Phorum-5.2.13 released
Posted by Thomas Seifert
August 25, 2009 07:15PM
We are happy to announce our latest stable release Phorum-5.2.13.
It is a bug fix release over 5.2.12 that fixes some issues found and adds some hooks and events to the event logging module.
One deep change involves the HTML module:
The bundled HTML module has been deprecated and removed from the distribution. We have done this because that module was, by nature, very susceptible to cross-site scripting (XSS) attacks. We have been patching that module over time to get rid of reported XSS issues, but recently one was discovered for which we did not see a reliable way to patch it in the existing code base.
Because we do understand that there are admins who are already running the HTML module on their site, we wrote a new HTML module, based on the HTML Purifier library. This library does a great job at "washing" message bodies to make displaying HTML code safe. Because of the size of this library (and frankly: because we hate HTML-enabled messaging ;-) we distribute this new version of the HTML module separately and no longer bundle it in the Phorum distribution.
To upgrade the HTML module, delete your existing "mods/html" folder from the Phorum tree. After that, install the new HTML module from this thread. Please report any bugs that you might find in the new module to the mentioned thread.
You can download this new release from our downloads page.
This is the excerpt from the changelog:
2009-08-25 23:03 ts77
    * fixed last-modified header for css.php/javascript.php (closing #881, thanks to Markus Fischer)

2009-08-25 19:38 mmakaay
    * Make sure that the doomed "magic_quotes_runtime" setting is disabled in PHP. Otherwise, data that is retrieved from the database could be crippled by the magic quote handling.

2009-08-16 23:33 mmakaay
    * Added a "no longer bundled" list to the Modules API. Modules that are no longer included in the Phorum distro can be registered in this list. If Phorum finds an enabled module that is no longer bundled with Phorum and that has a version that is lower than the version as configured in the list, it will suggest the admin to upgrade the module to the separately distributed version. This feature was added for informing admins about the HTML module that recently was removed from the distro.

2009-08-16 23:31 mmakaay
    * Removed the HTML module from the core distribution. Administrators that want to enable HTML code in the forum messages will have to download the HTML module from now on. URL: [www.phorum.org]

2009-08-16 22:27 ts77
    * moved css.php and javascript.php to use the phorum_cache instead of their own file-based approach (closing #878, thanks to Markus Fischer for the notice)

2009-08-16 15:38 ts77
    * added okmsg for the general settings page, still with reload to reinit the settings (fixing #861, thanks to Markus Fischer)

2009-08-15 22:22 mmakaay
    * Fixed a bug in the bbcode tokenizer code that could lead to unexpected parsing results.

2009-08-15 16:50 ts77
    * adding hooks for pm_delete, pm_delete_folder (fixing #871, thanks to Markus Fischer)

2009-08-15 16:33 ts77
    * fixing some warnings in stress_test script (fixing #872,#873, thanks to Markus Fischer)

2009-08-15 16:27 ts77
    * added name attribute to module settings links for better testability (fixing #875, thanks to Markus Fischer)

2009-08-01 11:03 mmakaay
    * Added a new event to the Event Logging module: User sends a private message.

2009-07-28 10:48 mmakaay
    * Fixed bug #865: Don't log errors if the silence operator @ is used. Thanks to Markus for both the bug report and the patch that fixes the issue.

2009-07-27 15:42 mmakaay
    * - Added a new logged event: User requests a new password. Thanks to CBiLL for the idea. This feature requires a new hook that is only available in Phorum 5.2.13 and up.
      - Modified the failed login event: if the username that was used is known to Phorum, then the user_id is set for the event. This way, failed login events can be filtered by the username as long as an existing username was used. Thanks to CBiLL for the idea.
      - Fixed a bug: with event logging programmatically suspended, not all hooks returned the correct data. This feature is not widely used (if at all), so there is no real user impact.

2009-07-27 14:24 mmakaay
    * Added a new hook (for logging purposes): password_reset.

2009-07-27 10:39 mmakaay
    * Fixed #864: the HTML feed always showed "(-1 replies)" at the end of the feed page.
Thomas Seifert