Concrete CMS
concrete5 is an open-source application for managing content and building websites.
Installatron Remote is a one-click solution to install and manage all of your Concrete CMS websites. Using Installatron helps ensure Concrete CMS is kept up-to-date and secure, and Installatron features like Clone, Backup and Restore, and Backup Scheduling can save you time.
Building a website and maintaining one are two different tasks. Of course, one person can wear both hats, but the process of launching a great website is very different from running a great website over time. concrete5 lets you do both: build and run great websites.

Most other content management systems are built for one side of the equation or the other. Many CMSs were designed by developers for developers. Building and maintaining a site with them can be quite complicated and intimidating for anyone who cannot program. The end-user editing experience works, but to make even basic content changes you typically work with long web forms in the "backend". To add new functionality you need some technical know-how. Imagine having to call a consultant every time you wanted to write a new Word document. How useful is that for your business?

Conversely, there are a number of solutions aimed at the DIY market. Typically starting out as a blog, these sites get added to and added to over time until they overflow. Imagine that your document always had to have a title page, a table of contents and an index, no matter how simple you wanted it to be. Sure, it is great that you can get started quickly, but if you want to do much more than what these systems were designed for, it is like using a hammer to drive screws.

With concrete5 you get the best of both worlds. Anyone can start building their own website in seconds, and the editing experience is simple; just click on what you want to change. Developers still get a flexible and robust framework for building complex web applications. With concrete5, however, site owners can make changes and additions on their own, over time.

Features:
- Intuitive editing: our editor makes it easy to set up your site exactly the way you want. No creative limits and no coding required.
- Powerful and extensible: the real power is in how you customize concrete5. A wide selection of add-ons to extend your site and its functionality.
- Optimized and responsive for mobile viewing: your site will look good on any device. Built with modern browsers and mobile devices in mind, using the latest HTML, CSS and JavaScript techniques.
- Form building and data collection: create forms and surveys in a few simple steps without any design or code. With the form builder you can easily create and edit forms in minutes.
- Great discussions: our fully integrated commenting system supports threaded comments, and all comments have individual values.
- SEO enabled: concrete5 is optimized for search without additional code or add-ons. Improve your search ranking from the start.
Concrete CMS developer
9.3.9 - 20 January - 270MB
New Features
- Add options to get author name/email to Attribute Display block (thanks JohnTheFish)
Behavioral Improvements
- When you command-click (Mac), control-click (Windows) or middle-click your mouse button on Dashboard search tables, the links will now open in a new tab or window.
- We now rescan the pagetheme custom class when clearing the cache – this can help if you are actively developing a theme and accidentally install it before defining your theme’s custom class file.
- Multilingual stack dropdowns are now more visible and accessible (thanks mlocati)
- If you write custom code that filters a user list by a nonexistent group name, we now throw a proper exception that should point you in the right direction.
- Improve conversation captcha failure message (thanks JohnTheFish)
Bug Fixes
- Fixed error where the “Remove Orphaned Blocks” functionality did not work.
- Fixed bug where you could improperly create a topics attribute without a selected top level node, leading to errors when selecting topics in Composer or on the page.
- Avoid Undefined array key "optionID" exception in survey block in PHP8 (thanks biplobice)
- Removed broken poll/survey pie chart image from survey block view and Dashboard results pages.
- Fix memory allocation issue with thumbnail generation and Imagick (thanks ahukkanen)
Developer Updates
- Cleaned up old code in Page List block (thanks biplobice)
More details: https://documentation.concretecms.org/9-x/developers/introduction/version-history/939-release-notes
9.3.8 - 9 December 2024 - 270MB
Behavioral Improvements
- We now check whether is_featured is an event or page attribute and that it’s indexed properly before allowing you to filter the Event List or Page List blocks (thanks mlocati, ccmEnlil)
- When editing a locale-specific Stack in a multilingual website, we will now show that stack as a new segment in the breadcrumb (thanks mlocati)
Bug Fixes
- Fixed incorrect site tree being set when adding external links under a different multilingual site tree than the root (thanks mlocati)
- Fix invalid permission key to solve error on update files via REST API (thanks hissy, mlocati)
- Fixed error when importing files from the incoming directory if you have a subfolder or file with no suffix under application/files/incoming under PHP 8 (thanks mlocati)
- Fixed incorrect stack being returned when referencing stack by name but a multilingual-specific version of the stack exists (thanks mlocati, SvanteArvedson)
- Fixed: Fixed width and height for images in CkEditor doesn't work (thanks mlocati)
- Fixed: Document Library - Sorting does not work within Subfolders
- Fix exporting area layout column when area is null (thanks mlocati)
- Fixed error that could occur if you returned null when implementing your own entity manager entity location registries in your package controller (thanks JohnTheFish)
- Fixed inability to customize a board slot.
Developer Updates
- You can now specify package-specific options when installing packages in CIF XML (thanks mlocati)
- API improvements to the StackList object (thanks mlocati)
- Page::getByPath can now accept a as well as a site tree and return all pages in all multilingual site trees therein (thanks mlocati)
- Added getExternalProfileURL to the External Concrete authentication method controller (thanks mlocati)
More details: https://documentation.concretecms.org/9-x/developers/introduction/version-history/938-release-notes
9.3.7 - 13 November 2024 - 270MB
9.3.7
Bug Fixes
- Fix broken file manager under PHP8 introduced in 9.3.6 (thanks mlocati)
- Fix Undefined variable error on PHP8 on editing top navigation bar that could occur under certain circumstances (thanks hissy)
9.3.6
New Features
- Added the ability to specify a custom filename pattern for downloading files from the file manager. Available placeholders are {title}, {extension} and {filename} (thanks SashaMcr)
- Added the ability to set the default file manager column and sort order (thanks SashaMcr)
Behavioral Improvements
- CSV Export of Users now uses the “DateTime Format” for CSV options as defined in the Dashboard (thanks SashaMcr)
- Added width/height to image slider (thanks ajenkins-dev)
- Improved and refactored RSS displayer controller and view code (thanks SvanteArvedson)
- Improved performance of the Express Entry List block (thanks hissy)
- Miscellaneous performance improvements (thanks hissy)
- Fixed: Security Headers are not set when the full page is cached (thanks marcokuoni)
- Added more useful information to the Environment Information report (thanks JohnTheFish)
- Added more useful information about Block Types to the Block Types Dashboard page (thanks JohnTheFish)
Bug Fixes
- When a page is re-edited, topics in the child level of the topic attribute disappear (thanks hissy)
- Re-instate Dorset as an English County (thanks ajenkins-dev)
- Fixed: RSS displayer view function duplicates the received RSS posts (thanks SvanteArvedson)
- Fixed bug where custom styles applied to the Main area on a page would cascade into any stacks that were placed using the editor on the page.
- Fixed: Atomik documentation creation dies when not installed with full content
- Fixed: Fix: top navigation bar shows unapproved version of pages (thanks hissy)
- Fixed bug when editing an Express object with a results folder that was deleted (thanks dimger)
- Fix Accordion controller.php to allow pretty URLs in description field (thanks jbender0)
- Fix login with OAuth when there are attributes to be fulfilled (thanks mlocati)
- Fixed situation where choosing to filter a page list by a topic category didn’t work (only topics worked) (thanks hissy)
- Fixed bug where CMS UI tooltips weren’t displaying properly in non-Bedrock themes.
- Fixed: "Uploaded" header is active when I open a Choose File modal, but "Name" should be active instead (thanks hissy)
- Fixed error in private messages mailbox if a message is received from a user who has been deleted (thanks wtflm)
- Fixed: Topics Filter UI Element in Event List Block does not re-populate properly.
More details: https://documentation.concretecms.org/9-x/developers/introduction/version-history/937-release-notes
9.3.5 - 3 October 2024 - 270MB
New Features
- Added a Dashboard page for “File Chooser Options” on which you can configure the file chooser tab you want to be the default (thanks Mesuva)
- Added a new checkbox to enable “hreflang” on multilingual websites to the Multilingual Setup page (thanks leal-k)
Bug Fixes and Improvements
- Replaced some uses of “concrete5” with Concrete throughout the codebase (thanks mlocati)
- Added width and height attributes to the image block and to some image thumbnails in order to reduce layout shift on load (thanks katalysis)
- Fixed some bugs that could occur when saving topic and Express attribute types (thanks alecbiela)
- Fixed issue where Auto-Nav and Express Form blocks couldn’t be edited or previewed reliably in global areas.
- Checkbox for Exclude from Nav attributes are now translated properly (thanks leal-k)
- Fixed bug where the “Schedule” button in the composer page schedule dialog did nothing.
- Fixed bug in Top Navigation Bar block where clicking on items with sub-pages would not take you to the page.
- Fixed bug where block help dialog was not shown in Firefox (thanks alecbiela)
- Fixed: Unsetting form redirect destination throws error
- Fixed: Incorrect variable name in Youtube block
- Fix typo in DeleteGroupCommandHandler.php (thanks mlocati)
- Fixed: Cannot remove email notification from Form Block (thanks lea-k)
- Fixed: Swagger interactive API console fails to update page except for Super-admin
- Fixed bug in topic attribute export if no value was set (thanks RLHawk1)
Developer Updates
- Add Support for Javascript "module" and "importmap" types to the Asset System (thanks alecbiela)
- Improved output of the LatestMigrationTest unit test (thanks mlocati)
- Tweaks to API documentation (thanks dimger)
- List pages and view page children API methods now require canViewPage permission instead of canViewPageInSitemap.
More details: https://documentation.concretecms.org/9-x/developers/introduction/version-history/935-release-notes?pk_vid=536bdf1d64d57b7e1727973218115324
9.3.4 (security release) 11 September 2024 - 270MB
Security Updates
- Fixed CVE-2024-8291 Stored XSS in Image Editor Background Color by sanitizing output of "Save Background Image Colour" in file thumbnail dashboard single page with commit dbce253166f6b10ff3e0c09e50fd395370b8b065 for version 8 and commit 12183 for version 9. The Concrete CMS Security Team gave this a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Prior to the fix a rogue admin could add malicious code to the Thumbnails/Add Type. Thanks Alexey Solovyev for reporting HackerOne 921527.
- Fixed CVE-2024-7398 Stored XSS Vulnerability in Calendar Event Addition Feature with commit 7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5 for version 8 and commits 12183 and 12184 for version 9. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N. Prior to the fix, the calendar event name was not sanitized on output. Users or groups with permission to create event calendars could embed scripts and users or groups with permission to modify event calendars could execute scripts. Thank you Yusuke Uchida for reporting HackerOne 2400810.
- Fixed CVE-2024-8660 Stored XSS in the "Top Navigator Bar" block with commit 12128. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Prior to the fix, a rogue admin could add a malicious payload. Since "Top Navigator Bar" output was not sufficiently sanitized, the payload could be executed when targeted users visited the home page. This does not affect versions below 9 since they do not have the Top Navigation Bar Block. Thanks Chu Quoc Khanh for reporting HackerOne 2610205.
- Fixed CVE-2024-8661 Stored XSS in the "Next&Previous Nav" block with commit 12204 for version 9 and with commit ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4 for version 8. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Prior to the fix, a rogue admin could add a malicious payload. Since the "Next&Previous Nav" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users. Thanks Chu Quoc Khanh for reporting HackerOne 2610205.
New Features
- Added the ability to search pages by their cache settings in the advanced page search (thanks SashaMcr)
Behavioral Improvements
- Added Discord to Social Links (thanks RLHawk1)
- We now require the redirect URL when adding a new API integration (thanks mlocati)
- Canonical URL is now validated when saving (thanks hissy)
Bug Fixes
- Fixed some errors in the Add block dialog on the Stacks Dashboard page when running Concrete in strict mode (thanks mlocati)
- You can no longer choose Guest or Registered Users as groups to assign to users (which you shouldn’t have been able to do.)
- Fixed canonical URL sometimes not including a path to a subdirectory if the Concrete installation is in a subdirectory (thanks biplobice)
- Fixed: When selecting a topic to filter ExpressList, the previously selected topic remains (thanks hissy)
- c5:package:install CLI command: pass install options to install method (thanks mlocati)
Developer Updates
- Top Navigation Bar should work better on non-Bedrock themes (thanks RLHawk1)
- Some removals of deprecated Core::make() code from the core.
- Enhance c5:package:pack Command to Allow Flexible Output Path Without Requiring Zip File Name (thanks biplobice)
More details: https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes
9.3.3 (security release) 12 August 2024 - 270MB
Security
- Fixed CVE-2024-4350 Stored XSS in RSS Displayer with commit 12166 for version 9 and with commit c08d9671cec4e7afdabb547339c4bc0bed8eab06 for version 8. Prior to the fix a rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.0 with a vector of AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N and a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Thanks m3dium for reporting HackerOne 2479824
- Fixed CVE-2024-4353 Stored XSS in Generate Board Name Input Field commit 12151. Prior to the fix, the name input field does not check the input sufficiently letting a rogue administrator have the capability to inject malicious JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N and a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Concrete versions below 9 are not affected by this vulnerability. Thanks fhAnso for reporting HackerOne 2597394
- Fixed CVE-2024-7394 Stored XSS in getAttributeSetName() by sanitizing Board instance names on output with commit 12166 for version 9 and commit c08d9671cec4e7afdabb547339c4bc0bed8eab06 for version 8. Prior to the fix, a rogue administrator could inject malicious code. The Concrete CMS team ranked this a CVSS v3.1 rank of 2 with vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N and a CVSS v4.0 rank of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks m3dium for reporting HackerOne 2463288
- Fixed CVE-2024-7512 Stored XSS in Board instances by sanitizing instance names with commit https://github.com/concretecms/concretecms/pull/12151. Prior to the fix a rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 1.8 with vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Versions below 9 are not affected. Thanks m3dium for reporting HackerOne 2486344.
- Show a more generic error message in RSS Displayer block if curl is unable to load posts. Thanks m3dium for recommending this in HackerOne 2479824
- Concrete v.9.3.3 now enforces the Secure Flag for the CONCRETE cookie if a login request is using https by default. This is in line with industry best practice. If a site is served over http:// and the guest uses http:// to log in, the CONCRETE cookie will not have the Secure flag applied so that the site is usable. Although the patch could not be applied cleanly to version 8, the Secure Flag setting can be configured via the dashboard. Since this is a configuration setting, no CVE is being issued. Thanks Yusuke Uchida for reporting HackerOne 2399192.
New Features
- There is now an Add Page button when editing a site in mobile view (thanks hissy)
Behavioral Improvements
- Improved installation speed.
