Under the Hood: Security Fixes, Routing Overhaul, and Contract Cleanup
This release focuses on what happens beneath the surface: safer editing, smarter routing, and a streamlined content workflow.
Security Hardening
- Atomic file writes — All JSON saves now use file locking, so two editors working on the same page simultaneously can't corrupt each other's changes.
- Stronger sanitization — The HTML sanitizer now catches a wider range of potentially dangerous URI schemes, keeping your content safe even when pasting from external sources.
- Safer previews — Media previews (YouTube, SoundCloud, audio, images) in the inline editor now escape all user input before rendering, providing an extra layer of protection.
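The sanitization and preview items above, sketched as an added example (this is not Nibbly's code): a URI scheme allowlist that normalises the value the way a browser would before checking it, plus preview builders that escape everything they interpolate. The function names, the http/https/mailto allowlist, and the 11-character YouTube ID pattern are assumptions, and input is assumed to be an already entity-decoded attribute value.

```javascript
// Added example, not Nibbly's code: every name and the allowlist are assumptions.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the characters that can end a text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Return the cleaned URL when it is relative or uses an allowed scheme, else null.
function safeUrl(raw) {
  // Browsers drop tab/CR/LF anywhere in a URL and leading control characters or
  // spaces, so normalise the same way before reading the scheme.
  const url = String(raw).replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!scheme) return url; // no scheme: relative URL, resolved against the page
  return ALLOWED_SCHEMES.has(scheme[1].toLowerCase()) ? url : null;
}

// Image preview: the URL is scheme-checked, then URL and caption are escaped.
function renderImagePreview(src, caption) {
  const url = safeUrl(src);
  if (url === null) return null;
  return `<img src="${escapeHtml(url)}" alt="${escapeHtml(caption)}">`;
}

// YouTube preview: accept only an 11-character video ID, never a raw URL.
function renderYoutubePreview(videoId) {
  const id = String(videoId);
  if (!/^[A-Za-z0-9_-]{11}$/.test(id)) return null;
  return `<iframe src="https://www.youtube.com/embed/${id}" allowfullscreen></iframe>`;
}

// Constructed sample inputs, printed with the sanitizer's verdict.
const samples = ["https://example.org/a.png", "/media/a.png", "java\tscript:alert(1)", "data:text/html,x"];
for (const s of samples) console.log(JSON.stringify(s), "->", safeUrl(s));
```

A denylist of known-bad schemes would miss whichever scheme is added next; the allowlist rejects anything it does not recognise, which is why the check is written that way here.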
Language-Agnostic Routing
Switching your site's primary language is now a single config change. The routing system reads your SITE_LANG_DEFAULT setting and adapts all URL handling automatically — both in production (Apache) and during local development. No need to edit .htaccess or any other file.
Dev and production routing now share the same config loading mechanism, so you'll never see a URL work locally but fail on the server.
Auto-Write: Templates That Wire Themselves Up
Building a new page just got simpler. Write your PHP template with meaningful fallback values, and Nibbly takes care of the rest. When an admin visits the page for the first time, every editableText(), editableImage(), and editableLink() call that doesn't yet have a matching JSON key automatically creates one — using your fallback as the initial content.
This means you can focus entirely on the template. The JSON content file populates itself, and the Content Editor in the dashboard immediately shows all fields. A toast notification confirms how many fields were auto-generated, so you always know what happened.
For standard pages using sections[] and for editable lists, you still provide the JSON structure upfront — but for custom layouts, the template is all you need.