Skip to content

Releases: TribalSystems/Zenario

Zenario 9.5.60437

02 Feb 17:33
Choose a tag to compare

This release contains a security patch related to the usage of Twig code in the Twig Snippet plugin, and in the site-wide <head> and <body>.

Critical security patch

The Twig template engine currently has a vulnerability with how some of its filters are implemented, where it is possible for a designer or an administrator who is aware of the vulnerability to execute arbitrary CLI code on the server.

This update disables the ability for designers/administrators to call the affected filters, as a work-around in place of an actual patch for this from Twig's developers.

Other fixes

We've fixed a visual glitch where administrators could always see the "Delete archived versions" and "Rescan text/image extract" buttons in the Content Items panel in Organizer, even if they didn't have the permissions needed to actually press them.

Zenario 9.4.60437

02 Feb 17:32
Choose a tag to compare

This release contains a security patch related to the usage of Twig code in the Twig Snippet plugin, and in the site-wide <head> and <body>.

Critical security patch

The Twig template engine currently has a vulnerability with how some of its filters are implemented, where it is possible for a designer or an administrator who is aware of the vulnerability to execute arbitrary CLI code on the server.

This update disables the ability for designers/administrators to call the affected filters, as a work-around in place of an actual patch for this from Twig's developers.

Zenario 9.5.60240

05 Jan 17:52
Choose a tag to compare

This release is purely a bugfix release, with several miscellaneous small fixes.

Updates for minifying skins

After receiving feedback, we've reworked how the "Minify Skin" button works on the diagnostics screen.
Instead of having to manually press a button, it's now done when you press continue, and we no longer offer the choice to delay doing this.

We've also fixed a few bugs and inconsistencies, where the ability to do this would sometimes not appear when a site was in Production mode.

Fixes in visitor mode

  • Fixed a bug with the link from the login page to the registration page, where the link always went to the page in the default language. It should now go to the page in the visitor's current language.
  • Fixed a bug on extranet plugins with a password entry box, where the password requirement messages were always in English, and not able to be translated.
  • Fixed a bug when using implied cookie consent together with page caching, where the notice message explaining about cookies could sometimes fail close as intended.
  • Fixed an issue in our code where it was possible to trigger a PHP error by hacking the URL to the search page.

Fixes in admin mode

  • Fixed a bug where, if a site has a custom logo, the error messages shown in staging mode were not correct.
  • Fixed a bug where, under certain situations, the admin UI elements would bleed into "Preview" mode.
  • Fixed an issue where the WYSIWYG Editor would remove the "rel" attribute from elements.
  • Fixed an issue where the WYSIWYG Editor would corrupt an image's URL if it was used in an inline style rule.

Zenario 9.5.59647

11 Oct 15:48
Choose a tag to compare

By popular request, this update adds a migration script to automatically convert your print.css files for you into the new format needed in 9.5.

This will be run when you first log in to admin mode after updating your site to this version.

Bug fixes

  • Fixed a bug where the Registration plugin and Login plugin would display the message "Welcome, !" if you accessed those URLs whilst logged in.

  • To prevent false positives from GitHub's dependabot, we're now intentionally commenting out the "require-dev" property in the composer.json files of any libraries we include.

Zenario 9.5

02 Oct 17:29
Choose a tag to compare

This release introduces staging mode, improved performance for skins, and many more new features and changes.

Introducing Staging Mode!

Staging mode on a page lets you make a draft and share it with colleagues before it's published.

This is a great feature if you want feedback on a new content item before you publish it, while showing it to people who are not Zenario administrators.

How to use staging mode

To use it, just make a draft of a content item — either an existing content item or a v1 draft. 

Open the meta data of the content item, and look for the "Staging mode" tab. You can click "Suggest" to let Zenario suggest a staging code (a 5-letter code), or choose one yourself.

A staging code is the private code that you can send to your colleagues, who will be able to then view the draft. Staging mode only works with content items that are public (not private, password-protected pages).

Once you save, you'll see the thumbs-up icon in the admin toolbar. Copy the URL, which will include the Staging code, and send it to the people who you want to review the page. They will be able to access the page immediately.

Making a whole bunch of new pages?

That's fine. Go to each content item whose draft that you want to share, and just select "Use existing code". Then you can make a whole set of pages using the same code.

When you're done, simply publish the page (or delete the draft if it didn't work out). The staging code will be removed.

Improved performance for skins

Better print CSS files

This version of Zenario brings some SEO improvements via improved performance, achieved by reducing the site of print stylesheets (CSS):

  • They are now included along with the normal skin styles as a single download, rather than two separate downloads. This reduces the number of http requests per page as well as the total download size.
  • Zenario now includes a set of pre-written CSS rules as standard, that make most web pages look well-formatted when printed (whether to PDF or hard copy). They should look well-formatted even if the site has no specific print rules in the skin.