- Viewing a Dashboard user search preset and exporting will now properly export just the users in those search results (thanks SashaMcr)
- Dialogs and panels do not burst out of small screens when editing on mobile devices (thanks hissy)
- Allow using "secure" cookies automatically for HTTPS requests (thanks mlocati)
- We now display the particular user that owns the writable directories on installation when checking that those directories are writable fails (thanks mlocati)
- The Express Form block now uses the email HTML input type for email addresses, enabling better validation (thanks bikerdave)
- Changed the hardcoded "items per page" to a configurable setting in the file chooser (thanks SashaMcr)
- Fixed: Indexes for text fields removed after refreshing entities (thanks mlocati)
- Improved suggested nginx rule for enabling pretty URLs (thanks mlocati)
- Switch name of Concrete Monolog Cascade package (thanks bikerdave)
- Better output sanitization in Top Navigation Bar block (thanks hissy)
- Added additional explanation to the version scheduling interface (thanks KnollElias)
Bug Fixes
- Fix: mobile editing menu hadn’t worked in version 9 (thanks hissy)
- Fixing error: The remote updater throws: "The directory %s already exists. Perhaps this item has already been installed." when attempting to run the remote updater.
- Updated verbiage on old featured theme and featured add-on Dashboard notification blocks, in case they’re installed on some older upgraded sites.
- Fixed error on some sites when accidentally including a malformed package in the packages/ directory (thanks mlocati)
- Fixed: Custom topic of page list block doesn't get saved (thanks hissy)
- Fixed: Calendar Events with Versions created by Deleted Users Cannot be Edited
- Fix type of "length" ORM annotation in SearchResult Health entity (thanks mlocati)
- Fixed possible errors when using the Switch Language block to switch languages (thanks biplobice)
- Fixed errors attempting to link over to the marketplace when the Concrete site in question does not have a public and private marketplace key (thanks pszostok)
- Fixed: Share this Page “Print” option does not work.
- Removed ID from X sharing service icon, because adding it to the page multiple times could cause W3C validation to complain (thanks quentinnorbert0)
- Fixed error where third party library zircote/swagger-php could block installation of Concrete in Composer installations.
- Fixed error related to lingering version block entries in the database persisting after they should be deleted under very specific circumstances (thanks bleenders)
- Fixed: Error thrown when trying to save user attribute under very specific circumstances (thanks mnakalay)
- Fixed: Foreign key constraint violation when deleting users associated with Board InstanceSlotRules
Developer Updates
- Translation library parsers can now be customized and extended (thanks mlocati)
More details: https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes
9.3.2 - 10 June 2024 - 270MB
Bug Fixes
- Fixed errors where copying a package after downloading it from the marketplace would throw an error under certain conditions.
- Moving a stack from Orphan Blocks into the page 500 (thanks JohnTheFish)
- Fixed: Stacks, Containers and Scrapbook blocks makes longer block cache than block cache setting (thanks hissy)
- Fixed bug where boolean page attributes that are checked by default show up as checked even if they have previously been saved unchecked (thanks hissy)
- Fixed error when using workflow under certain conditions in PHP 8+ (thanks pszostok)
- Fixed: If you use advanced log configuration to set your own logger for Channels::META_CHANNEL_ALL, this logger gets applied to all core channels. Therefore you cannot set this at the same time as customising a specific core channel (thanks bikerdave)
Developer Updates
- Updated scssphp/scssphp to a newer version, tweaking some output of the theme customizer (thanks mlocati)
More details: https://documentation.concretecms.org/9-x/developers/introduction/version-history/932-release-notes
9.3.1 (major release) 20 May 2024 - 270MB
9.3.1
Behavioral Improvements
- 9.3.0 automatically checked and configured a canonical URL on installation, in order to improve marketplace connection reliability. This is not actually necessary, as initial marketplace connections do not require a canonical URL to function, so this behavior has been reverted to pre-9.3.0.
- When encountering a problem downloading a package, we now report the error in a nicer presentation.
- If the saving of remote data in a Concrete Site data object in the marketplace fails, it will fail silently and log the error, instead of outputting it.
Bug Fixes
- Fixed error when visiting the Dashboard Extend package under PHP 7.
- Fixed some minor marketplace connection errors when not running in UTC.
- Fixed bug where package showed up as ready to download from the marketplace even when it was already installed
9.3.0
New Features
- Support for the brand-new marketplace found at market.concretecms.com, featuring auto-connect, free trials on Concrete SAAS, Composer support for packages, a modern website and much more.
- Added support for webp images as the default thumbnail type when Concrete auto-generates thumbnails (thanks parasek)
- Added lazy loading as an option for the Image block (thanks parasek)
- Added an option to keep file manager folders at the top of the list of contents (instead of intermingled with files) (thanks hissy)
- When deleting user groups, users are now presented with an option as to what to do with child groups. (thanks mlocati)
- Make thumbnails generated by Image Helper SEO-friendly (thanks parasek)
- Atomik is now built on Bedrock 1.5 (Bootstrap 5.3)
- Dashboard theme is now built on Bedrock 1.5 (Bootstrap 5.3)
Backward Compatibility Notes
- There has been some refactoring to the core class loaders and autoloaders. If you work with the autoloader directly or have extended the built-in Symfony autoloader classes, verify your changes work properly.
- The core themes now rely on Bootstrap 5.3 (Bedrock 1.5).
Behavioral Improvements
- Added a config value to toggle default behavior of "Keep Live Version Approved"-Toggle-Button (thanks marcokuoni)
- Added a confirm dialog box when cancelling out of the in-page rich text editor (thanks Mesuva)
- If users are prompted to save the username and password on install, the proper credentials will be saved for the admin user (thanks mlocati)
- Add attribute key handle next to attribute key name in the page type composer form add dialog (thanks parasek)
- Allow for setting/altering the User Logged by the Logging Service (Thanks haeflimi)
- File manager detail page now reloads when the file is swapped (thanks mlocati)
Bug Fixes
- Fixed: CKEditor Maximize plugin breaks editing when used in a dialog (thanks mlocati)
- Bug fixes and improvements to Boards (thanks marcokuoni)
- Fixed blank screen that showed when adding blocks to the composer page type form on first load (thanks parasek)
- Fixed bug where custom styles applied to a global area didn’t work.
- Fixed: When a page is re-edited, topics in the child level of the topic attribute disappear (thanks hissy)
Developer Updates
- Significant improvements to the core autoloaders (thanks mlocati)
- The Dashboard and CMS are now using Bedrock 1.5 (built from Bootstrap 5.3) as their basis. This should be minimally invasive, but if some third party packages are not displaying properly, please verify that their markup conforms to Bootstrap 5.3.
- Removing trailing / from HTML header elements (thanks marcokuoni)
- Developers can now specify CLI shortcuts for fields added to their tasks, when they’re run via the CLI (thanks KnollElias)
9.2.9
Behavioral Improvements
- Added notifications into the interface about the new marketplace coming in Concrete CMS 9.3.0.
- Changed the field type for API integration redirect URIs from string to text, enabling better support for multiple redirect URIs.
- Broken Express objects will no longer attempt to be indexed, leading to errors on upgrade (thanks hissy)
- Removed the arbitrary 256MB upload limit when using the drag and drop file uploader. Increased to 4GB. (Note: limits based on PHP configuration are still in place – if your site is configured to have a lower limit than this for uploading this will not increase it.)
- Removed “concrete5” from the system help messages.
Bug Fixes
- Fixed bug where Add Pages/Navigate Sitemap icon was displayed in the Dashboard to users who didn’t have permission to actually do either of those operations.
- Fixed: QueuedReindexPageCommand failed when express entry detail block exists (thanks hissy)
- Fixed: Page List Custom Topics Category Filtering Not Working after 9.2.2 (thanks hissy)
- Fixed: Page Type Display Pages Beneath Page setting doesn't work (thanks hissy)
- Fixed: getPageIndexScore (unused in stock Concrete but perhaps used in certain configurations) would cause an error under PHP 8 if the score was undefined (thanks JohnTheFish)
- Fixed inability to add custom CSS classes with colons in them, which certain CSS frameworks like Tailwind require.
- Fixed: When multisite is enabled, the Form submission action gets executed on an incorrect page (thanks BSalaeddin)
- Fixed PHP 8 error for undefined $siteTypeID under certain conditions.
- Fixed error when using the calendar block in lightbox mode with a theme that didn’t include lightbox support (thanks hissy)
- Fixed: Date Time Widget is no longer translated.
- Fixed bug where users may not be prompted to validate their email address when user validation is required (thanks donaier)
- Fixed deprecation error "Decrement on bool" in page statistics (thanks mlocati)
- Minor fixes for PHP 8 compatibility (thanks shahroq)
- Removed obsolete line from search block controller save method (thanks shahroq)
- Fixed typo in ConfigServiceProvider (thanks biplobice)
Developer Updates
- SEOCanonical Class Add getIncludedQuerystringParameters (thanks ccmEnlil)
More details: https://documentation.concretecms.org/9-x/developers/introduction/version-history/931-release-notes
9.2.8 (security release) 3 April 2024 - 270MB
Security
- Created CVE-2024-2753 Stored XSS on the calendar color settings screen and fixed it with commit 11988. Prior to the fix, a rogue administrator could put malicious javascript on the Concrete CMS color setting screen which would have been triggered by and affected users who accessed the color settings screen. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.0 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. Thank you Rikuto Tauchi for reporting HackerOne 2433383.
- Created CVE-2024-3178 Cross-site Scripting (XSS) - Advanced File Search Filter and fixed it with commit 11988 for version 9 and commit 11989 for version 8. Prior to the fix, a rogue administrator could add malicious code in the file manager because of insufficient validation of administrator provided data. All administrators have access to the File Manager and hence could create a search filter with the malicious code attached. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Guram (javakhishvili) for reporting HackerOne 949443
- Created CVE-2024-3179 Stored XSS in the Custom Class page editing and fixed it with commit 11988 for version 9 and commit 11989 for version 8. Prior to the fix, a rogue administrator could insert malicious code in the custom class field due to insufficient validation of administrator provided data. Concrete CMS version 9.2.8 and 8.5.13 no longer allow any non alphanumeric characters in this CSS class. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Alexey Solovyev for reporting HackerOne 918129.
- Created and fixed CVE-2024-3180 (https://nvd.nist.gov/vuln/detail/CVE-2024-3180). Prior to fix, stored XSS could be executed by a rogue administrator adding malicious code to the link-text field when creating a block of type file. Fixed with commit 11988 for version 9 and commit 11989 for version 8. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L. Thank you Alexey Solovyev for reporting HackerOne 903356.
- Created CVE-2024-3181 Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. The Concrete Team fixed this with commit 11988 for version 9 and commit 11989 for version 8. Thank you Alexey Solovyev for reporting HackerOne 918142
Bug Fixes
- Fixed bug where c5:info console command would fail when run on a Concrete webroot if that webroot was not yet an installed Concrete site.
- Fixed bug where logout link in toolbar would not work when user was logged in as an editor who could not view the Dashboard (thanks ounziw)
More details: https://documentation.concretecms.org/9-x/developers/introduction/version-history/928-release-notes
9.2.7 (security release) 7 March 2024 - 270MB
Security
- Fixed CVE-2024-2179 Stored XSS in the Name field of a Group type with commit 11965. A rogue administrator could inject malicious code into the Name field of a Group type which might be executed when users visit the affected page because of insufficient validation of administrator provided data. The Concrete CMS Security team scored this 2.2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N. Concrete versions below 9 do not include group types so they are not affected by this vulnerability. Thanks Luca Fuda for reporting HackerOne 2383192.
Behavioral Improvements
- Improved display of certain UI elements when Concrete was used with non-Bedrock/Bootstrap themes.
- Back to Website button in Dashboard now uses the vanity URL instead of the cID URL (Thanks JohnTheFish)
- Add db charset and collation to environment report (thanks JohnTheFish)
Bug Fixes
- Fixed: Time selector in the calendar event dialog not showing all times.
- Fixed: Undefined array key "value" in /concrete/attributes/date_time/controller.php under PHP 8.
- Fixed: Undefined array key 0 in /concrete/blocks/calendar_event/controller.php:224 under PHP 8.
- Fix pagination not working in clipboard side panel (thanks quentinnorbert0)
- Fix double encoding when displaying page template name (thanks quentinnorbert0)
- Fixed inability to clear date/time attributes using the built-in HTML datepicker clear link.
- Fixed bug when attempting to do an advanced search by time in the Logs (thanks Quentin-Gach)
- Fixed error where including an ampersand in your site name would cause it to be displayed as &amp; in your site browser title.
- Fixed: Undefined property: Concrete\Block\Survey\Controller::$cID in /concrete/blocks/survey/controller.php:206 under PHP 8.
- Fixed: Undefined variable $fID in /concrete/single_pages/download_file.php:23 under certain conditions in PHP 8.
- Fixed error when attempting to log values that were non-scalar (thanks JohnTheFish)
Read more: https://documentation.concretecms.org/9-x/developers/introduction/version-history/927-release-notes
9.2.6 (security release) 15 February 2024 - 270MB
Security
- Fixed CVE-2024-1245 Stored XSS in file tags and description attribute with commit 11927. Administrator-entered file attributes are not sufficiently sanitized in the Edit Attributes page in version 9 before 9.2.5. A rogue administrator could put malicious code into the file tags or description attribute and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N. This does not affect Concrete versions below 9. Thanks Poto Gabor for reporting HackerOne 2309264.
- Fixed CVE-2024-1246 Reflected XSS in Image URL Import Feature with commit 11927. There is insufficient validation of administrator-provided data in version 9 before 9.2.5. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the website user’s browser. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. This does not affect Concrete versions prior to version 9. Thanks cupc4k3 for reporting HackerOne 2337524.
- Fixed CVE-2024-1247 Stored XSS in “Role Name” field with commit 11927. There is insufficient validation of administrator-provided data in version 9 before 9.2.5. A rogue administrator could inject malicious code into the "Role Name" field which might be executed when users visit the affected page. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Concrete versions below 9 do not include group types so they are not affected by this vulnerability. Thanks cupc4k3 for reporting HackerOne 2337519.
Backward Compatibility Notes
- If you have implemented your own bulk editing interface using the Attribute\Key\Component\KeySelector\ControllerTrait class, you’ll need to modify your canEditAttributeKey method to include the object as its second parameter. See concrete/controllers/dialog/page/bulk/properties.php for an example. (This is not common.)
9.2.6
Bug Fixes and Changes
- Removed some extraneous and unnecessary files from the ckeditor js/ directory.
- Fixed “CKEditor is not secure” notice when loading CKEditor.
- Fixed 400 (Bad Request) on download image from detail popup.
9.2.5
Highlights
- Added an “Ignore Permissions” field to the Top Navigation Bar block (thanks SashaMcr)
Bug Fixes and Changes
- We now show Doctrine development mode in our environment information reports (thanks JohnTheFish)
- If your Concrete installation is configured to use less than the recommended amount of RAM, console commands will now warn you that they might behave erratically.
