Skip to content
Permalink
master-v2
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
6394 lines (5282 sloc) 505 KB

Release Notes for Craft CMS 2.x

2.9.2 - 2020-03-06

Security

  • Added the sameSiteCookieValue config setting. (#4462)

2.9.1 - 2020-02-06

Fixed

  • Fixed a bug where the mcrypt_compat library was accidentally removed. (#5602)

Changed

  • Updated the mcrypt_compat library to 1.0.11.

2.9.0 - 2020-01-31

Changed

  • Updated Yii to 1.1.22.

2.8.0.2 - 2019-12-19

Fixed

  • Fixed a PHP error that occurred when editing an element with a Matrix field that had a nested Number field on PHP 7.4. (#5353)

2.8.0.1 - 2019-12-16

Fixed

  • Fixed an error that occurred when editing a custom field. (#5343)

2.8.0 - 2019-12-14

Added

  • Added PHP 7.4 compatibility.

Changed

  • Craft now requires PHP 5.5 or later.
  • Updated Twig to 1.42.4.

2.7.10 - 2019-07-24

Security

  • The preserveExifData config setting is now also applied on image upload, not just on transform.

2.7.9 - 2019-06-18

Fixed

  • Fixed a bug where users could not assign additional user groups to their own account if their permission to do so was granted by another user group they belonged to.

Security

  • Craft now redacts potentially sensitive values from the console output when running in Dev Mode.

2.7.8 - 2019-04-02

Changed

  • Updated Yii to 1.1.21.
  • Updated PhpMailer to 5.2.27.
  • Updated Litemoji to 1.4.4.
  • Updated mcrypt_compat to 1.0.9.

2.7.7.3 - 2019-03-26

Fixed

  • Fixed a bug where you could get incorrect cookie values.

2.7.7.2 - 2019-03-25

Changed

  • Updated Yii to 1.1.20.4.

2.7.7.1 - 2019-03-25

Fixed

  • Fixed another bug where CSRF validation was broken on servers running PHP 5.x.

2.7.7 - 2019-03-23

Fixed

  • Fixed a bug where CSRF validation was broken on servers running PHP 5.x.

Changed

  • Updated Twig to 1.38.4.

2.7.6 - 2019-03-15

Fixed

  • Fixed a bug where IOHelper::cleanFilename() could return inconsistent results.

Changed

  • Objects can no longer be unserialized from cookies.
  • Update Yii to 1.1.20.2.

2.7.5 - 2019-02-15

Changed

  • Suspended users are no longer shown when viewing pending or locked users. (#3556)

Fixed

  • Fixed a SQL error that could occur when merging two elements together if MySQL was set to a case-sensitive collation. (#3539)
  • Fixed a bug where element indexes wouldn’t return to the previous sort selection after the search input was cleared. (#3548)
  • Fixed a bug where password-reset email send errors weren’t being properly reported on the login page if the preventUserEnumeration config setting was enabled.
  • Fixed a bug where Edit User pages weren’t reporting email send errors when the “Send password reset email” option was chosen. (#3549)
  • Fixed an error that would occur when calling RelationsService::saveRelations() if $targetIds contained any empty values. (#3850)

Security

  • Fixed XSS vulnerabilities.
  • URLs are no longer allowed in users’ first or last names.

2.7.4 - 2018-11-27

Fixed

  • Fixed a PHP error that could occur in some cases when calling CategoriesService::getAllGroupIds() and getAllGroups() when getGroupById() had been called previously with an invalid category group ID.

Security

  • Update jQuery File Upload to 9.28.0.

2.7.3 - 2018-10-23

Changed

  • Single sections’ entry types’ handles are now updated to match their section’s handle whenever the section is saved. (#2824)
  • Animated GIF thumbnails are no longer animated. (#3110)
  • Craft now throws an exception if an asset is uploaded successfully but its record can’t be saved.
  • Updated jQuery Touch Events to 2.0.0.
  • Updated Garnish to 0.1.29.

Fixed

  • Fixed a bug where the Dev Mode indicator strip wasn’t visible on Chrome/Windows when using a scaled display. (#3259)
  • Fixed bug where an error would be logged if IOHelper::clearFolder() was called on an empty folder.

2.7.2 - 2018-08-24

Changed

  • Updated Garnish to 0.1.27.

Fixed

  • Fixed a PHP error that occurred on servers running PHP 5.4 - 5.5.

