• Security: add missing escape in SQL query (admin side).
• Security: safer use of txp_login cookie + nonce (note: users are logged out after upgrading!).
• Security: fixed XSS vulnerability (thanks DSecRG) and input validation in setup script.
• Security: fixed local file include vulnerability (publisher only) in textpattern/index.php (thanks DSecRG and Victor).
• Security: fixed XSS vulnerability and parameter value overflow in comments preview (thanks DSecRG).
• Security: escape request method as shown on logs tab (thanks Victor).
• Changed tag: <txp:thumbnail /> allows non-JS links to the full-size image.
• Changed tag: <txp:article_custom /> allows comma-separated lists for category, section and author attributes (thanks Manfre).
• Changed tag: <txp:linklist /> allows comma-separated list for category attribute.
• Changed tag: <txp:file_download_list /> allows comma-separated list for category attribute.
• Changed tag: <txp:recent_articles /> allows comma-separated lists for category and section attribute.
• Changed tag: <txp:related_articles /> allows comma-separated list for section attribute.
• Changed tag: <txp:search_result_excerpt /> allows a custom "break" attribute defaulting to an ellipsis.
• Deprecated tag: <txp:sitename /> replaced by <txp:site_name />.
• Deprecated tag: <txp:request_uri /> replaced by <txp:page_url />.
• Deprecated tag: <txp:s /> replaced by <txp:page_url type="s" />.
• Deprecated tag: <txp:c /> replaced by <txp:page_url type="c" />.
• Deprecated tag: <txp:q /> replaced by <txp:page_url type="q" />.
• Deprecated tag: <txp:id /> replaced by <txp:page_url type="id" />.
• Deprecated tag: <txp:pg /> replaced by <txp:page_url type="pg" />.
• Deprecated function: escape_output(), use htmlspecialchars() instead.
• Deprecated function: gAtt() (and getAtt()), use lAtts() instead.
• Deprecated variable: $txpcfg['txpath'], use constant txpath instead.
• New tag: <txp:if_search_results>.
• New tag: <txp:search_term />.
• New languages: Croatian, Korean, Português (Brasil), Serbian (Latin + Cyrillic), Turkish and Vietnamese (thanks: Filip Baraka, Alexsander Albert Santana, Vladimir Siljkovic, Süleyman Şentürk, Quang Anh Do).
• Developer: using add_privs() for admin-side plugins is now required (used to be optional for publisher-only plugins).
• Developer: dmp() prints debug output to a file in the temporary directory according to preferences. Define 'txpdmpfile' for the file name.
• Developer: Added modified and status to global $thisarticle array.
• Developer: Added is_logged_in() function to check on the public side if the visitor is logged in on the admin side.
• Speed: less SQL queries (-2 for individual article pages, -1 for other pages).
• Speed: recent_comments tag (thanks Manfre) and admin side comments list only uses 1 query.
• Added 'password reset' functionality (with confirmation email) on the login screen.
• Update to jQuery 1.2.2 as a default JavaScript library.
• Fix textile list incompatibility with PHP 5.2.4 (and higher).
• Fix http-auth when using lighttpd or (mostly) apache+fcgi.
• Fix HTTPS protocol check for ISAPI with IIS.
• Fix use of article tags on a sticky article page.
• Pages, categories and styles cannot be accidentally deleted if they are used on other tabs.
• Corrections in the tag builder.
• Refrain from showing sticky articles from non-frontpage sections in search results.
• Enable separate search section for messy URL mode.
• Many, many minor improvements, see: http://dev.textpattern.com/log/development/4.0?action=stop_on_copy&rev=2802&stop_rev=2471.