Back-ported two security-related changes from the upstream versions.
Correctly convert date strings depending on their rgxp format (see #7721).
Update news and calendar feeds from the content view (see #7679).
Do not generally encode stand-alone ampersands (see #7684).
Restore some globals when catching the unused argument exception (see #7659).
Correctly set the CSS classes in the jQuery accordion and do not try to mess with its ARIA handling (see #7622).
Handle language fragments without trailing slash when redirecting (see #7666).
Trigger the load_callback upon saving in "override all" mode (see #7670).
Ensure a unique language file array in the Automator class (see #7687).
Fixed a directory traversal vulnerability discovered by Arnaud Buchoux. See CVE-2015-0269 for more information.
Handle variables and functions when importing style sheets (see #7448).
Fix an infinite recursion problem in the FilesModel class (see #7588).
Romanize style sheet names (see #7526).
Add the username to the "account has been locked" log entry (see #7551).
Consider the suhosin.memory_limit when raising the PHP limits (see #7035).
Added two missing exclude flags in the tl_page data container (see #7522).
Send a UTF-8 charset header in the die_nicely() function (see #7519).
Correctly validate dates in the Widget class (see #7498).
Back-port the fixes from #7475 and #7473.
Send the same cache headers for cached and uncached pages (see #7455).
Fix the current() expects parameter 1 to be array issue (see #6739).
Correctly replace the *_teaser insert tags (see #7488).
Adjust the last and previous login labels (see #7426).
Unset the postUnsafeRaw cache in Input::setPost() (see #7481).
Fixed a potential directory traversal vulnerability.
Fixed a severe XSS vulnerability. In this context, the insert tag flags
base64_encode and base64_decode have been removed.
Handle nested insert tags in strip_insert_tags().
Correctly store the model in Dbafs::addResource() (see #7440).
Send the request token when toggling the visibility of an element (see #7406).
Always apply the IE security fix in the Environment class (see #7453).
Correctly handle archives being part of multiple RSS feeds (see #7398).
Correctly handle 0 in utf8_convert_encoding() (see #7403).
Send a 301 redirect to forward to the language root page (see #7420).
Always pass a DC object in the toggleVisibility callback (see #7314).
Correctly render the "read more" and article navigation links (see #7300).
Consider the useSSL flag of the root page when generating URLs (see #7390).
Fixed the FAQ sorting in the back end (see #7362).
Added the Widget::__isset() method (see #7290).
Correctly handle dynamic parent tables in the DC_Table driver (see #7335).
Correctly shorten HTML strings in String::substrHtml() (see #7311).
Updated MooTools to version 1.5.1 (see #7267).
Updated swipe.js to version 2.0.1 (see #7307).
Use an .invisible class which plays nicely with screen readers (see #7372).
Handle disabled modules in the module loader (see #7380).
Fixed the "link_target" insert tag.
Updated the ACE editor to version 1.1.6 (see #7278).
Fix the Database::list_fields() method (see #7277).
Correctly assign "col_first" and "col_last" in the image gallery (see #7250).
Allow floating point numbers in "number" input fields (see #7257).
Do not adjust the start time of past events (see #7121).
Reset the image margins if it exceeds the maximum image size (see #7245).
Reset $blnPreventSaving when a model is cloned (see #7243).
Do not reload after storing CURRENT_ID in the session (see #7240).
Correctly validate the page number of the versions menu (see #7235).
Handle underscores in the Google+ vanity name (see #7241).
Correctly handle the rem unit when importing style sheets (see #7220).
Fix two issues with the extension repository theme.
Use DOMDocument::loadXML() instead of DOMDocument::load() (see #7192).
Specify the font size in rem for modern browsers (see #7209).
Make sure the default language file is loaded in the DCA extractor (see #7202).
Do not add unpublished FAQs to the XML sitemap (see #7210).
Preserve new lines when replacing simple tokens (see #7178).
Always prevent saving if PageModel::loadDetails() is executed (see #7199).
Use === to compare password hashes (see #7175).
Correctly mark GET parameters as used (see #7185).
Correctly apply the "disabled" attribute to input unit fields (see #7147).
Correctly check the permission to edit multiple files (see #7157).
Correctly handle other MySQL character sets (see #7140).
Correctly recognize Opera Mobile in the Environment class (see #5869).
Fix the grid offset for articles (see #7166).