A print stylesheet is still formatted in a similar way to previous versions of Zenario, in the sense that a designer still needs to write the rules in the print.css file in the skin.

The print.css file will be inside the skin's editable CSS directory, which is in turn inside the zenario_custom/skins/ directory. For example, for the Zebra Designs skin (called zebra_designs), it will be in:


Automatic minification

Zenario now minifies the skin CSS bundle file, to reduce download time of the CSS of the site and improve SEO.

Easier admin login

It is now possible to log in to a Zenario site using admin/ (with a trailing slash), for example,

Other new features

  • The Advanced Search plugin now has the ability to search for locations.
  • The Extranet Profile form now has the facility to allow a user to delete their account.
  • The admin toolbar now has a "hide" button that allows you to remove it from view and browse your site in preview mode.

"Quality of Life" changes

  • Forms now support client-side (Ajax-based) validation on text fields.
  • We have made some updates on the WYSIWYG editors, so that full-featured ones now have a better layout, and minimal-featured ones (like for editing a content item's Summary field) now just have the essential buttons.
  • When editing the categories of a content item, there is more information beside each category name to say if it's public or private, what its public name is, and how many content items use that category.
  • When viewing the properties of an image in the Image Library, it's now much easier to see the URL to use when linking to the image.
  • When closing Gridmaker after opening it from the front end, the "Show mobile and empty slots" option will now automatically be turned on without you needing to click it.
  • We have deleted the admin permission for viewing a layout's properties. Letting all administrators view information on a layout's size/columns/slots is not a security issue and didn't need a permission.

Other miscellaneous changes

  • Advanced Search plugin is now enabled on a new site by default.
  • You can no longer use images in the summary field of a content item.
  • When in Edit mode, Zenario now shows a grey triangle when there's a link to a hidden content, instead of orange covering both hidden and draft items.
  • When a newsletter is sent via scheduled sending, it's now possible for all admins to be sent a copy.
  • Scheduled publishing has had an update, with Zenario now sending an email to confirm when relevant scheduled publishing actions occur.
  • For the Promo Menu with Images plugin, the size of images is now controlled on the plugin rather than on the menu node itself.
  • It's now possible to associate a page or an area of a site with a promotional image. The meta data module's plugin can now show the promotional image of the menu node or of its parents.
  • On the Users/Contacts dataset, the linked countries field has been improved and it's now possible to edit certain options. It can also now be exported.
  • We've changed our terminology in relation to content items from "orphaned" to "not in menu".

Security related changes

  • Version 9.5 of Zenario contains an internal rewrite to how plugins function when displayed, to improve the security and fix security vulnerabilities in a few rare/specific cases.
  • Whenever an administrator saves content in a WYSIWYG Editor, we now run what they submit through a HTML sanitiser to improve security.
  • When making an anchor link from a banner, a controlled list of characters is now applied, so that anchor links cannot contain spaces or certain special characters. This is for security, to help prevent XSS attacks.
  • We've improved security around email templates. It is no longer possible to include certain fields in email templates, e.g. that might include certain data from the users table.
  • We've decided to remove our "Domain redirects" feature. This feature used to let you redirect a domain to a content item without needing to edit your Apache virtual hosts file. However doing this without actually needing to edit the Apache virtual hosts file was only possible if a domain was using HTTP and not HTTPS, so the feature was a bit obsolete.
  • When we generate an Excel spreadsheet, we are now using the PHPSpreadsheet library, instead of the abandoned PHPExcel library.

Bug fixes

  • If someone tries to access and browse the site using the cookie-free domain, we now redirect them to the actual domain.
  • The "Repair public images" now repairs not just images at full size but images that have been resized in a WYSIWYG area.
  • Fixed a bug when trying to export a list of spare aliases used on a site from Organizer
  • On forms, consent fields are now mandatory by default, when added to a form.

Changes for hosting providers

Important: you will need to delete the old dummy admin/ directory

If you have previously downloaded Zenario, you may have a dummy admin/ directory in your CMS root directory to redirect admins to the actual admin login.

This is now down by the .htaccess file, and this dummy directory can cause conflicts or redirect loops if it is allowed to stay in the filesystem, so we recommend you delete it.

Changes for designers

Important: you will need to change your CSS!

If you are using a print.css file, you will now need a media query around your print rules, e.g. like this:

@media print {
    /* Your print rules here */

If you are upgrading from an earlier version of Zenario prior to 9.5, you will need to modify the print.css file to add the code shown above.

