CHANGELOG.md

Change log

4.4.57 (2021-08-23)

  • Correctly encode HTML comments, <script> and <style> tags (see #3333).
  • Add support for namespaced attributes (see #3330).
  • Fix the "iflng" and "ifnlng" insert tags (see #3332).
  • Do not show the urlattr flag for rgxp url fields (see #3331).
  • Improve compatibility with JSON in attributes (see #3328).
  • Do not encode special characters if no tags are allowed (see #3327).

4.4.56 (2021-08-11)

  • Prevent privilege escalation with the form generator (CVE-2021-37627).
  • Prevent PHP file inclusion via insert tags (CVE-2021-37626).
  • Prevent XSS via HTML attributes in the back end (CVE-2021-35955).

4.4.55 (2020-12-04)

  • Trigger the onload_callback when featuring news (see #2531).
  • Trigger the onload_callback in the "password" and "change password" modules (see #2471).
  • Handle Composer 2 when reading the installed.json file (see #2470).
  • Evaluate unknown simple tokens (see #2453).
  • Use binary comparison when looking for aliases in the database (see #2427).

4.4.54 (2020-10-07)

  • Correctly detect unknown options (see #2360).
  • Support legacy console scripts in the initialize.php (see #2344).

4.4.53 (2020-09-25)

  • Fix picker for providers with insert tags (see #2353).
  • Correctly protect new folders (see #2340).

4.4.52 (2020-09-24)

  • Prevent insert tag injections in forms (CVE-2020-25768).
  • Fix picker deselecting filtered elements (see #2296).
  • Consider symlinks when saving the localconfig.php (see #2209).
  • Do not reindex pages with the same checksum (see #2276).
  • Correctly generate the name for the hidden field in the select menu (see #2275).
  • Fix the limit toggler behavior in "select multiple" mode (see #2268).
  • Fix the stop time in the DB queries (see #2255).
  • Correctly generate nested folder URL aliases (see #2129).
  • Correctly find published pages in the findSearchablePages() method (see #2217).
  • Use a temporary status code to redirect to the language root (see #2216).
  • Preserve unknown options in select and checkbox widgets (see #2215).
  • Use the active record in the protectFolder() callback (see #2194).
  • Handle the subject query string when encoding/decoding e-mails (see #2191).
  • Add a List-Unsubscribe header to newsletters (see #2189).
  • Add an index to tl_form_field.invisible (see #2192).
  • Add the assets URL to non-combined files (see #2180).
  • Fix returning a potentially wrong image dimension from the cache (see #2166).
  • Show the SQL import error message (see #2163).

4.4.51 (2020-08-10)

  • Correctly apply custom CSS in the ContentModule class (see #2082).
  • Make cookies secure if the request is secure (see #2117).
  • Show the module type if the name is not available (see #2107).
  • Use getClassFromTable() in the Model::createModelFromDbResult() method (see #2075).
  • Pass the column to the getArticle() method in the ContentArticle class (see #2076).
  • Show the filename in the versions overview (see #2034).
  • Correctly generate the filter menu if the breadcrumb menu is active (see #2036).
  • Add the CSV mime type and set Content-Type in File::sendToBrowser() (see #2020).
  • Fix the textarea height (see #2004).
  • Fix the search highlighting performance (see #2001).
  • Add a useful exception when a hook class is invalid/missing (see #1949).

4.4.50 (2020-07-09)

  • Correctly symlink the TCPDF config file in the monorepo (see #1868).
  • Correct "user" to "member" or "visitor" (see #1601).
  • Use the filesize units translation in search results (see #1910).
  • Fix back end layout problems in various browsers (see #1824).
  • Remove the redirect status type from the 403 and 404 page (see #1810).
  • Skip invalid UTF-8 path names in the file manager (see #1825).
  • Prevent arbitrary column renaming in the schema update (see #1731).
  • Correctly generate the "first" and "last" class for articles and elements (see #1803).
  • Reset the lock timeout and login count when resetting a password (see #1724).
  • Correctly track if the container config files exist (see #1772).
  • Fix notices for empty database result sets (see #1741).

4.4.49 (2020-05-13)

  • Do not flush the template output buffer (see #1728).
  • Add a "rawValue" property to the TextArea class (see #1714).
  • Deprecate the "group" option in the query builder (see #1704).
  • Set "information_schema_stats_expiry=0" in MySQL 8 (see #1700).
  • Do not set the X-Mailer header in emails anymore (see #1688).
  • Skip the "initializeSystem" hook if the temp folder does not yet exist (see #1685).
  • Do not randomly encode email addresses (see #1687).
  • Improve the search query performance (see #1678).
  • Add rel="noreferrer noopener" to external targets (see #1415).

