Fix the save callback in the back end password module (see #429).

Invalidate the user sessions if a password changes (see CVE-2019-10641).

Correctly check the permission to move child records as non-admin user.

Prevent information disclosure in the back end (see CVE-2018-20028).

Prevent arbitrary code execution through .phar files (see CVE-2018-17057).

Correctly reset the autologin data upon logout (#8868).

Remove support for deprecated user password hashes (see #8889).

Fix an XSS vulnerability in the system log (see CVE-2018-10125).

Check the registry for table prefixed queries (see contao/core-bundle#1161).

Improve the folder hashing performance (see #8856).

Reset the autologin hash if the username or password changes (see #8843).

Correctly encode the sitemap URLs (see #8849).

Also pass $this in the "customizeSearch" hook (see #8841).

Quote reserved words in database queries (see #8813).

Require ircmaxell/password-compat to remain compatible with PHP 5.4.

Fix an XSS vulnerability in the newsletter module (see CVE-2018-5478).

Do not remove old subscriptions not related to the channels (see #8824).

Backport the password algorithm changes from Contao 4 (see #8820).

Prevent SQL injections in the back end search panel (see CVE-2017-16558).

Filter multi-day events outside the scope in the event list (see #8792).

Correctly show multi-day events if the shortened view is disabled (see #8782).

Correctly handle unencoded data images in the Combiner (see #8788).

Do not add a suffix when copying if the "doNotCopy" flag is set (see #8610).

Use the module type as group header if sorted by type (see #8402).

Always show the "show from" and "show until" fields (see #8766).

Encode the username when opening the front end preview as a member (see #8762).

Prevent arbitrary PHP file inclusions in the back end (see CVE-2017-10993).

Improve the accessibility of the CAPTCHA widget (see #8709).

Fixed the iOS scrolling bug in the simple modal script (see #8708).

Correctly cache the unique keys in the SQL cache (see #8712).

Revert the Punycode library changes (see #8693).

Prevent endless loops in the book navigation module (see #8665).

Limit the maximum size of dimensionless SVGs in the back end (see #8684).

Correctly handle custom namespaces when combining DCA files (see #8682).

Also check the X-Forwarded-Proto header when determining HTTPS (see #8691).

Correctly support 64 character template names everywhere (see #6819).

Updated the Punycode library to version 2 (see #8693).

Correctly use the en dash in the calendar modules (see #8690).

Remove the UTF-8 BOM when combining files (see #8689).

Do not add the CORS headers in the install tool (see #8681).

Correctly move folders with an "@" in their name (see #8674).

Correctly redirect to the last page visited upon login (see #8632).

Back port the e-mail extraction improvements (see #8679).

Only show error messages to authenticated users in the install tool (see #8666).

Always show the modal windows in full height (see #8631).

Support cross domain requests when rebuilding the search index (see #8597).

Correctly store numbers with leading zero in the Config class (see #4035).

Delete an old search entry if the new URL is more canonical (see #8647).

Also make Folder::$dirname an absolute path again (see #8325).

Support using namespaces and use statements in DCA/config files (see #8635).

Correctly handle SVGZ files in the file manager (also fixes #8624).

Revert the download element changes (see #8620).

Handle non-numeric values when calculating the image margin (see #8617).

Correctly generate the download elements in the back end (see #8620).

Prevent an endless redirect loop if the page alias is "/" (see #8560).

Correctly parse German dates with two digit years in MooTools (see #8593).

Correctly add new resources to the user/group permissions (see #8583).

Trigger the auto-submit function in the date picker (see #8603).

Call the load callback when loading page/file picker nodes (see #7702).

Update SwiftMailer to version 5.4.5 (fixes CVE-2016-10074).

Correctly show running repeated events in the event list (see #8588).

Improve the PHP 7.1 compatibility.

Keep the root nodes order in the page selector (see #8577).

Do not output invalid option values in widget error messages (see #8594). Thanks to Pascal Gerundt for finding and reporting the issue.

Correctly parse english dates in MooTools (see #8573).

