Releases: bigprof-software/online-invoicing-system

OIS 5.3

03 Mar 15:49

As generated by AppGini 22.12

For the full change log, please refer to the AppGini change log.

OIS 5.1

03 Jul 17:35

Various XSS vulnerabilities fixed.

OIS 5.0

30 Jun 18:49

Fix low severity stored XSS vulnerability in admin area reported on hunter.dev (low severity because it needs to be combined with a CSRF attack in order to be effective -- otherwise, an admin has no motive to XSS himself!)

OIS 4.9

28 Jun 11:57
  • Add page for viewing slow/error queries to admin area.
  • Fix CSRF vulnerability in admin/pageDeleteGroup.php, admin/pageDeleteMember.php and admin/pageDeleteRecord.php

OIS 4.8

14 Jun 15:06
  • Fix SameSite value of remember_me cookie for future compatibility with browsers.
  • Re-order admin utilities menu for better organization.
  • Add pageQueryLogs.php to view log of slow and error queries for debugging (Admin area > Utilities menu > Query logs)
  • Add 'nothing' table icon (useful when you want no icons for a table)
  • Refactor tablename_view to delegate code for applying membership permissions to DataList.
  • Add DataList::applyPermissionsToQuery() and DataList::fieldIsDateTime().
  • Refactor various parts of DataList.
  • Fix filtering query error for non-admin users that don't have full view permissions.
  • Add logSlowQuery() and logErrorQuery() functions to help diagnose problematic queries executed by sql().
  • Refactor sql() function by separating dieErrorPage() and openDBConnection().
  • Add new options to the $o array passed to sql() to suppress logging if set to true: 'noSlowQueryLog' and 'noErrorQueryLog'.
  • Add CSS classes .signed-in-as and .username to the 'Signed in as ..' text and the username link in the navigation bar for easier scripting.
  • Fix issue where TVDV page with 0 records in TV has missing date pickup components.
  • Render read-only checkboxes in DVP in all cases.
  • makeSafe(): return an empty string for 0-length inputs without further checks.
  • UX fix: don't automatically sign out a user when they access a table they have no access to.
  • Show 'table access denied' error if user is accessing a DV record they don't have access to, rather than a blank page.
  • Fix issue with empty lookup values for lookup fields of short char/varchar datatype.
  • CSS rule to hide empty email links.
  • Show "Don't rename uploaded files" and "Delete files from server when removed from record" options in image options window.
  • checkMemberID.php: change the way availability is reported to prevent minifying services that strip comments from ruining the result.
  • Render read-only (rather than editable) check-boxes in DVP.
  • Enable auto-increasing rich editor height for long content.
  • Add more randomness to generated file names by randomly seeding microtime() to hinder brute force filename guesses.
  • Sanitize filterer_* against reflected XSS in 'Add new' form.
  • Misc syntax fixes.

OIS 4.7

10 Jun 18:20
  • Fix issue with displaying printable invoice items.

OIS 4.6

01 May 11:06

Sanitize date parameters against reflected XSS.

OIS 4.5

28 Mar 16:46
  • Add .sum CSS class to sum row and each sum cell in TV.
  • Fix tooltip appearance in admin/pageRebuildFields
  • Fix PHP8 error on filtering lookup fields.
  • Fix sorting bug in admin/pageViewRecords.php
  • Filter data when exporting to CSV to prevent CSV injection in Excel.
  • Sanitize group description in groups list page
  • Fix localStorage clearing issue that leads to disabling enabled shortcut keys

OIS 4.4

27 Feb 10:23
  • Fix nicedit height issue
  • Fix bug where keyboard shortcuts become disabled after closing a modal window.
  • Fix potential CSV injection issue when exporting CSV file and opening in Excel, CVE-2021-27839 (Thanks to Jinson Varghese Behanan from Astra Security who found this vulnerability :)
  • Fix low impact potential XSS issue in admin/pageViewGroups.php

OIS 4.3

21 Jan 10:43

Fix 'no direct access allowed' in CSV import page.