Back-ported two security-related changes from the upstream versions.
Correctly convert date strings depending on their rgxp format (see #7721).
Update news and calendar feeds from the content view (see #7679).
Do not generally encode stand-alone ampersands (see #7684).
Restore some globals when catching the unused argument exception (see #7659).
Correctly set the CSS classes in the jQuery accordion and do not try to mess with its ARIA handling (see #7622).
Handle language fragments without trailing slash when redirecting (see #7666).
Trigger the load_callback upon saving in "override all" mode (see #7670).
Ensure a unique language file array in the Automator class (see #7687).
Fixed a directory traversal vulnerability discovered by Arnaud Buchoux. See CVE-2015-0269 for more information.
Handle variables and functions when importing style sheets (see #7448).
Fix an infinite recursion problem in the FilesModel class (see #7588).
Romanize style sheet names (see #7526).
Add the username to the "account has been locked" log entry (see #7551).
Consider the suhosin.memory_limit when raising the PHP limits (see #7035).
Added two missing exclude flags in the tl_page data container (see #7522).
Send a UTF-8 charset header in the die_nicely() function (see #7519).
Correctly validate dates in the Widget class (see #7498).
Back port the fixes from #7475 and #7473.
Send the same cache headers for cached and uncached pages (see #7455).
Fix the "current() expects parameter 1 to be array" issue (see #6739).
Correctly replace the *_teaser insert tags (see #7488).
Adjust the last and previous login labels (see #7426).
Unset the postUnsafeRaw cache in Input::setPost() (see #7481).
Fixed a potential directory traversal vulnerability.
Fixed a severe XSS vulnerability. In this context, the insert tag flags base64_encode and base64_decode have been removed.
Handle nested insert tags in strip_insert_tags().
Correctly store the model in Dbafs::addResource() (see #7440).
Send the request token when toggling the visibility of an element (see #7406).
Always apply the IE security fix in the Environment class (see #7453).
Correctly handle archives being part of multiple RSS feeds (see #7398).
Correctly handle 0 in utf8_convert_encoding() (see #7403).
Send a 301 redirect to forward to the language root page (see #7420).
Always pass a DC object in the toggleVisibility callback (see #7314).
Correctly render the "read more" and article navigation links (see #7300).
Consider the useSSL flag of the root page when generating URLs (see #7390).
Fixed the FAQ sorting in the back end (see #7362).
Added the Widget::__isset() method (see #7290).
Correctly handle dynamic parent tables in the DC_Table driver (see #7335).
Correctly shorten HTML strings in String::substrHtml() (see #7311).
Updated MooTools to version 1.5.1 (see #7267).
Updated swipe.js to version 2.0.1 (see #7307).
Use an .invisible class which plays nicely with screen readers (see #7372).
Handle disabled modules in the module loader (see #7380).
Fixed the "link_target" insert tag.
Updated the ACE editor to version 1.1.6 (see #7278).
Fix the Database::list_fields() method (see #7277).
Correctly assign "col_first" and "col_last" in the image gallery (see #7250).
Allow floating point numbers in "number" input fields (see #7257).
Do not adjust the start time of past events (see #7121).
Reset the image margins if it exceeds the maximum image size (see #7245).
Reset $blnPreventSaving when a model is cloned (see #7243).
Do not reload after storing CURRENT_ID in the session (see #7240).
Correctly validate the page number of the versions menu (see #7235).
Handle underscores in the Google+ vanity name (see #7241).
Correctly handle the rem unit when importing style sheets (see #7220).
Fix two issues with the extension repository theme.
Use DOMDocument::loadXML() instead of DOMDocument::load() (see #7192).
Specify the font size in rem for modern browsers (see #7209).
Make sure the default language file is loaded in the DCA extractor (see #7202).
Do not add unpublished FAQs to the XML sitemap (see #7210).
Preserve new lines when replacing simple tokens (see #7178).
Always prevent saving if PageModel::loadDetails() is executed (see #7199).
Use === to compare password hashes (see #7175).
Correctly mark GET parameters as used (see #7185).
Correctly apply the "disabled" attribute to input unit fields (see #7147).
Correctly check the permission to edit multiple files (see #7157).
Correctly handle other MySQL character sets (see #7140).