2.7.1 - 2018-08-23

Changed

  • Craft now throws an exception when validating a custom field that is missing its field type, rather than allowing a PHP error to occur.

Fixed

  • Fixed a PHP error that occurred when compiling templates with {% cache %} tags, on servers running PHP 7.2.

2.7.0 - 2018-07-31

Added

  • Added PHP 7.2 compatibility.
  • Added phpseclib/mcrypt_compat as a shim for Mcrypt compatibility for people running PHP 7.2+.

Changed

  • When uploading a file to an Assets field, Craft will automatically sort the file list to show the latest uploads first. (#2812)
  • Updated Twig to 1.35.4.
  • Updated Yii to 1.1.20.
  • Updated Garnish to 0.1.26.
  • Updated svg-sanitize to 0.9.0.
  • Updated LitEmoji to 1.4.1.

Fixed

  • Fixed a bug where Dropdown fields on an element index view could show an incorrect selected value in limited circumstances.
  • Fixed a bug where JsonHelper::sendJsonHeaders() was overriding the Cache-Control header even if it had already ben explicitly set. (craftcms/element-api#74)

2.6.3019 - 2018-06-29

Fixed

  • Fixed a bug where dropdowns in the Control Panel weren’t pre-selecting the correct value.

2.6.3018 - 2018-06-25

Changed

  • Updated Garnish to 0.1.24.
  • From now on the root folder for Local Asset Sources will be created, if it doesn't exist.
  • Leading/trailing whitespace characters are now stripped from element titles on save. (#3020)
  • The PHP Info utility no longer displays the original values for settings and only the current environment value. (#2990)

Fixed

  • Fixed a bug where Craft would show a nag alert in the Control Panel when the licensed edition wasn’t cached.
  • Fixed a bug where Dropdown fields could show an incorrect selected value in limited circumstances.
  • Fixed a PHP error that would occur when trying to access Asset Sources from the command line.

2.6.3017 - 2018-06-05

Changed

  • Improved the contrast of success and error notices in the Control Panel to meet WCAG AA requirements. (#2885)
  • Craft will no longer discard any preloaded elements when setting the with param on an ElementCriteriaModel, fixing a bug where disabled Matrix blocks could show up in Live Preview if any nested fields were getting eager-loaded. (#1576)
  • email.beforeSendEmail events now have a sent parameter, which can be set to true if a plugin has sent the email, and EmailService::sendEmail() should return true. (#2917)
  • Improved the performance of element queries when a lot of values were passed into a param, such as id, by using IN() and NOT IN() conditions when possible. (#2937)
  • Updated Redactor to 2.13.
  • Updated Garnish to 0.1.23.

2.6.3016 - 2018-05-15

Added

  • Added the preserveCmykColorspace config setting, which can be set to true to prevent images’ colorspaces from getting converted to sRGB on environments running ImageMagick.
  • Added the transformGifs config setting, which can be set to false to prevent GIFs from getting transformed or cleansed. (#2845)

Changed

  • Edit User pages will now warn editors when leaving the page with unsaved changes. (#2832)
  • Rich Text fields with the “Clean up HTML?” setting enabled now convert non-breaking spaces to normal spaces.
  • Error text is now orange instead of red. (#2885)
  • Updated Garnish to 0.1.22.

Removed

  • Removed ConfigService::getActivateAccountPath().
  • Removed ConfigService::getSetPasswordPath().
  • Removed ConfigService::getCpSetPasswordPath().

Fixed

  • Fixed an error that occurred when saving a Single entry over Ajax. (#2687)
  • Fixed a bug where the id param was ignored when used on an eager-loaded elements’ criteria. (#2717)
  • Fixed a bug where email verification links weren’t working for publicly-registered users if the registration form contained a Password field and the default user group granted permission to access the Control Panel.

2.6.3015 - 2018-04-06

Changed

  • Craft no longer displays an alert in the Control Panel if the currently installed edition is lower than the licensed edition.

Fixed

  • Fixed some UI issues with the upgrade modal.

2.6.3014 - 2018-04-04

Changed

  • Renamed the Personal edition to “Solo”.
  • Updated Redactor to 2.12.

