Security hardening per WordPress.org review: input sanitization, escaping, translation loading, and distribution cleanup.
- Applied esc_url_raw() directly at the point of reading $_POST URL fields in general settings — sanitization is no longer deferred to the validation block.
- Added sanitize_text_field() before every json_decode() call on cookie and POST data in the consent controller.
- Wrapped the inline CSS string with wp_strip_all_tags() before passing to wp_add_inline_style().
- Added load_plugin_textdomain() call so bundled translation files (de, fr, es, en) load correctly at runtime.
- Added complete plugin file headers: Requires at least, Requires PHP, and Tested up to.
- Bumped Requires at least from 5.0 to 5.3 to match the minimum version required by wp_date().
- Updated readme.txt External Services section to document fonts.gstatic.com alongside fonts.googleapis.com for Google Fonts delivery.
- Added is-dismissible class to admin error notices for consistent WordPress UX.
Policy compliance, performance, and code quality hardening across admin, frontend, and settings.
- Removed CSS rules that suppressed third-party admin notices and hid the WordPress admin footer.
- Scoped global textarea CSS rule to plugin admin pages only to prevent unintended style leakage.
- Removed commented-out HTML blocks from all admin templates (PHP inside HTML comments was still executing).
- Removed redundant global $wpdb declaration from plugin root file scope.
- Added Privacy Policy section to readme.txt documenting local data storage practices.
- Removed donate link from readme.txt (pointed to company homepage rather than a donation page).
- Added docs/, .idea/, .claude/ to .distignore to exclude development-only directories from distribution.
- Eliminated redundant double sanitization on URL fields in general settings.
- Replaced current_time('Y-m-d') with wp_date('Y-m-d') in metrics so write and read paths use the same timezone function.
- Moved metrics table install check from init to admin_init so upgrade.php is never loaded on frontend page requests.
- Added version guard to maybe_sync_defaults() so legacy content migration runs only on install or upgrade, not on every request.
- Moved consent log fallback cleanup from init to admin_init to prevent synchronous DB deletes on frontend page loads.
- Changed URL fields (privacy, terms, cookie policy, Matomo) to sanitize with esc_url_raw() instead of sanitize_text_field(), which can corrupt percent-encoded characters.
- Added darwin_gdpr_content_synced_version to uninstall cleanup.
Security and code quality fixes addressing WordPress.org review feedback.
- Fixed nonce verification to occur before any POST data is read on all settings pages.
- Replaced phpcs:ignore sanitization suppression with explicit map_deep sanitization on content input.
- Added wp_strip_all_tags() to inline CSS output for safer escaping.
- Fixed duplicate condition in ad_personalization consent normalization.
- Added missing options to uninstall cleanup.
- Added esc_attr() to all dynamic class attribute output.
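The handler order these fixes describe (nonce verified before any POST data is read, then esc_url_raw() applied at the point each URL field is read), shown as an added example that is not the plugin's own code. The action name, nonce names, field keys, option prefix and text domain are hypothetical.

```php
<?php
// Added example, not the plugin's code. All example_gdpr_* names and the
// field keys are hypothetical.

add_action( 'admin_post_example_gdpr_save', 'example_gdpr_save_general_settings' );

function example_gdpr_save_general_settings() {
	// 1. Authorize the user and verify the nonce before any settings
	//    field in $_POST is touched. check_admin_referer() dies on failure.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die(
			esc_html__( 'You are not allowed to change these settings.', 'example-gdpr' ),
			'',
			array( 'response' => 403 )
		);
	}
	check_admin_referer( 'example_gdpr_save_general', 'example_gdpr_nonce' );

	// 2. Sanitize each URL where it is read. esc_url_raw() keeps
	//    percent-encoded octets intact, which sanitize_text_field()
	//    does not, and the protocol list rejects javascript:, data:, etc.
	$url_fields = array( 'privacy_url', 'terms_url', 'cookie_policy_url', 'matomo_url' );
	$clean      = array();
	foreach ( $url_fields as $field ) {
		$clean[ $field ] = isset( $_POST[ $field ] )
			? esc_url_raw( wp_unslash( $_POST[ $field ] ), array( 'http', 'https' ) )
			: '';
	}

	// 3. Store the already-sanitized values; no second sanitization pass.
	//    A URL with a disallowed scheme comes back as '' and is saved empty.
	foreach ( $clean as $field => $url ) {
		update_option( 'example_gdpr_' . $field, $url );
	}

	// 4. Redirect only to a same-site location.
	$back = wp_get_referer();
	wp_safe_redirect( $back ? $back : admin_url() );
	exit;
}
```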
This release adds support for Spanish language in the localized content settings, providing default translations and an expanded admin interface.
- Added support for Spanish language in the localized content settings.
- Included default Spanish translations for the cookie banner and settings modal.
- Updated the admin Content editor to include a dedicated tab for Spanish messages.
- Updated automatic locale detection to correctly handle Spanish site settings.
- Updated documentation and changelog to reflect the new language support.
Added separate banner and popup typography controls, popup text color settings, and always-on Google Consent Mode configuration.
- Added separate banner typography controls for heading, description, and banner text color.
- Added dedicated popup typography and color controls for popup heading, subheading, and body text.
- Made Google Consent Mode v2 permanently enabled and removed its toggle from Settings.
- Set both functionality_storage and security_storage to granted by default.
- Improved popup toggle styling so checked disabled items appear clearly locked.
- Updated activation defaults and uninstall cleanup for new appearance settings.
Recent implementation work focused on refactoring content management, refining consent control granularity, improving Google Consent Mode behavior, and polishing admin operations.
- Refactored localized content management for English, French, and German with automatic locale selection.
- Reduced the Content screen to consolidated consent copy for banner, modal, necessary cookies, analytical cookies, marketing tracking cookies, and advertising personalization cookies.
- Converted the banner message and modal intro to WordPress editor fields for richer formatting.
- Added reset actions for all languages and the current active language on the Content screen.
- Separated marketing tracking consent from advertising personalization consent and mapped them independently to Google Consent Mode.
- Added immediate client-side Google consent updates on user interaction to improve Google Tag Assistant testing for Advanced Consent Mode.
- Kept required cookies as an always-enabled item in the consent popup.
- Added recent banner view and accept metrics with reset support and an admin chart panel.
- Added plugin-hosted Documentation and Changelog links on the WordPress plugins screen.
Initial plugin delivery with a frontend consent banner, settings modal, integration settings, and core consent handling.
- Introduced the GDPR banner and modal experience.
- Added settings for appearance, legal links, analytics tools, and marketing tools.
- Added consent logging and retention cleanup support.