v0.9.3

XSS vulnerability fixed. Please update.

Security

• Fix an XSS (cross-site-scripting) vulnerability in index.php - CVE-2018-5249

v0.8.5

XSS vulnerability fixed. Please update.

Security

• Fix an XSS (cross-site-scripting) vulnerability in index.php - CVE-2018-5249

v0.9.2

Major security issue fixed. Please update.

Added

• Tag search now supports wildcards *
• New setting privacy.force_login which can be used with privacy.hide_public_links to redirect anonymous users to the login page.
• New setting general.default_note_title used to override default Note: title prefix for notes.
• Add a version hash for asset loading to prevent browser's cache issue

Changed

• The "Remember me" checkbox is unchecked by default
• The default value of the "Remember me" checkbox can be configured under data/config.json.php

Removed

• Remove obsolete PHP magic quote support

Fixed

• Generates a permalink URL if the URL is set to blank
• Replace links to the old GitHub wiki with ReadTheDocs URIs
• Use single quotes in the note bookmarklet
• Daily page if there is no link
• Bulk link deletion with a single link
• HTTPS detection behind a reverse proxy
• Travis tests environment and localization
• Improve template paths robustness (trailing slash)
• Robustness: safer gzinflate/zlib usage
• Description links parsing with parenthesis (without Markdown)
• Templates:
  • Sort the tag cloud alphabetically
  • Firefox social title
  • Improved visited link color
  • Fix jumpy textarea with long content in post edit

Security

• Vulnerability introduced in v0.9.1 fixed.

v0.9.1

The documentation has been migrated to ReadTheDocs:

• https://shaarli.readthedocs.io/
• edits are submitted as pull requests

Added

• Allow bulk link deletion
• Display subtags in the tag cloud
• Add an endpoint to refresh the token
• Add a token on every page
• Add a tag list view for management
• Add Note bookmarklet
• Add creation date when editing a link

Changed

• Documentation:
  • Generate static HTML documentation with mkdocs
  • Host documentation on ReadTheDocs
  • Update documentation structure
  • Update Makefile targets to:
    • Build the docs locally
    • Include the generated docs in the release archives
• Theme:
  • Use the new theme as the default
  • Rename the tag cloud template to tag.cloud.html
  • Display visited links in grey
  • Use only one search form in linklist.html
  • Hide the "search links with these tags" option when an empty searchtags is passed to tag.list.html
• Improve HTTP header handling when hosting Shaarli with Docker behind a reverse proxy
• Searching for tags with an empty value returns untagged links only
• Set Travis environment to precise until the new trusty environment is ready

Removed

• Remove dead Pubsubhubbub code
• Disable the GitHub wiki (see changed/documentation)
• Remove Docker dev image and resources
• Theme:
  • Remove the bottom "Sort by" menu in tag.list.html

Fixed

• Fix file existence check for user.css
• Limit selection to 2k characters when using the bookmarklet
• Fix JS error uncaught type error
• Fix Firefox Social button
• Use pinned PHP dependencies when generating release archives
• Make sure that the tag exists before altering/removing it

Security

• Add a whitelist for protocols for URLs

v0.9.0

This release introduces the REST API, and requires updating HTTP server
configuration to enable URL rewriting, see:

• https://shaarli.github.io/api-documentation/
• https://github.com/shaarli/Shaarli/wiki/Server-configuration

WARNING: Shaarli now requires PHP 5.5+.

Added

• REST API v1
  • Slim framework
  • JSON Web Token (JWT) authentication
  • versioned API endpoints:
    • /api/v1/info: get general information on the Shaarli instance
    • /api/v1/links: get a list of shaared links
    • /api/v1/history: get a list of latest actions
      Theming:
  • Introduce a new theme
  • Allow selecting themes/templates from the configuration page
  • New/Edit link form can be submitted using CTRL+Enter in the textarea
  • Shaarli version is displayed in the footer when logged in
• Add plugin placeholders to Atom/RSS feed templates
• Add OpenSearch to feed templates
• Add campaign_ to the URL cleanup pattern list
• Add an AUTHORS file and Makefile target to list authors from Git commit data
• Link imports are now logged in data/ folder, and can be debug using dev.debug=true setting.
• composer.lock is now included in git file to allow proper composer install
• History mechanism which logs link addition/modification/deletion

