This update contains fixes for security vulnerabilities in Organizer and the admin back-end, where it was possible for an administrator to launch a SQL injection attack.

We recommend that anyone running Zenario applies this update.

Also included in this update are fixes for several other minor issues.

Zenario now requires at least PHP version 7.2

We are now asking server admins that they are running at least PHP version 7.2 as a hard requirement.

This is due to the fact that several third party tools and libraries that we use now also require at least PHP version 7.2.

However please note that you should be running at least PHP version 7.3 if you are able to, as PHP 7.2 and earlier have reached their end of life, and no longer receive security updates.

Support for later versions of PHP

This patch fixes a few error messages that could appear when trying to do a fresh install when running using PHP 7.4.

We're also starting to work towards supporting PHP 8, and this patch contains some initial changes that allow Zenario to run on PHP 8 without encountering fatal PHP errors.

Bug fixes

• Fixed a bug where the word count of the home page was reported as 0 immediately after doing a fresh install or a site reset.
• Fixed a bug in our migration scripts that was preventing anyone still running a Zenario 7 site from updating to version 8.
• Fixed a bug where Zenario stored multiple cached copies of SVG images by display size. (SVG images are vector images, their file contents is identical regardless of the size
  they are displayed at.)
• Fixed a bug where certain JavaScript libraries would not load if you had enabled the Show menu structure in friendly URLs option in the site settings.
• Fixed a bug where the caching debug button did nothing when clicked, due to a coding error.
• Fixed a bug that sometimes prevented you from saving the plugin settings of a Multiple Image Container plugin.
• Fixed a mistake in the message when changing a content item's alias, which incorrectly claimed that capital letters could not be used.
• Fixed a bug in Organizer where administrators saw a buggy menu of options when selecting multiple content items at the same time.
• Fixed a bug where administrators could not change the layouts of multiple content items at once.
• Fixed a bug where you could not view a preview of a layout.
• Fixed a display issue in Grid Maker, where the yellow toolbox could not be dragged around the screen as intended.
• Fixed a bug where you could not upload .encrypted backup files using the admin interface in Organizer.

Version 8.8 of Zenario is now available, and comes with several improvements in administration mode.

Improvements to Organizer

Organizer now has a new friendly start screen, that you see when opening Organizer. This has links to every different part of Organizer.

We've also added a new "Find services" box. If you're looking for a feature, but cannot remember where in Organizer it is, you can use this to quickly find it.

Improvements to managing plugins in different page-modes in the admin front-end

In the admin front-end, when managing plugins, we've added colour-coding to any plugins that are cannot be managed in your current mode.

In addition, clicking on one of these plugins will now automatically switch to the correct mode to manage them.

Improvements to Smart Groups

When making a smart group, you can now filter by users and contacts who are in a specific group, and who are not in a specific group.

In addition, when viewing a smart group, you can now delete users/contacts from this view.

Minor changes

• Added a History tab to the content item's admin box, which lets you see its version history.
• Added a contact us button to the admin toolbar and Organizer, which lets you send a message to us with feedback while using Zenario in admin mode.
• Added compatibility with Maxmind GeoLite2 for improved GeoIP lookups.

Bug fixes

• You can no longer copy or duplicate a document-type content item.
• If you attempt to use an alias that already exists, you'll now see an appropriate error message.

Notes for hosting providers

Check on the max_packet_size setting when installing

When installing Zenario, we now check that the MySQL max_packet_size config setting is not too small.

Version 8.7 of Zenario contains better support for optimisations in Cloudflare, as well as various new features for administrators and hosting providers.

New module: The Document Envelopes FEA

A document envelope allows you to display multiple versions of a document (e.g. .pdf, .doc and .ppt) on a page in a content-managed way.

The document versions can be displayed together with an thumbnail and/or a description.

Updates for the Video modules

The Videos Manager module has been updated to better support Vimeo privacy settings, and the Videos FEA module has been updated to allow creating/editing videos.

Small improvements to managing emails in Organizer

When looking at an email template in an admin box, we now show whether an email template is protected, and how it was created (i.e. upon installation by a module, or manually by an admin).