Fixed

  • Fixed a bug where Rich Text fields weren’t respecting the toolbarFixed Redactor config option.
  • Fixed a bug where Rich Text fields would not honor the imageTag config setting when inserting an image.
  • Fixed a bug where the modifyAssetFilename hook was being run twice on asset upload. (#2624

Security

  • The preventUserEnumeration config setting is now applied to locked user accounts.
  • Fixed a bug where an exception could expose a partial server path in some circumstances.

2.6.3013 - 2018-03-23

Removed

  • Removed support for transferring a Craft license to the current domain. (Domain transfers can be done from Craft ID now.)
  • Removed support for transferring a Commerce license to the current Craft license, or unregistering a Commerce license from the current Craft license. (Plugin license registration can be done from Craft ID now.)

Fixed

  • Fixed a PHP error that could occur on case-sensitive file systems when loading RSS feeds. (#2514)
  • Fixed a PHP error that would occur when trying to use POP as an email protocol in Settings → Email in the Control Panel.
  • Fixed a PHP error that would occur when trying to delete an Asset with an ID that didn't exist.
  • Fixed a bug where any URL segments that only contained the number 0 were ignored, on paginated requests.

2.6.3012 - 2018-02-27

Changed

  • Craft now throws an exception if it detects that a max_input_vars error occurred. (#876)
  • Improved styles to support 5 levels of nested user permissions. (#2467)

Fixed

  • Fixed a bug where entry version data was not including newly-created Matrix block IDs, so they would be re-created from scratch when loading the version. (#2498)
  • Fixed an error that could occur if an email template included any Twig filters with a single underscore.
  • Fixed a bug where lightswitch inputs could trigger a change event when they didn’t actually change. (#2494)

2.6.3011 - 2018-02-21

Changed

  • Reverted the fix to (#2433) as it broke backwards compatibility.

Fixed

  • Fixed an error that occurred when displaying run charts in some cases.

2.6.3010 - 2018-02-20

Changed

  • The Control Panel now sets the origin-when-cross-origin referrer policy. (#2436)
  • Rich Text fields no longer parse reference tags that aren’t within a href or src attribute when displaying their form input, so the tags don’t get lost when the element is re-saved. (#1643)

Fixed

  • Fixed a bug where run charts (e.g. the New Users widget) would always show zero results if MySQL wasn’t configured with time zone data. (#2433)
  • Fixed a bug where the New Users widget would show 8 days worth of data when its Date Range setting was set to “Last 7 days” or “Last week”.
  • Fixed a bug where the New Users widget could be missing some data if the browser time zone wasn’t the same as the system time zone.

2.6.3009 - 2018-02-13

Added

  • Added StringHelper::encenc() and decdec().
  • Added the |encenc Twig filter.

Changed

  • The first column on user index tables is now labeled “User”, and there are now always dedicated “Username” and “Email” columns available. (#2417)

Fixed

  • Fixed a bug where Craft would not save newly-assigned license keys if a craft/config/license.key file existed, even if it didn’t contain a valid license key.
  • Fixed a bug where the “Save” button wasn’t visible on custom field layout tabs on Edit User pages.
  • Fixed a bug where Craft would issue unsaved data warnings when leaving edit pages, if the form data had been modified from the jQuery(document).ready() event. (#2428)

Security

  • Email passwords are now encrypted in email settings forms.

2.6.3008 - 2018-02-06

Changed

  • The Edit User page now shows the Permissions tab for users that have the “Assign user groups” permission, even if they don’t have the “Assign user permissions” permission.
  • Users with the “Assign user groups” permission no longer need explicit permission to assign a user group, if they already belong to it. (#2087)
  • Matrix blocks’ “Delete” option is now listed before all of the “New [Block Type] above” options. (#2400)

2.6.3007 - 2018-01-31

Fixed

  • Fixed some jQuery deprecation errors in the Control Panel.
  • Fixed a bug where Control Panel panes with sidebars weren’t expanding to the height of their content. (#2379)

2.6.3006 - 2018-01-30

Changed

  • Updated jQuery to 3.3.1 and added the jQuery Migrate plugin to maintain backwards compatibility with jQuery 2.
  • Tab and field names in Field Layout Designers are no longer displayed in all-uppercase. (#2360)
  • Fields in Field Layout Designers now have tool tips that reveal their handles. (#2360)
  • Asset thumbnails can now only be generated on Control Panel requests by logged-in users.
  • The Control Panel now prevents referrer information from being sent when following links, on supporting browsers.
  • Links within the Control Panel that point to a different hostname now open in a new window. (#1206)

Fixed

  • Fixed a bug where Tags fields weren’t getting any spacing between their field labels and inputs. (#2361)
  • Fixed a bug where Tags fields were encoding special characters on tag creation, and double/triple-encoding tag names in the UI. (#2369)
  • Fixed a bug where Craft might not delete elements for locales that they no longer support if Dev Mode is enabled.

