Phorum-5.2.13 released

Posted by Thomas Seifert 
August 26, 2009 01:15AM
We are happy to announce our latest stable release Phorum-5.2.13.
It is a bug fix release over 5.2.12 that fixes some issues found and adds some hooks and events to the event logging module.

One deep change involves the HTML module:
The bundled HTML module has been deprecated and removed from the distribution. We have done this because that module was, by nature, very susceptible to cross-site scripting (XSS) attack issues. We have been patching that module over time to get rid of reported XSS issues, but recently one was discovered for which we did not see a reliable way to patch it in the existing code base.

Because we do understand that there are admins that already are running the HTML module on their site, we wrote a new HTML module, based on the HTML Purifier library. This library does a great job at "washing" message bodies to make displaying of HTML code safe. Because of the size of this library (and frankly: because we hate HTML enabled messaging ;-) we distribute this new version of the HTML module separately and no longer bundle it in the Phorum distribution.

To upgrade the HTML module, delete your existing "mods/html" folder from the Phorum tree. After that, install the new HTML module from this thread. Please report any bugs that you might find in the new module to the mentioned thread.

You can download this new release from our downloads page.

This is the excerpt from the changelog:
   2009-08-25 23:03  ts77
	* fixed last-modified header for css.php/javascript.php (closing
	  #881, thanks to Markus Fischer)

   2009-08-25 19:38  mmakaay
	* Make sure that the doomed "magic_quotes_runtime" setting is
	  disabled in PHP. Otherwise, data that is retrieved from the
	  database could be crippled by the magic quote handling.

   2009-08-16 23:33  mmakaay
	* Added a "no longer bundled" list to the Modules API. Modules that
	  are no longer included in the Phorum distro can be registered in
	  this list. If Phorum finds an enabled module that is no longer
	  bundled with Phorum and that has a version that is lower than the
	  version as configured in the list, it will suggest the admin to
	  upgrade the module to the separately distributed version. This
	  feature was added for informing admins about the HTML module that
	  recently was removed from the distro.

   2009-08-16 23:31  mmakaay
	* Removed the HTML module from the core distribution. Administrators
	  that want to enable HTML code in the forum messages will have to
	  download the HTML module from now on. URL:

   2009-08-16 22:27  ts77
	* moved css.php and javascript.php to use the phorum_cache instead
	  of their own file-based approach (closing #878, thanks to Markus
	  Fischer for the notice)

   2009-08-16 15:38  ts77
	* added okmsg for the general settings page, still with reload to
	  reinit the settings (fixing #861, thanks to Markus Fischer)

   2009-08-15 22:22  mmakaay
	* Fixed a bug in the bbcode tokenizer code that could lead to
	  unexpected parsing results.

   2009-08-15 16:50  ts77
	* adding hooks for pm_delete, pm_delete_folder (fixing #871, thanks
	  to Markus Fischer)

   2009-08-15 16:33  ts77
	* fixing some warnings in stress_test script (fixing #872,#873,
	  thanks to Markus Fischer)

   2009-08-15 16:27  ts77
	* added name attribute to module settings links for better
	  testability (fixing #875, thanks to Markus Fischer)

   2009-08-01 11:03  mmakaay
	* Added a new event to the Event Logging module: User sends a
	  private message.

   2009-07-28 10:48  mmakaay
	* Fixed bug #865: Don't log errors if the silence operator @ is
	  used. Thanks to Markus for both the bug report and the patch that
	  fixes the issue.

   2009-07-27 15:42  mmakaay
	* - Added a new logged event: User requests a new password. Thanks
	  to CBiLL for the idea. This feature requires a new hook that is
	  only available in Phorum 5.2.13 and up. - Modified the failed
	  login event: if the username that was used is known to Phorum,
	  then the user_id is set for the event. This way, failed login
	  events can be filtered by the username as long as an existing
	  username was used. Thanks to CBiLL for the idea. - Fixed a bug:
	  with event logging programmatically suspended, not all hooks
	  returned the correct data. This feature is not widely used (if at
	  all), so there is no real user impact.

   2009-07-27 14:24  mmakaay
	* Added a new hook (for logging purposes): password_reset.

   2009-07-27 10:39  mmakaay
	* Fixed #864: the HTML feed always showed "(-1 replies)" at the end
	  of the feed page.

Thomas Seifert
Phorum Development Team /
Custom Phorum and general software development
worry-free Phorum Hosting