Releases: textpattern/textpattern
v4.5.2
- Maintenance release with bug fixes, no security implications.
- Fix <txp:link_to_prev>, <txp:link_to_next>, <txp:prev_title>, and <txp:next_title> tags for setups with web server and database server in different time zones.
- Avoid "undefined variable" error while bulk-editing form types.
- Developer: Use actual callback instead of hard-coded function to render 'View' link. Pass reference to partials meta data into partial callbacks as $rs['partials_meta'].
- Developer: Escape <script> tags in script_js(). Use jQuery in dom_attach().
v4.5.1
- Maintenance release with bug fixes, no security implications.
- Default front-side template: Remove duplicate search input field.
- Textile: Use 'named groups' syntax ?P<group> for b/c with older PCRE library versions.
- Hive admin-side theme: Modernizr v2.6.2.
- Prevent fatal aborts from error-handling during version upgrades.
- Unregister all globals in multi-site setups.
- Prevent deletion of used stylesheets from UI.
- Offer all supported units in the tag builder for <txp:file_download_size />.
- Developer: New events authors_deleted, categories_deleted, css_deleted, discuss_deleted, file_deleted, forms_deleted, thumbnail_deleted, links_deleted, articles_deleted, page_deleted, sections_deleted.
v4.5.0
- Minimum system requirement: PHP 5.2.
- Modern default site theme (responsive, HTML5, CSS3).
- Choice of HTML5 or XHTML document type as a preference.
- Textile 2.4.1. See full changelog at http://textpattern.com/textile-changelog.
- User interface realignment and clean-up.
- Additional admin theme (Hive).
- Beautified setup process.
- Write, Plugin and Section panels save some changes without page refreshes (AJAX).
- WordPress import tool imports image media attachments as article images, can use 'utf8' or 'latin1' source databases.
- New advanced preference "Login info email address" allows defining a 'From:' address from which a new user's login info is sent.
- Check for new Textpattern version moved from Preferences to Diagnostics panel.
- Removed raw PHP support in pages and articles.
- Plugin status is preserved across plugin updates.
- <txp:link_to_prev> and <txp:link_to_next> adhere to the sort order set by <txp:article>.
- Deprecated escape attribute for <txp:search_term />.
- Removed align attribute for <txp:image />, <txp:thumbnail />, <txp:article_image />.
- <txp:css /> accepts a comma-separated list of style-sheet names for the name attribute.
- <txp:txp_die />: New attribute url. Specifies location target for HTTP statuses 301, 302, 307.
- <txp:article_custom>, <txp:file_download_list> preserve sorting order from id attribute.
- <txp:images /> preserves sorting order from article image ids.
- <txp:file_download> may be used as a container tag.
- <txp:comment_form />: New attributes previewlabel, submitlabel, rememberlabel, forgetlabel.
- New <txp:author_email> tag.
- <txp:linklist /> accepts a comma-separated list of link ids in the new id attribute.
- <txp:images /> uses the sort order of images from the id attribute if present.
- Developer: Introduce gTxtScript() to help with the l10n of client-side strings.
- Developer: Introduce txpspecialchars() as a recommended HTML5-safe alternative to htmlspecialchars().
- Developer: New events article_saved, article_posted, comment.saved, article_ui'.'partials_meta, 'article_ui'.'validate_save, image_ui'.'fullsize_image, image_ui'.'thumbnail_image, admin_criteria'.'author_list, admin_criteria'.'author_list, admin_criteria'.'css_list, admin_criteria'.'discuss_list, admin_criteria'.'file_list, admin_criteria'.'form_list, admin_criteria'.'image_list, admin_criteria'.'link_list, admin_criteria'.'list_list, admin_criteria'.'log_list, admin_criteria'.'page_list, admin_criteria'.'section_list (NB: image_ui'.'image_edit and image_ui'.'thumbnail_edit changed).
- Developer: Introduce textpattern.Relay, a pub/sub hub for client-side events.
- Developer: Introduce txpAsyncForm (a jQuery plugin for asynchronous posts from forms) and txpAsyncHref (a jQuery plugin for asynchronous posts from links).
- Developer: Introduce safe_escape(), Constraint() and Validator() classes plus their descendants, callback_event_ref(), theme::announce_async().
