- CSRF vulnerability in Finder, discovered by Christian Bortone
- Added new translations
- Fixed Google reCAPTCHA
- Added Google reCAPTCHA for user registration and blog comments
- Fixed
isValidFilenamemethod in FinderController
- Fixed browser autocomplete on login page
- Fixed module renaming on update
- Open redirect vulnerability on login page, discovered by zhihua.yao from DBAPPSecurity
- Administrator profiles can only be managed by administrators
- Fixed Facebook App ID meta tag
- Fixed Gravatar for Blog comments
- Fixed active menu matching
- Fixed version displayed during extension updates
- Fixed overwriting of config defaults
- Fixed node selection for extensions
- Fixed form validation (Safari, Firefox and IE)
- Fixed replay attack with password reset links when debug toolbar is enabled, discovered by SecureLayer7
- Fixed Vue Warnings in Debug Bar
- Fixed URL replacement to undefined when using pagination (IE, Opera)
- Stored XSS in email templates, discovered by Raphael de la Vienne
- Fixed self update command
- Fixed an localisation issue which could lead to JS crashes (e.g. finder)
- Fixed internalization route in maintenance mode
- Fixed admin logout if an route alias exists
- Fixed location widget settings
- Make re-login modal available in front end by default
- Permission to access admin area now includes the right to use the site in maintenance mode
- Fixed JS error during user role sorting
- Fixed unintentional duplication of dashboard widgets in rare cases
- Fixed re-login in maintenance mode for certain API routes
- Fixed login interceptor to not intercept CORS requests
- Twig debug mode
- Float filter for request arguments
- Fixed wrong user role assignment in very rare cases (SQLite)
- XSS vulnerabilities at 404 page, discovered by Onur Yilmaz (https://www.netsparker.com)
- XSS vulnerabilities at login page, discovered by Raphael de la Vienne and Luuk Spreeuwenberg
- SQL injection vulnerability, which can be misused by users with admin privileges, discovered by Raphael de la Vienne and Luuk Spreeuwenberg
- Fixed asset upload
- Added node's access check
- Fixed access check for user and site settings
- Fixed admin dashboard for Safari private window
- Fixed a situation where a node could be assigned as its own parent
- Fixed backend password recovery
- Fixed user approval if verification is activated as well
- Fixed user verification state
- Parse MySQL Port from hostname in installer
- SSL support for location widget
- Improved widget visibility settings
- Redirect to extensions/themes overview after install and activation from marketplace
- Changed signature of setup command
- Fixed touch support in backend
- Fixed superfluous request caching
- Fixed widget settings validation
- Fixed relative date for languages without plural
- Fixed non expiring local storage
- Fixed style and script helper for use in Twig templates
- Fixed notice when og:image in site meta settings not defined
- Added OpenGraph image option for site nodes
- Added file extension check for storage uploads
- Added maintenance logo option
- Added cache break for language file
- Smoothed packages updates
- Optimized .htaccess
- Fixed save shortcut in Firefox
- Fixed reordering in site tree
- Fixed missing territory data
- Fixed redirect after login
- Fixed missing initial active state at pagination
- Fixed duplicated request occasionally caused by pagination
- Temporarily fixed menu params bug
- Fixed blank widget settings page
- Fixed missing marketplace icons
- Fixed RFC 3986 encoding of static URLs
- Fixed render params
- Fixed CLI command enables extensions
- Fixed db prefix check in installer
- Fixed different prefixes with SQLLite
- Fixed SQLite collations
- Removed Guzzle dependency
- CLI setup command requires admin password to be specified
- Fixed missing extension icons
- Dashboard: Use drag handle
- Fixed wrapping sidebar if content in main column is to large
- Fixed adding of new images in editor
- Added OpenGraph and Twitter Cards
- Added CLI command to setup Pagekit installation
- Added redirect after login to user settings
- Added view.init event
- Added global params object to view
- Added file picker
- Added support for script tag attributes 'defer' and 'async'
- Transfer widget and menu positions on theme change
- Image-, video-, link-picker: Preserve existing attributes
- Video-picker: Switched from shortcodes to html representation
- Video-picker: Improved URL matching
- Link preview: Support for html
- Editor preview: Remove script and style tags
- Installer: SQLite is now default
- Installer: Show SQLite only if available
- SelfUpdater: Check new requirements before update
- Removed system messages from template.php
- Fixed info page for high directory depths
- Fixed overflow container in modals
- Fixed password reset link
- Fixed canonical links
- Added filter cache for lists and searches
- Remember last finder position and view setting
- Added pagination cache and pagination links
- Added changelog to update view
- Added extension dependency update command for developer
- Added prefer-source option to package install and update command
- Added filter and ordering highlighting
- Bundled Pagekit installer
- Updated to Symfony 3.0