2.6.3005 - 2018-01-23

Changed

  • Users’ field layouts can now have multiple tabs. (#892)
  • Assets fields now fail validation if a file was not uploaded successfully.

Fixed

  • Fixed a bug where replacing an Asset file would not delete the existing file in some cases.

2.6.3004 - 2018-01-16

Added

  • Added the onBeforeAuthenticate event. (#1161)
  • Added support for most Emoji characters in Plain Text fields, for servers running PHP 5.4 or later. (#1753)
  • Added LitEmoji 1.3.

Changed

  • Redactor’s toolbar is not fixed anymore. (#1745)

2.6.3003 - 2018-01-09

Fixed

  • Fixed some unexpected behavior when deleting a Matrix block for a field that had recently been made translatable. (#2245)
  • Fixed a bug where the Settings → Users → Fields page wasn’t warning users when leaving the page with unsaved changes. (#2265)
  • Fixed a bug where Dropdown and Radio Buttons fields were displaying their selected option’s value, rather than label, in element index tables. (#2282)
  • Fixed attribute:* and -attribute:* search queries when the default subRight search term option was enabled. (#2270)
  • Fixed a bug where native <select> menu options weren’t getting white backgrounds in Firefox or Internet Explorer on Windows 7 when using a Classic theme with a custom window color. (#2272)

2.6.3002 - 2018-01-02

Fixed

  • Fixed a bug where password reset URL prompts were showing the macOS keyboard shortcut on Windows computers. (#2258)
  • Fixed an error that broke Edit Entry HUDs.

2.6.3001 - 2018-01-02

Changed

  • URL patterns defined in craft/config/routes.php can now begin with a verb (e.g. POST some/path) to restrict the route to a specific request type.
  • Edit Entry pages for entries without a user-defined title now show the Title field anyway if it has any validation errors. (#2242)
  • Updated Twig to 1.35.0.
  • Updated SimplePie to 1.5.1.
  • Updated PEL to 0.9.6.
  • Updated svg-sanitize to 0.8.2.

Fixed

  • Fixed a bug where a PHP error could occur when accessing Category elements through a console command.
  • Fixed a bug where some IOHelper methods could create a folder with zero permission under specific circumstances.
  • Fixed some unexpected behavior when deleting a Matrix block for a field that had recently been made translatable, if the owner element hadn’t been resaved yet. (#2245)

Security

  • Fixed a Remote Code Execution vulnerability for people that have permissions to upload Assets in the Control Panel.
  • Fixed a vulnerability where image cleansing was not working for uploaded JPG files under specific conditions.

2.6.3000 - 2017-12-07

Changed

  • Craft.MatrixInput JavaScript objects are now accessible via $('.matrix').data('matrix'). (#2156)

Fixed

  • Fixed a race condition that could cause a PHP error when quickly saving multiple tasks.
  • Fixed a bug where ArrayHelper::stringToArray('0') would return an empty array instead of array('0'). (#2144)
  • Improved the performance of some queries to the templatecaches tables.

Security

  • Fixed a vulnerability that made it possible to access sensitive files.

2.6.2999 - 2017-11-29

Fixed

  • Fixed PHP 5.3 compatibility.

2.6.2998 - 2017-11-28

Changed

  • <select> inputs in the Control Panel now get the same custom styling in Firefox and IE/Edge that Chrome and Safari get.
  • Updated PhpMailer to 5.2.26.
  • Improved the performance of some queries to the templatecaches tables when the globally cache tag parameter was used with large amounts of data. (#2110)
  • Plugin settings values are now run through ModelHelper::packageAttributeValue() before getting saved, so things like DateTime objects get converted to JSON-safe values before getting JSON-encoded. (#2114)

Fixed

  • Fixed a bug where Craft would think that Rich Text field values had changed, even when they hadn’t, when leaving an edit page. (#2098)
  • Fixed a bug where Assets fields with large thumbnails were overlapping the following field in element editor HUDs. (#1802)
  • Fixed a bug where uppercase non-ASCII characters were not getting converted to their correct ASCII equivalents for element slugs, if the limitAutoSlugsToAscii config setting was enabled. (#2096)
  • Fixed a bug where Craft would re-install updates after reverting them.

