- SECURITY Fix CVE-2017-5223, local file disclosure vulnerability if content passed to
msgHTML()is sourced from unfiltered user input. Reported by Yongxiang Li of Asiasecurity. The fix for this means that calls to
$basedirwill not import images with relative URLs, and relative URLs containing
..will be ignored.
- Add simple contact form example
- Emoji in test content
Important security update!
Possible side effect - complex sender addresses (such as those used in VERP addressing) may no longer work. We advise switching to the SMTP transport if you need that functionality, and it offers higher performance anyway.
Please update your systems as soon as possible.
Additional notes on this incident are available in the PHPMailer wiki.
Note that the vulnerability described in here likely affects many other projects in a similar way, so please practice responsible disclosure, and help project maintainers fix security issues.
A maintenance update with a few minor feature additions.
This is officially the last feature release of the 5.2.x line. Security fixes only from now on; use PHPMailer 6.0!
- Added ability to extract SMTP transaction ID from successful submissions
- Allow DKIM private key to be provided as a string
- Provide mechanism to allow overriding of boundary and message ID creation
- Improve Brazilian Portuguese, Spanish, Swedish, Romanian, and German translations
- PHP 7.1 support for Travis-CI
- Fix some language codes
- Add security notices
- Improve DKIM compatibility in older PHP versions
- Improve trapping and capture of SMTP connection errors
- Improve passthrough of error levels for debug output
A minor maintenance release
- Added DKIM example
- Fixed empty additional_parameters problem
- Fixed wrong version number in VERSION file!
- Improve line-length tests
- Use instance settings in
- Use more secure auth mechanisms first