Emails in the sent email log now display their "CC" email addresses if they have any.

Your last login is now shown on the diagnostics screen

When you log in as an administrator, the diagnostics screen will now show you the time that you last logged in previously.

It also shows the last IP address used, and its country.

Minor changes

• The Content Summary List plugin can now show a list of categories on the front-end if filtering is enabled. This information will only be shown to logged in admins.
• The Menu (Horizontal/Vertical) plugins can now list any groups the logged in user is part of.
• The Multiple Image Container has a new option which allows downloading the original image.
• The Storefront Checkout module can now send an invoice when an order is created.
• We've improved the feature which shows where a user form is used, and added this information into the form's admin box.

Notes for hosting providers

Better support for Cloudflare's optimisation

In 8.7, we've adjusted how our plugins work to support for some of Cloudflare's more disruptive optimisations.

You can now enable the feature that strips HTML comments from webpages without causing some of our plugins to break.

Better support for recent versions of PHP

Zenario versions 8.6 and 8.7 fix several PHP notices that were appearing when running using PHP version 7.3.

Note that better support for PHP version 7.4 is coming in Zenario version 8.8.

Protection against accidental database restores

Zenario now has a feature where you can disable database restores in the admin backend. You set this by setting the RESTORE_POLICY constant into your zenario_siteconfig.php file (and they'll be a nag-message on the diagnostics screen prompting you to do this).

There are three possible options:

define('RESTORE_POLICY', 'always');

This disables the protection. This is the same functionality as in version 8.6.

define('RESTORE_POLICY', 'never');

This enables the protection, preventing database restores.

define('RESTORE_POLICY', '2012-12-21');

This temporarily disables the protection on the given date. This format is recommended if you wish to temporarily enable restores, as it guards against the possibility that you forget to turn it back off later!

Dropped support for MariaDB

We've dropped support for MariaDB and no longer do testing on it. (Actually, we never "officially" supported it, but used to do testing on it unofficially.)

The reason for this is that MySQL introduced some new functionality that we now use in a few places, that MariaDB doesn't have, and doesn't plan to add.

We are now recommending that you use either MySQL 5.7, or the equivalent version of Aurora.

Minor changes

• If a site is using Personal Data Encryption, but the encryption key is missing or invalid, there will now be a warning on the diagnostics screen.

Notes for designers

Special pages

Most special pages can now be hidden if not required.

Also special pages are no longer automatically created in every enabled language, but may still be added manually if you need them.

Existing translations of special pages may now be trashed/deleted/hidden if not needed.

Notes for developers

Modules

If a module uses the classes folder, then for every admin box/Organizer panel/visitor plugin there will need to be a class file present. Zenario will display an error if a class file is missing, as well as inform where the file is expected, and what the class definition should be. If a module stops working because of this problem, you need to create a class file.

Previously the Content Summary List plugin would work when filtering by category was enabled, but no categories were selected. Now the filtering will need to be disabled, as otherwise the plugin will not display any results.

Renamed the reference directory for clarity

In Zenario 8.6 and earlier, we had a directory full of reference files aimed at developers called zenario/api/.

We originally named it "api" because when it was first created it contained reference files with lists of API functions into Zenario's core that plugin developers could call to interact with the CMS.

However now there are many more different types of file in this directory, containing references on more things than just the Zenario core functions, so we've renamed it to zenario/reference/, to make the reference files easier to find if someone's browsing the filesystem.

Changes to how FEA plugins determine whether they are list-type plugins or form-type plugins

In 8.7 we've rewritten how a developer flags that their FEA plugin is a list-type plugin or a form-type plugin.

Before, we had you write a JavaScript method to decide, however from version 8.7 there is now a new TUIX property to decided this. Now, all of the YAML files for your FEA plugins/modes need to contain either:

fea_type: form

or

fea_type: list

(depending on which type of FEA plugin you are writing).

You must set this, otherwise your FEA plugin will not do anything, and the property must be written in your .yaml file and it can't be changed in PHP. (The reason for that is it’s actually needed before your plugin is loaded.)

(You may also need to clear the site cache and do a browser reload if you've just changed it but your changes are not yet appearing.)