Correctly recognize Opera Mobile in the Environment class (see #5869).
Fix the grid offset for articles (see #7166).
Restore the basic entities in the source editor (see #7170).
Correctly build the breadcrumb trail in the style sheets module (see #7132).
Do not associate the "use SSL" option with sitemaps only (see #7163).
URL encode the pipe character in the Google web font URL (see #7120).
Handle double quotes in the title attribute of the <link> element (see #7124).
Use the save_callback when generating multiple aliases (see #7114).
Update SwiftMailer to version 5.2.1 (see #7110).
Correctly handle double quotes in comments (see #7102).
Ignore hidden files when building the internal cache (see #7098).
Correctly pass the insert ID of the undo record (see #6234).
Replace insert tags in external redirect targets (see #6765).
Also apply the font settings to the ACE element (see #7103).
Show the placeholder image in the "edit file" dialog if the original image exceeds the maximum dimensions supported by the GD library (see #7032).
Preserve whitespace before <textarea> tags when minifying code (see #7087).
Restore the PHP 5.3 compatibility of the listing module (see #7078).
Do not offer to drop tables or fields if the safe mode is active (see #7085).
Correctly detect binary fields during theme export (see #7079).
Make $this->locationLabel available in the event list (see #7030).
Correctly set the root page title (see #7023).
Only show the sort hint if there is more than one element (see #6935).
Try to raise the PHP limits upon file synchronization (see #7035).
Correctly urlencode folder names in the file manager (see #6925).
Update MooTools to version 1.5.0 (see #6924).
Allow for up to 13 characters in Validator::isEmail() (see #6950).
Only fall back to the default option if there is no POST data (see #6899).
Do not override the event start time in Events::addEvent() (see #6701).
Correctly detect binary fields during theme import (see #6852).
Do not urldecode twice in DC_Folder (see #6840).
Standardize the fallback behavior of the downloads/gallery element (see #6662).
Correctly hide duplicated elements in the module wizard (see #6826).
Fix the mediabox "imgBackground" option (see #6866).
Strip double quotes in the options wizard (see #6919).
Strip the insert tag flags before passing the tag name to the hooks (see #6860).
Catch Swift exceptions when sending form data via e-mail (see #6941).
Update the back end date picker to version 2.2.0.
Update ACE to version 1.1.3.
Check for reserved article aliases before validating the alias name (see #6978).
Store the UUID of uploaded files in the session (see #6986).
Only assume a moved file or folder for new resources (see #6907).
Correctly strip the file extension in the File class (see #6968).
Remove the menu when Swipe.kill() is executed (see #6861).
Consider the protocol when embedding YouTube videos (see #6900).
Fixed a critical vulnerability of the install tool (see #6855).
Filter disabled groups in the registration module in the front end (see #6757).
Work around a bug in SimplePie with the "skip items" option (see #6107).
Fix the Swipe "continuous" option if there are exactly two slides (see #6812).
Apply addslashes() to strings in the Config class (see #6808).
Do not empty all fallback fields in sorting mode 4 (see #6498).
Do not allow template names to be longer than the DB fields (see #6819).
Correctly set the start time of a multi-day event (see #6802).
Correctly handle OR queries in the listing module (see #6344).
Use a monospaced font for the plain text newsletter preview (see #6790).
Adjust the vScrollTo() offset if the paste hint is visible (see #6478).
Add the "href" values for active breadcrumb menus to the template (see #6796).
The file/page tree widget did not work properly in "edit multiple" mode (#6788).
Preserve the referer ID when clicking the "switch to edit" button (see #6127).
Encode e-mail addresses in the "explanation" form field (see #6771).
Use a placeholder image if no thumbnail can be created (see #6754).
Pass additional arguments to the "replaceInsertTags" hook (see #6672).
Correctly initialize the Session class (see #6747).
Do not use Input::setGet() in the event modules (see #6733).
Correctly shorten the CSS background property (see #6709).
Do not use UNION SELECT when searching for parent pages (see #6704).
Disable zlib.output_compression when sending files to the browser (see #6717).
Consider the event time in the event list module (see #6719).
Make the newsletter recipient address available in the template (see #5782).
Correctly handle Unicode characters in Validator::isGooglePlusId (see #6707).
