- Security: add missing escape in SQL query (admin side).
- Security: safer use of txp_login cookie + nonce (note: users are logged out after upgrading!).
- Security: fixed XSS vulnerability (thanks DSecRG) and input validation in setup script.
- Security: fixed local file include vulnerability (publisher only) in textpattern/index.php (thanks DSecRG and Victor).
- Security: fixed XSS vulnerability and parameter value overflow in comments preview (thanks DSecRG).
- Security: escape request method as shown on logs tab (thanks Victor).
- Changed tag: <txp:thumbnail /> allows non-JS links to the full-size image.
- Changed tag: <txp:article_custom /> allows comma-separated lists for category, section and author attributes (thanks Manfre).
- Changed tag: <txp:linklist /> allows comma-separated list for category attribute.
- Changed tag: <txp:file_download_list /> allows comma-separated list for category attribute.
- Changed tag: <txp:recent_articles /> allows comma-separated lists for category and section attributes.
- Changed tag: <txp:related_articles /> allows comma-separated list for section attribute.
- Changed tag: <txp:search_result_excerpt /> allows a custom "break" attribute defaulting to an ellipsis.
- Deprecated tag: <txp:sitename /> replaced by <txp:site_name />.
- Deprecated tag: <txp:request_uri /> replaced by <txp:page_url />.
- Deprecated tag: <txp:s /> replaced by <txp:page_url type="s" />.
- Deprecated tag: <txp:c /> replaced by <txp:page_url type="c" />.
- Deprecated tag: <txp:q /> replaced by <txp:page_url type="q" />.
- Deprecated tag: <txp:id /> replaced by <txp:page_url type="id" />.
- Deprecated tag: <txp:pg /> replaced by <txp:page_url type="pg" />.
- Deprecated function: escape_output(), use htmlspecialchars() instead.
- Deprecated function: gAtt() (and getAtt()), use lAtts() instead.
- Deprecated variable: $txpcfg['txpath'], use constant txpath instead.
- New tag: <txp:if_search_results>.
- New tag: <txp:search_term />.
- New languages: Croatian, Korean, Português (Brasil), Serbian (Latin + Cyrillic), Turkish and Vietnamese (thanks: Filip Baraka, Alexsander Albert Santana, Vladimir Siljkovic, Süleyman Şentürk, Quang Anh Do).
- Developer: using add_privs() for admin-side plugins is now required (used to be optional for publisher-only plugins).
- Developer: dmp() prints debug output to a file in the temporary directory according to preferences. Define 'txpdmpfile' for the file name.
- Developer: Added modified and status to global $thisarticle array.
- Developer: Added is_logged_in() function to check on the public side if the visitor is logged in on the admin side.
- Speed: fewer SQL queries (-2 for individual article pages, -1 for other pages).
- Speed: recent_comments tag (thanks Manfre) and admin side comments list only use 1 query.
- Added 'password reset' functionality (with confirmation email) on the login screen.
- Update to jQuery 1.2.2 as a default JavaScript library.
- Fix textile list incompatibility with PHP 5.2.4 (and higher).
- Fix http-auth when using lighttpd or (mostly) apache+fcgi.
- Fix HTTPS protocol check for ISAPI with IIS.
- Fix use of article tags on a sticky article page.
- Pages, categories and styles cannot be accidentally deleted if they are used on other tabs.
- Corrections in the tag builder.
- Refrain from showing sticky articles from non-frontpage sections in search results.
- Enable separate search section for messy URL mode.
- Many, many minor improvements, see: http://dev.textpattern.com/log/development/4.0?action=stop_on_copy&rev=2802&stop_rev=2471