Fixed a critical vulnerability of the install tool (see #6855).
Fix another weakness in the Input class and further harden the deserialize() function. Thanks to Martin Auswöger for his input.
Further harden the deserialize() function and the Input class (see #6724).
Do not pass POST data to the deserialize() function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input (see #6695).
Sort the list of available modules (see #6391).
Decode entities in passwords (see #6252).
Replace insert tags in the details view of the listing module (see #6120).
Allow to paste into the root page in "edit multiple" mode (see #5620).
Updated TCPDF to version 6.0.010 (see #5676).
Backported the changes from e44864d2 (see #5683).
Handle all possible errors when uploading files (see #5934).
Improved the memory footprint of the search index rebuild (see #5681).
Do not trigger the "setNewPassword" hook twice (see #5247).
Updated SimplePie to version 1.3.1 (see #5604).
Delete the pathconfig.php file in the install tool (see #5536).
Pass the style attribute to empty image gallery table cells (see #5485).
Do not override the website path in the default config file (see #5339).
Cast varchar date fields to int when selecting from the database (see #5503).
Only unset POST variables if Widget::submitInput() returns true (see #5474).
Strictly compare values when determining whether to save or not (see #5471).
Updated TinyMCE to version 3.5.8 (see #5329).
Correctly show the "invalid date and time" error message (see #5480).
Correctly split the words when adding to the search index (see #5363).
Correctly load TinyMCE in IE7 and IE8 (see #5346).
Send the correct cache headers in "client cache only" mode (see #5358).
Remove the session of deleted or disabled users (see #5353).
Correctly set the cookie paths (see #5339).
Support numeric front end dates in the form generator (see #5238).
Support whitespace characters when parsing simple tokens (see #5323).
Allow to run multiple TinyMCE instances with different configurations on the same page (thanks to Andreas Schempp) (see #4453).
Correctly trigger the "saveNewPassword" hook (see #5247).
Consider the save_callback of the password field in tl_user when a back end user is forced to change his password (see #5138).
Do not group standalone lightbox elements on HTML5 pages (see #3742).
Anonymize IP addresses in Form::processFormData() (see #5255).
Replaced the 1200 pixel limit when resizing images with the values defined in the system settings (see #5268).
Make sure there is an array in Controller::generateMargin() (see #5217).
More robust input validation in the back end filter menu and no more absolute paths in error messages printed to the screen (thanks to aulmn) (see #4971).
Unset non-existing fields when restoring versions (see #5219).
Make sure entered dates map to an existing date (see #5086).
Fixed the MySQLi field count (see #5182).
The Date class should return 00:00 for Date(0)->time (see #4249).
Handle dependencies when updating extensions (see #3804).
Fixed the unprefixed CSS gradient output (see #4569).
Fixed a small formatting issue in the Music Academy theme (see #5160).
Show all extensions in the log when updating multiple at once (see #5144).
Standardize RSS feed aliases (see #5096).
Make the FileUpload constructor public (see #5054).
Use isset() in the Database::fetch*() methods (see #4990).
Changed the System::getReadableSize() algorithm to powers of two (see #4283).
Removed Tahiti and the Netherlands Antilles from the countries list (see #3791).
Also adjust the be_navigation.html5 template to the new "getUserNavigation" hook changes (see #3411).
Only execute runonce files after the DB tables have been created (see #5061).
Add an empty option in the TimePeriod widget if there are none (see #5067).
Handle auto_items in the Frontend::addToUrl() method (see #5037).
Do not use specialchars() in the "page" insert tag (see #4687).
Set the return path when sending e-mails (see #5004).
Handle border color names when importing style sheets (see #5034).
Prevent the "Illegal string offset" error in back end widgets (see #4979).
Handle dependencies when updating extensions (see #3804).
Switched all comments of the example website to "moderated" (see #4995).
Replaced the automatic copyright notice with a meta generator tag.