- Removing a block control from the Composer form will now remove all the output controls in page defaults.
- Stylesheets output by the style customizer now append the ccm_nocache value, ensuring that clearing the site’s cache and other upgrade operations will properly force CSS files to be refreshed (thanks danklassen)
- Improve the display of the Express Forms Dashboard page (thanks shahroq)
- Removed direct reference to $_REQUEST parameter in the search block view template (thanks shahroq)
- File folder ID is now present in the response for all file REST API operations.
- File identifier is now available on the File Manager Details page, along with a note specifying this must be used for API calls.
- Fixed redirect to home page that happened when attempting to edit page type defaults.
- Fixed error when attempting to edit a Composer output control block that had been divorced from a page type and page template (thanks JohnTheFish)
- Fixed error complaining about undefined chooseCalendar field when installing Atomik theme documentation.
- Fixed bug where viewing a saved search of an Express object and then exporting the CSV would export all values, not just those included in the saved search.
- Fixed: When performing a full content swap, there were some occasions where not all frontend pages were removed (thanks mlocati).
- Fixed bug where Twitter/X social icon was not displaying properly in Safari/iOS.
- Fixed issue where Atomik skins were not using the proper colors defined by the customizer and were instead using Bootstrap defaults.
- Reverting update that changed the name of an Express object if it was re-named in the frontend Express form block, as it had unintended consequences.
- Fixed "Access denied" error when trying to add an attribute from the properties menu in the page search dashboard as a non-super-admin.
- Fixed: Express DateTime attribute can save with incorrect timezone when user timezone is set.
- Fix: uninstalling package task failed when process or scheduling still exists (thanks hissy)
- Fixed error where editing advanced block settings multiple times in a row without reloading the browser would result in an error.
- Fixed: Default summary template could throw errors if page descriptions were undefined in PHP 8.
- Fixed bug where summary templates for calendar events might not be properly populated on the first event creation.
- Fixed bug where setting a custom skin on a page version would be reset to the default skin when the next version of the page was created.
- Fixed error where Tags block was never refreshed when adding a new property to it in a previous version.
- Fixed: Unable to uncheck "Ignore page permissions" option on save Page List (thanks SashaMcr)
- Fixed: Unable to uncheck "enable pagination" option on save express entry list block (thanks shahroq)
- Fixed "Undefined array key 0" when viewing page with empty Attribute with Topic Tree (thanks shahroq)
- Fixed bug that rendered the upload file REST API endpoint broken.
- Fixed Cannot install concrete 9.2.4 with composer and php8.2
Developer Updates
- CKEditor updated to 4.22.1.
- Bedrock updated to 1.4.14.
- formatSize() now supports sizes beyond gigabytes (thanks mlocati)
- Added an auto-populated SCSS variable named concrete-theme-path that will contain the relative path to the current Concrete theme, allowing developers to reliably use background images in SCSS files with the customizer while still supporting themes that may shift locations or be installed in subdirectories of websites. See https://forums.concretecms.org/t/theme-development-compiling-sass-files-including-paths/6292/4 for implementation details.
- Add parentID as an optional parameter to Node::getByName (thanks krebbi)
Read more: https://documentation.concretecms.org/9-x/developers/introduction/version-history/926-release-notes
9.2.4 11 December 2023 - 250MB
Behavioral Improvements
- New X social icon now defaults to a more reasonable size if used in a theme that doesn’t specify how large it should be.
- New X social icon now inherits the color of its parent links.
Bug Fixes
- Fixed bug where certain required attributes were not added to the page search index attributes table, leading to errors under certain conditions (when choosing “Desktop” as login destination)
- Fixed error where swapping an image used in image block for another type of file causes an exception.
- Fixed error where the updater could fail under PHP 8 under certain specific circumstances (thanks mlocati)
- Bug fix: Can't delete a user who has associated AnnouncementUserView entities (thanks bikerdave)
- Fixed weird errors with bulk file set assign where the wrong sets would be assigned, and certain operations wouldn’t work properly without clicking the checkboxes beforehand.
Read more: https://documentation.concretecms.org/developers/introduction/version-history/924-release-notes
9.2.3 (security release) 6 December 2023 - 250MB
9.2.3
Behavioral Improvements
- Renamed Twitter to “X” in the social networking and social sharing services.
- Health: add a link from reports to the "Start a New Report" page (thanks mlocati)
- Logs with long paths in their messages no longer display beneath the Dashboard panel in the Logs report.
- Packages are now alphabetically sorted in the Dashboard listing interface (thanks JohnTheFish)
- Add the package name and version to the package install success message (thanks JohnTheFish)
- Translate package name in update message (thanks JohnTheFish)
Bug Fixes
- Fixed error when saving a layout preset under PHP 8.
- Fixed importing IP access log channels (thanks mlocati)
- Fixed issue when importing trees and tree nodes when used with custom classes in packages.
- Fixed: we export three custom styles for blocks and areas that we don’t import (thanks mlocati)
- Fixed bug where if a file folder was added as a favorited and then deleted in the file manager the user would receive errors when using the file chooser.
- Fixed weird behavior when using the content exporter to export pages with scrapbook pasted blocks in them (thanks mlocati)
- Fixed importing RSS displayer blocks under certain conditions from CIF XML (thanks mlocati)
- Bug fixes to CIF XML files (thanks mlocati)
- Fixed: Topic List block: Add missing titleFormat to exported CIF (thanks mlocati)
- Bug fixes to importing tree node types (thanks mlocati)
- Bug fixes to importing site type skeletons (thanks mlocati)
- Fix bug in c5:translate --fill (thanks mlocati)
- Bug fixes to editing page types under PHP 8 in certain conditions (thanks mlocati)
Developer Notes
- The X social networking service icon is provided as an SVG - meaning that your theme may need to be updated to properly style SVGs as well as font icons when displaying “Share this Page” or “Social Networking” service icons.
- Cleanup of CIF XML files (thanks mlocati)
- Improvements to the Xml service class (thanks mlocati)
- We now accept boolean-like values when importing booleans from CIF XML files (thanks mlocati)
Security
- Fixed CVE-2023-44762 Reflected XSS in Tags with commit 11764. This vulnerability affects only Concrete versions 9.2 through 9.2.2, since the file this touches is in Bedrock, using a custom library the project wrote for version 9.2.0.
- Fixed CVE-2023-44764 Stored XSS in Concrete Site Installation in Name parameter with commit 11764.
- Fixed CVE-2023-48652 Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit with commit 11764. An attacker can force an admin user to delete server report logs on a web application to which they are currently authenticated. The Concrete CMS Security team scored this 6.3 with CVSS v3 vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. This does not affect versions below 9. Thanks Veshraj Ghimire for reporting.
- Fixed CVE-2023-48651 by updating Update Dialog endpoints to only accept POST requests with tokens included, with commit 11764. Prior to the fix, a Cross Site Request Forgery (CSRF) vulnerability allowing file deletion was present at /ccm/system/dialogs/file/delete/1/submit. The Concrete CMS Security team scored this 4.3 with CVSS v3 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L. This does not affect versions below 9. Thanks Veshraj Ghimire for reporting.
- Fixed CVE-2023-48653 Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit by updating Dialog endpoints to only accept POST requests with tokens included, with commit 11764 for 9.2.3. Prior to the fix, an attacker could force an admin to delete events on the site because the event ID is numeric and sequential. The Concrete CMS Security team scored this 4.3 with CVSS v3 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. Thanks Veshraj Ghimire for reporting.
- Fixed CVE-2023-48650 Stored XSS in Layout Preset Name with commit 11764 in 9.2.3 and commit 11765 in 8.5.14. The Concrete CMS Security team scored this 3.5 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. Thanks Solar Security CMS Research, with d0bby, wezery0, silvereniqma in collaboration for reporting!
- Fixed CVE-2023-49337 Stored XSS on Admin Dashboard via /dashboard/system/basics/name with commit 07b4337. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks Ramshath MM for reporting H1 2232594. This vulnerability is not present in Concrete 8.5 and below.
9.2.2
New Features
- Added a Switch Language option to the Top Navigation Bar, allowing the navigation bar to present a list of site languages and facilitate switching between them for the given page (thanks hissy)
Behavioral Improvements
- Express Detail block now has support for getSearchableContent: pages that contain this block will have that block’s content properly added to the search index.
- We now display the minimum and maximum username length when adding users in the Dashboard (thanks ounziw)
- Prevent loading full tree views when not needed, improving performance with large topic trees in topic attributes, large file manager trees on Dashboard user and file manager pages.
- Add package name and version to the message displayed after a package update (thanks JohnTheFish)
- Improvements to clarity in field layout when resetting a user’s password from the Dashboard (thanks iampedropiedade)
- Page List block outputs canonical path only when ccm_paging_p is 2 or greater (thanks ccmEnlil)
- Site-wide attributes will now be grouped by set if sets have been enabled for site attributes (thanks parasek)
- Added links to the images in the Atomik blog summary templates.
- Updating some automatically created directories to use the proper directory permissions (thanks mlocati)
- Clicking the labels of the checkboxes in the Rich Text Editor Settings Dashboard page will now check the appropriate checkbox (thanks mlocati)
Bug Fixes
- Fixed bug where page attributes were added to the attribute index immediately upon saving, even if the version they were joined to had not yet been approved.
- Fixed bug where announcements might not have been displayed to certain users who should see them.
- Fixed bug when using advanced permissions in file manager with File Uploader access entity under certain conditions.
- Fixed bug in the Atomik theme where a board would error if certain properties on a page were not set.
- Fixed bug in advanced permissions that made it impossible to select a custom date/time range for a permission access entity.
- Fixed: Page with gallery block breaks if an image is deleted from the File Manager.
- jQuery UI is no longer required to use the core date/datetime attribute (thanks hamzaouibacha)
- Fixed: Help block for related topics on page list form is incorrect (thanks ccmEnlil)
- Fixed: Can't delete a user who is favoriting a folder in the file manager (thanks mlocati)
- Fixed error where Page not found after updating URL slug of a page in composer.
- Improved compatibility with PHP 8.2 and greater.
- Fixed: ResponseAssetGroup::requireAsset required "core/rating" but "core/rating" is not a valid asset group handle
- Fixed: Feature Link block: Undefined variable $buttonColor error on PHP8
- Removed directory selector from File manager add file dialog because it could slow things down significantly.
- Fixed bug where certain marketplace files would be marked as incompatible with the current version when they were not actually incompatible under PHP versions lower than 8.
- Fixed Undefined variable $calendarID when working with calendar boards configuration under PHP 8.
- Fixed bug where Multi-site default site attributes at the Site Type level were not working.
- Fixed: --env command option is ignored on v9 (thanks jscott-rawnet)
- Fixed issue where users who were granted the ability to edit page type drafts were not actually able to publish those drafts.
- Link settings in an image block will now export properly when using the Migration Tool (thanks hissy)
- Fixed issue where if you’re filtering by a topic using custom code, similarly named topics would return objects assigned to both topics (thanks pszostok)
- Fix error when an invalid file is passed into the download file single page (thanks JohnTheFish)
- Fixed bug where nested groups would show HTML for their breadcrumbs when viewed in the user group search in the user advanced search.
- Fixed some instances where the CollectionSearchIndexAttributes table might be updated based on the latest version instead of the approved version (thanks biplobice)
- Fixed concrete/attributes/email/controller.php:33 Undefined array key "value" (thanks mlocati)
- Fixed: PHP 8 deprecation warnings on login page (thanks mlocati)
- Remove HTML from user_group attribute form.
- Prevents PHP8 undefined key exception in Snippet::getByHandle() (thanks bikerdave)
- "Invalid or Empty Node passed to getItem constructor." error on adding express form in certain languages (thanks hissy)
- Bug fixes to the download file page under PHP8 (thanks JohnTheFish)
- Fix error when logging in as another user with multisite enabled under PHP8.
- Fixed Undefined variable $user on /login/session_invalidated under PHP 8 (thanks hissy)
- Fixed bug where certain users may not have been able to dismiss announcements.
- Fixed issue where "Subpage Permissions" setting is ignored when draft pages are inherited from defaults (thanks hissy)
- Add missing t() in "Edit Page List" block view so it can be translated (thanks mlocati)
- Fixed bug when trying to use Calendar summary templates to select a specific sub-set of summary templates as available for a particular event.
- Fixed errors when accessing Express attribute keys programmatically if they had the phrase “get” at any point in them.
- Load fresh version object instead of cached one when running update (thanks pszostok)
- Fixed: Express Form Block's Form Name doesn't get changed after first setting (thanks hamzaouibacha)
- Sanitize the output of the Accordion block title field (thanks ismeashim)
- We now properly sanitize the output of files uploaded through Express Forms.
- Updated to Guzzle 7.8, remediating INSERT ISSUE HERE!!!
- Updated League OAuth2 Server dependency to 8.4.2 to fix security issue.
- Better sanitization of Plural handles in Express objects.
- Better sanitizing of Custom labels in Express objects.
Developer Improvements
- Added new capabilities for custom theme documentation pages (pages that use site page types and page templates for support elements, but still live in the documentation pages area.)
- Made ReindexPageCommand fully synchronous, and added a new QueueReindexPageCommand that is asynchronous for use when developers want to queue a page for reindexing asynchronously.
- Added new console command concrete:theme:activate and concrete:theme:activate-skin.
- Added the ability to affect the new page’s display order and page path when using the on_page_duplicate event.
- Enhance DeleteGroupCommand to customize its handling of sub-groups (thanks mlocati)
- Developers can now override the PageItem and Navigation classes within the Top Navigation Bar using custom code if they choose to do so (thanks danklassen)
Security
- Updated the Guzzle HTTP library to 7.8 to ensure Concrete CMS is not vulnerable to Guzzle CVE-2023-29197. Thank you Danilo Costa for reporting H1 2132287.
- Fixed: directories could be created with insecure permissions because file creation functions gave universal access (0777) to created folders by default. Excessive permissions could be granted when creating a directory with permissions greater than 0755 or when the permissions argument was not specified. The Concrete CMS Security team scored this 6.6 with CVSS v3 vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H. Thanks tahabiyikli-vortex for reporting H1 2122245. Thanks mlocati for providing the fix. Fixed in commit 11677.
- Fixed stored XSS on the Concrete Admin page by sanitizing uploaded file names. The Concrete CMS Security team scored this 3.5 with CVSS v3 vector AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N. Thanks @akbar_jafarli for reporting H1 2149479. Fixed in commit 11695.
