### Added
- DKIM record checker: shortcodes `global_dns_dkim_input` and `global_dns_dkim`; REST `POST /global-dns/v1/dkim/{selector}/{domain}`; raw TXT plus parsed tags.
- Propagation toolbar: export CSV/JSON and **Copy share link** (outline-style actions; share uses admin primary color); time-limited snapshots (`POST /global-dns/v1/propagation/share`); read-only `GET .../propagation/share/{uuid}`; shortcode `global_dns_propagation_share_view` with `?global_dns_share={uuid}`.
- Database table for snapshots, daily cron prune, uninstall cleanup.
- Admin: **Verify TLS for DNS probe URLs**, **HTTP connect timeout**, **Propagation share TTL (days)**, **Propagation share button** (show or hide “Copy share link” on the server list), **DKIM checker shortcut** (toolbar link when DKIM form exists on page).
- Shared `Global_Dns_Dns_Input_Validator`, `Global_Dns_Http_Probe`, `Global_Dns_Rate_Limiter`; rate limits (transient buckets) for DNS propagation fetch, propagation share create, and `global_dns_throttle_contact()` for third-party contact forms.
### Changed
- Remote DNS probe calls use hardened HTTP client (timeouts, connect timeout, optional TLS verify).
- IP lookup (on-site tool) uses the same HTTP client with TLS verification always on; HTTPS ip-api endpoint.
- `dig` execution prefers `proc_open` with existing `escapeshellarg` command line; falls back to `shell_exec`.
### Fixed
- Repaired the corrupted docblock in the DMARC input partial; safer JSON/options output.
- Deactivation now clears propagation cron and removes `global_dns` capability (was incorrectly removing unrelated cap).
- Propagation UI: clearer per-server errors from REST; URL hash uses `encodeURIComponent` for domain/type deep links; minimal export/share toolbar (admin primary color on Copy share link).
- Repaired `clearResults` / map reset when the map is absent.
- REST propagation and related calls: base64 domain segments are URL-safe (`encodeURIComponent` + server decode); `X-WP-Nonce` sent on REST POSTs for better compatibility.
- Hostname normalization (`Global_Dns_Dns_Input_Validator::normalize_hostname_input`) fixed regex delimiter clash that broke domain parsing and caused false “invalid domain” errors.
- Creating share snapshots returns **403** when the share button is disabled in settings.
### Removed
- Unused duplicate `public/js/global-dns-public-jquery.min.js` (only `global-dns-public-jquery.js` is registered).
### Housekeeping
- Removed scaffold “demonstration purposes” comment blocks from public and admin enqueue methods; shortened the public jQuery file header; fixed admin “Timeout” label typo.
### 🔐 Security
- **CRITICAL**: Fixed command injection vulnerability in DNS record lookup functionality
- **HIGH**: Added comprehensive input validation for all API endpoints
- **HIGH**: Fixed DNS injection vulnerabilities in DMARC, SPF, and WHOIS APIs
- **MEDIUM**: Resolved XSS vulnerabilities in shortcode template files
- **MEDIUM**: Fixed SSRF vulnerability in IP lookup API
- **MEDIUM**: Added validation for blacklist checker API
### 🛡️ Added
- **New Security Functions**:
  - `sanitizeDomain()` - Validates and sanitizes domain name inputs
  - `sanitizeDnsType()` - Whitelist validation for DNS record types
  - `sanitizeDnsServer()` - Validates DNS server IP addresses and hostnames
### 🔧 Changed
- **API Security Improvements**:
  - All base64 decoded inputs are now validated before processing
  - DNS queries now use sanitized and validated parameters
  - External API calls include proper input validation
  - Shell commands now use `escapeshellarg()` for parameter escaping
- **Template Security**:
  - CSS color values are now properly escaped with `esc_attr()`
  - JavaScript variables are sanitized with `esc_js()`
  - All user-controlled output is properly escaped
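
The validate-then-escape pattern these entries describe (validated domain, whitelisted record type, validated DNS server, `escapeshellarg()`, `proc_open`), as an added example that is not the plugin's own code. The `example_*` functions, the record-type list and the `dig` options are assumptions.

```php
<?php
// Added example, not the plugin's code: every example_* name is hypothetical.
const EXAMPLE_DNS_TYPES = ['A', 'AAAA', 'CAA', 'CNAME', 'MX', 'NS', 'PTR', 'SOA', 'SRV', 'TXT'];

// Lowercased hostname or null. Labels are 1-63 chars of [a-z0-9_-] that never start or
// end with '-', so a value cannot carry shell metacharacters or pass as a dig option.
function example_validate_domain(string $input): ?string {
    $host = strtolower(rtrim(trim($input), '.'));
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    $label = '[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?';
    // '~' as delimiter avoids clashes with the pattern; D pins '$' to the very end.
    return preg_match('~^' . $label . '(?:\.' . $label . ')+$~D', $host) === 1 ? $host : null;
}

// Returns [domain, type, server] when all three pass, otherwise null.
function example_validate_request(string $domain, string $type, string $server): ?array {
    $d = example_validate_domain($domain);
    $t = strtoupper(trim($type));
    // The server may be an IP literal (v4 or v6) or a hostname.
    $s = filter_var(trim($server), FILTER_VALIDATE_IP) ?: example_validate_domain($server);
    if ($d === null || !in_array($t, EXAMPLE_DNS_TYPES, true) || $s === null) {
        return null;
    }
    return [$d, $t, $s];
}

// Validation first, escaping second: escapeshellarg() is the backstop, not the filter.
function example_dig(string $domain, string $type, string $server): ?string {
    $req = example_validate_request($domain, $type, $server);
    if ($req === null) {
        return null; // rejected before any command line is built
    }
    [$d, $t, $s] = $req;
    $cmd = 'dig +short +time=3 +tries=1 ' . escapeshellarg('@' . $s) . ' '
         . escapeshellarg($d) . ' ' . escapeshellarg($t);
    $proc = proc_open($cmd, [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === false ? null : $out;
}

// Constructed inputs: one well-formed request, then three with a hostile field each.
foreach ([['Example.com.', 'txt', '8.8.8.8'], ['example.com; id', 'A', '8.8.8.8'],
          ['example.com', 'A; id', '8.8.8.8'], ['example.com', 'A', '$(id)']] as $r) {
    var_dump(example_validate_request(...$r));
}
```
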
### 🐛 Fixed
- Fixed potential command execution through malicious DNS server parameters
- Resolved XSS vulnerabilities in all shortcode input templates:
  - `global-dns-shortcode-input.php`
  - `dmarc/global-dns-shortcode-input.php`
  - `email_headers/global-dns-shortcode-input.php`
  - `blacklist/global-dns-shortcode-input.php`
  - `ip_lookup/global-dns-shortcode-input.php`
  - `spf_checker/global-dns-shortcode-input.php`
  - `whois/global-dns-shortcode-input.php`
- Fixed DNS injection in DMARC record lookups
- Fixed DNS injection in SPF record queries
- Fixed unvalidated IP addresses in blacklist checking
- Improved error handling for invalid input parameters
### 📋 Security Enhancements by API
- **DNS Records API**: Added domain, DNS type, and DNS server validation
- **WHOIS API**: Implemented domain validation for all WHOIS queries
- **IP Lookup API**: Added IP address validation and SSRF protection
- **Domain to IP API**: Added domain validation for hostname resolution
- **Blacklist API**: Added IP and domain validation for blacklist queries
- **DMARC API**: Secured DNS queries with proper domain validation
- **SPF API**: Added input validation for SPF record lookups
### ⚠️ Important Notes
- All changes maintain backward compatibility
- No breaking changes to existing functionality
- Follows WordPress security best practices
- Enhanced protection against OWASP Top 10 vulnerabilities
- Added ability to Enable/Disable Expected Button
- Optimized & Cleaned DNS Results
- Fixed PHP Warnings
- Fixed Minor CSS Issues in the Settings Area
- Fixed Broken External Links
- Added Contact Form
- Added SMTP Settings for Contact Form
- Added Captcha for Contact Form
- Fixed Vulnerability Issues with NPM Packages
- Fixed Minor UI Issues
- Fixed Blacklist Server Delete
- Fixed Alignment Issue for DNS Type Dropdown
- Fixed Expected Value Button
- Minor Design Changes
- Added User IP Shortcode
- Fixed Minor CSS Issues
- Optimized Shortcode View in Admin Panel