. - Developer: Restrict plugin type '3' to load only at non-AJAX requests. Introduce plugin type '4' to be loaded on the admin side for both AJAX and non-AJAX requests. Introduce plugin type '5' to be loaded on the public side and on the admin side for both AJAX and non-AJAX requests.
- Developer: Run custom post-update code from txpath.'/update/custom/post-update*.php' if this glob() exists.
- Developer: Include custom code like page-caches before the page is assembled by setting $txpcfg['pre_publish_script'] to a valid filename.
- Developer: Modified plugin type '1': Load only on non-AJAX requests on the admin-side.
- Developer: Additional plugin types '4' (admin-side, only for AJAX requests), and '5' (public side; admin-side, only for AJAX requests).
- Security: Admin-side disallows framing, sends "X-Frame-Options: SAMEORIGIN" header.
- Security: The txp_login cookie is set with an HttpOnly attribute.
- Security: Fixed a persistent XSS vulnerability in Textile discovered by Mauro Gentile.
- Security: Fixed an XSS vulnerability in the setup process discovered by Jonathan Claudius of Trustwave SpiderLabs.
- Security: Fixed a persistent XSS vulnerability in the access log panel discovered by Sasha Zivojinovic.
- Bug and security fixes.
- jQuery 1.7.2.
v4.4.1
- Security: Add admin-side CSRF protection measures. Updates are highly recommended. Thanks, Neal Poole.
- Upload of SWF images requires image.create.trusted privilege (applies to publisher, managing editor, copy editor, and designer roles).
- <txp:file_download_size /> improved from both i18n and l10n viewpoints.
- Developer: CSRF protection API in bouncer(), form_token() and tInput().
- Developer: CSRF token included in output from form(), aLink(), eLink(), dLink(), and wLink() functions.
- phpass 0.4 / genuine.
- jQuery 1.6.1.
v4.4.0
- Security: Fix several vulnerabilities. Updates are absolutely recommended for sites running any older version. Thanks, Neal Poole.
- Passwords are case-sensitive.
- Hotlink protection for files: Downloads from a web-accessible /files directory are inhibited. The /file_download/$id/example.foo route is the only valid way to access downloadable files. Requires an Apache webserver and usage of the sample .htaccess file.
- Empty <txp:variable></txp:variable> container sets a variable's value to "".
- WordPress import tool fixed for WP 3.x.
- Context bug in messy mode fixed.
- get_pref() now honours per-user prefs in all cases.
- Developer: txp_validate() accepts a $log parameter to discern between 'real user login' vs. 'just validating credentials' usage.
- Developer: sendAsyncEvent() accepts parameter $format.
- Developer: Introducing escape_js() and send_script_response().
- Developer: Taghandler functions must not contain upper case letters.
- Developer: Taghandler functions must not be defined within a <txp:php> element.
- Developer: phpass 0.3 / genuine for password portability, hashing, stretching, and salting. Old-style passwords will be migrated upon a user's first login. Persistent hash values in database are incompatible with previous versions.
- jQuery 1.5.1.
v4.3.0
- Security: Fixed two XSS vulnerabilities (thanks Jorge Hoya and High-Tech Bridge). Updates are recommended.
- New Textpattern logo by courtesy of Philipp Schilling (belipe, http://www.psgd.de). Happy retirement to The Carver!
- Feature: Optional alternate URL for static image resources. Defined in constant ihu.
- Feature: /category and /author lists for all content types, with conditionals and pagination.
- Feature: Optional top-level 'Home' tab for dashboard plugins.
- Feature: File titles.
- Feature: Multiple categories/sections in feeds via http://example.com/rss/?category=foo,bar&section=baz,omg and http://example.com/atom/?category=foo,bar&section=baz,omg.
- New tags: <txp:images />, <txp:image_info />, <txp:image_url />, <txp:image_date />, <txp:if_thumbnail />.
- New tags: <txp:link_author />, <txp:image_author />, <txp:file_download_author />.
- Changed: Verbose semantic admin-side markup.
- Changed: Explicit 'Create new $thing' button for pages and styles.
- Changed: <txp:image /> and <txp:article_image /> accept width and/or height attribute.
- Changed: <txp:search_input /> accepts a match attribute. Possible values: exact, any or all (default).
- Changed: <txp:css /> accepts a name attribute. Attribute n is deprecated.
- Changed: <txp:image_index /> accepts a category attribute. Attribute c is deprecated.