Fixed the arguments of two CalendarEventsModel methods (see #6781).
Pass the "tableless" flag to the "form_message" template (see #6772).
Update the swipe.js script so the "continuous" option works (see #6762).
Improve the Search::removeEntry() method (see #6785).
Correctly set the cookie path in the front mode in debug mode (see #6723).
Point to Frontend::addToUrl() in front end templates (see #6736).
Do not stop the cron job execution after the first interval.
Fix another weakness in the Input class and further harden the deserialize() function. Thanks to Martin Auswöger for his input.
Further harden the deserialize() function and the Input class (see #6724).
Correctly load the parent pages in the navigation modules (see #6696).
Correctly encode URLs with GET parameters in the syndication links (see #6683).
Do not pass POST data to the deserialize() function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input (see #6695).
Allow any character in passwords, especially the less-than symbol (see #6447).
Purge the image cache if a file is being renamed (see #6641).
Preserve tags in custom CSS definitions (see #6667).
Make the swipe CSS selectors more specific (see #6666).
Correctly optimize floating-point numbers in style sheets (see #6674).
Updated the Russian translation of the TinyMCE "typolinks" plugins (see #6224).
Do not create multiple stylect layers upon Ajax changes.
Some DCAs were missing the "rem" unit (see #6634).
Correctly trim the SQL statements in the Database class (see #6623).
Fix some broken back end icons (see #6214).
Show a hint in the news archive menu if there are no items (see #5888).
Prevent the back end tool tips from exceeding the screen width (see #6639).
Support the Google+ vanity name in addition to the numeric ID (see #6454).
Correctly detect Android tablets in the Environment class (see #5869).
Correctly resolve the module dependencies (see #6606).
Correctly unset the PHP session cookie depending on its parameters.
Fixed the XHTML variant of the comments form (see #5675).
Correctly assign articles to columns (see #6595).
Correctly merge the CSS classes in the Hybrid class (see #6601).
Correctly resize the mediaboxAdvanced in IE11 (see #6504).
Set the correct status header for cached files (see #6585).
Correctly set the empty value depending on the DB field (fixes #6550, #6544).
Prevent saving of detached models (see #6506).
Correctly determine the ACE editor's height (see #6578).
Always fall back to English if a language does not exist (see #6581).
Correctly display repeated events in the event list (see #6555).
Correctly show the available layout columns in the article module (see #6548).
Correctly show the "read more" link in the news list modules (see #6439).
Updated html5shiv to version 3.7.0 (see #6543).
Support browsers with both mouse and touch support in the back end (see #6520).
Correctly handle multiple RadioTable widgets on the same page (see #6389).
Fixed two issues with the SQL cache (see #6507).
Do not require a redirect page for newsletter channels (see #6521).
Use the related field instead of id in the model query builder (see #6540).
Correctly support insert tags nested in shortened "iflng" tags (see #6509).
Do not require a foreign key to define a relation in the DCA (see #6524).
Use UUIDs as parent IDs in Dbafs::addResource() (see #6532).
Correctly set the default language (see #6533).
Correctly update the order fields in the database updater (see #6534).
Do not override the "href" property in addImageToTemplate() (see #6468).
Correctly handle URLs if page aliases are disabled (see #6502).
Handle UUIDs in Model::getRelated() (see #6525).
Hide records with only one version from the "changed elements" overview.
Use an auto-resizing textarea to store CSS selectors.
Updated the ACE editor to version 1.1.2.
Prevent the ACE editor from overlapping the modal window (see #6497).
Use the default back end theme when running in safe mode (see #6505).
Updated TinyMCE to version 3.5.10 to fix the IE11 issues (see #6479).
Optionally override the repository tables when importing a template (see #6470).
Only do the UUID conversion once even if the Database\Updater helper methods are called multiple times (see #6481).
Correctly toggle the mobile/desktop view (see #6227).
Correctly detect UUIDs in the "file" insert tag (see #6472).
Correctly assign images to FAQs (see #6465).
Improved the speed and memory footprint of the news archive menu (see #6463).
Removed CalendarEventsModel::findBoundaries() (see #6467).
Handle UUID strings in the UUID related FilesModel methods (see #6445).