Changes to browser-specific styles

If you are using browser specific files (e.g. style_ff.css or style_webkit.css), there are some additional changes needed. You will need to edit each rule to include a browser-specific prefix, e.g. like this:

body.webkit p {
    /* Your browser-specific styles here */

The full list of prefixes used for each browser are as follows:

Browser-specific file Prefix needed
style_edge.css body.edge
style_ff.css body.ff
style_ios.css body.ios
style_ipad.css body.ipad
style_iphone.css body.iphone
style_opera.css body.opera
style_safari.css body.safari
style_webkit.css body.webkit

Styling external links in the menu tree

All external hyperlinks from menu nodes now have a class "link_external".

Removed support for Internet Explorer

In February 2023 Mircosoft will be completely removing all support for Internet Explorer, including the ability to even run the program.

In version 9.5 of Zenario, we are following suit, and removing any code that was there to support Internet Explorer.

In addition, you will not even be able to log in to admin mode using Internet Explorer, and instead will see the compatibility message asking you to switch.

Changes for developers

Check your JS libraries

If you were using requireJSLib() and requireJSLibsForFEAs() in your plugins, these functions were previously called statically.

In Zenario version 9.5 we now need to track what libraries your plugin requests, as part of our improvements to ou...

Zenario 9.4.59574

02 Oct 17:18
Choose a tag to compare

This update disables MultiViews to allow logging in via admin/ (with the trailing slash). It also contains several other small bug fixes for using Zenario in admin mode.

Updates to our .htaccess files

We are now recommending that you disable "MultiViews" in Apache as these interfer with friendly URLs in Zenario.

The default .htaccess files that come with Zenario now contain the following line to try to disable them on a directory-level:

Options -Indexes -MultiViews

Fixes in admin mode

  • Adjusted the hit area for the drag-handle of our admin boxes.
  • Fixed a bug in the Content items panel, where the "content type" quick filter was sometimes visible when it shouldn't be.
  • Fixed a bug where site-wide slots in a layout did not function correctly if you created a layout by duplicating an existing one, and never edited it in Gridmaker.
  • Fixed a bug where the "width" and "height" fields would sometimes not appear when they should do in the plugin settings of the Banner plugin.
  • Fixed a bug where you could sometimes see a glitched confirmation message when trying to delete images from the image library.
  • Fixed a glitched warning message that appeared if you attempted to view the backups area in Organizer before setting up the backup path site settings.
  • Fixed a bug where the CMS backup tool could fail if the database user account did not have permissions to manage tablespaces.

Zenario 9.4.59197

11 Aug 15:55
Choose a tag to compare

This update fixes a some small issues with sending support emails, using editable CSS for nested plugins, and the page caching system.

Several small fixes for using Zenario in admin mode have also been made.

Fixes in visitor mode

  • Fixed a bug where the support email address was being used instead of the site's name in the "name to" metadata when sending emails to the support address.
  • Fixed a bug where editable CSS files for nested plugins were not included on the page.

Fixes for the page caching system

  • Fixed a bug with the Content Summary List plugin, where if you used the "Use text of its menu node" option and the menu text changed, the cache would not be cleared.
  • Fixed a bug where using Google Analytics on your site caused some plugins to stop using the page caching system.
  • Fixed a bug where the page caching configuration for banners was more stricter than intended.
  • If a plugin cannot use the page cache due to the Geo Landing Pages module being active, you should now correctly see a message about this when using the caching debug tools.

Fixes in admin mode

  • If a site setting is encrypted when saved in the database, we now show you a the "key" icon next to it.
  • If you are migrating a site to Zenario 9.4, and you have some bad or missing images linked to in a WYSIWYG editor, you should no longer see PHP warning messages whilst running database updates.
  • Fixed some buggy behaviour if you opened the slot drop-down menu by left-clicking the slot instead of using the menu. The menu should now appear at your mouse cursor as intended.
  • Fixed a bug where the Impersonate user Admin Box allowed you to navigate to pending users when selecting which user to impersonate.
  • Fixed a bug when duplicating something in Organizer, where if the newly created item does not match your current filters, the next visible item would be selected in its place.
  • Fixed a bug where you could not delete multiple spare aliases at once.
  • Fixed a bug where the "create slideshow" buttons were missing from the slideshow library in Organizer.
  • Fixed a problem where the contents of header and footer slots were not being displayed on the "Slots on the Content Item" and the "Slots on the Layout" panels.

Zenario 9.4

24 May 15:54
Choose a tag to compare

This release brings the ability to create a site-wide header and footer in GridMaker, and many more new features and improvements.