You no longer need to write the typeOfLogic() JavaScript method, and should delete it anywhere you’ve used it before.

The 8.6 release of Zenario contains better security for file uploads, improvements for managing phrases on multilingual sites, more control over generating user identifiers, and improved audit trail for users, companies & locations.

Better security for file uploads

In Zenario 8.6 we've added better security for file uploads.

When a user uploads a file, we now do a full type/consistency check to see if the files contents match the file's extension. (This is a big improvement on the simple check that was introduced in a 8.3 patch.)

We now also have functionality to perform a virus scan, and reject any uploaded file if a virus is found inside.

(Both of these features require a UN*X server to work, and the virus scan needs the clamAV antivirus scanner to be installed and running.)

Improvements to how translations of phrases are created on multilingual sites

If you have a multilingual site where not every content item has a translation, in Zenario 8.5 and earlier you would still be prompted by the phrases system to translate every single phrase used on the site.

In Zenario 8.6 and later, a phrase will now only be created if it is spotted on a content item that uses translations.

This means that if you have an English-only page on an otherwise multilingual site, any plugins that only appear on the English-only page will not need translating.

Improvements for suggested/enforced menu positions

If you edit a menu node's properties and go to the advanced tab, you can enable an option to use that menu node as the suggested position when creating new blog or news type content items.

There is also an option in the content type settings to enforce these suggestions (i.e. stop administrators from creating those content items in any other position in the menu).

This is not new, however in version 8.6 the UI for this has been given an overhaul and is now friendlier to use.

One small change has also been made, now the newly created items will appear at the start of the lists. (Previously they appeared at the end of the lists.)

More control over User Identifiers

In Zenario, when you create a user or a contact, an identifier will be created for that user and will be visible in the admin backend.

For example, John Smith might have an identifier of "JohnSmith".

In version 8.6 you now have a bit more control over this; you can specify whether the first name, last name or both names are used, and also change how many characters from each are included.

For example, you could use two from the first name and three from the second name, in which case John Smith would have an identifier of "JoSmi".

Audit trail for users, companies and locations

When a user, company or location is created or edited, Zenario now stores the date and the identity of the user/admin who did it.

This information is available in admin boxes and on the front-end.

Panels in Organizer can now show an info-bar at the top

We've introduced a small new feature where an Organizer panel can now have an info-bar at the top in certain situations.

We've added a warning-bar in the email template panel, that appears to remind you when a site is placed into email debug mode.

We've added a warning-bar on the scheduled tasks panel, that appears when scheduled tasks are not enabled or running properly, and a confirmation-bar that appears when they are running properly.

Minor changes

• On sites where you the admin login is protected by both a captcha and two-factor authentication, when you complete both checks the captcha will not be shown again until while your two-factor authentication cookie is still valid.
• When duplicating a form which makes use of CRM integration, the CRM settings will now be copied accordingly.

Notes for hosting providers

Zenario now uses clamdscan for virus scanning

Zenario now uses the clamdscan program to scan files for viruses.

To use this feature, you will need to install clamAV, and ensure that the clamd daemon is running.

Improvements to the garbage collection of the files in the cache and private directories

There is now a scheduled task called jobCleanDirectories that handles deleting old files from the cache/ and private/ directories.

Enabling this task may improve site performance and page load time for visitors, as these tasks will no longer be performed during page loads.

Improvements for handling missing public images

If you've moved your site and the images from the public directory are missing, there is now a button in the image library panel of Organizer that will automatically restore them.

There is also now a warning on the diagnostics screen alerting you if you need to do this.

Changes to Security Policy Headers

Our default .htaccess file now contains some suggested rules for security policy headers and other security headers.

Better support for PHP version 7.3

This release of Zenario fixes several PHP notices that were appearing when running using PHP version 7.3.

Notes for designers

New feature : TUIX Snippets

We've added a new feature called TUIX Snippets. TUIX Snippets allow you to override labels, tweak functionality by changing properties, hide existing objects or and even add entirely new custom objects to any TUIX-based plugin.

Anywhere you have a Front-end Administration (FEA) plugin that is TUIX-based, you can now customise it by choosing a TUIX Snippet in the plugin settings.