- Changed: <txp:breadcrumb /> accepts a separator attribute. Attribute sep is deprecated.
- Changed: <txp:if_plugin /> accepts a version attribute. Attribute ver is deprecated.
- Changed: <txp:if_custom_field /> accepts a value attribute. Attribute val is deprecated. Added attributes match and separator.
- Changed: <txp:feed_link />, <txp:link_feed_link />, <txp:popup />, <txp:search_input /> accept a class attribute.
- Changed: Use percent-encoding in URLs as an RFC-1738-compliant fallback for languages lacking a suitable transliteration array.
- Changed: Silence E_STRICT warnings in 'live' production mode.
- Removed: 'Friendly' CSS editor.
- Developer: pluggable_ui() in the images tab.
- Developer: Stylesheets are stored as plain text in the database - no more base64-encoding.
- Developer: Textpacks, a method to install i18n strings from uploaded text files and from plugins.
- Developer: article_format_info(), link_format_info(), and get_groups() convenience functions.
- Developer: i18n strings are not loaded while Textpattern renders the public-side style sheet.
- Textile 2.2 adds support for note lists, definition lists, thead, tbody, tfoot, table summary, table caption, table colgroup, glyphs for fractions, degrees and plusminus et cetera.
- jQuery 1.4.3.
- Incutio XML-RPC Library 1.7.4.
v4.2.0
Note: Version 4.1.0 was assigned to the experimental 'crockery' branch and never officially released.
- Feature: Extendable admin-side themes. 'Classic' and 'Remora' theme contained in the core package, user-contributed themes available from http://textgarden.org/layouts/?c=txp-admin.
- Feature: Capability for multi-site file system layouts (thanks: Sam Weiss).
- Feature: Role-based permission checks for images, links and files.
- Feature: Save various pane toggle states.
- Feature: Store author of links and files.
- Feature: Automatic adjustment for DST (requires PHP 5.2+, fall back to manual adjustment for servers running older PHPs).
- Feature: Timezone selector in preferences (requires PHP 5.2+, GMT-based selector as a fallback).
- Feature: Default event preference setting (thanks: Mary).
- Fixed: PHP 5.3 compatibility (thanks: Mary).
- Fixed: When a user is deleted, reassign her assets.
- Fixed: Tag builders for <txp:category /> and <txp:section />.
- Fixed: Bogus "Article tags cannot be used outside an article context" warning in <txp:else />-branch of <txp:if_keywords>.
- Fixed: Removed superfluous & encoding for article titles in <txp:recent_comments />.
- Fixed: <txp:expires> uses class and wraptag attributes as intended.
- New tag: <txp:link_id /> (thanks: Rick Siletti).
- New tag: <txp:yield />.
- Changed: Article timestamp is left untouched for 'draft', 'pending', or 'hidden' articles published into the future.
- Changed: <txp:file_download_list /> tag accepts a comma-separated list of file ids in a new id attribute (thanks: Rick Silletti).
- Developer: pluggable_ui() serves as a base for custom admin-side user interface panels, see new *_ui events below.
- Developer: New events log_it, plugin_lifecycle, plugin_prefs, txp_die, article_ui, author_ui, category_ui, file_ui, image_ui, link_ui, prefs_ui, section_ui.
- Developer: Per-user preferences.
- Developer: Increased maximum plugin code size to MEDIUMTEXT (16 MiB).
- Developer: Increased maximum preferences value size to TEXT (64 KiB).
- Developer: Core support for unlimited custom fields (thanks: Gerhard Lazu).
- Developer: Thumbnail dimensions are stored in the image table.
- Developer: Sending requests to the admin-side with URL parameter app_mode set to async suppresses any default admin-side output. Think AJAX.
- Developer: Cached plugins are loaded in natural sort order.
- Developer: Deprecated cleanfInput(), escape_output(), escape_tags(), getAtt(), gAtt(), and input() functions. These will be removed in the next release.
- Developer: Plugins can flag their interest in lifecycle events (install, uninstall, activate, deactivate). See http://svn.textpattern.com/development/4.x-plugin-template/.
- Developer: Optional capability to jump to a plugin's options from the plugin tab. See http://svn.textpattern.com/development/4.x-plugin-template/.
- jQuery 1.3.2.
v4.0.8
- Fixed: Current section/category is overwritten in <txp:section_list> and <txp:category_list> (container or form mode).
