We have just released CMSimple_XH 1.6.3. Updating is strongly recommended. This release fixes several bugs and brings some improvements:
- fixed CSRF vulnerability
- added mitigation against backdoors
- removed checking of server variables for valid UTF-8, which could have caused the installation to be inaccessible (reported by Olaf)
- fixed bug, where XH_Backup failed to be PHP 4 compatible
- fixed regression bug (r1269), where internal filebrowser blocked external ones
- fixed bug, where corrupted config file triggered fatal PHP error
- fixed bug, where some external URLs were converted to ?print in the print view (reported by Olaf)
- fixed regression bug (r1035), where filebrowser POST forms did not work on some servers
- fixed bug, where "integrated plugin menu" didn't force view mode
- fixed bug, where $mtx entries with underscores were not recognized
- fixed spurious error message when saving page data tab without Ajax
- fixed bug, where plugin menu wasn't usable on some touch devices
- fixed limitation, where start page had to be published
- made admin menu adaptable to viewport width (suggested by Termin)
- improved reporting of fatal errors
- Filebrowser: improved error reporting and performance
- updated jQuery4CMSimple to 1.5.3
- updated TinyMCE to 3.5.11
- updated Utf8_XH to 0.5.5
- added "emergency" template
- added full language names to language menu
- added possibility to manually trigger a "normal" backup
- added client side HTML5 form validation for the mailform
- added system check for BOMs
- introduced XH_wantsPluginAdministration(), XH_formatDate(), XH_lockFile(), XH_Li
- internal improvements: switched to Composer, refactoring, added unit-tests
As usual you have the following options:
- For new installations use the full installation package.
- For updating from CMSimple_XH 1.6.2 use the update package and follow the update instructions.
- For updating from CMSimple_XH 1.6 use the update package and follow the update instructions. Note that we have moved the folders css/ and javascript/ to core/css/ and core/js respectively, so you should delete the old folders manually after the update.