Restore the basic entities in the source editor (see #7170).
Correctly build the breadcrumb trail in the style sheets module (see #7132).
Do not associate the "use SSL" option with sitemaps only (see #7163).
URL encode the pipe character in the Google web font URL (see #7120).
Handle double quotes in the title attribute of the <link> element (see #7124).
Use the save_callback when generating multiple aliases (see #7114).
Update SwiftMailer to version 5.2.1 (see #7110).
Correctly handle double quotes in comments (see #7102).
Ignore hidden files when building the internal cache (see #7098).
Correctly pass the insert ID of the undo record (see #6234).
Replace insert tags in external redirect targets (see #6765).
Also apply the font settings to the ACE element (see #7103).
Show the placeholder image in the "edit file" dialog if the original image exceeds the maximum dimensions supported by the GD library (see #7032).
Preserve whitespace before <textarea> tags when minifying code (see #7087).
Restore the PHP 5.3 compatibility of the listing module (see #7078).
Do not offer to drop tables or fields if the safe mode is active (see #7085).
Correctly detect binary fields during theme export (see #7079).
Make $this->locationLabel available in the event list (see #7030).
Correctly set the root page title (see #7023).
Only show the sort hint if there is more than one element (see #6935).
Try to raise the PHP limits upon file synchronization (see #7035).
Correctly urlencode folder names in the file manager (see #6925).
Update MooTools to version 1.5.0 (see #6924).
Allow for up to 13 characters in Validator::isEmail() (see #6950).
Only fall back to the default option if there is no POST data (see #6899).
Do not override the event start time in Events::addEvent() (see #6701).
Correctly detect binary fields during theme import (see #6852).
Do not urldecode twice in DC_Folder (see #6840).
Standardize the fallback behavior of the downloads/gallery element (see #6662).
Correctly hide duplicated elements in the module wizard (see #6826).
Fix the mediabox "imgBackground" option (see #6866).
Strip double quotes in the options wizard (see #6919).
Strip the insert tag flags before passing the tag name to the hooks (see #6860).
Catch Swift exceptions when sending form data via e-mail (see #6941).
Update the back end date picker to version 2.2.0.
Update ACE to version 1.1.3.
Check for reserved article aliases before validating the alias name (see #6978).
Store the UUID of uploaded files in the session (see #6986).
Only assume a moved file or folder for new resources (see #6907).
Correctly strip the file extension in the File class (see #6968).
Remove the menu when Swipe.kill() is executed (see #6861).
Consider the protocol when embedding YouTube videos (see #6900).
Fixed a critical vulnerability of the install tool (see #6855).
Filter disabled groups in the registration module in the front end (see #6757).
Work around a bug in SimplePie with the "skip items" option (see #6107).
Fix the Swipe "continuous" option if there are exactly two slides (see #6812).
Apply addslashes() to strings in the Config class (see #6808).
Do not empty all fallback fields in sorting mode 4 (see #6498).
Do not allow template names to be longer than the DB fields (see #6819).
Correctly set the start time of a multi-day event (see #6802).
Correctly handle OR queries in the listing module (see #6344).
Use a monospaced font for the plain text newsletter preview (see #6790).
Adjust the vScrollTo() offset if the paste hint is visible (see #6478).
Add the "href" values for active breadcrumb menus to the template (see #6796).
The file/page tree widget did not work properly in "edit multiple" mode (#6788).
Preserve the referer ID when clicking the "switch to edit" button (see #6127).
Encode e-mail addresses in the "explanation" form field (see #6771).
Use a placeholder image if no thumbnail can be created (see #6754).
Pass additional arguments to the "replaceInsertTags" hook (see #6672).
Correctly initialize the Session class (see #6747).
Do not use Input::setGet() in the event modules (see #6733).
Correctly shorten the CSS background property (see #6709).
Do not use UNION SELECT when searching for parent pages (see #6704).
Disable zlib.output_compression when sending files to the browser (see #6717).
Consider the event time in the event list module (see #6719).
Make the newsletter recipient address available in the template (see #5782).
Correctly handle Unicode characters in Validator::isGooglePlusId (see #6707).
Fixed the arguments of two CalendarEventsModel methods (see #6781).
Pass the "tableless" flag to the "form_message" template (see #6772).
Update the swipe.js script so the "continuous" option works (see #6762).