Only evaluate hasDetails() and hasText() upon the first call.

Cache the PageModel::findPublishedFallbackByHostname() results (see #8544).

Correctly redirect to the website root page (see #8552).

Continue rebuilding the search index if there are errors (see #8541).

Correctly "toggle select" nodes that are loaded via Ajax (see #8535).

Show running events in the event list again (see #8497).

Correctly calculate the maximum length of tl_files.name (see #8536).

Correctly add the headline if a content element is versionized (see #8502).

Optimize the DCA sorting filter for date fields (see #8485).

Do not show version entries of deleted files (see #8480).

Redirect the empty URL depending on language and alias name (see #8498).

Apply specialchars() to widget attributes (see #8505).

Updated the Ace code editor to version 1.1.9.

Handle special characters in passwords when creating an admin user (see #8512).

Queue the requests when rebuilding the search index (see #8449).

Handle special character passwords in the "close account" module (see #8455).

Handle broken SVG files in the Image and File class (see #8470).

Reduce the maximum field length by the file extension length (see #8472).

Fall back to the field name if there is no label (see #8461).

Do not assume NULL by default for binary fields (see #8477).

Correctly render the diff view if not the latest version is active (see #8481).

Update the list of countries and languages (see #8453).

Correctly set up the MooTools CDN URL (see #8458).

Also check the URL length when determining the search URL (see #8460).

Only regenerate the session ID upon login.

Check if a reader page is protected when generating a sitemap (see #8416).

Support all characters but =!<> and whitespace in simple tokens (see #8436).

Check the user's permission when generating links in the picker (see #8407).

Handle forward pages without target in the navigation modules (see #8377).

Stop the event recurrence if the upper boundary is reached (see #8445).

Show upcoming events if the first occurrence is in the past (see #8447).

Update MooTools to version 1.5.2.

Provide the same template variables for downloads and enclosures (see #8392).

Handle %n when parsing date formats (see #8411).

Fix the module wizard's accessibility (see #8391).

Correctly initialize TinyMCE in sub-palettes in Firefox (see #3673).

Validate form field names more accurately (see #8403).

Correctly show the ctime, mtime and atime of a folder (see #8408).

Correctly index changed pages (see #8439).

Always store the UUID of an uploaded file (see #8421).

Strip soft hyphens when indexing a page (see #8389).

Update mediaelement.js to version 2.21.2 (fixes CVE-2016-4567).

Validate the settings when loading a recurring event (see #8286).

Also check for the back end cookie when loading from cache (see #8249).

Unset "mode" and "pid" upon save and edit (see #8292).

Always use the relative path in DC_Folder (see #8370).

Use the correct empty value when resetting copied fields (see #8365).

Remove the "required" attribute if a subpalette is closed (see #8192).

Correctly generate the feed links in a multi-domain setup (see #8329).

Correctly calculate the maximum file size for DropZone (see #8098).

Do not adjust the start date of a multi-day event (see #8194).

Versionize and show password changes (see #8301).

Make File::$dirname an absolute path again (see #8325).

Store the full URLs in the search index (see contao/core-bundle#491).

Standardize the group names in the checkbox widget (see #8002).

Prevent models from being registered twice (see #8224).

Prevent horizontal scrolling in the ACE editor (see #8328).

Correctly render the breadcrumb links in the template editor (see #8341).

Remove the role attributes from the navigation templates (see #8343).

Do not add role="tablist" to the accordion container (see #8344).

Correctly handle files with uppercase file extensions (see #8317).

Correctly pass the channel ID to the newsletter list template (see #8311).

Do not encode the database password (see #8314).

Fixed adding new folders in the file manager (see #8315).

Always trigger the "isVisibleElement" hook (see #8312).

Do not change all sessions when switching users (see #8158).

Do not allow to close fieldsets with empty required fields (see #8300).

Make the path related properties of the File class binary-safe (see #8295).

Always allow to navigate to the current month in the calendar (see #8283).

Correctly validate and decode IDNA e-mail addresses (see #8306).