Security

  • Fixed an XSS vulnerability in the Control Panel.

2.6.2997 - 2017-11-08

Fixed

  • Fixed a bug where Craft was saving entries when attempting to switch the entry type.

2.6.2996 - 2017-11-08

Added

  • Added UserGroupsService::getAssignableGroups().
  • Added UserPermissionsService::getAssignablePermissions().

Changed

  • The “Assign user groups and permissions” permission has now been split into “Assign user permissions” and “Assign user groups”, and the latter now has nested permissions for each of the user groups. (#2087)
  • Users with the “Assign user permissions” permission are no longer allowed to grant new permissions to user accounts that they themselves don’t already have. (#915)
  • If a user is not yet activated, but they have a password set on the account, then admins will no longer see the “Copy Activation URL” user administration option.

Fixed

  • Fixed a bug where DateTimeHelper::wasYesterday() was returning whether the timestamp was yesterday in UTC rather than in the system time zone. (#2086)
  • Fixed a bug where the autocomplete menu in Tags fields would sometimes not go away.
  • Fixed a bug where Craft would mistake users/sendPasswordResetEmail requests for users/login requests, if the Forgot Password form was submitted from the same path as the loginPath config setting.

2.6.2994 - 2017-10-31

Added

  • Added HttpRequestService::isSingleActionRequest().

Changed

  • Updated Imagine to 0.7.1.3, which now preserves image IPTC data when preserving EXIF data. (#2034)

Fixed

  • Fixed a bug where it was possible for logged-out users to access offline sites.
  • Fixed a bug where front-end URLs that were generated in the Control Panel were not getting trailing slashes if the addTrailingSlashesToUrls config setting was enabled.
  • Fixed a bug where some element rows might have not been deleted when they should have, if multiple elements were saved in a single request.
  • Fixed a PHP error that occurred when updating Craft on environments running PHP 7.1 and where ZipArchive wasn’t installed.
  • Fixed a PHP 7.1 compatibility issue when uploading some JPEGs while preserving EXIF data, on environments using GD.

2.6.2993 - 2017-10-18

Added

  • Added the preserveExifData config setting, which determines whether EXIF data should be discarded when transforming an image (defaults to false).

Changed

  • Client accounts are now allowed to access the edition upgrade modal.
  • Added an $ensureTempFileExists argument to UploadedFile::getInstanceByName(), which will cause the method to return null if the matching file had already been moved out of its temp location (defaults to true).
  • Added an $ensureTempFilesExist argument to UploadedFile::getInstancesByName(), which will filter out any files that have already been moved out of their temp locations (defaults to true).

Fixed

  • Fixed a PHP error that occurred if an empty array was passed to the relatedTo element criteria parameter.
  • Fixed a PHP error that occurred when uploading a file to an Assets field on the front-end. (#2018)
  • Fixed a bug where HttpRequestService::getQueryStringWithoutPath() wasn’t including duplicate param names in the returned string. (#2041)
  • Fixed a bug where Categories fields weren’t automatically adding all of a category’s ancestors when selecting a nested category, if any of its ancestors were disabled. (#2035)

2.6.2992 - 2017-10-13

Changed

  • Reduced the chance of a deadlock occurring on sites that have a high concurrent volume of element writes.
  • Updated Redactor II to 2.11.

Fixed

  • Fixed a bug where any plugin that listened to the onEndRequest event would be ignored.
  • Fixed a bug where assets uploaded to an Assets field by a front-end form would not get related to the element being saved if setContentFromPost() was called more than once. (#2018)
  • Fixed a bug where it was not possible to create tags with multiple words. (#2036)

2.6.2991 - 2017-09-29

Fixed

  • Fixed a MySQL error that could occur when saving a disabled element with a column value that was too large for its database column.
  • Fixed a PHP warning that could occur when submitting a non-numeric value for a Number field, on servers running PHP 7.
  • Fixed a bug where color inputs were really narrow in Safari 11. (#2010)
  • Fixed some buggy behavior on structured element index views when collapsing/expanding elements, if no elements had been collapsed before.

Security

  • Fixed an XSS vulnerability.