Improve the Search::removeEntry() method (see #6785).
Correctly set the cookie path in the front mode in debug mode (see #6723).
Point to Frontend::addToUrl() in front end templates (see #6736).
Do not stop the cron job execution after the first interval.
Fix another weakness in the Input class and further harden the deserialize()
function. Thanks to Martin Auswöger for his input.
Further harden the deserialize() function and the Input class (see #6724).
Correctly load the parent pages in the navigation modules (see #6696).
Correctly encode URLs with GET parameters in the syndication links (see #6683).
Do not pass POST data to the deserialize() function, so it is not vulnerable
to PHP object injection. Thanks to Pedro Ribeiro for his input (see #6695).
Allow any character in passwords, especially the less-than symbol (see #6447).
Purge the image cache if a file is being renamed (see #6641).
Preserve tags in custom CSS definitions (see #6667).
Make the swipe CSS selectors more specific (see #6666).
Correctly optimize floating-point numbers in style sheets (see #6674).
Updated the Russian translation of the TinyMCE "typolinks" plugins (see #6224).
Do not create multiple stylect layers upon Ajax changes.
Some DCAs were missing the "rem" unit (see #6634).
Correctly trim the SQL statements in the Database class (see #6623).
Fix some broken back end icons (see #6214).
Show a hint in the news archive menu if there are no items (see #5888).
Prevent the back end tool tips from exceeding the screen width (see #6639).
Support the Google+ vanity name in addition to the numeric ID (see #6454).
Correctly detect Android tablets in the Environment class (see #5869).
Correctly resolve the module dependencies (see #6606).
Correctly unset the PHP session cookie depending on its parameters.
Fixed the XHTML variant of the comments form (see #5675).
Correctly assign articles to columns (see #6595).
Correctly merge the CSS classes in the Hybrid class (see #6601).
Correctly resize the mediaboxAdvanced in IE11 (see #6504).
Set the correct status header for cached files (see #6585).
Correctly set the empty value depending on the DB field (fixes #6550, #6544).
Prevent saving of detached models (see #6506).
Correctly determine the ACE editor's height (see #6578).
Always fall back to English if a language does not exist (see #6581).
Correctly display repeated events in the event list (see #6555).
Correctly show the available layout columns in the article module (see #6548).
Correctly show the "read more" link in the news list modules (see #6439).
Updated html5shiv to version 3.7.0 (see #6543).
Support browsers with both mouse and touch support in the back end (see #6520).
Correctly handle multiple RadioTable widgets on the same page (see #6389).
Fixed two issues with the SQL cache (see #6507).
Do not require a redirect page for newsletter channels (see #6521).
Use the related field instead of id in the model query builder (see #6540).
Correctly support insert tags nested in shortened "iflng" tags (see #6509).
Do not require a foreign key to define a relation in the DCA (see #6524).
Use UUIDs as parent IDs in Dbafs::addResource() (see #6532).
Correctly set the default language (see #6533).
Correctly update the order fields in the database updater (see #6534).
Do not override the "href" property in addImageToTemplate() (see #6468).
Correctly handle URLs if page aliases are disabled (see #6502).
Handle UUIDs in Model::getRelated() (see #6525).
Hide records with only one version from the "changed elements" overview.
Use an auto-resizing textarea to store CSS selectors.
Updated the ACE editor to version 1.1.2.
Prevent the ACE editor from overlapping the modal window (see #6497).
Use the default back end theme when running in safe mode (see #6505).
Updated TinyMCE to version 3.5.10 to fix the IE11 issues (see #6479).
Optionally override the repository tables when importing a template (see #6470).
Only do the UUID conversion once even if the Database\Updater helper methods
are called multiple times (see #6481).
Correctly toggle the mobile/desktop view (see #6227).
Correctly detect UUIDs in the "file" insert tag (see #6472).
Correctly assign images to FAQs (see #6465).
Improved the speed and memory footprint of the news archive menu (see #6463).
Removed CalendarEventsModel::findBoundaries() (see #6467).
Handle UUID strings in the UUID related FilesModel methods (see #6445).
Applied some minor fixes to the database installer.
Split the routines to convert database fields to UUIDs into separate methods:
Database\Updater::convertSingleField($table, $field)
Database\Updater::convertMultiField($table, $field)
Database\Updater::convertOrderField($table, $field)
Correctly show the folder protection status in the file picker (see #6433).