Do not add the debug bar resources if hideDebugBar is enabled (see #8307).

Skip forward pages entirely in the book navigation module (see #5074).

Do not add the X-Priority header in the Email class (see #8298).

Fix an error message in the newsletter subscription module (see #7887).

Determine the search index checksum in a more reliable way (see #7652).

Prevent the autofocus attribute from being added multiple times (see #8281).

Respect the SSL settings of the root page when generating sitemaps (see #8270).

Read from the temporary file if it has not been closed yet (see #8269).

Always use HTTPS if the target server supports SSL connections (see #8183).

Adjust the meta wizard field length to the column length (see #8277).

Correctly handle custom mime icon paths (see #8275).

Only log errors that have been configured to get logged (see #8267).

Show the 404 error page if an unpublished article is requested (see #8264).

Correctly count the URLs when rebuilding the search index (see #8262).

Ensure that every image has a width and height attribute (see #8162).

Set the correct mime type when embedding SVG images (see #8245).

Handle the "float_left" and "float_right" classes in the back end (see #8239).

Consider the fallback language if a page alias is ambiguous (see #8142).

Fix the error 403/404 redirect (see contao/website#74).

Re-add the $blnFixDomain argument to keep backwards compatibility.

Always fix the domain and language when generating URLs (see #8238).

Fix two issues with the flexible back end theme (see #8227).

Added new versioning hooks (see #8168).

• "oncreate_version_callback" (supersedes "onversion_callback")
• "onrestore_version_callback" (supersedes "onrestore_callback")

Correctly toggle custom page type icons (see #8236).

Fix the domain in all article, news, event and FAQ insert tags (see #8204).

Update mediaelement.js to version 2.19.0.1 (see #8217).

Correctly render the links in the monthly/yearly event list menu (see #8140).

Skip the registration related fields if a user is duplicated (see #8185).

Correctly show the form field type help text (see #8200).

Correctly create the initial version of a record (see #8141).

Correctly show the "expand preview" buttons (see #8146).

Correctly check that a password does not match the username (see #8209).

Check if a directory exists before executing mkdir() (see #8150).

Do not link to the maintenance module if the user cannot access it (see #8151).

Show the "new folder" button in the template manager (see #8138).

Correctly determine the protocol delimiter in Idna::encodeUrl().

Handle relative URLs when following redirects in the Request class (see #7799).

Correctly handle empty UUIDs when comparing versions (see #7971).

Remove the "required" attribute when setting up TinyMCE (see #8131).

Fix the domain when forwarding in the page controllers (see #8123).

Use the feed URL instead of the base URL for enclosures (see #8116).

Fix the <time> tags and standardize the event templates (see #8012).

Handle empty href attributes in the book navigation (see #8104).

Do not store e-mail addresses in the newsletter (un)subscription log.

Correctly encrypt fields upon registration (see #8110).

Correctly render required single checkboxes in the back end (see #7731).

Correctly store multi select menus if no value is selected (see #7760).

Prevent recursion when rendering 403/404 pages (see #8060).

Map the FileTree widget to FormFileUpload in the front end (see #8091).

Preserve the user input when loading image meta data (see #8108).

Show the "toggle all" buttons in "edit multiple" mode (see #5622).

Disable the gallery pagination if the images are sorted randomly (see #8033).

Set the correct empty value when copying elements (see #8064).

Correctly hide forward pages with no public subpages (see #8054).

Correctly render the page picker if the value starts with # (see #8055).

Correctly render the "group" option in the radio button and checkbox widgets.

Correctly set the ID when toggling fields via Ajax (see #8043).

Support call, sms and app hyperlinks when converting relative URLs (see #8102).

Correctly check if a folder is protected when loading subfolders.

Correctly check the synchronization status when copying or moving files.

Adjust the code to be compatible with PHP7 (see #8018).

Correctly show the UUID in the back end file manager popup (see #8058).

Do not add the back end language in the meta wizard (see #8056).

Do not add excluded files to the DBAFS if they are edited in the file manager.

Add the |flatten insert tag flag to handle arrays (see #8021).