- Fixed CVE-2023-44761 Admin can add XSS via Data Objects with this commit
- Fixed CVE-2023-44765 Stored XSS Associations (via data objects) with commit 11746
Read more: https://documentation.concretecms.org/developers/introduction/version-history/923-release-notes
9.2.1 (major version) (security release) 13 July 2023 - 250MB
9.2.1
Highlights
- Added a thumbnail property to the Feature and Feature Link block types (thanks katalysis)
- File manager image editor now supports full screen mode (thanks mlocati)
Improvements
- Reinstated the ability to attach accounts to external authentication providers on the My Account page.
- Use User->isRegistered() instead of User->isLoggedIn() throughout Concrete (Thanks mlocati)
- Top Navigation Bar now honors replace_link_with_first_in_nav custom attribute (thanks danklassen)
- Top Navigation Bar block can now use the site name for branding text if no custom branding text is defined in the block.
- Dashboard image editor is now larger (thanks mlocati)
- Minor display improvements
- First weekday in calendar is now defined by the locale instead of being hard-coded to Sunday (thanks mlocati)
- Page Selector and User Selector attributes now work better when used with Express label entry display masks/labels.
- Image editor in Dashboard now reloads an image detail page when an asset is edited (thanks mlocati)
- Display more details when explaining why a package cannot be installed due to problems in the package controller (thanks mlocati)
- Dashboard File Details page now reloads when versions are changed (thanks mlocati)
- Improved appearance of Express Entry Details block.
- Added optional alphabetical sort to block type sets using a configuration option (see here: https://github.com/concretecms/concretecms/pull/11292) (thanks mnakalay)
- Dates displayed in Site Health reports are now properly localized (thanks mlocati)
- Logs Dashboard page now reloads when logs are cleared (thanks mlocati)
- Content replacement should be slightly faster when dealing with large amounts of block records.
Bug Fixes
- Many additional stricter code fixes under PHP 8.2 (thanks mlocati)
- Fixed: Express form with file upload attributes results in multiple copies of a file in the file manager.
- Fixed inability to do Board instance editing of individual slots.
- Fixed inability to view site health reports under certain conditions.
- Fixed bug where selecting “Force file to download” in a block would result in being unable to un-check and save the setting at a later point (thanks mlocati)
- Fixed bug where conversations were not getting a unique ID when being created, leading to duplicate conversations when being added.
- Fixed some misnamed migrations (thanks mlocati)
- Bug fixes to redirect response in GenericOauthTypeController (thanks mlocati)
- We now properly pass the type object to the authentication type controllers upon instantiation (thanks mlocati)
- Fixed errors importing files in the incoming directory (thanks JeRoNZ)
- OAuth service provider: avoid deprecated methods, display errors properly (thanks mlocati)
- Fixed bug where adding an attribute to a page via the attributes panel would clear out select attribute options set against that page if they existed.
- Fixed: Using the feature block, if the icon is not selected, an exception occurs with PHP 8.x due to an undefined array index (thanks JeRoNZ)
- Fixed: Can't bulk edit attributes on page search v9.2 (thanks mlocati)
- Fix View pages using a specific block type (thanks mlocati)
- Fixed Social links stacking instead of displaying inline (thanks nikkiklassen)
- Fixed: Health Check - "Consider enabling logging on tasks." incorrect link
- Fixed: If a page doesn't have the tags attribute attached to it but has a Tags Block you will get this error when accessing that page (thanks mlocati)
- Fixed some errors when detaching OAuth2 accounts (thanks mlocati)
- We now properly pass the item object to user interface menu controllers (thanks mlocati)
- Multilingual - Exception when try to reload strings (thanks mlocati)
- Fixed: Attempt to read property "pTemplateID" results in null under some very rare circumstances.
- PHP 8 Fix: Fix warnings when viewing /dashboard/reports/logs (thanks mlocati)
- Fixed error when searching Logs by their severity level in the Dashboard (thanks lemonbrain-mk)
- Fixed bug where Express object added to the API was unavailable in the API if it had been added via the in-page form builder.
- Fix Undefined property error on PHP 8 in WorkflowAccess class (thanks hissy)
- Fixed error when attempting to use the Closure password validator (thanks gregheafield)
- Fix Undefined array key "scheme" in redis drivers (thanks mlocati)
- Fixed inability to revert page to draft (thanks JeRonZ).
- Fixed Feature and Feature Link block types not exporting their files or importing them properly when used with the Migration Tool.
- Fixed: Pages with theme defined preset layouts crash when editing if the theme is changed (thanks JeRoNZ)
- Fix accessing undefined array index in dialog/block/design.php under certain conditions (thanks mlocati)
- Fix ckeditor language path & remove declaration variable $useLanguage (thanks hamzaouibacha)
- Fixed error when using sitemap selector that nodes in the unexpanded areas would not be selected when those areas were expanded (thanks deanL-zuiderlicht)
- Declare width, height and size in ccmi18n_filemanager object is used in ConcreteFileChooser component so it’s properly localized (thanks hamzaouibacha)
- Currently active geolocation library is now properly highlighted. (thanks mlocati)
- When given a list of topic node ID's such as tid:54,tid:56, the method updateAttributeValueFromTextRepresentation() only imports the last ID in the list when importing content (thanks JohnTheFish)
Developer Improvements
- Fixed: The email validation with the EmailValidator class gets passed even if it contains emojis (thanks biplobice)
- Developers can now define the minimum PHP version required for a Concrete package with the getPhpVersionRequired in their package controllers (thanks mlocati)
- Developers can now specify if certain block content fields ought to be run through the content importer replaceContent method, by including them in the $btExportContentColumns protected array in their block controller.
- Fix support for C5_ENVIRONMENT_ONLY env variable (thanks mlocati)
- Move the on_user_logout event at the end of the logout (thanks mlocati)
- Upgrade primal/color third party color parsing library for better PHP 8 compatibility (thanks mlocati)
- Add on_before_user_logout, enable customization of post-logout URL (thanks mlocati)
- icon-bar class now included in the Navigation fallback asset so themes that use the Top Navigation Bar block will support it when using fallback assets.
- Add ability to column at a specific position (thanks biplobice)
- Added new MemoryOutput class for tasks for diagnostic purposes (thanks mlocati)
9.2.0
Security Fixes
- Fixed CVE-2023-28477 Stored XSS on API Integrations via name parameter. Prior to the fix, while adding API Integrations on Concrete CMS, the name parameter accepted special characters, enabling malicious JavaScript payloads impacting /dashboard/system/api/integrations and /dashboard/system/api/integrations/view_client/unique-id. Concrete CMS Security team CVSS scored this 5.5 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N. Thanks Veshraj Ghimire for reporting H1 1753684 and providing the fix. Fixed in commit
- Fixed CVE-2023-28476 Stored XSS on Tags. Prior to the fix, there was no sanitization when adding tags on uploaded files. Concrete CMS Security team scored this 4.5 with CVSS v3.1 AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N. Thanks Veshraj Ghimire and Ashim Chapagain for reporting H1 1767949 and providing the fix. Fixed in commit
- Fixed: CVE-2023-28475 Reflected XSS on the Reply form by ensuring msgID is sanitized. Concrete CMS Security team scored this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. Thanks Bogdan Tiron from Fortbridge for reporting H1 1772092. Fixed in commit #11279
- Fixed CVE-2023-28474 Stored XSS on Saved Preset. Prior to the fix, there was no sanitization when saving presets on search. Concrete CMS Security team scored this 3.5 with CVSS v3.1 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. Thanks Veshraj Ghimire for reporting H1 1768494. Fixed in commit
- Fixed CVE-2023-28472 Secure and HttpOnly attributes are now set for ccmPoll cookies. Concrete CMS Security team scored this 3.4 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N. Fixed in commit #11000
- Fixed CVE-2023-28473 possible Auth bypass in the jobs section. Concrete CMS Security team scored this 2.2 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N. Thanks Adrian Tiron from Fortbridge for reporting H1 1772230. Fixed in commit #11118
- Fixed moment.js CVE-2022-24785. Concrete now pulls in updated versions of moment.js. Concrete CMS Security team scored this 2.2 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L. Thanks Fortbridge for reporting. Fixed in commit 11085
- Fixed: CVE-2023-28471 XSS on container name. Prior to the fix, there was no sanitization on the container name, resulting in stored XSS. Concrete CMS Security team scored this 2.0 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. Thanks Ashim Chapagain for reporting H1 1866111 and providing Concrete CMS Pull request #11209
Backward Compatibility Notes
- The user autocomplete quickSelect method now defaults to showing user avatars and including usernames and email addresses (if the site is configured to use usernames). This is likely desired for an administrative component but if you’re using quickSelect on the frontend you may wish to restrict this behavior. Consider modifying your usage of quickSelect to use the AUTO_MINIMUM constant and enable/disable user avatars as you like.
- Bootstrap Select has been deprecated. It is still shipping with Bedrock but will be removed in a subsequent version update. Update your code to use new Concrete select components instead.
- The encryption service (unused by the core) has been removed; there is no replacement built into the core but many third party libraries are available in packagist.
- The v-date-picker and v-calendar Vue components have been removed. They are attractive but they are simply too large to include in the JavaScript that powers Concrete. They have been replaced with native solutions. It is unlikely that you’ve included these components in custom code, but if you have you’ll need to import them into your JavaScript bundles yourself.
- The vue toggle Vue component has been removed. It was too large to include in the Concrete CMS JavaScript bundle. If you need this functionality use Bootstrap Switches, which are now included and available.
Highlights
- Refinements to the in-page editing experience: better highlight of editable blocks and areas, better delineation of containers, layouts and in-page areas, better hit areas for draggable blocks and much more.
- New “Site Health” Hub: run reports against your site to ensure that it's optimally configured. Extensible reports engine ships with the ability to check site for production status settings, cache settings, unauthorized JavaScript and more. Learn more at https://www.youtube.com/watch?v=K76xk1E6hPE
- Complete 1.0 REST API with coverage of major Concrete CMS features, including pages, users, files, Express objects and more.
- Added production modes to the Dashboard - tell Concrete whether this copy is in development, staging or production mode. Useful when running security health checks, or automatically displaying a staging notice to admins or visitors on a staging copy of a site.
- Added the ability to view and retry failed queue messages within the Dashboard and through the use of a command line tool. (https://www.loom.com/share/83530934986940b98f74ebe108e49c6e)
- Added a button to clear all running processes in case any get stuck.
- Adds ability to configure Composer form sets to be collapsable (thanks Mesuva)
- Adds option to filter events in Event List by Past, Future or All Events (thanks katalysis)
- Adds option to change sort order by Most Recent First or Oldest First (thanks katalysis)
- Added new password strength meter to user creation and password changing Dashboard pages (thanks shahroq)
- Added new URL Slug Dashboard page to the SEO section, where you can change settings related to URL slugs (thanks hissy)
- We no longer fall back to using the super admin’s email address as the default address if certain specific addresses aren’t set; instead we use a new config value “default email address”, settable in config code and from the Dashboard email options page (Thanks mlocati)
- Added the ability to specify several allowed IP addresses to avoid triggering logout on IP address change. Added user-specific IP address overrides as well (thanks mlocati)
- Improvements to user experience when passwords are reset for users by administrators, either for a single user, or for all users in the site (mlocati). Users will no longer have to enter their email addresses twice, and will no longer be told that they’re in the “forgot password” user flow, when they’re actually in the manual reset user flow.
- Added the ability to force user passwords changes every X days (thanks mlocati)
- Added the ability to mark a password as reset from a Dashboard user detail page (thanks mlocati)
- Add more info in user details dashboard page (thanks mlocati)
- Added a new full page caching setting that determines the lifetime of the page based on the blocks on the page (thanks hissy)
- Defaulted file manager and file manager component in chooser to sorting by name ascending for more consistent behavior.
- New user avatar editor component in My Account and Dashboard.
- Added a config option to disable asciify for uploaded files (thanks hissy)
Improvements
- Improved display of View Page as User panel.
- Using group paths when group operations are logged instead of group names (thanks mlocati)
- Activating the Elemental or Atomik themes after installation will install required supported templates.
- Added min fields to page list block number fields (thanks ccmEnlil)
- Core guest, registered and admin groups once again forced to be created with the proper initial IDs (thanks mlocati)
- New conversations message notifications now appear in Waiting for Me.
- Top Navigation Bar block now correctly links to the multilingual home pages, and includes nav-path-selected CSS classes on parent pages of active pages.
- Top Navigation Bar now honors nav target custom attribute (thanks ccmEnlil)
- API Integrations can limit which Concrete CMS product areas they cover via custom scopes.
- Add missing for attribute to checkbox label of option list attribute (thanks Mesuva)
- SMTP config page: don't send the SMTP password to the clients (thanks mlocati)
- Fix UI of "Update Languages" dashboard page (thanks mlocati)
- Heartbeat backend call updates “Online Now” user property (thanks mlocati)
- Add option to disable asciify on generate url slug (thanks hissy)
- Performance improvement: All global areas’ blocks no longer loaded on every page load (thanks mnakalay)
- Fixed: Breadcrumb block doesn't respect replace_link_with_first_in_nav attribute (thanks hissy)
- Fixed error where Express Entry List criteria in the block were being shown twice.
- Changed image slider URL field from textarea to text input for better display and less ability to mess up input by putting in newlines (thanks nikolai-nikolajevic)
- Dashboard Environment Information page now wraps its content properly (thanks JohnTheFish)
- Fixed error where containers when used on page would block that page from engaging in automated full-page caching (thanks hissy)
- Added date/time of previous login to Welcome back dashboard and account screens.
- File title is now included when searching via the file manager file/folder interface.
- Much improved, more uniform appearance to select pickers and combo boxes when using autocomplete functionality.
- Better block caching settings for certain core block types (thanks
- Added additional indexes throughout (thanks jlucki)
- Performance Improvement: Avoid getting same attribute values multiple times (thanks hissy)
- Added a new publish notification if a page has a publish end date that is earlier than the current date (and is therefore closed) (thanks hissy)
- Alias pages are no longer included in sitemap.xml.
Bug Fixes
- Fixed: Express Form Block submission cannot be edited (thanks mnakalay)
- Fixed bug: Viewing versions of a page with permissions does not work
- Fixed bug: Page preview fails if page is protected
- Fixed bug: Unable to view mobile preview, page versions panel detail, custom design before publish the page
- Fixed bug where unapproved conversation messages were being sent to subscribers.
- Fixed bug where advanced search dialogs in the Dashboard weren’t accurately showing default search and sort order selections.
- Add the missing user param on page_version_approve event (thanks chauve-dev)
- Fix sorting results of FolderItemList by file title when only full group by SQL mode is enabled (thanks mlocati)
- Many bug fixes to searchable lists.
- Bug fixes to Tags attribute that fixes inability to remove tags, other problems.
- Fixed: For draft pages, the destination is the Drafts directory if you create the page in another language.