Correctly protect newly created folders (see #6432).
Correctly generate HTTPS URLs in the sitemap (see #6421).
Added the missing "sqlGetFromDca" hook (see #6425).
Support CSS selectors up to 1022 characters long (see #6412).
Support UUIDs in FilesModel::findByPk(), FilesModel::findById() and
FilesModel::findByMultipleById() to be backwards compatible.
Set the correct empty value depending on the database field type (see #6424).
URL decode image paths when exporting to PDF (see #6411).
Do not add news and event URLs to the sitemap if the target page is exempt from the sitemap (see #6418).
Allow special characters in Validator::isUrl() (see #6402).
Sort the list of available modules (see #6391).
Standardize the user home directory name upon registration (see #6394).
Correctly handle "enum" fields in the database installer (see #6387).
Do not load a page from cache if a user is (potentially) logged in.
Skip empty locale strings when building the language cache.
Slightly increased the contrast in the back end.
Fixed the ACE version number and added an inverted theme (see #6101).
Correctly handle "includeBlankOption" and numeric columns (see #6373).
Correctly detect IE11 in the Environment::agent() method (see #6378).
Disable the maintenance mode if a back end user is logged in (see #6353).
Correctly detect Android tablets in the Environment class (see #5869).
Create a new version if an element type changes (see #6363).
Purge the internal cache in the install tool (see #6357).
Add all resize modes to the TinyMCE thumbnail image screen (see #6362).
Correctly add the parameters to the TinyMCE thumbnail image (see #6361).
Disable HTML5 form validation in "select multiple" mode (see #6354).
Convert binary UUIDs to their hex equivalents in the diff view (see #6365).
Do not allow creating website root pages outside the root level (see #6360).
Updated jQuery to version 1.10.2 and jQuery UI to version 1.10.3 (see #6367).
Correctly link to FAQs using the "faq" insert tag.
Correctly mark checkboxes and radio buttons as mandatory (see #6352).
Add the "onclick" event to the "select all" checkbox (see #6314).
Only show the news/event source options if the user is allowed to access the fields required to configure those options (see #5498).
Added the "getAttributesFromDca" hook (see #6340).
Add the "maintenance mode" and automatically enable it when an extension is installed, upgraded or removed (see #4561).
Correctly handle "toggle visibility" and drag and drop requests via Ajax.
Correctly display nested wrapper elements (see #5976).
Added the "isVisibleElement" hook to determine whether an element is visible in the front end (see #6311).
Handle tables without keys in Database::listFields() (see #6310).
Allow FAQ categories without a redirect page (see #6226).
Create a new version of a record if a sorting field changes (see #6285).
Show the teaser text of redirect events in the event list (see #6315).
Support the "autocomplete", "autocorrect", "autocapitalize" and "spellcheck" attributes in the Widget class, so they can be set in the DCA (see #6316).
Added some validation logic to the Result::data_seek() methods (see #6319).
Model::__callStatic() now also supports "countBy" (see #5984).
// new magic method
$count = PageModel::countByPid(3);
// will be mapped to
$count = PageModel::countBy('pid', 3);
Updated mediaelement.js to version 2.13.1 (see #6318).
Correctly handle slashes and empty strings in the TinyMCE link tab.
Order the template list alphabetically (see #6276).
Simplified the "iflng" insert tags (see #6291). You can now omit every closing
{{iflng}} tag but the last one, e.g.:
{{iflng::de}}Hallo Welt{{iflng::en}}Hello world{{iflng}}
Updated Colorbox to version 1.4.31 (see #6309).
Create new UUIDs when duplicating files or folders (see #6301).
Correctly handle booleans, null and empty strings in the Validator (see #6287).
Correctly assign the user's home directory (see #6297).
Move the "create IDE compat file" logic to a command line script (see #6270).
Added a model registry (thanks to Tristan Lins) (see #6248).
Added the "compileFormFields" hook (see #6253).
Append the article ID to the CSS ID if there is no alias (see #6267).
Use a PHP variable for the user agent in the back end (see #6277 and #3074).
Updated TCPDF to version 3.0.38 (see #6268).
Correctly show the "toggle page status" icon (see #6282).
Use a "show details" button in the file manager (see #6262).
Use the micro clearfix hack in the CSS framework (see #6203).