Check for excluded folders in the back end file popup (see #8003).

Fixed a wrong option name when initializing sortables (see #8053).

Translate UUIDs to paths in the parent view header fields.

Trigger the options_callback for the parent view header fields (see #8031).

Correctly create the initial version of a member without username (see #8037).

Improve the performance of the debug bar (see #7839).

Correctly output the event details in the event_list template (see #8041).

Only modify empty href attributes in the nav_ template (see #8006, #8038).

Correctly show the group headlines in the repository DB updater (see #8020).

Improve the e-mail regex to also match the new TLDs (see #7984).

Ensure that the database port is not empty (see #7950).

Remove the left-over usages of $this->v2warning (see #8027).

Support the hasDetails variable in the event reader (see #8011).

Correctly handle dimensionless SVG images (see #7882).

Correctly fill in the image meta data in news, events and FAQs (see #7907).

Enable the strictMath option of the LESS parser (see #7985).

Consider the pagination menu when inserting at the top (see #7895).

Use en-dashes in event intervals (see #7978).

Store the correct edit URL in the back end personal data module (see #7987).

Adjust the breadcrumb trail when creating new folders (see #7980).

Use $this->hasText in news and event templates (see #7993).

Convert the HTML content to XHTML when generating Atom feeds (see #7996).

Correctly link the items in the files breadcrumb menu (see #7965).

Handle explicit collations matching the default collation (see #7979).

Fix the duplicate content check in the front end controller (see #7661).

Correctly parse dates in MooTools (see #7983).

Register the related models in the registry (see contao/core-bundle#333).

Correctly escape in the findMultipleFilesByFolder() method (see #7966).

Override the tabindex handling of the accordion to ensure that the togglers are always focusable via keyboard (see #7963).

Correctly generate the news and event menu URLs (see #7953).

Check the script when storing the front end referer (see #7908).

Fix the back end pagination menu (see #7956).

Handle option callbacks in the back end help (see #7951).

Fixed the external links in the text field help wizard (see #7954) and the keyboard shortcuts link on the back end start page (see #7935).

Fixed the CSS group field explanations (see #7949).

Use ./ instead of an empty href (see #7967).

Correctly detect Microsoft Edge (see #7970).

Respect the "order" parameter in the findMultipleByIds() method (see #7940).

Always trigger the "parseDate" hook (see #4260).

Allow to instantiate the InsertTags class (see #7946).

Do not parse the image src attribute to determine the state of an element, because the image path might have been replaced with a data: string (e.g. by the Apache module "mod_pagespeed").

Revert some of the PhpStorm code inspector changes (see #7937).

Add a StringUtil class to restore PHP 7 compatibility (see contao/core-bundle#309).

Fix the Validator::isEmail() method (see contao/core-bundle#313).

Strip tags before auto-generating aliases (see #7857).

Correctly encode the URLs in the popup file manager (see #7929).

Check for the comments module when compiling the news meta fields (see #7901).

Also sort the newsletter channels alphabetically in the front end (see #7864).

Disable responsive images in the back end preview (see #7875).

Overwrite the request string when generating news/event feeds (see #7756).

Store the static URLs with the cached file (see #7914).

Correctly check the subfolders in the hasAccess() method (see #7920).

Updated the countries list (see #7918).

Respect the notSortable flag in the parent (see #7902).

Round the maximum upload size to an integer value (see #7880).

Make the markup minification less aggressive (see #7734).

Filter the indices in Database::getFieldNames() (see #7869).

Back-ported two fixes from the upstream versions.

Updated TinyMCE to version 4.1.10.

Updated respimage to version 1.4.0.

Updated jQuery to version 1.11.3.

Updated Colorbox to version 1.6.1.

Consistently sanitize the names of uploaded files (see #7852).

Fixed loading cached pages with both a mobile and desktop layout (see #7859).

Omit the index.php fragment if the request string is empty (see #7757).

Adjust the edit URLs in the versions menu in "edit multiple" mode (see #7745).