Remove HTML tags when overriding the page title (see #4955).
Decode entities in meta tags like "description" (see #4949).
Remove newsletter subscriptions when a member closes his account (see #4943).
Prevent deleting referenced content elements using "edit multiple" (see #4898).
Updated SwiftMailer to version 4.2.1 (see #4935).
Set the file permissions depending on the server's umask setting (see #4941).
Correctly handle external image URLs in the image element (see #4923).
Fixed the too eager IP address anonymization (see #4924).
Fixed the automatic page alias generator (see #4880).
Correctly handle root pages in Controller::getPageDetails() (see #4610).
Consider the page language when forwarding (see #4841).
URL encode the enclosure URLs in RSS/Atom feeds (see #4839).
Also create empty templates folders if a theme is imported (see #4793).
Decode Punycode domains when used via insert tag (see #4753).
Correctly handle open tags in String::substrHtml() (see #4773).
Correctly handle units when importing style sheets (see #4721).
The mediabox plugin did not play Vimeo videos (see #4770).
Correctly align stylect menus in the form generator in the back end (see #4557).
Add a link if a news item or event points to an internal page (see #4671).
Wrap the MooTools fallback into CDATA tags on XHTML pages (see #4680).
Do not add a default value to textareas (see #4722).
Do not override the comments array in case login is required to comment, otherwise no comments will be shown (see #4064).
Crop theme preview images so they are not being distorted (see #4361).
The IDNA convert class did (again) not run under PHP 5.2 (see #4044).
Fixed an issue with getImage() not working correctly when the $target parameter was set (thanks to Tristan Lins) (see #4166).
Updated TinyMCE to version 3.5.5 to finally fix the issue with links pointing to the empty domain not being handled correctly (see #132).
Directly go to the new Live Update client if the file exists.
Correctly check the permissions to manage undo steps (see #4535).
Fixed the issue with new pages being inserted into first-level pages having the wrong default page type (see #4507).
Limit the "inputUnit" fields in the style sheet generator to 20 characters so they are stored correctly in the database (see #4472).
Update the style sheets when changing the theme, in case the global style sheet variables have changed (see #4471).
Added better border radius hints in the style sheet editor (see #4379).
Fixed the HTML5 "form action attribute must not be empty" issue (see #3997).
Fixed the SOAP compression issue in PHP 5.4 (see #4087).
Fixed the "division by zero" issue in the listing module (see #4485).
Do not hide the current page in the quick navigation (see #4523).
The "addEntry" hook does not interfere with the user object anymore (see #4414).
The function Controller::generateImage() did not urldecode (see #4384).
Check if there is a text field when auto-focussing (see #4422).
Set the correct headers to prevent browser caching (see #4436).
Min- and max-width/height now support inherit and none (see #4449).
Fixed a critical privilege escalation vulnerability which allowed regular users to make themselves administrators (thanks to Fabian Mihailowitsch) (see #4427).
Support insert tags as external redirect target (see #4373).
Updated the CSS3PIE plugin to version 1.0.0 (see #4378).
Re-applied the "autofocus the first field" patch (see #4297).
The pagination menu fix was missing in the listing, search and RSS reader modules (see #4292).
Added the "required" attribute to the captcha input field (see #4247).
Correctly tell Google Analytics to anonymize the visitor's IP (see #4290). Heads up: Adjust your moo_analytics templates accordingly!
Correctly align stylect menus in Safari and Opera (see #4284).
Always check all modules when looking for runonce.php files (see #4200).
Correctly insert the date picker in the DOM tree (see #4158).
Open popup windows so they are not blocked (see #4243).
Replaced is_a() with instanceof in the simplepie plugin (see #4212).
Use round() instead of ceil() when resizing images (see #3806).
Correctly handle empty FAQ categories in the front end modules (see #4084).
The comments module no longer throws an error if there are no comments and the number of comments per page is greater than 0 (see #4064).
Correctly sort content element and module types in the help wizard (see #4156).