2.6.2990 - 2017-09-15

Changed

  • Added support for the application/font-woff2 MIME type (.woff2). (#1966)
  • div.matrixblock elements in the Control Panel now have a data-type attribute set to the Matrix block type’s handle. (#1915)
  • Global sets’ global template variables are now available to all templates rendered when the Template Mode is set to site. (#1953)

Fixed

  • Fixed a bug where you could get a PHP error uploading some JPG files on PHP 7.1.
  • Fixed a bug where user photos and site logos/icons were not taking into account the sanitizeSvgUploads config setting.
  • Fixed a CSRF validation error that would occur when attempting to re-login via the login modal in the Control Panel.
  • Fixed a bug where transforms could break sometimes on external asset sources that used path prefix.
  • Fixed a bug where transforms would not be deleted when an Asset was being moved in some cases.
  • Implemented a workaround for PHP bug #74980 that affected some Craft installs running PHP 7.1+.

Security

  • Fixed an XSS vulnerability.

2.6.2989 - 2017-08-15

Added

  • Added the onLockUser event, which fires when a user account is locked.

Fixed

  • Fixed a bug where the PHP and DB versions the Craft Support widget passed to GitHub would not escape tildes (~), potentially having Markdown confuse them for strikethrough markup delimiters.
  • Fixed a bug where it was possible for users to be redirected to a 404 in the Control Panel after logging in. (#1901)
  • Fixed a bug where users would get one extra login attempt than the maxInvalidLogins config setting was set to.

2.6.2988 - 2017-07-28

Changed

  • Added .m2t to the default allowedFileExtensions config setting value.
  • .m2t files are now treated as videos.
  • Images within field instructions are now given a max-width of 100%. (#1868)

Fixed

  • Fixed a PHP error that could occur when logging a deprecation error in DepreactorService.
  • Fixed a bug where Redactor was losing its custom styling in Live Preview and Element Editor modals. (#1795)
  • Fixed a bug where picturefill was not applied to thumbnails within lazy-loaded elements on element index pages.
  • Fixed a visual alignment bug on Tags fields.

Security

  • Fixed a bug where admins could download arbitrary zip files from the server.
  • Fixed a bug where a full server path would be disclosed if you were able to upload a file with a filename larger than 255 characters.

2.6.2987 - 2017-07-14

Changed

  • Added .jp2 and .jpx to the default allowedFileExtensions config setting value.
  • Plugin settings now get set once all plugin classes have been loaded.

Fixed

  • Fixed a PHP error that would occur when a Rich Text field’s settings referenced an asset source that no longer existed.
  • Fixed a PHP error that could occur when using HTML Purifier in a Rich Text field.

Security

  • Fixed an XSS bug in the Control Panel.

2.6.2986 - 2017-06-30

Changed

  • Improved the styling of locale menus on Edit Entry and Edit Categories pages. (#1803)
  • The Control Panel font-family declaration now checks for "Helvetica Neue" in addition to HelveticaNeue. (#1805)

Fixed

  • Fixed a bug where emails that had inner-word underscores would get converted to <em> tags if a HTML body was not provided in the email. (#1800)
  • Fixed a bug where the author of a draft could not delete their own draft if they did not have the “Publish Live Changes” permission.
  • Fixed a Twig error that could occur when editing a locked user account.
  • Fixed a bug where element source labels could get double-encoded.

2.6.2985 - 2017-06-27

Changed

  • DateTime::createFromString() now supports dates formatted with DateTime::ISO8601, which is incorrectly missing the colon between the hours and minutes in the timezone offset declaration (e.g. +0000 instead of +00:00).

Fixed

  • Fixed a bug where users would get an “Invalid Verification Code” error when clicking on the link in a verification email.

2.6.2984 - 2017-06-26

Added

  • Added the sanitizeSvgUploads config setting, which determines whether SVG files should be sanitized on uploads (true by default).

Changed

  • The assets.onReplaceFile event is now fired whenever a file is replaced, not only if it happens using the Replace file Asset action.
  • Updated HTML Purifier to 4.9.3.
  • Updated Redactor II to 2.7.

Fixed

  • Fixed a bug where changing a user account’s email address to one that is already taken would silently fail.
  • Fixed a bug where a validation error would occur when saving two routes with the same URL Pattern in different locales.
  • Fixed a JavaScript error that would occur after sending in a support request from the Craft Support widget.
  • Fixed a bug where Rackspace Asset Sources would corrupt files with trailing whitespaces when downloading them.
  • Fixed a SQL error that would occur when saving a Dropdown or Radio Buttons field if the default option’s value contained quotation marks.
  • Fixed a bug where asset upload prompts would not always reset between uploads.