Do not cache the login module if there is an error (see #7824).

Correctly handle encrypted rows (see #7815).

Only create a new version in the personal data module if something actually changed (see #7415).

Also fire the "modifyFrontendPage" hook when loading from cache (see #7457).

Fixed several minor issues with the registration module (see #7816).

Update the revision date if a member updates their personal data (see #7818).

Do not allow to restore versions in the back end user settings (see #7713).

Use the timestamp of an element to initialize its first version (see #7730).

Hide the "edit header" button if there are no editable fields (see #7770).

Make the "form_submit" templates overwritable again (see #7854).

Correctly inherit empty page permissions (see #6782).

Decode the GET parameters before setting them in the Input class (see #7829).

Fixed the "specified value 't' is not a valid email address" error (see #7784).

Correctly set data- or ng- attributes in the widgets (see #7772).

Correctly display the headline in the template editor (see #7746).

Make Validator::isValidUrl() RFC 3986 compliant (see #7790).

Fixed switching between the page and file picker in the URL wizard (see #5863).

Make the "the old password is incorrect" message translatable (see #7793).

Fix copying multiple items in parent view (see #7776).

Disable the "compare template" icon for folders (see #7802).

Fix the field order in the template diff view (see #7808).

Validate the coordinates in the Image::setImportantPart() method (see #7804).

Only add order fields of binary fields in the DCA extractor (see #7785).

Select multiple checkboxes by holding down the SHIFT key (see #7781).

Show versions even if there is only one (see #7730).

Loosely check the suhosin.memory_limit setting (see #7696).

Support specifying the database key length (see #7771).

Check for ASCII strings in the utf8_romanize() function (see #7748).

Controller::replaceInsertTags() is now public static.

Restore the removed attributes of the "picture_default" templates (see #7752).

Moved the insert tag logic into a separate class.

Show the upload limits in the file manager (see #7389).

Also export the image meta data when exporting themes (see #7480).

Improve the model registry (see #7725).

The templates now use short open tags.

Add a front end module to change the password (see #7418).

Allow to copy and move newsletter recipients across channels (see #7570).

Added the "newsListCountItems" and "newsListFetchItems" hooks (see #7694).

Added the "compileArticle" hook (see #7686).

Added the "picture" insert tag (see #7635 and #7718).

Stop ignoring notices by defaut now that the error level is configurable.

Updated respimage to version 1.3.0.

Updated jQuery UI to version 1.11.4.

Updated mediaelement.js to version 2.16.4.

Updated Colorbox to version 1.6.0.

Updated jQuery to version 1.11.2.

Updated HTML5Shiv to version 3.7.2.

Updated DropZone to version 3.12.0.

Updated the Ace code editor to version 1.1.8.

Also convert image links in TinyMCE to {{file}} insert tags (see #7581).

Support copying multiple records in the list view (see #7499).

Do not strip opening arrow brackets when stripping tags (see #3998).

Simplify the moo_mediabox templates (see #7521).

Always return the model in the File and Folder classes (see #7567).

Consistently ignore hidden system files (see #7536).

Make the calendar model available in the templates (see #7388).

Render the 404 page if the request contains an invalid date format (see #7545).

Always render the 404 page if a news/event/FAQ alias is invalid (see #7238).

Prevent calling a page via ID if there is a page alias (see #7661).

Use closures to lazy-load content elements in the news/event list (see #7614).

Optimized the database queries (see #7450 and #7710).

Add a log entry if a back end user switches to another account (see #7441).

Optionally use the ProxyRequest class in the automator (see #7681).

Add a unique index for member usernames, too (see #7701).

Add a diff view for custom templates (see #7599).

Added the "postAuthenticate" hook (see #7493).

Pass $arrFields as fourth argument in the "prepareFormData" hook (see #7693).

Return a boolean value in the *User::authenticate() method (see #7497).

Make count, page and keywords available in the search module (see #7577).

Added the "getPageStatusIcon" hook (see #7556).

Improve the cache handling for empty URLs (see #7618).

Improved the IDE compatibility (see #7634).