Version 2.2.21 - Sherbrooke ------------------------------- Core - General - Fixes BR 12714 inherited content Fields from a base templates are missing in child templates (backend edit); - Fixes BR 12713 Pages extended of a page base can't be edited, if they don't contain a {content} tag; - Fixes a typo in class ErrorPage: missing line break after #[\AllowDynamicProperties] directive; Version 2.2.20 - Saguenay ------------------------------- Core - General - Compatibility fixes for PHP 8.2 and 8.3; - Smarty upgraded to version 4.5.2 (latest of the stable 4.5.x branch); - Made some changes to keep backward compatibility with previous versions of Smarty; - Fixed BR #12683: we now truncate the item_name at 50 characters; - Moved php files with functions to a specific folder tidying up for further changes; - Deprecated cms_html_entity_decode: scheduled to be removed; PHP native html_entity_decode now supports UTF-8 properly; - Fixed BRs #12677 and #12703: UDTs errors are now handled more gracefully - the error being triggered is shown on the popup; - News module is no longer mandatory; - New module added to core (UserGuide); - Installer now supports optional modules (News and UserGuide); - MenuManager is no longer installed back on upgrades; Content Manager 1.1.13 - Fixed a typo in admin_editcontent.tpl; CmsJobManager 1.0.0 - Considered a stable release, version is now 1.0.0; - Compatibility fixes for PHP 8.2 and 8.3; DesignManager 1.1.11 - Compatibility fixes for PHP 8.2 and 8.3; FilePicker 1.0.8 - BR #12671 - fix FilePicker prefix error; MicroTiny 1.6.5 - Compatibility fixes for PHP 8.2 and 8.3; - Removed mt_jsbool as it is not needed any longer and was breaking Smarty compatibility; Navigator 1.0.11 - Compatibility fixes for PHP 8.2 and 8.3; News 2.51.13 - Compatibility fixes for PHP 8.2 and 8.3; - News is now an optional module, no longer installed by default; UserGuide 1.0.0 - Initial release; Phar Installer Not SET - Compatibility fixes for PHP 8.2 and 8.3; - Supports core optional modules selection on advanced mode (currently News and UserGuide); - Modified Smarty 4.2.1 enough to work with PHP 8.3; - Regular Phar doesn't support Windows at this point while Expanded Phar does; Version 2.2.19 - Selkirk ------------------------------- Core - General - BR #12647 - Wrong default action value in get_pageid_or_alias_from_url - FR #12638 - ability to add CSP headers on the backend: currently weak restrictions: self with script-src and script-src-elem set to unsafe-inline (optionally set on config admin_csp_header); - BR #12661 - fix page_selector allow_all parameter and set default to false; Content Manager 1.1.12 - BR #12635 - Apply button is shown for non-existing page; - BR #12474 Taking the default page down by accident through the content type; File Manager 1.6.16 - BR #12659 - FileManager upload Warning bug fix; FilePicker 1.0.7 - BR #12621 - FilePicker upload bug; - BR #12659 - FilePicker upload Warning bug fix; Navigator 1.0.10 - BR #12528 Navigator call doesn't clear excluded prefixes in some situations Version 2.2.18 - Apex ------------------------------- Core - General - Fallback function CMSMS\strftime. PHP Intl extension still recommended. The fallback solves issues on hosts that don't install it by default and don't allow users to install it. Version 2.2.17 - Iqaluit ------------------------------- Core - General - BR #12529 - Cacheable Pages have Bad Header Last-Modified; - BR #12543 - Lib file corrections; - BR #12618 - HasChildren() is broken; - BR #12587 - can't uninstall modules; - Compatibility fixes for PHP 7, 8.0 and 8.1; - Smarty upgraded to version 4.2.1; Note: Smarty 2 syntax is still supported, but deprecated - Add function CMSMS\strftime to replace deprecated PHP function. PHP Intl extension recommended to support this. - Enabled use of PHP functions trim,ltrim,rtrim in smarty templates - PHPMailer upgraded to version 6.6.0. - fixes BR #12529 Cacheable Pages have Bad Header Last-Modified; - added module's support for arrays in parameters; - Fixes to cms_mailer class mainly in terms of proxy design pattern getters and setters and autotls settings; - Smarty security policies changes: due to some modifications in the way updated Smarty now behaves, all static classes need to be registered for its use to be allowed in templates. Content Manager 1.1.10 - Differentiate new page from cloned page. - Compatibility fixes for PHP 7, 8.0 and 8.1. Design Manager 1.1.10 - BR #12545 - Module: DesignManager typo info on top file. - fixes typo BR #12545 - Compatibility fixes for PHP 7, 8.0 and 8.1. FilePicker 1.0.6 - BR #12539 - Module FilePicker 1.0.5 files corrections. - Compatibility fixes for PHP 7, 8.0 and 8.1. Module Manager 2.1.9 - BR #12541 - Module ModuleManager 2.1.8 : corrections + compatible php 7.1.0 to 8.1.4. News 2.51.12 - BR #12543 - Lib file corrections. - Compatibility fixes for PHP 7, 8.0 and 8.1. FileManager 1.6.13 - Compatibility fixes for PHP 7, 8.0 and 8.1. Version 2.2.16 - Truro ------------------------------- Core - General - BR #12370 - Admin Log-Download : now downloading