- Fixed a self-induced XSS via the user's display name, reported on HackerOne.
- HTTP/1.1 in response headers.
- Fixed dead code in Skyport landing.
- HackerOne #181210:
.onion URLs. If this malfunctions, there is a
nonzero risk of MITM attack (because HTTPS wasn't enforced on
- HackerOne #181225:
Prevent phishing attacks via pages opened with
- HackerOne #181315:
Consistently use binary-safe string functions.
- Cryptographically associate account recovery tokens with the row ID
of the user who requested the reset. This means that updating the
userid column of an existing recovery token will not allow you to
log in as the arbitrary user.
- Allow users, groups, blog post categories, author profiles,
and series to be deleted.
- You can now configure how emails are sent out. All of the options
currently provided by Zend\Mail.
- All CMS Airship cookies send a Same-Site header (strictly). This
adds another layer of resilience against CSRF attacks.
- Implemented a framework for importing data (i.e. password hashes)
into a CMS Airship project. This will allow users to log in with
their old password, when Airship only knows the old password hash.
- In addition to being able to change the name of a blog category or
author, you can also update the slug (and optionally create a
redirect from the old slug to the new one).
- You can now override the footer text.
- Implemented a View History feature for Blog Posts.
- You can now create user accounts from the Bridge.
- Update Gregwar/RST to v1.0.3 to prevent LFI attacks.
- Fixed a few bugs that caused the installer to fail in weird ways
during a fresh install (i.e. for Docker users).
- If you don't specify a subheader in the blog config, nothing will be
- If an author's biography is empty, the "About the Author" section
will not be displayed. In a future version, we may change this
behavior to be dependent on the status of a checkbox rather than the
non-emptiness of the biography field.
- Hide "Uncategorized" from the right menu if there are no blog posts
without a category.
- Fixed issues with date/time handling that broke post editing.
- Fixed the regular expression in the required attribute that caused
browsers to prevent form submission.
- The "default format" is now respected by the forms that support
different input formats.
- Created a button to purge the caches.
- Hid the link to view blog post history, as that feature was
overlooked. We'll implement it in version 1.4.0.
- Some image types can be viewed directly instead of always forcing a
download. The enforcement logic is a whitelist (that gadgets can
Also, this runs an autorun script that was overlooked in preparing the v1.3.0 update. If you had broken symlinks for the new Motifs, this will fix it automatically.
- Significant UI/UX improvements.
- Redesigned the Bridge UI to be more suitable for a control panel.
- The left menu in the Bridge is now collapsible, but automatically
opens the sections which indicate your current location in the
- Update Halite to 2.2.0.
- Added a WhiteList filter, which is a strict typed alternative to
- Extension developers can now make their motifs configurable by
- We no longer display the database password on the databases page.
This has always only been accessible to administrators, but now it
is write-only from the web interface.
- If an exception is thrown by the part of code that loads the logger,
and the database driver was selected, it will no longer silently
produce a white screen.
- You can now control the date/time a blog post is published.
- Added the "slug" field to the "Create New Blog Post" form.
- In addition to expiring after a set period of time, account recovery
URLs can only be used once. This brings the feature in line with the
expected behavior.
- Bootstrap (JS/CSS framework) was removed, as we don't use it.
- Dependency update (e.g. HTMLPurifier 4.8.0).
- Added logic to the Airship updater to attempt to run
(if we can) if an update includes a
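
The two account recovery changes listed above (tokens cryptographically associated with the row ID of the requesting user, and recovery URLs that expire and can only be used once) can be sketched as follows. This is an added example, not CMS Airship's own code: the HMAC construction, the in-memory array standing in for the token table, and the names issueToken and redeemToken are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration, not CMS Airship code. The HMAC construction, the array
// standing in for the token table, and all names here are assumptions.

/** Store a token row whose MAC covers selector, user row ID, expiry and secret. */
function issueToken(array &$db, string $key, int $userId, int $now, int $ttl = 3600): string
{
    $selector = bin2hex(random_bytes(12));
    $verifier = random_bytes(32);          // secret half, only ever sent to the user
    $expires  = $now + $ttl;
    $db[$selector] = [
        'userid'  => $userId,
        'expires' => $expires,
        'mac'     => hash_hmac('sha256', "$selector|$userId|$expires|" . $verifier, $key, true),
    ];
    return $selector . ':' . bin2hex($verifier);
}

/** Return the user ID the token was issued for, or null if it must be refused. */
function redeemToken(array &$db, string $key, string $token, int $now): ?int
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !isset($db[$parts[0]])
        || strlen($parts[1]) !== 64 || !ctype_xdigit($parts[1])) {
        return null;
    }
    $row = $db[$parts[0]];
    unset($db[$parts[0]]);                 // single use: the row is consumed on first lookup
    if ($now > $row['expires']) {
        return null;
    }
    // Recompute over the row's current userid and expiry: an edited column no longer matches.
    $data = "{$parts[0]}|{$row['userid']}|{$row['expires']}|" . hex2bin($parts[1]);
    $mac  = hash_hmac('sha256', $data, $key, true);
    return hash_equals($row['mac'], $mac) ? $row['userid'] : null;
}

$key = random_bytes(32);                   // constructed key; keep the real one outside the database
$db  = [];
$token = issueToken($db, $key, 7, 1000);
var_dump(redeemToken($db, $key, $token, 1001));      // first use by user 7
var_dump(redeemToken($db, $key, $token, 1002));      // same URL again
$token = issueToken($db, $key, 7, 1000);
$db[explode(':', $token)[0]]['userid'] = 1;          // simulate an edited userid column
var_dump(redeemToken($db, $key, $token, 1001));      // row now claims user 1
```

The first redemption succeeds; the reused URL and the row with the edited userid are both refused, because the key used for the MAC is not stored in the database.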