TUIX Snippets can be created and edited in a Organizer panel that lets you manage them. (They're kept separate to the plugin settings, so you can write one TUIX Snippet to cover multiple plugins.)

The TUIX inspector now has a new icon and a tooltip that tells you whether a TUIX Snippet is being used on each plugin or not. If a TUIX Snippet is in use, we've also added an edit button next to it that lets you quickly jump to the right place to edit it.

Finally, we've also added a new module called the Advanced interface tools FEA, which allows superusers to edit TUIX Snippets without logging into admin mode. (Though this functionality is currently somewhat limited, as they cannot currently choose nor change which TUIX Snippet each plugin uses.)

Changes to breadcrumb plugins

Breadcrumb separators in the breadcrumb plugins no longer default to an arrow (»). They now default to an empty string, on the assumption that you will style them.

Note: this update won't change the settings of any plugins where you've previously saved the settings.

Styling specific slides in Conductors, Nests and Slideshows

You can now go into a slide's properties and set a CSS class name on the slide.

This should help if you need to add styles to specific slides in a conductor, nest or slideshow.

Adding admin-specific styles to the front-end

You can now create a directory/file called adminstyles/admin_frontend.css in your skins.

This file will be included in the front-end of your site, only in admin mode.

Any code you write will only be visible in admin mode.

Notes for developers

We've updated to the latest version of jQuery

In Zenario 8.6 we've updated to the latest versions of jQuery and jQueryUI.

For the most part everything should work as before, however this will break compatibility with a small number of very old jQuery plugins.

Changes to how breadcrumbs are generated in conductors

There's been a small change to how breadcrumbs are generated in the conductor navigation.

We had a small issue where there were two places that you could set the label that appears on a breadcrumb in the conductor:

• By typing the name into the text field in the slide properties.
• By writing the formatBreadcrumbRow() method in a module, and then choosing the Use for smart breadcrumbs option in the conductor.

The issue was that for some breadcrumbs there was a little overlap, and the system was picking different sources for the same breadcrumb in different situations, which could lead the the name shown being inconsistent where the breadcrumbs were different.

In version 8.6, the second option now always has priority over the first option, so even if you accidentally set the names differently in the settings, visitors to your site will not see this difference.

Functionality for multilingual number formats

In this version, we've added a Thousands separator setting and a Decimal point setting into the languages settings.

These settings are compatible with the PHP number_format() function, and can be used to format numbers in the visitors language.

For example, in English with the default settings, 12345 would be formatted as 12,345.

This patch prevents an XSS attack, where an attacker with hacking tools could enter
<script> tags and JavaScript code as their referrer URL and then navigate to a page on
your site that did not exist, and their JavaScript code would be executed when an
admin next visited the error log page in Organizer.

This commit also includes some various other miscellaneous fixes.

This patch prevents an XSS attack, where an attacker with hacking tools could enter
<script> tags and JavaScript code as their referrer URL and then navigate to a page on
your site that did not exist, and their JavaScript code would be executed when an
admin next visited the error log page in Organizer.

This commit also includes some various other miscellaneous fixes.

This patch fixes a problem where the Pick from Dropbox... buttons in admin mode had stopped working.

We've also fixed a problem where you could not add an image to a WYSIWYG Editor if it was in the plugin library, and a problem with Grid Maker where you could not edit the properties of a slot in a grouping.

Version 8.5 of Zenario is now available with the following features.

Improvements to strong password enforcement

Our old way of enforcing strong passwords was to assign a score to the passwords that people enter, and require a certain score, which wasn't very transparent.

Now, password have clear minimum requirements (for example, at least 1 upper case character and at least 1 number), and the requirements can be changed & customised in the site settings.

Password input fields will display their requirements when users hover the mouse over them.

Improvements for branding & logos

When doing a fresh install of Zenario, you can now upload a logo and set an organisation name for your website.

If you wish to change this later, all site settings for setting branding and logos have now been collected together and moved into one place, the Site logos and Branding category.

Improvements to editing content

We've made various friendliness improvements to improve the process of adding/editing content.