Changed

• Docker: enable nginx URL rewriting for the REST API
• Theming:
  • Move user.css to the data folder
  • Move default template files to a subfolder (default)
  • Rename the legacy theme to vintage
  • Private only filter is now displayed as a search parameter
  • Autocomplete: pre-select the first element
  • Display daily date in the page title (browser title)
  • Timezone lists are now passed as an array instead of raw HTML
• Move PubSubHub to a dedicated plugin
• Coding style:
  • explicit method visibility
  • safe boolean comparisons
  • remove unused variables
• The updater now keeps custom theme preferences
• Simplify the COPYING information
• Improved client locale detection
• Improved date time display depending on the locale
• Partial namespace support for Shaarli classes
• Shaarli version is now only present in shaarli_version.php
• Human readable maximum file size upload

Removed

• PHP < 5.5 compatibility
• ReadItYourself plugin

Fixed

• Ignore generated release tarballs
• Hide default port when behind a reverse proxy
• Fix a typo in the Markdown plugin description
• Fix the presence of empty tags for private tags and in search results
• Fix a fatal error during the install
• Fix permalink image alignment in daily page
• Fix the delete button in editlink
• Fix redirection after link deletion
• Do not access LinkDB links by ID before the Updater applies migrations
• Remove extra spaces in the bookmarklet's name
• Piwik plugin: Piwik URL protocol can now be set (http or https)
• All inline JS has been moved to dedicated JS files
• Keep tags after login redirection

Security

• Markdown plugin: escape HTML entities by default

v0.7.1

Security

• Markdown plugin: escape HTML entities by default

v0.8.4

Security

• Markdown plugin: escape HTML entities by default

v0.8.3

Fixed

• PHP 7.1 compatibility: add ConfigManager parameter to anti-bruteforce function call in login template.

v0.8.2

Fixed

• Editing a link created before the new ID system would change its permalink.

v0.8.1

Note: this version will create an automatic backup of your database if anything goes wrong.

Added

• Add CHANGELOG.md to track the whole project's history
• Enable Composer cache for Travis builds
• Save the last edition date for shaares and use it in Atom/RSS feeds
• Plugins:
  • Add an Isso plugin to enable user comments on permalinks
  • Allow defining init functions, e.g. for performing checks and error processing
  • Add a Piwik plugin for analytics.
  • Markdown: add warning notice regarding HTML rendering
• Meta tag to not send the referrer to external resources.

Changed

• Link ID complete refactoring:
  • Links now have a numeric ID instead of dates
  • Short URLs are now created once and can't change over time (previous URL are kept)
• Templates:
  • Changed placeholder behaviour for: buttons_toolbar, fields_toolbar and action_plugin
  • Cleanup {loop} declarations in templates
  • Tools: hide Firefox Social button when not in HTTPS
  • Firefox Social: show Shaarli's title when shaaring using Firefox Social
• Release archives now have the same structure as GitHub-generated archives:
  • archives contain a Shaarli directory, itself containing sources + dependencies
  • the tarball is now gzipped
• Plugins:
  • Markdown: Parsedown library is now imported through Composer
• Minor code cleanup: PHPDoc, spelling, unused variables, etc.
• Docker: explicitly set the maximum file upload size to 10 MiB

Fixed

• Fix the server <self> value in Atom/RSS feeds
• Plugins:
  • Tools: only display parameter description when it exists
  • archive.org: do not propose archival of private notes
  • Markdown:
    • render links properly in code blocks
    • bug regarding the nomarkdown tag
  • W3C compliance
• Use absolute URL for hashtags in RSS and ATOM feeds
• Docker: specify the location of the favicon
• ATOM feed: remove new line between content tag and data

Security

• Allow whitelisting trusted IPs, else continue banning clients upon login failure