routes require a permission_callback (#669)
  • Load CPT support later to avoid fatals with early use of WP_Query (#672)

props anigeluk, david-binda, GaryJones, jeffersonrabb, mslinnea, philipjohn, rebeccahum

1.9.5 - 2019-01-23

  • Fix PHP 7.3 continue switch warning (#617)
  • Remove unused get_fields_for_render() (#597)

1.9.4 - 2018-12-07

  • Send the correct data to get_liveblog_metadata() (#558)
  • Render AMP css safe without using esc_html to pass AMP validation (#586)
  • Don't run WPCOM_Liveblog_AMP::setup() on non-live posts. (#593)

1.9.3 - 2018-11-09

  • Improve caching by setting a short TTL on future timestamps (#542)

1.9.2 - 2018-10-26

  • Fix for overzealous API requests in author list (#417)
  • Prevent empty entries (#475)
  • Restored customisable Key Events widget title (#372)
  • Restore deletion confirmation for entries (#482)
  • Performance improvements to the build (#495)

props cain, GaryJones, jasonagnew, kevinlisota, lidocaine, maxhartshorn, no-sws, paulschreiber, philipjohn, sathyapulse, scottblackburn, sboisvert, tomjn

1.9.1 - 2018-10-17

  • Multiple coding standards fixes
  • Removes unused debug code
  • Fix rendering embeds upon entry updates
  • Avoid null dereference in get_user_data_for_json()
  • Improvements to code review process

props cain, GaryJones, maevelander, paulschreiber, philipjohn, rgllm, rogertheriault

1.9 - 2018-09-27

  • Round out polling timestamp for improved performance (#496)
  • Use the new core jshint rules, instead of ours (#120)
  • Add LiveBlogPosting Schema (#337)
  • AMP Support (#450)
  • Move is_robot function to javascript (#266)
  • JS api actions can now be configured to send cross domain requests (#463)
  • Fix deprecated notice about non-static function (#484)
  • Remove deprecated lazyload JS (#498)
  • Readme updates (#512)

props david-binda, GaryJones, jacklenox, jasonagnew, joshbetz, justnorris, jvpcode, lovestulip, maevelander, maxhartshorn, mjangda, mikeselander, nb, paulschreiber, philipjohn, rogertheriault, sboisvert, scottblackburn, tessaneedham

1.8.2 - 2018-05-11

  • Fix issue with time format (#424)
  • Adds check around the jetpack is_mobile flag (#428)
  • Restore current user back in to localised scripts (#430)
  • Cast liveblog rewrite version before checks (#439)
  • Document the minimum PHP version (#447)
  • Fix bug where pagination did not update (#433)
  • Fix GMT offsets in entry times (#432)

props justnorris, mjangda, paulschreiber, philipjohn, scottblackburn

1.8.1 - 2018-05-01

  • Fix bug with changing contributors
  • Fix multiple PHP Coding Standards issues

props paulschreiber

1.8 - 2018-04-22

  • New: Allow multiple authors for each Liveblog entry
  • New: Entries no longer have to have an author
  • New: Share entries with entry-specific permalinks
  • New: Media library integration in the entry editor
  • New: Edit entry HTML within the editor
  • Fixed: Bug with some installs using the correct REST API base URL
  • Fixed: Various coding standards issues

props jasonagnew, liam-defty, paulschreiber, philipjohn, sboisvert

1.7.1 - 2018-02-02

  • Fix bug with REST endpoints in Multisite
  • Fix for some failing unit tests due to core changes
  • Fix for bug where shortcodes would be removed completely
  • Fixed some pagination issues in relatively unique circumstances
  • Fixed a bug that failed to correctly handle avatars
  • Made sure we handle timezones in entries properly

props jasonagnew, justnorris, liam-defty

1.7 - 2018-01-10

  • New: Mobile-friendly React-based frontend UI for a better editing experience across devices.
  • Various UI bugfixes thanks to the new frontend.
  • Fix for incorrect use of defined()

props jasonagnew, jrmd, kevinfodness, liam-defty

1.6.1 - 2017-10-26

  • Remove support for Flash + Silverlight which are no longer supported in WP 4.9, see https://core.trac.wordpress.org/ticket/41755#no0
  • Bugfix for WPCOM: Don't force an AJAX URL if we're using the REST API.
  • Bugfix WPCOM: Retain SA access for A12s

1.6 - 2017-09-26

  • REST API support
  • Performance improvements to lazy loading
  • Auto-archiving of Liveblogs
  • Removed copied core functions
  • Improved test coverage
  • Bugfix for edited comments appearing on archived Liveblogs
  • Bugfix for multiple edits issue
  • Bugfix for deleted key events appearing after edits
  • Bugfix for shortcodes within key events
  • Bugfix to allow editing entries more than once

Thanks to mjangda, jasonagnew, Max Katz, Olly Warren, rebeccahum, travisw

1.5 - 2015-12-06

  • New "Key Events" feature
  • New "Lazyloading" feature
  • Improved escaping

People who helped make this happen: jasonagnew, joshbetz, sarahblackstock, sboisvert, iandunn, scottsweb, tfrommen, markgoodyear, ChrisHardie, philipjohn, pkevan, Connor Parks

1.4.1 - 2015-06-12

  • Bump tested tag to 4.2.2.
  • Added Composer support!

1.4 - 2015-04-22

  • Rich-text editing!
  • Archived liveblogs now display in chronological order (live ones show reverse chron)
  • New and updated translations
  • Bump to fix SVN sync issues (thanks kevinlisota)

1.3.1 - 2015-03-01

  • Fixed a bug where liveblog would show up in secondary loops

1.3 - 2013-01-23

The liveblog plugin now requires WordPress 3.5.

New functionality:

  • Liveblog archiving
  • Automatically shows new entries, with a slick notification bar if we have scrolled out of view. With the help of borkweb and zbtirrell
  • Front-end editing
  • Pasting an image URL embeds the image

Translations:

Also a lot of internal improvements and bug fixes. See the full list of closed issues.

1.2 - 2012-12-13

New functionality:

  • Introduce many new hooks and filters, which help customization without changing the plugin code.
  • Allow shortcodes and OEmbed in liveblog entries
  • Translations:
  • Add github-friendly version of readme.txt
  • Optimize PNG files

Fixed problems:

  • Fix JavaScript errors on IE8, props pippercameron
  • Fix preview tab
  • Compatibility with plupload 1.5.4, props borkweb

1.1 - 2012-09-04

  • Backwards compatibility for 3.4
  • Support for non-pretty permalinks
  • Support for permalinks without trailing slashes
  • Fix preview tab

1.0 - 2012-09-04

  • Initial release