4.4.48 (2020-04-02)

  • Correctly execute kernel events for initialize.php (see #1410).
  • Ensure that the login icons are always visible in Firefox (see #1611).
  • Add a 5-second timeout to the CAPTCHA widget (see #1560).
  • Hide unsynchronized folders in the picker (see #1571).
  • Consistently use "news feed" and "calendar feed" instead of "RSS feed" (see #1567).
  • Correctly check the permissions to create new FAQs (see #1566).
  • Fix duplicate version numbers (see #1564).
  • Only index successful responses (see #1559).
  • Allow comparing against any template if a prefix is unknown (see #1555).
  • Check if DBAL connection is available from .env configuration (see #1547).
  • Correctly handle URL suffix when redirecting page IDs (see #1503).
  • Revert the document.write() changes (see #1424).

4.4.47 (2020-02-17)

  • Replace document.write() in the back end templates (see #1329).
  • Fix the initial table sorting in the "table" content element (see #1315).
  • Improve the Contao\Database\Result class (see #1287).
  • Fix the top navigation overflow (see #1302).
  • Fix checking for binary strings in the version comparison (see #1294).
  • Correctly find unactivated members (see #1258).
  • Urlencode the path returned by the "file::uuid" insert tag (see #1268).
  • Fix the custom response status code in Symfony 3.4 (see #1204).

4.4.46 (2019-12-17)

  • Prevent information disclosure in the back end (see CVE-2019-19712).
  • Prevent unrestricted file uploads (see CVE-2019-19745).
  • Set img width/height attributes as an aspect ratio (see #940).
  • Always warm the English language cache (see #1040).
  • Check if a template exists when inheriting templates (see #1016).
  • Use the status code 307 to redirect on the logout page (see #1041).
  • Sort the custom layout sections by their position (see #1042).
  • Correctly trigger kernel response events when handling exceptions (see #1020).
  • Do not catch Swift exceptions when submitting forms (see #1017).
  • Correctly compare order fields in the diff view (see #1002).

4.4.45 (2019-11-04)

  • Reduce the number of DB queries in the picture factory (see #921).
  • Hide the breadcrumb menu if the node is not within the given path (see #888).
  • Also export the media type(s) when exporting style sheets (see #905).
  • Only hide newsletter channels without redirect page in the web modules (see #907).
  • Quote the identifiers in the back end filter menu (see #906).
  • Use a monospace font in the diff view (see #904).
  • If there are no unsynchronized folders, do not show an info message (see #897).
  • Distinguish between XML and HTML sitemap (see #879).
  • Re-index the array of modules after unsetting keys to prevent inconsistencies (see #834).

4.4.44 (2019-10-01)

  • Prevent regular users from enabling the template editor for themselves (see #749).
  • Use the robots metadata to determine whether to add a page to the XML sitemap (see #501).
  • Do not versionize the file name and path (see #694).
  • Update the comments notification URL if it has changed (see #373).
  • Hide the "generate aliases" button if the alias field has not been enabled (see #771).
  • Show only the active columns in the module wizard (see #765).
  • Fix the pagination menu in the versions overview (see #752).
  • Reset unique fields when restoring a version (see #698).

4.4.43 (2019-09-05)

  • Handle renamed files in the version overview (see #671).
  • Hide the username if the initial version is auto-generated (see #664).
  • Set the e-mail priority if it has been given (see #608).
  • Also show the breadcrumb menu if there are no results (see #660).
  • Correctly replace literal insert tags (see #670).
  • Increase the alias field lengths (see #678).
  • Retain origId in chained alias elements (see #635).
  • Check if the theme preview image exists (see #636).

4.4.42 (2019-08-15)

  • Fix the shift key checkbox selection in the picker (see #578).

4.4.41 (2019-07-16)

  • Correctly hide running events in the event list.
  • Correctly apply the sorting flags in the list and parent view (see contao/core-bundle#1536).
  • Purge the search index when a page alias changes (see #472).
  • Show only newsletter channels with redirect page in the newsletter list module (see #494).
  • Use scssphp/scssphp instead of leafo/scssphp (see #506).
  • Hide empty legends in the member_grouped.html5 template (see #514).

4.4.40 (2019-05-21)

  • Ignore the query string when marking pages as "active" (see #480).
  • Do not cache file downloads in the HTTP cache (see #460).
  • Fix the "Recreate the symlinks" maintenance task (see #462).
  • Do not inherit cache timeouts on error pages (see #231).

4.4.39 (2019-04-30)

  • Prevent SQL injections in the file manager search (see CVE-2019-11512).
  • Correctly handle dates in the news bundle (see #436).
  • Also show future news items if the "show all news items" option is selected (see #419).

4.4.38 (2019-04-10)

  • Correctly copy multiple events into an empty calendar (see #427).
  • Correctly check the permissions to create form fields (see #414).
  • Fix the save callback in the back end password module (see #429).
  • Correctly handle dates in the calendar bundle (see #428).

4.4.37 (2019-04-09)

  • Invalidate the user sessions if a password changes (see CVE-2019-10641).