- Fixed inability to use query parameter ccm_order_by broken with block express_entry_list (thanks mnakalay)
- Fixed issue where editing a JPEG using the image editor would save that file with the JPEG extension but the file behind the scenes was actually a PNG.
- Fixed Calendar block not being properly localized.
- Fix issue under PHP8 when saving select/option attributes with no selected values (thanks Mesuva)
- Fixed bug where tag block showing tags on a specific page did not limit properly.
- Fixed /concrete/single_pages/download_file.php:23 Undefined variable $fID under PHP 8.
- Fixed inability to set home folder when editing a user in the Dashboard.
- Fixed: [V9][Bug] Order by FileSet not working in Document Library Block (thanks mnakalay)
- Fixed: "select fileset" dialog in file manager doesn't retain file set values (thanks mnakalay)
- Fixed error registering users with email validation under PHP 8.
- Exporting users now checks the permission of the access user export permission.
- When running validate-schema via the console no more errors are reported (thanks biplobice)
- Fixed errors regarding titleFormat in multiple blocks under PHP8
- Fixed error when placing site into maintenance mode.
- Fixed: Dashboard user attributes always required when present and empty even if not required when editing attributes
- Fixed: If ID of the Home page isn't 1, we can't manage access rights to site
- Image attribute causing js error in composer and attribute panel (thanks mlocati)
- Fixed bug where marking a page description as required in composer made it impossible to approve the page version even when description was specified.
- Fixed error when hiding username on new registration form under PHP 8.
- Fixed error using layout sliders on non-Bedrock themes.
- Many small errors and code incompatibilities fixed in group notifications (thanks mlocati)
- Fix handling of page removal when deleting a calendar event (thanks mlocati)
- Fixed PHP errors when using Legacy Form block with PHP 8 (thanks mlocati)
- Fixed some exceptions in BlockController when using PHP8 (thanks biplobice)
- Fixed Wrong params order in the call of View::element(), under elements\workflow\edit_type_form_required.php (thanks BSalaeddin)
- Fixed bug where removing orphaned blocks that are part of page defaults for a page template deletes them from all pages of that type (thanks hissy)
- Fixed error when using Check Automated Groups task.
- Fixed error when saving page type order in the Page Type Order and Group Dashboard page under PHP 8 (thanks hissy)
- Fixed error when visiting URL of deleted private message: Undefined property: Concrete\Core\User\PrivateMessage\PrivateMessage::$uID
- Fixed: Tags Block Ignores Display Limit
- Fixed JavaScript error in version 9 themes when using address attributes.
- Fixed: Presets transparent less variable are replaced by colors when upgrading to concrete version 9 (thanks apaccou)
- Fixes in browsers where certain asynchronous operations could result in a popup saying “undefined” when navigating away from a page
- Fixed: Attempting to delete the "social block" gave displayOrder error under PHP 8.1.
- Fixed: Bugfix: Bulk update for page attributes only saves first selected page (thanks lvanstrijland)
- Fixed misnamed spam allowlist parameter that could result in spam allowlist functionality not working for all configurations (thanks gantanikhiliraj)
- Fixed some bugs in conversations under PHP 8.
- Fixed error displaying languages in Dashboard Breadcrumb dropdown on Global Areas Dashboard page when multilingual is enabled.
- Fix undefined array key when exporting Express entries on PHP 8 (thanks JeffPaetkau)
- Fixed: Get an antispam library by handle breaks under PHP 8 (thanks mnakalay)
- Fixed: "Undefined variable $selectedTemplate" error on design panel when editing single pages in PHP 8 (thanks hissy)
- Fixed error when a user has no rights to do settings on express, but can edit the entities (under PHP 8) (thanks Lemonbrain)
- Fixed: HTML block breaks composer interface on PHP 8.1 (thanks hissy)
- Fixed Unable to install with MariaDB 10.10+ (thanks mlocati)
- Fixed: Adding Core Property 'Text' to Express Form Causes Error under PHP 8.
- Fixed occasional errors that could occur if a config file is written twice in rapid succession (thanks JohnTheFish)
- Fixes to the user registration email template (thanks jlucki)
- Add cache lock to fix potential race condition with attribute keys (thanks jlucki)
- Fixed: Legacy form dashboard view "Undefined array key ..." under PHP8
- Fixed: Undefined array key "ptComposerOutputControlID" error on page type default page after removing a composer control under PHP 8
- Fixed behavior where if a custom file storage was set as default it was not selected when adding new folders (thanks hissy)
- Document library block forcing download of files outside default storage location (as attachment)
Developer Updates
- Bedrock updated to 1.4, which includes support for Bootstrap 5.2 and many other updates.
- Numerous minor PHP dependency updates
- New Group selector Vue component (Thanks mlocati)
- New ConcreteSelect, ConcreteUserSelect, ConcretePageSelect and other components.
- Developers can now add to the list of email addresses displayed on the System Email Addresses Dashboard page for their custom add-ons (thanks mlocati)
- Display the php-cs-fixers applied when the phpcs CLI command applies fixes (thanks mlocati)
- FancyTree deprecated errors no longer displayed in Sitemap (thanks mlocati)
- Theme developers may add required additional content XML for their theme in content.xml in the theme root - it will be installed if (and only if) the theme is activated.
- Added an option to hide usernames from the user picker component (thanks mlocati)
- Add the setupSiteInterfaceLocalization in the controller method in ResponseFactory.php (thanks chauve-dev)
- Deprecate Ajax::isAjaxRequest (thanks mlocati)
- Removed more instances of “concrete5” in favor of “Concrete CMS”
- Guzzle PHP Library updated to 7.5.
- Concrete now supports Doctrine ORM 2.14.x+
- Fixed error when running method getPermissionObject from the BlockController class.
- Many minor PHP dependency version updates.
- Minor improvements to antispam service (thanks mnakalay)
- Updates to block controller code to future-proof for PHP 9 (thanks mlocati)
- moment.js has been updated to the latest stable version. This file could sometimes trigger insecurity warnings.
Read more: https://documentation.concretecms.org/developers/introduction/version-history/921-release-notes
9.1.3 (security release) 17 January 2023 - 200MB
9.1.3
Behavioral Improvements
- Made the legacy_salt functionality easier to read
Security
- CVE-2022-43693 Added "state" parameter to OAuth client by default to prevent CSRF. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43692 Sanitized output to prevent XSS in dashboard search pages. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43694 Sanitized output in API endpoint to prevent potential reflected XSS in the Image Manipulation Library. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43967 Sanitized output in multilingual dashboard report to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43968 Sanitized output on the icons dashboard page to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43686 Improved performance of "forever" cookie to prevent DOS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43691 Hide $_SERVER and $_ENV output from whoops by default to prevent information disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43687 Generate a new session ID when authenticating through OAuth to prevent session fixation. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43556 Sanitized dashboard breadcrumbs to prevent stored XSS. Thanks @_akbar_jafarli_ for reporting HackerOne report #1696363.
- CVE-2022-43695 Sanitized entity names in entity association dashboard page to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43690 Use strict comparison when testing against legacy password algorithm to protect against potential integer conversion. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43688 Sanitize Microsoft tile icon to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43689 Disable entity expansion when sanitizing SVGs to prevent DNS based IP disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- Added a warning for admins when they are potentially giving more access than they expect when they set certain advanced permissions. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.
- Added a warning when moving groups that permissions of the new parent group will be granted to the child group but the child group will retain all previous permissions. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.
9.1.2
New Features
- Added “Exclude Current Page” option to the Page List block (thanks ccmEnlil)
- Added new “Upload Settings” Dashboard page to configure file upload settings, including chunking, chunk size, and parallel streams (thanks mlocati).
Behavioral Improvements
- WebP images now supported by the file manager. WebP images will show up with the proper extension and thumbnail (assuming the browser supports them). File extension added to the file manager list view.
- Many minor UI fixes throughout Dashboard pages and edit dialogs (thanks shahroq)
- Improved display of Environment information Dashboard page: larger window of text.
- Removed ability to approve versions of drafts – because they need to be published first.
- If a folder is specified as the root folder of a document library, uploaded files will be placed in this folder if uploaded through the document library.
- Nicer version history view in add-on update screen (thanks biplobice)
- Much improved scrolling of page when dragging blocks into the page using the Atomik theme.
- Fixed weird Chrome behavior where sometimes dialog windows would have a fully opaque black background.
- Added the ability to toggle passwords when adding a user or change your user’s password (thanks shahroq)
- API Integrations Dashboard page now more suitable for situations where many integrations exist. Supports search, pagination, etc…
- Add a pull down menu to set datetime format for CSV exports (thanks hissy)
- Hide username on edit profile when it is not required on registration (thanks hissy)
- Allow for saving Hero Image Blocks without Image while avoiding the current datatype Exception (thanks haeflimi)
- Mercure overhauled to default all Concrete events to private (for better security).
- Added additional configuration methods to Server-Sent Events (Mercure) to allow for more advanced configuration use cases.
- Fixed display of CMS when wrapping areas in text-align styles.
- Added environment hostname and name to Environment page (thanks shahroq)
- Improvements to Event List block edit dialog.
- Improved display of navigation in the Express Dashboard pages (thanks shahroq)
- Improvements to the Concrete user input component (thanks mlocati)
- By default, login will take you to the home page of your site (this can be changed from the Login Destination Dashboard page, if desired.)
Bug Fixes
- Fixed bug where automated groups were not working properly.
- Fixed bug where users could not change the custom template of a block in a Stack.
- Fixed custom options forms not showing properly in third party Captcha packages
- Fixed error editing Hero Image block in PHP 8+ when title format had not been set.
- Fixed bugs under PHP 8+ when configuring advanced properties of advanced permissions.
- Fixed: Background Color of a custom skin can no longer be cleared but destroy the custom skin itself
- Fixed: Adding layout throws error in console "Cannot read properties of undefined (reading 'closest')" in v9.1.1
- Fixed display issues and content issues in the Help panel.
- Added some better content in the help panel.
- Fixed bug where Copy languages feature copied all pages instead of only pages that have not been associated.
- Fixed: Setting Atomik Top Navigation Bar Color to transparent breaks theme customiser
- Fixed bug in Atomik sample content where blog posts weren’t showing up because they were going in with dates that were too old.
- Fixed bug where only the super user could assign user groups or remove user groups through the bulk editing interface.
- Fix/error in reindex contents task with Page Objects when pages are in the trash/don’t have a public date (thanks deek87)
- Fixed error in breadcrumb block rendering when parent pages were unapproved (thanks hissy)
- Fixed bug where editing block visibility at certain device breakpoints via custom design was not working (thanks deek87)
- Fixed bug where clearing the site’s cache may lead to an error when using custom cache drivers like Redis (thanks chauve-dev)
- Fixed bug where “page topics” filtering option in Event List block didn’t work and didn’t present a list of topics.
- Fixed bug where large images added via the Content block would burst out of the Atomik theme.
- Fixed bug where images saved in the database with UUID placeholders didn’t display properly (can happen when using the migration tool with version 9)
- Fixed bug where calendar block would not display properly on older themes.
- Fixed bug where pages would not validate in the w3c validator due to a closing </link> tag being present.
- Fixed error when adding an Event List block where topic attributes were present under PHP 8.1 (thanks TMDesigns)
- Fixed error when changing locale on Multilingual Setup page (thanks jocomail78)
- File upload chunking now works again (if enabled) (thanks mlocati)
- Fixed: “Your Computer” tab initially empty when swapping files in the file manager (thanks mlocati)
- Fixed bug where filtering by topic tree in the Event List block didn’t show a topic tree to choose from.
- Fixed miscellaneous bugs in Event List block edit dialog.
- Fixed ability to edit certain content in the rich text editor in the Accordion block.
- Fixed interaction where adding a layout and then cancelling would hide the area the layout was added to until the page was reloaded.
- Fixed gallery block error where a gallery referencing a deleted image would cause an Exception (thanks JeffPaetkau)
- Fixed: In php 8 when signed in as a non super user an error occurs when accessing the /dashboard/extend/update page due to $mi not being defined (thanks danklassen)
- Fixed dialogs/block/design.php - Line 12 has an extra closing php tag (thanks ConcreteOwl)
- Fixed Back button not taking you anywhere when viewing an Express entry that was owned by another Express entry.
- Fixed bug on Organize page types Dashboard page under PHP 8.1.
- Fixed error adding basic workflow in PHP 8.1.
- Fixed error editing groups under PHP 8 (thanks hissy)
- Fixed "An exception occurred while executing 'insert into CollectionVersionBlocks" when changing page template.
- Fixed: When using PHP8 if you turn Advanced Permissions on then try to add Block Permissions you're met with this error.
- Fixed: Setting nothing to Items Per Page option of Express Entry List causes an error
- Fixed: Incorrect tag namespace for multilingual sitemap generation (thanks gregheafield)
- Fixed: Page Selector Attribute - Search & Indexing broken (thanks haeflimi)
- Bug fixes for Page List block under PHP 8.1 (thanks ccmEnlil)
- Fixed: Express Form Block E-Mail notification doesn't respect form field Order
- Fixed: Express Form Block E-Mail notification – URL to entries doesn't work and leads to empty page
- Fixed error when updating file sets in PHP8+ (thanks ccmEnlil)
- Fixed errors when using Server-Sent events introduced in 9.1.0
- Fixed bug when using magic method in form helper to create previously undefined form input types (thanks JohnTheFish)
- Fixed bug where page list block would offer the number of entries as the rss feed title if the block was being edited.
- Fix LaminasCacheDriver does not set TTL properly (thanks hissy)
- Fixed: Saving Page with Legacy Attribute Error with PHP8
- Fixed ugly styling for authentication when logging in via Oauth2
- Fixed community authentication (community.concretecms.com) - now it works again.
Backward Compatibility Notes
- Tweaked Auto-Nav block controller to fix issue with Community Store breadcrumb custom template.
Developer Updates
- Private properties in Select Attribute Controller updated to be protected (thanks biplobice)
- MessageBusManager library improvements for extension
- Update the URL of the Doctrine XML repository/GitHub Pages (thanks mlocati)
- Any custom integrations using Mercure (likely very few, if any) should be checked over – Mercure system has been completely overhauled, including an update to Symfony Mercure 0.61.
