From 03c9ca53a6c79038bfab2ae73a06b15fa4c03b23 Mon Sep 17 00:00:00 2001
From: Jonathan Miller <jmiller@noreply.git.mokoconsulting.tech>
Date: Sun, 28 Jun 2026 13:48:31 -0500
Subject: [PATCH] docs: update changelog with license key, XSS fix, SQL compat
 entries

Authored-by: Moko Consulting
---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c26c599..30e1f7d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Leaflet.markercluster for automatic marker grouping at low zoom levels (#61)
 - Clustering toggle parameter in map module settings (enabled by default)
 - Junction table orphan cleanup on location/category delete (#60)
+- License key warning on install/update when no download key is configured
+- Download key (dlid) preserved across package upgrades
 
 ### Changed
 - Map module dispatcher uses aliased table queries with category JOIN
@@ -43,6 +45,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - ORDER BY injection prevention — replaced `$db->escape()` with allowlist validation
 - Map module: `$mapHeight` CSS value validated with regex pattern
 - CSP compatibility: all inline scripts use WebAssetManager for automatic nonce injection (#34)
+- XSS fix: detail map popup uses DOM textContent instead of raw string in bindPopup()
+
+### Fixed
+- SQL migration compatibility: removed `DROP COLUMN IF EXISTS` (MySQL 8.0.13+ only) in favor of plain `DROP COLUMN`
 
 ## [1.1.0] - 2026-06-23