• When creating a new content item that can have a release date, the release date will now default to today's date.
• <h1> tags now have a blue outline in admin mode, that appears when you hover your mouse over them, to help you spot them.
• The lines around slots in admin mode are now colour-coded, to give you a visual clue as to what type of plugin is in each slot, and at what level it was placed.
• Where a menu node points to an unpublished page and is only visible to admins, it is now shown in italics in admin mode.
• When you delete or trash a content item which is translated, you are now prompted to delete/trash the translations as well.

New modules

There are new modules available: the Country and Language Picker and a new Location Map and Listing module.

Conferences

Both the Conference Manager and Conference FEA modules have seem some bugfixes and improvements.

When delegates select extras, we now store who ordered what, and delegates can reconfirm their choices at a later time.

There's now an ability to assign a user-group to a conference. Any confirmed delegates will then be automatically added to that group.

Finally, there are new Excel export features.

Added more checks on the Diagnostics screen

We've continued to improve the usefulness of the diagnostics screen and have added more checks, including:

• We've added a warning if any external programs are set to paths that don't exist/work.
• We've added a warning if you're using the timezone module and the default timezone isn't set in the site settings.
• We've added a warning if a plugin that needs to be on a public or private content item is placed on a private or public content item by mistake. (For example, you'll see a warning if a Change Email plugin is placed on a public page, or the Extranet Registration plugin is placed on a private page.)

Minor changes

• When setting the maximum number of results to show for a Content Summary List or a Search plugin, you can now enter any number you wish.
• User forms now support sending attachments by email, for forms that have file uploads on them.
• Fixed a bug when duplicating a user form, where any CRM settings were not being copied to the new form.
• Added a Test Connection button next to the site settings for Salesforce.

Notes for designers

Designers can now specifically target WYSIWYG editors with selectors.

WYSIWYG editors are now wrapped with an extra <div>, with a CSS class name specific to them, so a designer can style them without having their styles also apply to HTML snippets.

Notes for developers

Bower has been replaced by Yarn

The Bower package manager has been removed from Zenario, and we're now using Yarn instead.

For the most part, all this means is that if you had a library in zenario/libs/bower/_name_/ then all you need to do is change the path in your code to zenario/libs/yarn/_name_/ instead.

However be aware that some of the directory names are slightly different in some cases, as the names of a few of the packages in Bower are slightly different to their corresponding package names in Yarn.

Yarn doesn't handle the d3 and fabric libraries very well, so these have been moved outside of the package manager into the manually_maintained/ directory at zenario/libs/manually_maintained/bsd/d3/ and zenario/libs/manually_maintained/mit/fabric/ instead.

A .htaccess file has been left in the bower/ directory to server redirects to any client site/module that does not have the names updated.

Improvements for using Two-factor Authentication in email debug mode

The emails send containing the security codes for two-factor authentication will now always go to their intended recipients, even if email debug mode is enabled.

Zenario 8.4

The 8.4 release of Zenario has the following new features and changes.

New Default Skin

Anyone doing a fresh install of Zenario will now see Black Dog, a new skin and default layout with a fresher look and feel.

Lazy Loading of images in Banners

The Banner module now has an option to use lazy loading for images. This is useful for images that will appear under the cut of the page, and thus do not need to be loaded straight away.

Changes to slideshows

The Slideshow 2 module has been renamed to the Slideshow (simple) module and has had a few changes made under the hood. It now uses the jQuery Cycle library, the same library as the Advanced Slideshow module, however it still has its more friendly interface.

Friendlier admin login URL

The admin login URL for Zenario sites is now at /admin.php.

(Our default .htaccess file now contains a redirect rule to ensure anyone accessing the link via an old bookmark is redirected to the new location, so no need to go around updating your bookmarks.)

The emails for two-factor authentication are more friendly

We've made some changes to the authentication email that is sent when you enable two-factor authentication on your site and attempt to log into admin mode.

There is now also an authenticate button in the email, which will allow you to authenticate with just a click, instead of having to copy/paste or type in the 5 letter code. (You can still manually type the code if needed, e.g. if you are opening the email on a different machine.)