- Added on_get_page_wrapper_class() custom event to allow developers to customize classes delivered by this method (thanks JohnTheFish)
- Let translators swap file extension and file type (thanks mlocati)
- Added ability to pass class to tabs method (thanks shahroq)
- Form helper __call magic method can now output form types that have dashes in them (thanks mlocati)
- Add an option to the DeleteGroup command to skip deleting groups with users
- Added application/pdf to the types of files that can be used with view_inline (thanks hissy)
Read more: https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes
9.1.1 (major release) 16 June 2022 - 200MB
9.1.1
Behavioral Improvements
- Enhancement: adding the ability to pass association ID through request and pick it up in the form
- Adding associations to Express form notifications
- Top Navigation Bar block now honors the nav_target custom attribute, if it exists (thanks ccmEnlil)
Bug Fixes
- Fixed bug in /ccm/system/upgrade script on PHP 8.1 (thanks ccmEnlil)
- Fixed upgrade inconsistencies that could cause problems for installers like Softaculous
- Fixed Accordion Block: when the initial state set to 'all items open' or 'all items closed' the collapsed state is not always correct (thanks danklassen)
- Fixed compatibility with PHP 8.1 when installing with Composer.
- Fixing bug where Express entries with multiple associations could not be filtered accurately in advanced search
- Fixing bug where submitted values do not persist in Express association forms
- Fixed: Changing the page template of a draft breaks block versioning (thanks jaromirdalecky)
- Fixed: Duplicating file as non-super admin does not work due to permissions key (thanks danklassen)
- Fixed: core search block: the form tag has two class attributes
- Fixed null pointer Exceptions when using area layouts under certain conditions (thanks biplobice)
- Fixed default format of color picker control
Developer Updates
- Laminas cache laminas/laminas-cache-storage-adapter-memory library updated to 2.0 in order to restore compatibility with PHP 8.1 when installing via Composer
- Fixed: Block::isOriginal() returns opposite value (thanks jaromirdalecky)
9.1.0
New Features
- Improved appearance and functionality when editing block, area, layout and container styles inline in the page (thanks deek87)
- Added the ability for an Express attribute to be marked as unique, provided its attribute type supports it. Unique attributes will be useful for SKUs, enforcing email uniqueness, etc…
- Much improved version comparison feature that can compare the HTML of two page versions and highlight differences (thanks deek87 and hissy)
- Feature Link block improvements: Adds option for 'link' styled button using BS5 .btn-link button class, Adds the option to include an icon in the button and to have icon only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)
- Hero Image block improvements: Adds option for 'link' styled button using BS5 .btn-link button class, Adds the option to include an icon in the button and to have icon only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)
- Added new Security Policy page in the Dashboard (thanks hissy)
- Added a “Revert to Draft” command button on published pages in the Composer interface (thanks hissy)
- Improvements and refinements to Dashboard file details screen in desktop and mobile views.
- Added the ability to move a file folder in the Dashboard file manager.
- Added the tree view back to the Groups Dashboard page.
- Add title field for YouTube and Video block types for better accessibility (thanks Mesuva)
Read more: https://documentation.concretecms.org/developers/introduction/version-history/911-release-notes
8.5.19 (security release) 11 September 2024 - 200MB
Security Updates
- Fixed CVE-2024-8291 Stored XSS in Image Editor Background Color by sanitizing output of "Save Background Image Colour" in file thumbnail dashboard single page with commit dbce253166f6b10ff3e0c09e50fd395370b8b065 for version 8 and commit 12183 for version 9. The Concrete CMS Security Team gave this a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Prior to the fix a rogue admin could add malicious code to the Thumbnails/Add Type. Thanks Alexey Solovyev for reporting HackerOne 921527.
- Fixed CVE-2024-7398 Stored XSS Vulnerability in Calendar Event Addition Feature with commit 7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5 for version 8 and commits 12183 and 12184 for version 9. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N. Prior to the fix, the calendar event name was not sanitized on output. Users or groups with permission to create event calendars could embed scripts and users or groups with permission to modify event calendars could execute scripts. Thank you Yusuke Uchida for reporting HackerOne 2400810.
- Fixed CVE-2024-8661 Stored XSS in the "Next&Previous Nav" block with commit 12204 for version 9 and with commit ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4 for version 8. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Prior to the fix, a rogue admin could add a malicious payload. Since the "Next&Previous Nav" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users. Thanks Chu Quoc Khanh for reporting HackerOne 2610205.
Read more: https://documentation.concretecms.org/developers/introduction/version-history/8518-release-notes
8.5.18 (security release) 12 August 2024 - 200MB
Security
- Fixed CVE-2024-4350 Stored XSS in RSS Displayer with commit 12166 for version 9 and with commit c08d9671cec4e7afdabb547339c4bc0bed8eab06 for version 8. Prior to the fix a rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.0 with a vector of AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N and a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks m3dium for reporting HackerOne 2479824.
- Fixed CVE-2024-7394 Stored XSS in getAttributeSetName() by sanitizing Board instance names on output with commit 12166 for version 9 and commit c08d9671cec4e7afdabb547339c4bc0bed8eab06 for version 8. Prior to the fix, a rogue administrator could inject malicious code. The Concrete CMS team ranked this a CVSS v3.1 rank of 2 with vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N and a CVSS v4.0 rank of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks m3dium for reporting HackerOne 2463288.
- Show a more generic error message in RSS Displayer block if curl is unable to load posts. Thanks m3dium for recommending this in HackerOne 2479824
Bug Fixes
- Fixed bug where boolean page attributes that are checked by default show up as checked even if they have previously been saved unchecked (thanks hissy)
- Fixed some issues when attempting to use Redis to store session under certain conditions (thanks mlocati)
Read more: https://documentation.concretecms.org/developers/introduction/version-history/8518-release-notes
8.5.17 20 May 2024 - 200MB
Behavioral Improvements
- Added notifications into the interface about the new marketplace coming in Concrete CMS 9.3.0.
Bug Fixes
- Backported fix from Concrete CMS 9: CollectionSearchIndexAttributes table is updated without approving the page version (thanks hissy)
Read more: https://documentation.concretecms.org/developers/introduction/version-history/8517-release-notes
8.5.16 (security release) 29 April 2024 - 200MB
8.5.16
Security
- Created CVE-2024-2753 Stored XSS on the calendar color settings screen and fixed it with commit 11988 Prior to the fix, a rogue administrator could put malicious javascript on the Concrete CMS color setting screen which would have would have been triggered by and affected users who accessed the color settings screen. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.0 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N Thank you Rikuto Tauchi for reporting HackerOne 2433383.
- Created CVE-2024-3178 Cross-site Scripting (XSS) - Advanced File Search Filter and fixed it with commit 11988 for version 9 and commit 11989 for version 8. Prior to the fix, a rogue administrator could add malicious code in the file manager because of insufficient validation of administrator provided data. All administrators have access to the File Manager and hence could create a search filter with the malicious code attached. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Guram (javakhishvili) for reporting HackerOne 949443
- Created CVE-2024-3179 Stored XSS in the Custom Class page editing and fixed it with commit 11988 for version 9 and commit 11989 for version 8. Prior to the fix, a rogue administrator could insert malicious code in the custom class field due to insufficient validation of administrator provided data. Concrete CMS version 9.2.8 and 8.5.13 no longer allow any non alphanumeric characters in this CSS class. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Alexey Solovyev for reporting HackerOne 918129.
- Created and fixed CVE-2024-3180 (https://nvd.nist.gov/vuln/detail/CVE-2024-3180). Prior to the fix, stored XSS could be executed by a rogue administrator adding malicious code to the link-text field when creating a block of type file. Fixed with commit 11988 for version 9 and commit 11989 for version 8. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L. Thank you Alexey Solovyev for reporting HackerOne 903356
- Created CVE-2024-3181 Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. The Concrete Team fixed this with commit 11988 for version 9 and commit 11989 for version 8. Thank you Alexey Solovyev for reporting HackerOne 918142
8.5.15
Behavioral Improvements
- Ignore E_USER_NOTICE and E_USER_DEPRECATED errors (thanks mlocati)
- Do not combine CAPTCHA JS because it fails to load in some cases (thanks JeRoNZ)
- Removed some extraneous and unnecessary files from the ckeditor js/ directory.
Bug Fixes
- Fixed “CKEditor is not secure” notice when loading CKEditor.
Read more: https://documentation.concretecms.org/developers/introduction/version-history/8514-release-notes
8.5.14 (security release) 6 December 2023 - 200MB
8.5.14
Bug Fixes
- We continue to support TLS 1.2 in Zend Mail (thanks hissy, mlocati)
Security
- Fixed CVE-2023-48653 Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit by updating Update Dialog endpoints to only accept POST requests with tokens included with commit 11765 for 8.5.14. Prior to the fix, an attacker could force an admin to delete events on the site because the event ID is numeric and sequential. The Concrete CMS Security team scored this 4.3 with CVSS v3 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. Thanks Veshraj Ghimire for reporting.
- Fixed CVE-2023-48650 Stored XSS in Layout Preset Name with commit 11765 in 8.5.14. The Concrete CMS Security team scored this 3.5 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. Thanks Solar Security CMS Research, d0bby (https://hackerone.com/d0bby), wezery0, silvereniqma in collaboration for reporting!
8.5.13
Behavioral Improvements
- CKEditor included version has been updated to the latest version 4.22.1 (thanks hissy)
- Updating some automatically created directories to use the proper directory permissions (thanks mlocati)
Bug Fixes
- Fixed bug where Express association control would be required if present in form even if the admin hadn’t marked it as required (thanks yildirimmurat)
- Fixed link to user profile from Community authentication (thanks mlocati)
- Fixed some instances where the CollectionSearchIndexAttributes table might be updated based on the latest version instead of the approved version (thanks biplobice)
- Fixed: Gettext uses deprecated array_key_exists() which throws a ConversionException on PHP 7.4 (thanks 1stthomas, mlocati)
- We now properly sanitize the output of files uploaded through Express Forms.
- Backward Compatibility Notes
Developer Updates
- Avoid installing commerceguys/addressing 1.4+ because it’s incompatible with PHP 7.3 (thanks mlocati)
Security
- Better sanitization of Plural handles in Express objects.
- Better sanitizing of Custom labels in Express objects.
- Updated to Guzzle 6.5.8 to ensure Concrete CMS is not vulnerable to Guzzle CVE-2023-29197 Thank you Danilo Costa for reporting H1 2132287
- Fixed: directories could be created with insecure permissions since file creation functions gave universal access (0777) to created folders by default. Excessive permissions could be granted when creating a directory with permissions greater than 0755 or when the permissions argument was not specified. The Concrete CMS Security team scored this 6.6 (Medium) with CVSS v3 vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H. Thanks tahabiyikli-vortex for reporting H1 2122245. Thanks Mlocati for providing the fix. Fixed in commit 11739
- Fixed CVE-2023-28477 stored XSS on API Integrations via the name parameter in the 8.5 version. Previous fix was in version 9 only. Prior to the fix, while adding API Integrations on Concrete CMS, the parameter name accepted special characters enabling malicious JavaScript payloads impacting /dashboard/system/api/integrations and /dashboard/system/api/integrations/view_client/unique-id. The Concrete CMS Security team scored this 5.5 with CVSS v3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N Thanks Veshraj Ghimire for reporting H1 1753684 and providing the original fix. See commit
- Fixed CVE-2023-44761 Admin can add XSS via Data Objects with this commit PLEASE report vulnerabilities directly to the Concrete Team so that we can fix them to make Concrete safer for all.
- Fixed CVE-2023-44765 Concrete was vulnerable to stored XSS in Associations (via data objects). Fixed with commit PLEASE report vulnerabilities directly to the Concrete Team
- Fixed CVE-2023-28475 Concrete was vulnerable to reflected XSS on the Reply form because msgID was not sanitized in the 8.5 version. Previous fix was in version 9 only. Concrete CMS Team ranked this 4.2 (medium) With CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks again Bogdan Tiron for the discovery. Fixed with commit
- Fixed stored XSS on the Concrete Admin page by sanitizing uploaded file names. Fixed in commit 11739. Concrete CMS Security team scored this 3.5 (low) with CVSS v3 vector AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N Thanks @akbar_jafarli for reporting H1 2149479.
- Fixed CVE-2023-28819 in version 8.5. Previously remediated in Concrete 9.1. Concrete was vulnerable to stored XSS in uploaded file and folder names since Concrete CMS was rendering data without sanitizing it. The Concrete CMS Security team scored this 3.5 with CVSS v3.1 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. Thanks solov9ev for reporting H1 1472270. Fixed with commit 11749
- Fixed CVE-2023-28472 in version 8.5 by updating the Survey Block Controller. We added support for the concrete.session.cookie.cookie_secure value to the ccmPoll cookie (which developers can set to true if they want to use secure cookies). This was previously done in Concrete 9.2. Concrete CMS Security team scored this 3.4 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N. Fixed with commit 11749
- Fixed CVE-2023-28473 possible Auth bypass in the jobs section in version 8.5. This was previously remediated in Concrete 9.2. Concrete CMS Security team scored this 2.2 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N Thanks Adrian Tiron from Fortbridge for Reporting H1 1772230. Fixed with commit 11749.
Read more: https://documentation.concretecms.org/developers/introduction/version-history/8514-release-notes
8.5.12 (security release) 17 January 2023 - 200MB
8.5.12
Bug Fixes
- Fix ZendCacheDriver does not set lifetime properly (thanks hissy)
- Made the legacy_salt functionality easier to read
Developer Updates
- Private properties in Select Attribute Controller updated to be protected (thanks biplobice)
- Added on_get_page_wrapper_class() custom event to allow developers to customize classes delivered by this method (thanks JohnTheFish)
Security Fixes
- See our security release blog post for more information about security fixes.
Medium
- CVE-2022-43693 Added "state" parameter to OAuth client by default to prevent CSRF. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43692 Sanitized output to prevent XSS in dashboard search pages. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43694 Sanitized output in API endpoint to prevent potential reflected XSS in the Image Manipulation Library. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43967 Sanitized output in multilingual dashboard report to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43968 Sanitized output on the icons dashboard page to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43686 Improved performance of "forever" cookie to prevent DOS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43691 Hide $_SERVER and $_ENV output from whoops by default to prevent information disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43687 Generate a new session ID when authenticating through OAuth to prevent session fixation. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43556 Sanitized dashboard breadcrumbs to prevent stored XSS. Thanks @_akbar_jafarli_ for reporting HackerOne report #1696363.
Low
- CVE-2022-43695 Sanitized entity names in entity association dashboard page to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43690 Use strict comparison when testing against legacy password algorithm to protect against potential integer conversion. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43688 Sanitize Microsoft tile icon to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43689 Disable entity expansion when sanitizing SVGs to prevent DNS based IP disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
Not Ranked
- Added a warning for admins when they are potentially giving more access than they expect when they set certain advanced permissions. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.
- Added a warning when moving groups that permissions of the new parent group will be granted to the child group but the child group will retain all previous permissions. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.
8.5.11
Bug Fixes
- Fixes for PHP 5.5 compatibility
8.5.10
Bug Fixes
- Fixes for PHP 5.5 compatibility
8.5.9
Bug Fixes
- Fixed inability to upload files when file chunking is disabled.