Security

  • Fixed several XSS vulnerabilities in the Control Panel.

2.6.2983 - 2017-06-09

Changed

  • Date pickers’ “Previous” and “Next” buttons are now represented as arrows. (#1538)
  • Updated Yii to 1.1.19.

Fixed

  • Fixed a bug where doctype and XML declarations were getting stripped out of SVG files on upload. (#1767)

2.6.2982 - 2017-06-07 [CRITICAL]

Changed

  • Updated Redactor II to 2.6.
  • Updated Imagine to 0.7.1.
  • Craft now requires the PHP DOM extension when uploading SVG files.

Security

  • Fixed a potential user enumeration attack vector when authenticating a user.
  • Craft will now sanitize uploaded SVG files to prevent a potential XSS attack vector.

2.6.2981 - 2017-05-31

Changed

  • Improved the readability of field instructions.
  • Updated jQuery Timepicker to 1.11.11.

Fixed

  • Fixed a bug where clicking Enter/Return on a time field with a manually-entered time would change the value to the closest rounded time value. (#1720)
  • Fixed a bug where resaving Elements task would fail in some cases.
  • Fixed a bug where entries’ titles weren’t getting updated automatically after saving a Section, for Entry Types with dynamic titles. (#1728)
  • Fixed a bug where the Get Help widget would check for the existence of the log file path when trying to zip up site templates, if that option was selected.
  • Fixed a bug where the Edit Entry page wouldn’t show the current revision notes for the current entry if it was displaying any validation errors. (#1747)
  • Fixed a bug where the revision dropdown on the Edit Entry page would attribute the current version to the entry author, if version history wasn’t known for the entry. (#1746)

2.6.2980 - 2017-05-13

Fixed

  • Fixed a bug where action requests on the front-end were getting treated like CP requests in the TemplatesService, breaking Live Preview, and possibly other things.

2.6.2979 - 2017-05-12

Added

  • Added the new Craft Support widget.

Changed

  • The Field Layout Designer is now using the default font instead of the Coming Soon font. (#1537)
  • The entry revision dropdown on the edit entry page now shows the who edited the “Current” version along with the time. (#1650)
  • Craft now checks the template mode when it tries to resolve a template for a plugin.

2.6.2978 - 2017-05-02

Fixed

  • Fixed a bug where Title fields on new elements could display the class name of the element by default. (#1685)

2.6.2977 - 2017-05-02

Changed

  • Assets fields no longer attempt to guard against prepValueFromPost() getting called multiple times.
  • Updated Garnish to 0.1.18.

Fixed

  • Fixed a bug where Control Panel breadcrumbs where unclickable when a flash notification was visible. (#1675)
  • Fixed a bug where Assets fields could associate the same image to multiple elements, when saving large batches of elements at once. (#1673)
  • Fixed a bug where HUDs where briefly showing up in the top-left corner of the window before getting repositioned, particularly in Safari. (#1647)
  • Fixed a bug where saving customized element index settings could wipe out all the settings in rare cases.
  • Fixed a bug where elements that don’t have titles were incorrectly passing is empty tests in Twig.

2.6.2976 - 2017-04-27

Changed

  • The _layouts/cp.html Control Panel template now defines the #container element attributes within a containerAttributes block, so they can be overridden or added to from sub-templates. (#1665)

Fixed

  • Fixed a bug where HttpRequestService::getSegments() and getActionSegments() could return an array that started at a non-0 number allowing for a bypass of the XSS vulnerability fix in 2.6.2974.

Security

  • Fixed a bug where it was possible to view the contents of files in the craft/app/ folder via resource requests under certain conditions.
  • Fixed a potential security vulnerability that made it possible to fire off a forgot password email with a modified URL.

2.6.2974 - 2017-04-21

Changed

  • Entry and category edit pages will now show any validation errors attached to the parent attribute.
  • Updated Yii to 1.1.18.
  • Updated Twig to 1.33.2.

Fixed

  • Fixed timezone bug when requesting data for a run chart in \Craft\ChartHelper::getRunChartDataFromQuery()

Security

  • Fixed an XSS vulnerability.

2.6.2973 - 2017-04-17