Add the admin e-mail address of a website root page to the page object so it can be used in the form generator (see #4115).
Add a "protected" icon to subpages of a protected page (see #4123).
Allow "disabled" and "readonly" attributes in the back end (see #4131).
Add a log entry if a new version is created by toggling the visibility of an element via Ajax (see #4163).
Re-added the version 2.9.2 update code in the install tool template (see #4165).
Correctly check the permission to edit tasks (see #4140).
Check the uploader class before instantiation (see #4086).
Convert the "rel" attribute inserted by TinyMCE to a "data-lightbox" attribute if it is an HTML5 page (see #4073).
Uploaded files should now be resized correctly (see #3806).
Fixed the "setCookie" hook (see #4116).
Fixed the mediabox .mp4 file not found issue (see #4066).
The stylect menus in the module wizard are now duplicated correctly (see #4079).
Define BE|FE_USER_LOGGED_IN in the cron script (see #4099).
Correctly align the versions drop-down menu (see #4083).
Fixed an issue with the CSS3PIE url being incorrectly rewritten (see #4074).
Fixed a security vulnerability in the file manager which allowed back end users to download files from the tl_files directory even if they were not mounted in their profile (thanks to Marko Cupic).
Fixed a potential XSS vulnerability in the undo module (thanks to Oliver Klee). The issue is not considered critical, because it requires the script tag to be in the list of allowed HTML tags, which is not the case by default.
The IDNA convert class did not run under PHP 5.2 (see #4044).
Store the date added when creating an admin user upon installation (see #4054).
Purge the Zend Optimizer+ cache after writing the local configuration file.
The IDNA convert class did not run under PHP 5.2 (see #4044).
Inject error messages of checkbox and radio groups inside the fieldset, so they can be associated with it (accessibility) and do not break the CSS formatting. This change does not require any template adjustments (see #3392).
Correctly handle tabs and line breaks when importing CSV data (see #4025).
Event feeds did not show the date anymore (see #4026).
Preserve absolute URLs in style sheets in the Combiner (see #4002).
Support all kinds of keydown events in the stylect plugin, so options can be selected by pressing the first key of their label (see #3812).
Added a separate version check for LTS releases.
Prevent the auto_item feature from generating duplicate content (see #4012).
Do not add the language parameter when forwarding to a page (see #4011).
The date picker in the back end did not work correctly due to MooTools failing to parse dates correctly (see #3954).
The TinyMCE links popup failed under certain conditions (see #3995).
Correctly add the language to insert tag links (see #3983).
When creating an admin user in the install tool, the username was not validated correctly (see #4006).
Updated MooTools to version 1.4.5 which fixes a critical bug.
Relative URLs are now validated correctly ('rgxp'=>'url') (see #3792).
Adjust the submit button height in Opera (see #3940).
The front end preview drop-down menu did not use the stylect plugin.
Use the Facebook sharer instead of a third-party app (see #3990).
Preserve IE conditionals like [if (lt IE 9) & (!IEMobile)] when replacing ampersands in the front end (see #3985).
Set the maximum length of inputUnit fields to 200 (see #3987).
If an image with a title was added to a text element, the lightbox did not show the title anymore (see #3986).
The hyperlink element did not output the link title anymore (see #3973).
Send a 404 header and do not index or cache a page if there is a pagination menu and the page parameter is outside the range of existing pages. Now that list and reader modules can be shown on the same page, it is likely that those pages will be cached. This fix prevents the search index and temporary directory from being flooded with non-existing resources (such as ?page=100000).
Fixed the module wizard so you can use the stylect menu of a duplicated element without having to reload the page (see #3970).
Added the Slovenian translation of the TinyMCE "typolinks" plugin (thanks a lot to Davor) (see #3952).
Fixed the "getContentElement", "getFrontendModule" and "getForm" hooks, so they pass the generated content to the callback function (see #3962).