- Hide Trash menu from Site node picker
- Deny cross site redirects after login and logout
- Session Cookie uses HttpOnly flag now
- Nicer login, registration and profile pages
- Nicer update notification on dashboard
- Improved ORM Metadata cache breaker
- Reenabled Packagist for zip uploads
- Fixed username validation in installer and backend (#513)
- Fixed widget settings
- Fixed embedded Youtube videos (#533)
- Fixed Gravatar retina resolution
- Fixed Gravatar mutual exclusion
- Fixed Finder thumbnails for file names containing HTML special chars
- Fixed distinguish Pagekit instances at same domain
- Fixed selecting items at site tree and widget settings
- Fixed image picker in editor now keeps class attributes
- Fixed ExceptionHandler response
- Fixed an issue which could lead to an open_basedir restriction exception
- Fixed registration verification mail
- Fixed user authenticated role assignment
- Fixed package upload zip verification
- Fixed single quote issue by using RFC4627-compliant JSON within embedded script tags (#551)
- Increased package installation speed by disabling usage of Packagist repository (Pagekit API now provides a subset of required Packagist dependencies)
- Prepared self updater for bundled versions of Pagekit
- Show login modal for unauthorized ajax requests
- Added events to DebugBar
- Added current route info to DebugBar
- Added request switcher to DebugBar
- Updated requirements
- Enforce reinstall of packages (#479)
- Allow comment posting for 'authenticated' users by default (#518)
- Fixed auto updater
- Fixed "Add" new roles (#512)
- Fixed package upload
- Cleanup package dependencies (#488)
- Fixed installation without PDO_MYSQL (#516)
- Added version cache break for JS and CSS
- Added 'storage:' file path
- Updated Vue-Resource
- Improved handling of Gravatar images
- Fixed admin panel for IE
- Fixed system messages
- Fixed editor preview handles Vuejs markup
- Fixed redirects on login and logout
- Added options in video picker
- Switched to Vuejs 1.0
- Optimized site tree
- Optimized user settings
- On widget copy, theme settings are copied too
- Fixed password edit on user view
- Added widget copy API function
- Added preliminary update notifications to dashboard
- Random string generator uses low strength now (#478)
- Installer error messages use correct locale now
- Canonical routes are absolute now
- Added Twig support
- Resource paths for themes are added by default
- Made type in module definition for extensions/themes obsolete
- Fixed date conversion to ISO8601
- Fixed feed charset and feed title escaping
- Openweathermap.org requires Api key now
- Fixed freezing browser in marketplace
- Added Https for Pagekit API (#415)
- Added site title to browser title
- Added Mysql character set compatibility (#434, #465)
- Added sections tabs in user edit view (#390)
- Site tree adds its leaf node routes first (#420)
- User authentication uses separate table
- Changed config file generation
- Removed usage of environment variables (#428)
- Removed site description
- Removed Pagekit version from generator tag
- Fixed user widget ordering
- Fixed nodes reordering
- Fixed Finder component for non Unix OS's (#448)
- Fixed HttpExceptions returning with Code 500
- Fixed internal URLs not being resolved in feeds (#466)
- Fixed theme updates (#472)
- Fixed extensions and themes view in IE
- Fixed permissions issue on site edit (#471)
- Fixed redirect to login, if failed, due to insufficient user rights
- Added additional system requirements (#410)
- Added link to gitter chat
- By default "display errors" are set to "off"
- Fixed auto login
- Fixed login widget (#423)
- Added site tree
- Added new default theme
- Added new admin panel
- Added data-reactive components with Vue.js
- Added package management using Composer
- Major codebase update
- Added pagination in Blog extension
- Added languages from Transifex
- Updated UIkit to 2.11.1
- Fixed comment status bug
- Fixed reordering menu bug
- Fixed Marketplace grid
- Fixed thumbnail grid in Storage
- Fixed several issues for shared hosters
- Added OAuth API
- Updated library dependencies
- Fixed option cache issue
- Changed requirejs scripts ordering
- Removed 'settings' from extension/theme config, use 'parameters' instead
- Removed GLOB_BRACE for Solaris compatibility
- Fixed Blog/Page url handling
- Fixed Blog extension settings
- Added Marketplace pagination
- Beautified system emails
- Added admin theme font subset latin, latin-ext
- Updated UIkit to 2.9
- Removed username in password reset
- Simple plugin regex
- Fixed Gravatar on https
- Added Finnish, French, Spanish, Russian translations
- Added pagination in user manager
- Changed mod_rewrite check
- Widgets render themselves now
- Changed comments settings in blog
- The app root no longer needs to be writable if the config already exists
- Fixed Comments ordering (blog)
- Fixed Comments auto approval (blog)
- Fixed Finder (Windows)
- Fixed demo data for SQLite versions < 3.7.11
- Fixed language registration for themes and extensions
- Fixed blank renderer in theme skeleton
- Fixed redirect after installation
- Fixed Apache configuration to serve SVG files with correct mime type
- Fixed verify mail action