- Fixed: Registration and notification mails are not sent in PHP safe mode.
- Fixed: Error message upon article save from MySQL 5 in 'strict' mode.
- Fixed: Timeout during 'clean URL test' causes WSOD in diagnostics tab.
- Partly fixed: Search result excerpt breaks HTML entities.
- Changed tag: <txp:if_section> without a name attribute is now TRUE on a section page (old behaviour is preserved on upgrades).
- Changed tag: <txp:if_category name=""> is now FALSE on a category page (old behaviour is preserved on upgrades).
- Changed tag: <txp:link_url /> escapes its output.
- Changed tag: <txp:file_download_list /> uses wrap tag, break, and label attributes consistently like other tags.
- Speed: faster plugin loading from the database.
- Diagnostics tab: ignore line endings when checking for modified files and show full paths.
- Pages tab: allow 'default' page to be deleted if not used by a section.
- Developer: Fall back to standard page/permlink behaviour if custom_url_func() returns FALSE.
- Developer: set_pref() accepts an optional position parameter.
v4.0.7
- Parser: full nesting support, allowing unlimited nesting of identical tags.
- Parser: attribute values are parsed when enclosed in single quotes.
- Parser: unquoted attribute values are deprecated and will result in warnings when site status is not set to 'live'. Fix your templates and use double quotes to delimit attribute values.
- Feature: Expiry time for articles, accompanied by related tags.
- Speed: various components of the parsing process have been optimized, which compensates for the impact of increased parser complexity, resulting in slightly faster parsing speed.
- New tags: <txp:expires />, <txp:if_expired>, <txp:if_expires>.
- New tag: <txp:if_keywords>.
- New tags: <txp:if_first_section>, <txp:if_last_section>.
- New tags: <txp:if_first_category>, <txp:if_last_category>.
- New tag: <txp:if_variable>.
- New tag: <txp:modified />.
- New tag: <txp:rsd /> specifies the Really Simple Discovery endpoint for XML-RPC clients.
- New tag: <txp:variable />.
- Changed tag: <txp:article /> can be used as a container tag.
- Changed tag: <txp:article /> allows new attributes wraptag and break.
- Changed tag: <txp:article_custom /> can be used as a container tag.
- Changed tag: <txp:article_custom /> allows new attributes wraptag and break.
- Changed tag: <txp:article_custom /> allows comma separated list for id attributes (this doesn't imply a sort order).
- Changed tag: <txp:category /> applies class attribute to the <a> element when wraptag is empty.
- Changed tag: <txp:category_list /> can be used as a container tag.
- Changed tag: <txp:category_list /> accepts a children attribute which limits the list depth to one level below the parent category when set to 0.
- Changed tag: <txp:file_download_list /> can be used as a container tag.
- Changed tag: <txp:if_article_id /> defaults to the current article's id.
- Changed tag: <txp:linklist /> can be used as a container tag.
- Changed tag: <txp:recent_comments /> can be used as a container tag.
- Changed tag: <txp:recent_comments /> allows new attribute offset.
- Changed tag: <txp:search_input /> allows new attribute html_id to set the form's id.
- Changed tag: <txp:section /> applies the class attribute to the <a> element when wraptag is empty.
- Changed tag: <txp:section_list /> can be used as a container tag.
- XML-RPC: server now included in main TXP package, disabled by default.
- Articles tab: added 'article image' and 'keywords' as search criteria.
- Categories tab: categories cannot be accidentally deleted if they are still in use.
- Write tab: Concurrent article edit warning
- Write tab: WYSIWYG preview for draft/pending/hidden articles.
- Images tab: added 'alternate text' and 'caption' as search criteria.
- Images tab: multi-edit functionality (delete, change category).
- Images tab: setting both thumb width and height to zero or empty values disables auto-thumbnailing.
- Links tab: multi-edit functionality (change category).
- Files tab: multi-edit functionality (delete, change category).
- Users tab: multi-edit functionality (delete, reset password, change privilege).
- Users tab: sortable and paginated author list.
- Users tab: 'last login' shown in author list.
- Plugins tab: User-selectable plugin load order.
- Plugins tab: sortable and multi-edit functionality (change order/status, delete).
- More verbose 'First Post' article with basic instructions and helpful links.