- Fixed bug that prevented file chunking from also working.
- Reverted code that accidentally made the core require PHP 5.6+ in some situations.
8.5.8
Behavioral Improvements
- JavaScript and CSS assets now have the timestamp of when the cache was last cleared appended to them (thanks deek87, haeflimi)
- Renamed concrete5 to Concrete CMS and Concrete during the installation process.
- Nicer version history view in add-on update screen (thanks biplobice)
Bug Fixes
- Fixed error that would occur if you deleted an Express entry and then attempted to reorder that same entry on the page before reloading (thanks biplobice)
- Fixed error where users, files and sites weren’t being reindexed when running the index_search_all job.
- Fixed error where copying conversation blocks out from page defaults made them all one instance of the same conversation (thanks hissy)
- Validating Express, User and Page attribute types now works when used with Composer and Express (thanks hissy)
- Fixed bug in Redis caching backend when saving a primitive value.
- Fixed: when using the Express Form block, and a file is uploaded through the form, it creates two versions of the file, which are seemingly identical (thanks 1stthomas)
- Fixed: Clear old page versions in all site trees when running remove page versions job (thanks Ruud-Zuiderlicht)
- Fixed bug where OAuth2 and sign in as user functionality could lead to someone unintentionally joining their user account to a different account.
- Render single pages like 404, 403, login, register in default site locale (thanks hissy)
- Fixed: error message doesn't display when file upload fails via drag & drop (thanks hissy)
- Fixed invalid and unhelpful displaying on marketplace connection failures during certain conditions (thanks JohnTheFish)
- Topics Attribute Search Form is not getting translated on Frontend (thanks 1stthomas)
- Fixed: Multilingual copy site tree with alias pages (thanks hissy)
- Fix migration bug on fix overlapping start end dates when custom page publishing dates had been set in some cases (thanks hissy)
- Fixed null pointer Exceptions when using area layouts under certain conditions (thanks biplobice)
Security Fixes
- CKEditor updated from 4.16.2 to 4.18.0 (thanks hissy)
- Remediated CVE-2022-21829 - Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even if a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting on HackerOne - https://hackerone.com/reports/1482520
- Remediated CVE-2022-30117 - Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below allowed traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations. Concrete CMS Security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting https://hackerone.com/reports/1482280
- Remediated CVE-2022-30120 - XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are output can be exploited for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Dashboard Stacks page sort URLs are now sanitized. Concrete CMS Security team ranked this vulnerability 3.1 with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting https://hackerone.com/reports/1363598
- Remediated CVE-2022-30119 - XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are output can be exploited for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Thanks zeroinside for reporting https://hackerone.com/reports/1370054
- Remediated CVE-2022-30118 - XSS in /dashboard/system/express/entities/forms/save_control/[GUID] - old browsers only. When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting https://hackerone.com/reports/1370054
Read more: https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes
8.5.7 (security release) 15 November 2021 - 200MB
Bug Fixes
- Fixed issue where remote updater would read the entire update into memory, leading to potential out of memory errors when updating the core.
- Fixed error when setting global calendar permissions in the Dashboard.
- Fixed issue where reset users weren’t properly notified when logging in that their passwords needed to be changed (thanks hissy)
- Fixed: reCAPTCHA timeout after 2min (thanks JeffPaetkau)
- Fixed: fatal error on upgrade french version 8.5.5 to 8.5.6, "2 plural forms instead of 3" (thanks mlocati)
- Fixed error with rich text conversation editor not working (Thanks hissy)
- Fixed issue with URLs being case sensitive in some internationalization cases (thanks dimger)
- Fixes to topic attribute search index content (thanks hissy)
- Maintenance mode now returns the 503 HTTP error code when running (thanks hissy)
- Fix "Call to a member function isDefault() on null" error on the site upgraded from 5.7 when using the migration tool (thanks hissy)
- Fixed issue where rich text attribute type wasn’t showing a full toolbar (note: in the future we want to make this an option, and strongly recommend users use this smaller, sanitized toolbar – but it should be an option, not the default.)
- If a file has a password in the file manager, you will not be able to view it inline in the rich text editor.
- Fixed: Changing database charset in dashboard throws error: call to a member function add() on null (thanks myq)
Library Updates
- Bump CKEditor from 4.16.1 to 4.16.2 (thanks hissy)
Security
- Fixed CVE-2021-22966 - Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a bulk update permission security check. Concrete CMS Security team CVSS scoring: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H Credit for discovery: "Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )" This fix is also in Concrete version 9.0.0
- Fixed CVE-2021-40101: Admin users must now provide their password when changing another user’s password from the Dashboard. Concrete CMS security team CVSS scoring is 6.4 AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H. Credit for discovery: "S1lky". This fix is also in Concrete version 9.0.0
- Fixed CVE-2021-22968: A bypass of adding remote files in Concrete CMS File manager led to remote code execution. We added a check for the allowed file extensions before downloading files to a tmp directory. Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N. Thanks Joe for reporting! This fix is also in Concrete version 9.0.0
- Fixed CVE-2021-22951: “Unauthorized individuals could view password protected files using view_inline”. Concrete CMS now checks to see if a file has a password in view_inline and if it does we don’t render the file. Concrete CMS security team CVSS scoring is 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Credit for discovery: "Solar Security Research Team". This fix is also in Concrete version 9.0.0
- Follow up fix for CVE-2021-40107: Stored XSS in comment section/FileManger via "view_inline" option. We were informed the fix put into version 8.5.6 was not sufficient. Thanks "Solar Security Research Team". We now check to see if a file has a password in view_inline and, if it does, we don’t render the file. Concrete CMS security team CVSS scoring is 5.3: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N This fix is also in Concrete version 9.0.0
- Fixed CVE-2021-22967: insecure indirect object reference (IDOR); an unauthenticated user was able to access restricted files by attaching them to a message in a conversation. To remediate this, we added a check to see if a user has permissions to view files before attaching the files to a message in "add / edit message". The Concrete CMS security team gave this a CVSS v3.1 score of 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. Thanks Adrian H for reporting! This fix is also in Concrete version 9.0.0
- Fixed CVE-2021-22969 : SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys. To fix this, Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS. The Concrete CMS team gave this a CVSS v3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N . Discoverer: Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) Please note that Cloud IAAS provider mis-configurations are not Concrete CMS vulnerabilities. A mitigation for this vulnerability is to make sure that the IMDS configurations are according to a cloud provider's best practices. This fix is also in Concrete version 9.0.0
- Fixed CVE-2021-22970: Concrete allowed local IP importing, causing the system to be vulnerable to (a) SSRF attacks on the private LAN servers and (b) SSRF mitigation bypass through DNS rebinding. Concrete now disables all local IPs through the remote file uploading interface. Concrete CMS security team gave this a CVSS v3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N. This CVE is shared with HackerOne Reports #1364797 (thanks Adrian Tiron from FORTBRIDGE, https://www.fortbridge.co.uk/) and #1360016 (thanks Bipul Jaiswal). This fix is also in Concrete v 9.0.1
Read more: https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes
8.5.4 (major release) 10 June 2020 - 200MB
8.5.4
Bug Fixes
- Fixing update errors that can happen (Update causes exception): https://github.com/concrete5/concrete5/issues/8729 (thanks mlocati)
- 8.5.3 incorrectly enabled multisite extensions that aren’t ready until version 9. These are disabled in 8.5.4.
- Fix certain occasions where editing pages would result in composer being unable to load blocks. Fixes error “Unable to load block into composer” (Note: this will fix the issue for pages going forward, but existing pages with this error will not be resolved.)
8.5.3
New Features
- Added the ability to display the version status on the results page of a Page Search (thanks biplobice)
- Added the ability to log API requests via a Dashboard setting (thanks Kaapiii)
- Add phone and email to social links (thanks mlocati)
- The YouTube Video block now supports lazy loading. (Thanks MrKarlDilkington)
Behavioral Improvements
- Moves the custom block template selector from the advanced tab to buttons (thanks Mesuva)
- YouTube block: Delete 'show video infomation' option and change option name of showing related videos (thanks yuuminakazawa)
- Return a response object instead of exiting after saving a block (thanks mlocati)
- Fixed: We don't have to generate thumbnails if the image is in the private storage location (thanks hissy)
- Fixed potential errors that could result when adding invalid regular expressions into the Google authentication type whitelist/blacklist (thanks mlocati)
- When you uncheck “include attribute in search index” then the columns will be fully removed from the search indexing tables (thanks mlocati)
- Update OAuth password check to use PasswordHasher class (thanks Mesuva)
- CKEditor: turn off 'Edit Source' before submit (thanks mlocati)
- Fix issue with sitemap generation in multilingual sites (thanks dimger)
- concrete5 now handles the session garbage collection if a server isn’t going to do it (thanks mlocati)
- Select Multiple now works from within the file manager again (thanks deek87)
- When the user opens "Schedule Publishing" dialog, show a warning message if there is another scheduled version (thanks hissy)
- Add "Cancel Scheduled Publish" button in "Publish Pending" dialog (thanks hissy)
- Show a logout view to logged in users on the login page
- More logging during OAuth attach/detach attempts.
- Added a unique page ID class to each page for page targeting (thanks Shahroq)
- Added a blacklist of file extensions to ensure that developers can’t easily add PHP to a list of uploadable file types (thanks mlocati)
- Improvements to logout speed under certain circumstances (thanks kkyusuke)
- Calendar block height set to auto for better display in small width areas (thanks nakazanaka)
- Fixed: getUserAccessEntityObjects returns guest if no session found (thanks biplobice)
- The Refresh Token grant is now available for OAuth2 APIs (thanks kkyusuke)
- Use local date time format in CSV (thanks hissy)
- Faster and safer duplication of FAQ/Image Slider blocks (thanks mlocati)
- Added an exception in case there's no template file to render (thanks iampedropiedade)
- Added raw and samesite options to cookie (thanks iampedropiedade)
- Improve distinction between log severity icons (thanks JohnTheFish)
Bug Fixes
- Fixed inability to save blocks or do much of anything on Chrome 83 (relates to Chrome 83 behavioral change) (thanks bikerdave)
- Fixing not sending password to RedisArray in session and cache drivers (thanks deek87)
- Fixed bug where unnecessary localized stacks are generated when adding stacks to a multilingual site (thanks hissy)
- Fixed: 8.5.2 - Chunked file uploads generate multiple files in the backend (thanks ahukkanen)
- Fix flat sitemap in the trash view (thanks hamzaouibacha)
- Fixed: Given a calendar event that was starting yesterday and ends tomorrow. It's a strange behavior if this event doesn't show up today in the calendars "events list" block (thanks core77)
- Fixed multiple issues with user groups (thanks deek87)
- Failed to upload avatar on user account page because of ccm_token error (thanks deek87)
- Fix file manager issue with number of items per page (thanks biplobice)
- Fixed: Thumbnails broken for storage locations outside web root (thanks hissy)
- Fixed: Unable to detach google account at My Account page due to null exception (thanks deek87)
- Fixed inability to move multiple pages at once in certain situations (thanks wordish)
- Unable to paste the screenshot into content block (thanks deek87)
- Fixed: Failing block validation denies any further access to that block if you cancel editing (thanks jlucki)
- Fix user-selector events firing more than once (thanks deek87)
- Fixed: CSS of Free-Form Layouts (or 'Custom Layouts') isn't loaded if the visitor is not logged in (thanks Ruud-Zuiderlicht)
- Fixed inability to insert a link in Rich Text editor custom attributes in the Dashboard context (thanks mlocati)
- Fixed XSS issue where admin could insert tags into image slider titles.
- Fix error caused by invalid sort direction.
- Build youtube embed url with the league url class to fix issues when malicious admin uses invalid URLs.
- Fixed: [Bug] Single pages lose their path if location is resaved in sitemap or composer. (thanks dimger)
- [Fix] Image block hover option doesn't work for responsive images using the picture tag (thanks biplobice)
- Fixed error when the sortBy column doesn't exist on the advanced search result (thanks biplobice)
- Fixed: Setup on Child Pages updates all pages of the type, not the type / template combination (thanks danklassen)
- Fixed: getUserAccessEntityObjects returns guest if no session found (thanks deek87)
- Fixed: The folder name is null when you create it with name '0' (thanks biplobice)
- Fix setting the emails subject a second time with an undefined variable (thanks Kaapiii)
- Fixed: 404 does not work in multi language case (thanks Kaapiii)
- Fixed: CKEDITOR errors shown in console (thanks mlocati)
- BC Fix: Make it so routes can echo their output (thanks mlocati)
- Fix token error on flag_conversation_message (thanks guyasyou)
- Fix document library block error when file node type is other than File or FileFolder (thanks biplobice)
- Fixed: Unable to save layout if it contains a Form block (thanks mlocati)
- Fix initializing country/province link (thanks mlocati)
- Avoid exception on express attribute form during certain edge cases (thanks biplobice)
- HackerOne security fixes (thanks mlocati)
- Fix error on submitting workflow request to a deleted user (thanks hissy)
- Fix height/width of edit folder permissions dialog (thanks deek87)
- php 7.2 fix for updating a conversation message (thanks danklassen)
- Replying to a conversation does not clear editor (thanks danklassen)
- Don't check POSIX permissions of API public key on Windows (thanks mlocati)
- Fixing draggable zone on filemanager to only accept file/folder nodes (thanks deek87)
- Fixed: Currently in version 8.5.x sites that have been upgraded from 5.7 sites, you can no longer replace files (thanks deek87)
- Fixed upgrading from 5.7 under certain database circumstances (thanks mlocati)
- Fix wrong translatable strings placeholders (thanks mlocati)
- Fixed: Loading malformed html into a content block does some funky stuff (thanks mlocati)
- Fix H1 report 753567 (thanks hissy)
- Aliases are now shown in the Dashboard menu (thanks Ruud-Zuiderlicht)
- make c5:package:uninstall --trash not throw exception if there wasn't a problem (thanks nklatt)
- Fix: Creating folders in the file manager doesn't create them in the right place
- Fixed: Deleting a Form block instance for an Existing Express Entity Form can delete the original entity (thanks dimger)
- Avoid error on save page list block options with empty custom topic node (thanks hissy)
- Fixed bug in alphabetizing multilingual sections (thanks biplobice)
- Fixed bug where public date/time page property wasn’t being properly validated if it was marked as required in a composer form (thanks matt9mg)
- Fixed potential YouTube block exception (thanks matt9mg)
- Fixed: select filterByAttribute can return all results (thanks matt9mg)
- Fixed order of parameters in some implode() methods (thanks shahroq)
- Fixed PHP errors raised when calling View::action() method of an attribute (thanks mlocati)
- Fixed certain block type errors in advanced permissions and stacks (thanks mlocati)
- Fixed: CLI update fails if there is a package dependency such as MultiStep Workflow add-on
Developer Improvements
- Allow nested containers in custom theme layout presets (thanks jneijt)
- Allow the AuthorFormatter class to be overridden (thanks danklassen)
- Update concrete5 Translation Library (thanks mlocati)
- Code cleanup and improvements (thanks mlocati)
- [Fix] Config command with env option (thanks biplobice)
- Correctly set express entity package reference during import (thanks olsgreen)
- Added new buildRedirect method for easily creating redirects that honor the framework middleware from within controller methods (thanks mlocati)
- We now test installation and upgrades within Docker in our unit test suite (thanks mlocati)
- Update punic to 3.5.1 (thanks mlocati)
- Add the ability to easily inject custom Config drivers (loaders/saves) and implement Redis drivers.