Correctly handle pages with the alias name "index" (see #3961).
Patched the MooTools core script to fix the accordion effect (see #3956).
The slimbox style sheets are now compatible with the combiner.
Also show today's events and running events in the RSS feed (see #3917).
Added "eot|woff|svg|ttf|htm" to the default .htaccess file (see #3930).
Fixed extracting the page alias when no URL suffix is used (see #3913).
Correctly calculate the width of the stylect select element in webkit.
Updated MooTools to version 1.4.4 (see #3906).
Trigger the Slimbox with the data-lightbox attribute (see #3908).
Removed the HTML5 article and section tags as it turned out that semantics cannot be generated automatically (see #3833).
Updated MooTools to version 1.4.3 (see #3837).
Do not output (back end) system messages in the front end (see #3838).
Return the renameTo() status in the Folder class similar to how it is done in the File class (see #3872).
Trigger the Stylect plugin after loading a subpalette (see #3850).
Correctly redirect to front end pages (see #3843).
Handle external image URLs when generating style sheets (see #3832).
Handle empty format definitions when generating style sheets (see #3830).
More accurate format definition validation (see #3824).
Correctly close the rel="prev" and rel="next" link tags (see #3821).
The stylect plugin does not break multiple select menus anymore (see #3819).
Request static resources and Google web fonts via https:// when the main page is using an SSL connection (see #3802).
Images with spaces in the name are now displayed correctly (see #3817).
Do not load the empty URL from cache if the language is added and the empty domain will be redirected.
Fixed an issue in the Database_Statement::debugQuery() method.
Correctly redirect when using an include content element (see #3766).
The stylect plugin did not work in IE < 9 (see #3628).
Added the event list formats "all upcoming of the current month/year" and "all past of the current month/year" (thanks to Dominik Zogg) (see #3801).
Added the "getRootPageFromUrl" hook.
Encrypt the default value of an encrypted field when creating new records or duplicating existing records (see #3740).
Added the "getCookie" hook (see #3233).
Added the copyTo() method to the File and Folder class (see #3800).
Do not generate news or calendar feeds if there is no target page (see #3786).
You can now use a textual date format in the front end without breaking the "registration" and "personal data" modules, which will fall back to the numeric back end date.
Fixed the case-insensitive search in the back end (see #3789).
Support data: URIs in the style sheet generator (see #3661).
Added a "header_callback" to the parent view to format the header fields of the parent table (see #3417).
Added an option to anonymize IP addresses which are stored in the database and IP addresses which are sent to Google Analytics (see #3406 and #2052). This does not include the tl_session table though, because IP addresses are bound to the session for security reasons.
Force line-breaks in the filter menu so the filters do not exceed the column width (see #3777).
Added an "isAssociative" flag to the "eval" section of the DCA to mark numeric arrays as associative (see #3185).
The Email class now handles files with special characters (see #3713).
Correctly URL-encode image URLs (see #3751).
Added a fallback which loads the local MooTools core script if the Google CDN is not available, e.g. if you are not connected to the Internet (see #3619).
Re-added a color picker to the style sheets module (see #3228).
Do not import commented definitions when importing style sheets (see #3478).
Correctly idna-encode domain names (see #3649).
Added a chmod() method to the File and Folder class (see #3641).
Added the Russian and Ukrainian translations for the TinyMCE "typolinks" plugin (thanks to DyaGa) (see #3648).
Support the CSS "ex" unit (see #3652).
Correctly set the CSS ID and class of articles when just their teaser is shown (see #3656). Note that the teaser element has its own CSS ID/class field.
Correctly set the classes "first" and "last" in the RSS reader (see #3687).
Mark past and upcoming events with a special CSS class (see #3692).
Restore basic entities before auto-generating an alias (see #3767).
Remove a page from the search index if it does not exist anymore (see #3761).
Select menus using the "chosen" plugin were not displayed when they were in a collapsed palette (see #3627).