Actions when trashing and hiding

When trashing or hiding content items, there is now more assistance to help change things relating to that content item.

There is a box to let administrators determine what should happen to that item's alias, and it's easy to now make its alias become a spare alias, thus redirecting subsequent traffic to a different content item.

If there are are banners on the site with links to the item being trashed or hidden, there is helpful information about this, so that the administrator can make changes on those banners if desired.

CSS editing

We have made some improvements to the CSS skin editor. To access it, go to "Edit layout" tab and click "Edit skin CSS".

The interface now shows the constituent files of the skin listed on the left hand side, separated by their functional area. You can edit them in the main editor area, and see a preview up above, before saving.

Site-wide header and footer in GridMaker

Our GridMaker system, for creating page layouts, now supports a site-wide header and footer.

Each layout can now opt-in to using a shared common header and footer, and any changes in plugins that are on the common header and footer now apply across every layout, instantly, making it easier to make wide-reaching changes.

The common header and footer are optional to use, and when sites are upgraded from 9.3 to 9.4 their layout will not automatically be changed.

The Advanced Search plugin now covers more

Our on-site Advanced Search plugin now has greater flexibility, as it can return results not only from content items but also from HTML, document, news and blog content items, but also can retrieve results from other data areas.

For example, ecommerce publications can respond with search results, making it easier to integrate a paid-for search system into the site-wide search.

Search now allows a search scope to be given, so as to limit the search to content items in a given category or categories. This allows a search to just search in one part of a large website.

New Library area in Organizer

Navigation in Organizer has been restructured. Organizer now has a "Library" area, which contains things previously in other areas.

This is now the home for images, categories, writer profiles, spare aliases, hierarchical documents and their tags.

The Documents area — for non-content item type documents, and arranged into folders — is now inside the library and called Hierarchical documents.

Content Summary Lists

There is now an option in CSLs on multi-language sites, so that a single item can be displayed from an equivalent chain of content items (thus avoiding showing the "same" item in two or more languages).

There is now the option on a CSL to display the menu node text of the linked-to content item.

User and contacts

When exporting user and contact data, country name and code can now be exported.

We've improved the sample export file to make it reflect the fields that have been enabled (in the relevant Dataset) for export.

We have also improved the import routine to fix a number of bugs, as well as to allow countries to be imported.

When deleting a user or contact, and deleting the linked data to that account, there is now much better information about what exactly will be deleted.

In places where a user chooses a password, such as when registering, or when resetting or changing their password, Zenario now uses the zxcvbn library to prevent users choosing easily-guessable passwords.

Twig code allowed in site-wide <head> and <body>

We now allow Twig code to be embedded in the site-wise <head> of all pages, and just before the closing </body> tag of all pages.

Twig is a server-side executable language, similar to PHP, but which runs with heavy restrictions for security.

By allowing it to be placed in web pages in this way, it can invoke code on the server, for example to get environment variables for a content item, or about the current user.

To access it, go to a content item on the front end in admin mode, and click on the Layouts tab. Then in the admin box, you can add Twig code.

Security-related changes in this version

Extranet users

When someone is created a new password in one of the Extranet modules, we've implemented better checks on the passwords to make sure they are strong.


Zenario now counts the number of failed login attempts against an administrator's account. When an administrator logs in, if there have been one or more failed attempts since their last login, Zenario warns the administrator of this.

Adjusted the behaviour of the Zenario's admin login when you open an admin box, but then go away from your computer with the box still open. Zenario will now give you 3 hours from when the admin box was first opened get back and save, before it logs you out. (Previously Zenario would try to keep you logged in as long as the box remained open, with no time limit.)

In some admin boxes where we allow an administrator to directly enter HTML and/or JavaScript code that will appear on the site, we've added some warning messages to the effect that the admin must check the provenance and functionality of all code they enter, lest they inadvertently enter some code which creates a cross-site-scripting (XSS) vulnerability.

Twig code execution

We've done a security review on the functions available to the administrator when writing Twig code. We've made our whitelist a bit more restrictive, removing some functions that let the admin look up arbitrary information from the database, and removing a few functions that allowed the admin to update things in the database.

Changes for forms

  • The forms module now has a validation option for phone numbers.
  • The forms module now has a maximum form attachment file size, thus limiting how large a file can be uploaded by a user.
  • Added a setting to decide what should happen if a visitor who has rejected all cookies attempts to complete a form that requires a CAPTCHA to be completed. You can either block them, or let them skip the CAPTCHA and still complete the form.
  • It's now easier for an admin to see what forms a user has submitted.

