Version 2.6.0 (April 10th, 2026)
------------------------------------------------------------------------
* Add an option to limit which hosts are accepted as automatically
detected baseURL, serendipity['validBaseHosts']. This is a security
measure for installations that run under multiple domains and also
accept arbitrary host headers.
* Security fix: Attackers could manipulate the mail headers of
notification mails, on some server setups.
Thanks to Marcelo Barbosa for the report.
* Security fix: The domain of the login cookie could be manipulated,
on some server setups.
Thanks to Marcelo Barbosa for the report.
* Rework of the XSRF token protection, it was a replaced with a
check on the Sec-Fetch-Site header. This should eliminate the
timeouts that caused referer error messages on entry previews and
saves.
* Fix: The bootstrap4 theme now sets the serendipity_entry class.
This fixes the lightbox plugins photoswipe mode when using one
gallery per entry and potentially other plugins.
* Provide option for a second factor on login. Currently this
consists of a code sent to the autor's email that has to be entered
on login.
* 2k11 now shows examples for its multiple date format options in the
theme's configuration
* Maintenance action for clearing the template cache now also empties
the internal cache of serendipity and clears all smarty cache
files. It was thus renamed to "clear cache".
* nl2br: Fix an error that occured on some configuration in nl2p mode
on the isolation tags check
* Removed Sourceforge from Spartacus' mirror list, as it caused HTML
to be written to the plugin files instead of the wanted PHP code.
* Removed obsolete Pragma header from some responses, controlling
brwoser cache behaviour. Alternative headers were already set.
* Fix: clean blog's sticky header (that appears when scrolling up)
was positioned with a gap, when it contained too many
navigation links
* Breaking Change: Removed Net/DNSBL.php, Net/CheckIP.php and
pear/net_dns2 from the bundled libs.
* Update Smarty to current v5.6.0 (official support for PHP 8.4)
* Make smarty->entries also available when entry is cached. This
fixes e.g. opengraph tags of the social plugin disappearing.
* Brute force protection for the logins. Logins now only accept 5
login attempts a minute, bound to the user's anonymized IP.
* Show error when uploaded file is too big (PHP ini settings)
* Move 2k11's url validation helper function into the load event, so
loading of jQuery itself can be delayed
* clean blog: Updated to use newer versions of font awesome,
bootstrap and its webfonts. Also hosts those files locally now and
drops the shims for old versions of the Internet Explorer. Add
option for a mastodon profile button.
* Fix CSS based tabs in plugin and media upload area
* Fix tooltips in installer not working and the installer's language
list using the wrong encoding
* Add XSLT shylesheet to the RSS and Atom feed, including a link to an
explainer about how to use feeds
Version 2.5.0 (13.02.2024)
------------------------------------------------------------------------
* Restore compatibility with PHP 7.4
* Remove bundled composer.phar (thanks to hboeck)
* Update composer dependencies (mostly for PHP 8.3 compatibility):
katzgrau/klogger (1.0.0 => 1.2.2)
pear/http_request2 (v2.5.1 => v2.6.0)
pear/net_dns2 (v1.5.3 => v1.5.4)
psr/log (1.0.0 => 1.1.4)
smarty/smarty (v4.3.2 => v4.3.5)
* Fix a PHP notice in User management ("isEditable") (garvinhicking)
* Fix a bug when the p parameter given was set to 0 (@hannob)
* Fix an incompatibility with MySQL 5.7 or later (@mariohommel)
Version 2.4.0 (November 20th, 2022)
------------------------------------------------------------------------
* Fix: Avoid bad number of arguments to sprintf and fix logic error
in spamblock plugin.
* Improve w3c compatibility be encode square brackets of comment
mode links (thanks @hannob)
* Fix: Previewing comments warning threw a warning on PHP 8, when
debug mode on (thanks @hannob)
* Fix: Editor autosave cached was not deleted when saving entry
* Fix: Editor autosave was not on by default, despite the setting
being active by default
* Fix: admin/entries.tpl: fix undefined variable iso2br
* Fix: The calendar plugin threw a warning about $cond['join'] not
existing in some setups
* Fix: Avoid one more situation where responsive image upscaled
a small thumbnail
* Bugfix: Entryproperites plugin no longer insert empty records
for multiple authors (garvinhicking)
* Improve permalink generation performance and enable more unicode
replacements (thanks to mbirth!)
Version 2.3.5 (April 25th, 2020)
------------------------------------------------------------------------
* Fix: CSS: Restrict block display of summary to trackbacks. (#703)
* Fix: Don't strip HTML from comments body in serendipity_plugin_comments
before serendipity_event_unstrip_tags can convert the HTML tags
(being called via frontend_display hook). (#702)
* Fix: [CKE] Don't remove <details> and <summary> elements from
WYSIWYG editor.
* Fix: Don't delete extend properties from the entryproperties
plugin when publishing from dashboard (or sending
delayed trackbacks). (#695)
* Fix: SQL error in serendipity_plugin_history present since we
"don't allow requesting an archive page that doesn't exist"
(2.3.3). (#694)
* Fix: Entry title in backend list of entries was double escaped.
* Fix: Don't drop upgraded_version from local plugin cache.
* Fix: Regular expression in functions_routing.inc.php
* Fix: Truncate extension of media items to 5 chars (which ist the
max length of the corresponding database field). (#609)
Thanks to @mmitch!
Version 2.3.4-beta1 (March 25th, 2020)
------------------------------------------------------------------------
* Security: Fix RCE on Windows.
Thanks to Junyu Zhang <rgdz.eye@gmail.com>!
* Fix: ML: Fixed filename generation when renaming and added
some error messages on rename failures.
* Display source of plugins (Spartacus, bundled or locally installed). |