Fix XSS vulnerability in pagination page number.
Rotate session ID after successful login.
Switch to auto-escaping of all template variables (see below). #2772
Scrub admin description fields. #2791
Front end improvements:
Improved 403 message, especially for private reports. #2511
Mobile users can now filter the pins on the /around map view. #2366
Maintain whitespace formatting in email report/update lists. #2525
Improve keyboard accessibility. #2542
Report form now indicates that details are kept private if report is made in a private category.
Upgrade jquery-validation plugin. #2540
Pass ‘filter_category’ param to front page to pre-filter map.
Remove on-map Permalink. #2631
Darken front page step numbers, and improve nested heading structure. #2631
Set report title autocomplete to off to prevent email autocompleting. #2518
Add map filter debouncing to reduce server requests. #2675
Add XSL to RSS feeds so they look nicer in browsers. #2736
Add per-report OpenGraph images. #2394
Display GPS marker on /around map. #2359
Use nicer default photo upload message. #2358
Remove pan control from mobile widths. #2865
Use category groups whenever category lists are shown. #2702
Display map inline with duplicate suggestions on mobile. #2668
Improved try again process on mobile. #2863
Improve messaging/display of private reports. #2884
Add a web manifest and service worker. #2220
Also check filter_category for category choice. #2893
Reduce duplicate Permalink.updateLink calls when zooming map. #2824
Hide ‘provide extra information’ preamble when no visible fields are present. #2619
Change ‘locate me automatically’ to ‘use my location’. #2615
Include ‘submit’ button at very bottom of report form when signing in during report
Provide ARIA roles for message controller box.
Add new roles system, to group permissions and apply to users. #2483
Contact form emails now include user admin links. #2608
Allow categories/Open311 questions to disable the reporting form. #2599
Improve category edit form. #2469
Allow editing of category name. #1398
Allow non-superuser staff to use 2FA, and optional enforcement of 2FA. #2701
Add optional enforced password expiry. #2705
Store a moderation history on admin report edit. #2722
Add user admin log page. #2722
Allow report as another user with only name. #2781
Allow staff users to sign other people up for alerts. #2783
Group categories on body page. #2850
Add admin UI for managing web manifest themes. #2792
Add a new "staff" contact state. #2891
Store staff user when staff make anonymous report. #2802
Record first time fixed/closed update sent to reporter in email.
Pre-filter ‘all reports’ by area for inspectors
Show open311 failure details in admin report edit page. #2468
New features:
Categories can be listed under more than one group #2475
OpenID Connect login support. #2523
Heatmap dashboard. #2675
Allow anonymous submission by a button, optionally per-category.
Prevent creation of two templates with same title. #2471
Fix bug going between report/new pages client side. #2484
Don't include private reports when searching by ref from front page.
Set fixmystreet.bodies sooner client-side, for two-tier locations. #2498
Fix front-end testing script when run with Vagrant. #2514
Handle missing category when sending open311 reports #2502
Fix label associations with category groups. #2541
Hide category extras when duplicate suggestions shown. #2588
Hide duplicate suggestions when signing in during reporting. #2588
Retain extra data if signing in during reporting. #2588
Have duplicate suggestion and assets coexist better. #2589
Don't include lat/lon of private reports in ‘Report another problem here’ link. #2605
Allow contact send method to be unset always. #2622
Fix z-index stacking bug that was causing unclickable RSS icons on /alert page. #2624
Fix issue with inspector duplication workflow. #2678
Fix removal of cached photos on moderation. #2696
Checking of cached front page details against database. #2696
Inconsistent display of mark private checkbox for staff users
Clear user categories when staff access is removed. #2815
Only trigger one change event on initial popstate. #2862
Fix error when hiding a user's updates with no confirmed updates. #2898
Sort reporting categories in display order. #2704
Do not clear asset attributes on category change.
Upgrade the underlying framework and a number of other packages. #2473
Add feature cobrand helper function.
Add front-end testing support for WSL. #2514
Allow cobrands to disable admin resending. #2553
Sass variables for default link colour and decoration. #2538
Make contact edit note optional on staging sites.
Store email addresses report sent to on the report. #2730
Add configuration for setting Content-Security-Policy header. #2759
Add banner on staging website/emails, and STAGING_FLAGS option to hide it. #2784 #2820
Do not hard code site name in database fixture. #2794
Ensure OS dependencies are kept updated in development environments. #2886
Enhance inactive scripts to act per-cobrand, or full deletion. #2827
Open311 improvements:
Support use of 'private' service definition to mark reports made in that category private. #2488
Ensure any reports fetched in a category marked private are also marked private on the site. #2488
Add new upload_files flag which sends files/photos as part of the POST service request. #2495
Allow description in email template with placeholder. #2470
Do not store display-only extra fields on new reports. #2560
Support receiving updates from external source. #2521
Improve JSON output of controller.
Unset external_status_code if blank in update. #2573
Add support for account_id parameter to POST Service Request calls.
Do not overwrite/remove protected meta data. #2598
Spot multiple groups inside a element. #2641
Always update problem state from first comment #2832
Backwards incompatible changes:
The FixMyStreet templating code will now escape all variables by default. If you need to output HTML in a variable directly, you will need to exempt it from escaping with the safe filter, e.g. [% some_html | safe %].