Other plugin changes

  • When the Meta Data plugin is displaying a featured image, it now supports displaying the image credit.
  • When a search result in the advanced search plugin is pinned, we've added a CSS class name to allow you to style this.
  • When viewing document content items in the search results plugin, you can now choose whether they are downloaded straight away when the visitor clicks on a link, or whether the intermediary download page is used.
  • The Event Calendar plugin now has the ability, in months-of-the-year mode, to start in a month other than January, e.g. a school could show September to August for its academic year.

Other changes for administrators

  • Improved the process whereby a newly created administrator receives a link by email and chooses an admin password.
  • We've simplified the admin permissions system for lower-permission admins.

Other changes in admin mode

  • Added an option to auto-populate the browser title from the filename when creating document/picture/audio content items.
  • When editing a content item's meta data, there are now colour-coded quality bars on title, alias and description boxes now giving feedback on how well they are written and affecting search engine optimisation.
  • Rearranged the order of some of the settings in the Banner plugin. Options for the image and the link now appear before the options for the title and description.
  • The Videos Manager module will now stop you from adding the same Vimeo video or YouTube video more than once.
  • We have improved the Organizer panel for menu nodes, so it now shows a lot more information about the menu node and the associated content item.
  • When exporting a list of content items from Organizer, we've improved the range of fields which are available in the export.

Bug fixes

  • Fixed a bug when using the Advanced Search and Location Map & Listing plugins on the same page, where trying to changing a filter in the Location Map & Listing plugin would instead take you to the search results page!
  • Fixed a bug where if you selected a site logo from the image library, Zenario would then allow you to delete your site's logo.

Notes for designers

  • If you are using the Zebra skin (or any other skin where the designer has split the style rules up by module), Zenario is now more efficient, and will now only output CSS files for modules that are running.
  • Our slideshow plugins no-longer supper the old jQuery Cycle library. If you've not already done so, you will need to migrate to using the jQuery Cycle 2 library.

Notes for developers

  • The copy of the jQuery UI library Zenario uses has been updated to version 13.

Notes for hosting providers

  • We've updated the rules in our robots.txt file to allow Google to read the stylesheets on the page. This allows them to more accurately spider your site and may result in slightly higher search listings.
  • We no longer support setting SESSION_TIMEOUT to be 0 in the siteconfig file. This now must be set to a value somewhe...

Zenario 9.3.58670

23 May 16:32
Choose a tag to compare

This update fixes a some issues with the database error reporting tool, and document downloads.

Automated reporting of database errors

The latest versions of PHP come with its own database error reporting tool. However this has the unfortunately side-effect of stopping Zenario's own database error reporting tool from working.

We find our own tool better fits our workflow as we rely on the automated emails it sends to alert us to problems. So we've decided to take the step of turning PHP's version off for Zenario's scripts.

If this causes an issue for you please leave some feedback on the forums, we could always consider making this choice a site-config option or a site setting.

Fixes for document downloads

This patch release sees a few fixes for document downloads of documents stored in Amazon S3.

We've also fixed a bug where document download links would not work if the "Show menu structure in friendly URLs" option was enabled in the site settings.

Other fixes

Fixed a bug where the slot controls were missing in some places in admin mode, due to the security fixes in the previous patch being a little too zealous.

Fixed a mistake where we had linked to the wrong version of the wow.js library in our package.json file.

Updates for PHP 8.2

No more fixes for running on PHP 8.2 coming in the 9.3 branch of Zenario. Support for running on PHP 8.2 is coming in Zenario version 9.4, to be released shortly.

Zenario 9.3.57754

16 Dec 16:35
Choose a tag to compare

This update sees some security-related changes to what is available to administrators in admin mode .

Security-related changes in admin mode

In this update, we've done a review of which functions administrators have access to when writing frameworks and Twig Snippet plugins, and have decided to remove a few from Zenario's whitelist to tighten security.

The functions that let frameworks and Twig Snippet plugins look up values of specific columns from the database have been removed.

The functions that let frameworks and Twig Snippet plugins look up any extranet user's name/email/ip/group memberships by user ID have been removed.

The functions that let frameworks and Twig Snippet plugins check any extranet user's permissions has been removed, however there is a new version of this function now available that checks the current extranet user's permissions.

The function that let Twig Snippet plugins look up the values of site settings has been removed, however there is a new version of this function now available when writing frameworks.

Plugin developers writing frameworks can still call public functions from their own module, this has not changed.

Other fixes

Fixed a small security vulnerability in admin mode, where calling the refreshPluginSlot() function for plugins in admin mode was able to bypass the plugin's init() check.

If you have deleted/trashed a content item, you can now create a spare alias to another content item using its tag ID, e.g. html_12.