the log honors all filters but doesn't process paging - BR #12437 - Installer won't allow "<" symbol in database password - BR #12457 - Event Manager empty list when mysql mode only_full_group_by - BR #12484 - Cannot exit after Run UDT - BR #12495 - MySQL 8.0.2+ breaks groups without table prefix - BR #12499 - adminlog.tpl Wrongly formed date - BR #12500 - NameQuote function does not work properly - BR #12504 - Function call notification. - Fixed an issue with specific characters in a content block tab name breaking the editor - Adjust regex's incompatible with PCRE2 - Avoid deprecated strftime() - deploy new replacement function locale_ftime() and new modifier-plugin localedate_format - A number of fixes for PHP 8 compatibility Admin Search v1.0.6 - BR #12443 - Admin Search fails on some searches with default mysql mode only_full_group_by (mysql 5.7.5+). - Removed license and copyright notices from module help text. - Escaping the search input field values. - More content object attributes are searched. - User Defined Tags can be searched. - Only places a user has permission to search are shown in the filter list (cached!). Content Manager v1.1.9 - Fix menu text/title setting. FileManager v1.6.12 - BR #12435 - Replacing an image file in filepicker doesn't update thumbnail. FilePicker v1.0.5 - FR #12483 - Additional FilePicker Help for usage as Content Block. Navigator v1.0.9 - BR #12456 - Navigator breadcrumbs with default page hidden from menu causes PHP notice. Search v1.53 - Added 'Manage Search' permission; - BR #12391 - Core search issue page/entry titles that start with numbers; Phar Installer v1.3.15 - Fixed BR #12437 - Installer won't allow "<" symbol in database password; - Added Russian lang file to installer; - use locale_ftime() instead of deprecated strftime(); - escape name of groups table, to prevent reserved-word conflict when table-prefix is empty; - alterations to the links in final step: we now privilege links to CMSMS channels of contact and support; Version 2.2.15 - Bonaventure ------------------------------- Core - General - BR #12287 - Admin shortcuts popup refers to IRC. - BR #12292 - showbase parameter of metadata tag doesn't accept boolean value. - BR #12303 - No date displayed in the admin + category id not incremented. - BR #12305 - Removing actual Destination Page breaks Destination Page dropdown in Internal Page Link pages. - BR #12311 - log_performance_info - undefined variable: queries. - BR #12313 - 5 Stored XSS vulnerabilities in Settings - Content Manager. - BR #12317 - XSS on Settings News Module. - BR #12325 - Several XSS vulnerabilities. - BR #12335 - User pref admin homepage not properly displayed under certain conditions. - BR #12337 - GetContentBlockFieldInput $adding always false. - BR #12338 - Allow http/2 responses. - BR #12357 - Filepicker dropzone size issue. - FR #12345 - More user friendly admin session handling (partly implemented). - FR #12349 - Swap tabs on System Maintenance page. - Browsing to the main admin page in a new browser tab during a running session won't redirect to login form anymore. - (Error) messages in OneEleven won't dismiss on click. - Fix to Admin redirection after login on Windows platform. - Fix to the module API redirection to support arrays in parameters. FileManager v1.6.12 - Dropzone improvement like core FilePicker. FilePicker v1.0.5 - BR #11673 - FilePicker will not show svg images, when in the Content Manager. - BR #12312 - Stored XSS vulnerability in File Picker. News v2.51.11 - Minor code fix to encoding title content. - BR #12322 - Stored Cross-Site Scripting. Minor, because it can only be performed by a person that has access rights to the Admin panel. - BR #12325 - Several XSS vulnerabilities. Design Manager v1.1.9 - Minor fixes for PHP warnings\notices; Module Manager v2.1.8 - BR #12291 - Reflected Cross site scripting - BR #12324 - Stored Cross-Site Scripting. Minor, because it can only be performed by a person that has access rights to the Admin panel. - Increased the Download Chunk Size field size to 4. MicroTiny v2.2.5 - BR #12351 - Escaping translation strings in tinymce_config.js. Search v1.52 - FR #11886 - Include module and modulerecord fields for content pages. Phar Installer v1.3.13 - Fixes to the reload button: now prevents browser's caching - BR #11591 - fixed: Phar installer doesn't work with OPCache enabled Version 2.2.13 - Moosomin ------------------------------- Core - General - Explicitly add a function or two to the allowed functions in PHP secure mode. DesignManger v1.1.7 - Fix a warning in PHP 7.3+ FileManager v1.6.10 - Fix minor XSS vulnerabilities in FileManager. News v2.51.8 - Fix a security issue in the default action with the idlist param (This version was also separately released in the forge) Version 2.2.12 - Osoyoos ------------------------------- NOTICE: Due to the nature of the security issue fixed in FileManager after upgrading you should change your database password. Core - General - Fix warning in cms_html_entity_decode FileManager v1.6.9.1 - Security fixes for view action.