- Developer: getTree() receives an optional table name, returned array contains parent field.
- Developer: New event pretext_set.
- Developer: new plugin type 3 for admin-only plugins (0=public, 1=admin+public, 2=library).
- Developer: fInput now uses htmlspecialchars on the value parameter (previously only escape_title).
- Developer: pagelinkurl() calls a custom URL handler if present. NB: The custom URL handler's function signature is modified, as an additional flag discerns pagelinks from permlinks.
- Developer: $prefs['searchable_article_fields'] may contain an array of column names defining the fulltext-indexed set. A corresponding MySQL fulltext index must be established previously.
- jQuery 1.2.6.
- Ability to connect to the MySQL server through SSL.
v4.0.6
- Security: add missing escape in SQL query (admin side).
- Security: safer use of txp_login cookie + nonce (note: users are logged out after upgrading!).
- Security: fixed XSS vulnerability (thanks DSecRG) and input validation in setup script.
- Security: fixed local file include vulnerability (publisher only) in textpattern/index.php (thanks DSecRG and Victor).
- Security: fixed XSS vulnerability and parameter value overflow in comments preview (thanks DSecRG).
- Security: escape request method as shown on logs tab (thanks Victor).
- Changed tag: <txp:thumbnail /> allows non-JS links to the full-size image.
- Changed tag: <txp:article_custom /> allows comma-separated lists for category, section and author attributes (thanks Manfre).
- Changed tag: <txp:linklist /> allows comma-separated list for category attribute.
- Changed tag: <txp:file_download_list /> allows comma-separated list for category attribute.
- Changed tag: <txp:recent_articles /> allows comma-separated lists for category and section attribute.
- Changed tag: <txp:related_articles /> allows comma-separated list for section attribute.
- Changed tag: <txp:search_result_excerpt /> allows a custom "break" attribute defaulting to an ellipsis.
- Deprecated tag: <txp:sitename /> replaced by <txp:site_name />.
- Deprecated tag: <txp:request_uri /> replaced by <txp:page_url />.
- Deprecated tag: <txp:s /> replaced by <txp:page_url type="s" />.
- Deprecated tag: <txp:c /> replaced by <txp:page_url type="c" />.
- Deprecated tag: <txp:q /> replaced by <txp:page_url type="q" />.
- Deprecated tag: <txp:id /> replaced by <txp:page_url type="id" />.
- Deprecated tag: <txp:pg /> replaced by <txp:page_url type="pg" />.
- Deprecated function: escape_output(), use htmlspecialchars() instead.
- Deprecated function: gAtt() (and getAtt()), use lAtts() instead.
- Deprecated variable: $txpcfg['txpath'], use constant txpath instead.
- New tag: <txp:if_search_results>.
- New tag: <txp:search_term />.
- New languages: Croatian, Korean, Português (Brasil), Serbian (Latin + Cyrillic), Turkish and Vietnamese (thanks: Filip Baraka, Alexsander Albert Santana, Vladimir Siljkovic, Süleyman Şentürk, Quang Anh Do).
- Developer: using add_privs() for admin-side plugins is now required (used to be optional for publisher-only plugins).
- Developer: dmp() prints debug output to a file in the temporary directory according to preferences. Define 'txpdmpfile' for the file name.
- Developer: Added modified and status to global $thisarticle array.
- Developer: Added is_logged_in() function to check on the public side if the visitor is logged in on the admin side.
- Speed: fewer SQL queries (-2 for individual article pages, -1 for other pages).
- Speed: recent_comments tag (thanks Manfre) and admin side comments list only uses 1 query.
- Added 'password reset' functionality (with confirmation email) on the login screen.
- Update to jQuery 1.2.2 as a default JavaScript library.
- Fix textile list incompatibility with PHP 5.2.4 (and higher).
- Fix http-auth when using lighttpd or (mostly) apache+fcgi.
- Fix HTTPS protocol check for ISAPI with IIS.
- Fix use of article tags on a sticky article page.
- Pages, categories and styles cannot be accidentally deleted if they are used on other tabs.
- Corrections in the tag builder.
- Refrain from showing sticky articles from non-frontpage sections in search results.
- Enable separate search section for messy URL mode.
- Many, many minor improvements, see: http://dev.textpattern.com/log/development/4.0?action=stop_on_copy&rev=2802&stop_rev=2471.