4.4.36 (2019-03-25)

  • Make custom layout section titles and IDs mandatory (see #341).
  • Prevent using reserved layout section IDs in custom layout sections (see #301).
  • Show the video elements headline in the back end preview (see #382).

4.4.35 (2019-02-21)

  • Fix the format selection in the image size widget (see #315).
  • Ignore a .public file in the root files directory (see #286).
  • Correctly load MooTools via CDN (see #318).
  • Do not double decode URL fragments (see #321).
  • Correctly replace insert tags if the page contains invalid characters (see #349).

4.4.34 (2019-01-24)

  • Validate the primary key when registering or saving a model (see #230).
  • Exempt the "page" insert tag from caching (see #284).
  • Correctly sort the tree view records if there is an active filter (see #269).
  • Fix two routing issues (see #263, #264).

4.4.33 (2019-01-16)

  • Support comma separated values in Model::getRelated() (see #257).
  • Do not check the user's file permissions in the template editor (see #224).
  • Do not show pretty errors if "text/html" is not accepted (see #249).
  • Return null in Model::findMultipleByIds() if there are no models (see #266).
  • Restore compatibility with Doctrine DBAL 2.9 (see #256).

4.4.32 (2018-12-19)

  • Correctly check the permission to move child records as non-admin user (see #247).
  • Do not parse form templates twice (see #214).

4.4.31 (2018-12-13)

  • Prevent information disclosure through incorrect access control in the back end (see CVE-2018-20028).

4.4.30 (2018-12-04)

  • Fix a compatibility issue with Doctrine DBAL 2.9 (see #212).

4.4.29 (2018-11-22)

  • Do not convert line breaks in table cells if there are HTML block elements (see #159).
  • Automatically enable image sizes created by regular users (see contao/core#8836).
  • Handle unknown languages in the meta editor (see #127).

4.4.28 (2018-10-31)

  • Correctly rebuild the symlinks in the maintenance module (see #150).

4.4.27 (2018-10-31)

  • Check the member status when sending newsletters (see contao/core#8812).
  • Fix the schema.org markup of the breadcrumb menu (see contao/core-bundle#1561).
  • Allow setting the target directory when installing the web directory (see #142).
  • Correctly render the back end forms in Firefox (see #79).
  • Show the info messages in the DropZone uploader (see #83).

4.4.26 (2018-09-20)

  • Fix an error when creating new pages (see #63).

4.4.25 (2018-09-18)

  • Correctly detect Chrome on iOS in the environment class (see #61).
  • Optimize generating sitemaps (see contao/core#6830).
  • Use min-height for .w50 widgets in the back end (see contao/core#8864).
  • Prevent arbitrary code execution through .phar files (see CVE-2018-17057).

4.4.24 (2018-09-05)

  • Ignore the "uncached" insert tag flag in the unknown insert tags (see #48).
  • Make the ID of the subscription modules unique (see #40).
  • Use the correct table when handling root nodes in the picker (see #44).

4.4.23 (2018-08-28)

  • Replace the Set-Cookie header when merging HTTP headers (see #35).

4.4.22 (2018-08-27)

  • Do not merge the session cookie header (see #11, #29).
  • Update the list of countries (see #12).

4.4.21 (2018-08-13)

4.4.20 (2018-06-26)

  • Make the session listener compatible with Symfony 3.4.12.

4.4.19 (2018-06-18)

4.4.18 (2018-04-18)

  • Fix an XSS vulnerability in the system log (see CVE-2018-10125).
  • Correctly highlight all keywords in the search results (see contao/core-bundle#1461).
  • Log unknown insert tag (flags) in the system log (see contao/core-bundle#1182).

4.4.17 (2018-04-04)

4.4.16 (2018-03-08)

4.4.15 (2018-03-06)

4.4.14 (2018-02-14)

4.4.13 (2018-01-23)

4.4.12 (2018-01-03)

4.4.11 (2017-12-28)

4.4.10 (2017-12-27)

4.4.9 (2017-12-14)

4.4.8 (2017-11-15)

  • Prevent SQL injections in the back end search panel (see CVE-2017-16558).
  • Prevent SQL injections in the listing module (see CVE-2017-16558).
  • Support class named services in System::import() and System::importStatic() (see contao/core-bundle#1176).
  • Only show pretty error screens on Contao routes (see contao/core-bundle#1149).

4.4.7 (2017-10-12)

4.4.6 (2017-09-28)

4.4.5 (2017-09-18)

4.4.4 (2017-09-05)

  • Show the form submit buttons at the end of the form instead of at the end of the page.
  • Do not add the referer ID in the Template::route() method (see contao/core-bundle#1033).
  • Correctly read the newsletter channel target page in the newsletter list (see contao/newsletter-bundle#7).

4.4.3 (2017-08-16)

4.4.2 (2017-07-25)

4.4.1 (2017-07-12)

4.4.0 (2017-06-15)

4.4.0-RC2 (2017-06-12)

4.4.0-RC1 (2017-05-23)

4.4.0-beta1 (2017-05-05)