More features to prevent email address enumeration attacks

The Extranet Password Reset plugin and the admin password reset screen now have a security feature where we can block enumeration attacks that are trying to obtain the email addresses of the site's users.

Any attacker who is trying to check which email addresses are in use on a site will now no longer receive any useful feedback. This improves security as the existence of an account is harder for an intruder to establish.

In addition, we've added a warning in the plugin settings of the Extranet Login plugin if your settings leave you vulnerable to email address enumeration on extranet logins. (Note: this was also patched back to 8.3.)

This feature is optional for the extranet system (you can turn it off in the plugin settings if you feel it is unfriendly and are not worried about the security concerns), however it is mandatory for the admin login (there are no settings to turn this on or off).

Improvements to the Layouts panel in Organizer

The Layouts panel in Organizer has had a small redesign to be more user-friendly. The initial view has been tweaked, and we've added information/links against the layouts so you can quickly see at a glance where each layout is used.

Minor changes

• If a plugin in a nest is hidden in admin mode due to a setup error, the buttons to change its settings will now remain visible (previously they were hidden as well).
• The URL fields in any TUIX form will now stop you from accidentally entering "http://" in twice. (This was actually quite easy to do by mistake when copy-pasting URLs in from Chrome.)
• It's now possible to hide the Your Orders and Privacy Policy special pages, if you don't want to have them on your site.
• Administrators can now export what they see in the the Orders and Products panels in the E-Commerce section of Organizer as a CSV file or Excel Spreadsheet.
• The option to enable friendly URLs and the option to enable the site-map have been moved into the same category in the site settings, so they now appear together.
• Also, the site settings for newsletters have now been moved into the Email category.
• When writing an email template, you can now use Twig code.

Bug fixes

• Fixed a bug where _ReCAPTCHA_s would not appear under certain conditions when placed on a form in a plugin nest.
• Fixed a bug where using the Call a module's static method option to customise a menu node would cause page caching to operate incorrectly, if used in the same menu as private menu nodes..

Notes for hosting providers

More & better information on the diagnostics screen

We've added a lot more helpful information onto the diagnostics screen, such as missing files or missing functions.

Where possible, we've also added clickable links against each message, leading to where you might need to go to fix an issue.

Warnings when unrecognised files are found in Zenario's root directory

The diagnostics screen now warns you if any unrecognised files are found in the CMS root directory. (A file is classified as unrecognised if it's not listed under Configuration -> File types in Organizer.)

The diagnostics screen will also warn you if you leave what looks like a backup file in the CMS root directory.

Friendly URLs

We are now recommending that everyone enable the option for friendly URLs.

The diagnostics screen will now warn you if you have not turned this on, or if your .htaccess file is missing.

Zenario now prefers InnoDB tables

If you are using MySQL 5.7 or later, Zenario will now use InnoDB as its table engine.

We've added a migration script that will automatically run and convert all of Zenario's tables to use InnoDB when you update a site to Zenario 8.4.

We haven't dropped support for MySQL 5.5 and 5.6; if you are still using MySQL 5.5 or 5.6 then Zenario will keep using MyISAM as before.

Notes for designers

Changes to Simple Slideshows

Simple slideshows are now powered by the jQuery Cycle library, (the same library that the advanced slideshows use), instead of the Jssor library that they previously used.

There is a migration script for all of the settings in Zenario, so you may not need to change any for existing plugins, but they will likely need their CSS to be updated.

New libraries for animations

The animate.css and WOW.js libraries are now included with the Zenario download.

They're not included on the page by default, but you'll always be able to link to them from your header & footer slots without needing to manually upload their files for each client site.

Notes for developers

Changes to development mode

When putting a site into development mode, you can now set development mode to automatically end after a set amount of time.

The option to leave a site in development mode permanently is now only available if you are running on the HEAD branch of Zenario, and has been removed if you are running on of the stable branches.

The new ZENARIO\_TABLE\_ENGINE constant

We've added a new constant called ZENARIO\_TABLE\_ENGINE that you can use when writing a database update.

The value of this constant will be set to "MyISAM" when running on MySQL 5.5, and to "InnoDB" when running on MySQL 5.6 or later.