Convert binary UUIDs to hex when using them in SQL statements (see #6265).
Convert binary data to UUIDs in DC_Table::show() (see #6257).
Allow defining custom layout sections in the page layout (see #2885).
Added the custom layout sections positions "top" and "bottom" (see #2885).
Use serialized arrays to store order field data (see #6255).
Do not strip leading numbers from file names (see #6189).
Hide the script hint if a user cannot access the layout module (see #6190).
Correctly generate image links (see #6249).
Added the convenience method PageModel::getFrontendUrl() (see #6184).
Removed the TinyMCE spell checker (see #6247).
Do not show dates in the past if a recurring event has not expired (see #923).
Pass the ID of the tl_undo record to the "ondelete_callback" (see #6234).
Added the "br" insert tag to insert line breaks (see #6143).
Do not alter the order of the UUID chunks (no optimized order).
Make usernames case-sensitive.
Added a system/docs/UPGRADE.md file to document API changes (see #6236).
Send an "X-Ajax-Location" header to redirect upon Ajax requests (see #5647).
Added new DCA table config flags (see #5254):
closed: no new rows can be added at all
notEditable: the rows cannot be edited
notDeletable: the rows cannot be deleted
notSortable: the order of the rows cannot be altered (new)
notCopyable: existing rows cannot be duplicated (new)
notCreatable: prevents creating rows but allows duplicating rows (new)
The closed flag hence is a combination of notCreatable and notCopyable.
Always show the save buttons in the modal windows (see #5985).
Add the CSS classes "first" and "last" to articles/content elements (see #2583).
The form generator now supports defining a minimum input length (see #4394).
If you are running Contao via an SSL proxy server, you can now set the proxy server domain in the back end settings (see #4615).
Allow altering any button set via the "buttons_callback" (see #4691). This includes any edit, edit multiple, select or upload form and also includes the option to unset or replace the default buttons.
[BC-BREAK] If you have been using the "buttons_callback" in version 3.0 or 3.1, you will have to adjust your code to reflect the changes!
Show the release notes when installing or upgrading an extension (see #5058).
Add an arc_[archive-id] CSS class to all news list items (see #4998).
You can now define a list of trusted proxy server IPs in the back end settings to improve identifying the user's remote address (see #5830).
Use COLLATE utf8_bin instead of varbinary to preserve case-sensitivity.
Back end users can now store their Google+ profile ID, which will then be used
to add a rel="author" link in FAQs and news items (see #4914).
Render the file tree view based on the eval flags "isGallery" and "isDownloads" instead of making it depend on the "type" column (see #5884).
Add tooltips to the preview height togglers (see #6213).
Use translatable error screens wherever the application dies.
Show the 404 page of the language fallback website if the requested language does not exist (see #5709).
Added the "nullIfEmpty" flag to the "eval" section of the DCA (see #6186).
Only cache the languages which are in use (see #6013).
The "file" insert tag now also handles UUIDs (see #5512).
<img src="{{file::bb643d42-0026-ba97-11e3-ccd6e14e1c8a}}" alt="">
The insert tag can also be used in the internal style sheet editor.
Purge the search index if a page is deleted (see #5897).
Pass additional parameters to the "insertTagFlags" hooks (see #5806).
Added a generic Model::findMultipleByIds() method (see #5805).
Updated slimbox to version 1.8 (see #5747).
Show error messages if a user is logged into the install tool (see #5001).
Support using closures as DCA callbacks (see #5772).
$GLOBALS['TL_DCA']['tl_content'] = array
(
    'config' => array
    (
        'onload_callback' => array
        (
            function($dc) {
                // Your custom code
            },
            array('tl_content', 'showJsLibraryHint')
        )
    )
);
Templates now support adding callables (see #6176).
$this->Template->sum = function($a, $b) {
    return $a + $b;
};
<?php echo $this->sum(3, 4); ?>
Remove the left-over uses of inactiveModules (see #6142).
Consider all extensions when scanning for fileTree fields (see #6058).
Use unique IDs in the database assisted file system (see #5757).
Optionally follow redirects in the Request class.
$request = new Request();
$request->redirect = true;
$request->send("http://domain.tld/script.php");
Add basic authorization support to the Request class (see #6062).
Wrap the SQL statements in the install tool in a scrollable div (see #6100).