- Fix phpdoc of the \Concrete\Core\Form\Service\Validation::test() (thanks biplobice)
- Fixed bug where update process wouldn’t use the interface LongRunningMigrationInterface to increase timeout (thanks mlocati)
- Add ForeignKeyFixer and c5:database:foreignkey:fix CLI command (thanks mlocati)
Read more: https://documentation.concrete5.org/developers/introduction/version-history/854-release-notes
8.5.2 3 October 2019 - 200MB
Highlights
- You can now control the number of results in the file manager from the file manager directly without loading the advanced search dialog
- You can now delete all entries from an existing Express object without deleting the object.
- Update CKEditor from 4.11.1 to 4.12, add Placeholder plugin
- Add the ability for each Express Form block to have its own from address
- Added the ability to set a background color for thumbnails and for use with the image editor
- Added the ability to search attributes when adding attributes to the page composer form
- The Page Attribute block can now use custom templates
- Add GUI to configure trusted headers received by a proxy
- Add dashboard page to change database character set / collation
- ReCaptcha is now included as a captcha option in the core
- You can now include page aliases in searches in the Dashboard advanced page search
- Allow email sending enable/disable from the dashboard
- Make it configurable whether or not to ignore page permissions for RSS feeds
- Added the ability to show captions by default for the YouTube block
- Added the ability to display the version status on the results page of a Page Search
- Added a new install theme console command
Improvements
- Add MySQL version and SQL_MODE to environment information
- Removed the extraneous exception stack trace when the MySQL connection fails during installation
- Added support for right-to-left languages in the concrete5 translate UI
- Fix error where sitemap panel would show up even if the user has no access to add pages or to the sitemap.
- Improved uniformity between search interfaces in the Dashboard and dialogs for things like files, pages. Miscellaneous display bug fixes for search interfaces.
- Add the author column on express entries CSV export
- Added file read route to the rest api
- Use the HTTP 303 code for downloading files instead of HTTP 302
- Simplify the error message when copying a file to folder
- Added Choose New File to the top of the file selector menu to help users confused by the “Replace” option further below
- If the form redirects to a thank you page, pass the entry id so that the page can interact with the entry if desired.
- We now separate titles and content of installation errors if you encounter them (thanks mlocati).
- In the desktop draft block, deleting a draft now no longer redirects you to the home page
- Improved reliability when uploading large files into the file manager
- RSS feed URL slugs can now have hyphens in them
- Added rel="noopener noreferrer" to different places in the core where we link to external pages, enabling better process management
- Added Twitch Social Link
- Composer and block editing will no longer log you out while you are editing for a long period of time
- Remember me 2 weeks value is now configurable
- Routing system now handles response objects returned by any controller on_start
- Add a config key to support script-specific locales
- Added the ability to disable checking for core and package updates when using concrete5 via composer
- Improvements to the display of the feature block icon selector
- PageTypeDefaults::SetupOnChildPages: Make Update forked blocks optional
- Reduced the number of errors Doctrine complains about when inspecting the mapping information for the core entity classes
- Spelling errors fixed in certain error messages
- Set quoted-printable encoding for outgoing emails for better compatibility
- Improvements to how the My Account menu was displayed in certain themes
- Don't ask to preserve old page path of external URLs
- When creating external links, the URL slug we generate is now based off the name of the link instead of the link
- Better localization in edit mode of calendar, by including localized version of moment.js
- Brought back the ability to drag a file immediately into the file manager and have it begin uploading
- Add asset version number to cache bursting query string
- Show only the message in case of a UserMessageException
- Fixed - SEO issue: tag ignores any actions of page/block controller
- Attribute controllers can now define the “No Value” text
- Reduced size of bundled bootstrap libraries; removed missing references to glyphicon font file
Bug Fixes
- Fixed bug where XSS could be passed through to the select form helper under certain conditions.
- Fixed bug when using the document library when MySQL has ONLY_FULL_GROUP_BY enabled
- Fixed bug where additional cancel and submit search buttons were showing up in advanced search dialogs.
- "Order Entries" page is not installed on upgrading from version 7
- Fixed buggy behavior when searching by associations in Express.
- Fixed: Search Presets in dialog not actually submitting
- Fixed: Bugs with search presets not being deletable, searching JS errors when working with search presets
- Fixed bug with autoplay not starting in YouTube block due to https://developers.google.com/web/updates/2017/09/autoplay-policy-changes
- Fixed bug when Express form sends notification with an image/file attribute and it’s not filled out
- Add new Italian Province: South Sardinia
- Fix error where adding an image or a file to composer would complain about it not being present, even if it was.
- Fixed error where file usage dialog did not work with files linked in the content block
- Fixed bug where navigating directly to dispatcher.php would throw PHP errors.
- Fixed error where global password reset didn’t require typing the confirm code.
- Fixed inability to unapprove a page version in the versions menu
- Fixed: Password Requirements dashboard page was not installed via 8.5.0 & 8.5.1 fresh install
- Fixed bug where clicking publish on a composer page draft could still create an extra version in some cases
- Fixed: ccmAuthUserHash cookie and "Stay signed in" functionality allows user impersonation if hash table is leaked
- Remove Guest from "Group to enter on registration" options
- Fixed: Copy page does not change the mpRelationID of the new page
- Fixed error with user attribute not calling its method on the correct user object, leading to strange results
- Fixed: If you dropped an image into the rich text description of an FAQ entry, when you went back to edit the entry, the image didn't show up
- Fixes error where Download file does not show up for files that aren’t images
- Fixed: $c->getPageWrapperClass
- Fixed: UI: Can not select topic in large tree on Page Search
- Fixed error in Redis cache backend: Password set in config is not sent to the Redis connection process
- Fixed untranslated text in the Event List block
- Fix showing empty error message when a problem occurred using Setup on Child Pages
- Fixed error where bumping the concrete5 version number without changing a version_db number wouldn’t re-trigger an upgrade.
- Fixes issue with broken links to files in textarea
- Check $search_path is set and string in search block view
- Fixed errors in full page caching under multisite setups.
- Fixed errors in full page caching with blocks that used special parameters – the page was saved properly but it would replace the contents of the pages without parameters
- Fixed: 8.5.2RC1 - Adding external link with URL "/" breaks the whole site
- Fix error on delete user who has express entries
- Fix: calendar feed parameter and validation
- Fixed: Calendar events displayed only on starting month when they span multiple months
- Fixed bug with rich text editor not exporting content properly
- Fixed bug where we displayed an error when browsing directly to /dashboard/system/environment/entities/update_entity_settings
- Fixed bug where newly created users would be deactivated if automatic deactivation based on last login was turned on and they hadn’t logged in yet.
- Fixed: blocks added to stacks that use JavaScript or CSS assets in their view templates were not working when the block was cached.
- Fixed errors in localization class not including the Config class
- Fixed login error complaining about Groups being a reserved word under Percona MySQL 8.0
- Fixed issue where in page list block, missing input validation results in mysql-error
- Fixed: Default Express Entry List search functionality does not allow for searching for multiple fields simultaneously
- Fixes bug where Express form answers were emailed in a random order, rather than in the order they displayed in the form
- Login page will now no longer let you render parts of authentication type forms if those types are not enabled.
- Fixed bug where images or files added to front-end forms wouldn’t be included in the email notification about those forms.
- Fixed bugs and cleaned up code in the Workflow classes
- Prevent leading/trailing commas from triggering errors in Legacy Form block
- Fixed bugs when arranging stack proxy blocks in pages as a non-super user with advanced permissions enabled
- Blocks no longer remain in their target area if there was something about the move operation that failed
- Fixed multiple bugs when working with the HTML Upload interaction type in the image/file attribute
- Fix the layout of the search fields in "Page Report" page
- Fixed: Migration to utf8mb4 incomplete due to problems with schema
- Fixed bug where the hovering image in a file manager window didn’t disappear when clicking on the image record
- Fix inability to connect to marketplace on sites behind SSL when that site is also behind a proxy like Cloudflare
- Fixed: All Day Events are not determined correctly
- Fix calendar block issues with all-day events
- Fixed inconsistencies when using Ctrl key to deselect images in the file manager
- Fix some issues installing content with the content XML format by disabling request cache during XML installation
- Fixed Issues when removing Custom Workflow Types
- Fixed Issues when adding Workflows that have custom workflow types.
- Refactored Workflow Types Class to use newer code.
- Upgrading jQuery UI to 1.12.1 and downgrading jQuery to 1.12.2 to fix security issue (
- Fixed bug when clicking on folders in Document Library
- Fixed: When you add a datetime attribute into the search form, you'll get a JavaScript error.
- Fixed: When paging through versions in stacks or on a page, clicking version doesn't show menu
- Fixed errors when sorting attributes, inability to sort attribute sets as a regular administrator and not the super user
- Fixed: When opening existing repeated events, selected days were not selected.
- Fixed: Unpublished repeated events get published after deleting part of events.
- Bug fixes when updating a site from 5.7
- Fixed warnings when sending mail with the intl extension enabled
- Fixed entity not found exception when retrieving author of a file when the author had been deleted
- Fixed StorageLocationFactory::fetchByName should return an instance
- Miscellaneous cleanup in URL Resolver classes
- Fixed null pointer exception when user attempted to view calendars in the Dashboard but didn’t have permission access to the first calendar retrieved
- Bug fixes when upgrading from previous versions of concrete5
- Fixed bug where account menu was floating underneath the concrete5 toolbar (thanks mlocati).
- Fixed problems overriding the Express form context registry
- Fix block templates that edit the scope variables within the block view
- Fixed bug where default contact form in Elemental wasn’t set to store its form data in the backend, only to email it.
- Fix H1 Report 643442
More details: https://documentation.concrete5.org/developers/background/version-history/852-release-notes
8.5.1 9 April 2019 - 200MB
Feature Updates
- Added the ability to filter logs by time (thanks biplobice)
Behavioral Improvements
- Improved translation of user logging in multilingual environments. (thanks katzueno)
- Improvements to code quality and reduction in suppressed errors (thanks mlocati)
- Improvements to using multiple user selectors on a page; miscellaneous bug fixes to user selector (thanks haeflimi)
- Improvements to installation on a cluster where site home page ID may not be 1. (thanks mlocati)
- Improved file size of app.css; removed unnecessary and broken CSS.
- Simplify the warning when the database does not fully support utf8mb4 (thanks mlocati)
Bug Fixes
- Fixed error where external form actions were not working.
- Fix Exception already used in CharsetCollation\Manager (thanks mlocati)
- Fixed error where move/copy didn’t work in site map flat view (thanks biplobice)
- Fix resuming copy language tree operation (thanks mlocati)
- Fixed inability to run some user bulk actions in the Dashboard.
- Fixed JavaScript error when changing default calendar colors in the Dashboard.
- Fixed error in API where authenticated requests could pass through to read any API route.
- Fix error on package uninstall when "remove the package directory" is checked (thanks biplobice)
- Hide publish now button on versions of pages when user doesn’t have permission to publish (thanks hissy)
- Make sure custom thumbnails have upscaling enabled (https://github.com/concrete5/concrete5/pull/7697)
More details: https://documentation.concrete5.org/developers/background/version-history/851-release-notes
8.5.0 (major version) 18 March 2019 - 200MB
More details: https://documentation.concrete5.org/developers/background/version-history/850-release-notes
8.4.2 9 August 2018 - 200MB
Behavioral Improvements
- Added filtering and pagination to the Waiting for Me workflow notification list.
- Better unsetting/removal of data when users are deleted (useful for GDPR compliance). More details here: https://github.com/concrete5/concrete5/pull/6693
- Delete unused filesystem files and thumbnails when a file version is removed
- We have removed the Flash-based avatar editor in favor of a JavaScript-based component
- Fix typos in Google Maps API check
- Do not link to non active page in content block
Bug Fixes
- Fixed error linking to marketplace addon and theme pages on the Connected to Community Pages; Fixed inability to click through to marketplace detail add-on or theme pages in the Dashboard
- Fixed inability to download free add-ons through the marketplace Dashboard pages.
- Fixed inability to install new block types via the Block Types Dashboard page
- Fixed bug where multiple workflows wouldn’t fire if the user could automatically approve the first one.
- Fixed inability to ctrl-click or command-click file manager results to select them in bulk
- Fixed error getting temporary directory when running generate sitemap job
- Fixed: 8.4.0 - An exception occurred while executing 'INSERT INTO UserWorkflowProgress (uID, wpID) VALUES (?, ?)' with params [null, \"25\"]:\n\nSQLSTATE[23000]: Integrity constraint violation: 1048 Column 'uID' cannot be null
- Fixed bug in migrating data where sites already had the Page Selector add-on installed, and some attribute values were null (Doctrine\DBAL\Exception\ForeignKeyConstraintViolationException)
- Fixed inability to upgrade to 8.4.1 from 5.7.5.13.
- Fix JavascriptLocalizedAsset::getAssetContents when concrete5 is installed in subdirectory
- Fix infinite redirection visiting existing dirs when seo.trailing_slash is false
- Fixed: Duplicated seo.trailing_slash definition
- Made it impossible to store XSS in calendar event names.
Developer Updates
- Lots of code cleanup surrounding username and email validation, added a new Username and Email validator
- Add public properties to next_previous block controller
- Add CLI command to refresh database entities
- Updated Translation Library
More details: https://documentation.concrete5.org/developers/background/version-history/842-release-notes
8.4.1 (major version) 3 August 2018 - 200MB
8.4.1
Feature Updates
- Added the ability to automatically deactivate users based on how long it’s been since they’ve logged in.
- Added the ability to save search presets for users and pages and Express objects. (thanks marvinde)
- Added the ability to sort block types and block type sets in the Dashboard (thanks mlocati)
- Add support for theme-color meta tag in the Basics settings section of the Dashboard (thanks mlocati)
- Allow upscaling images for thumbnails based on thumbnail type (thanks mlocati, jneijt)
- Add tooltips to the plugins listed on the Rich Text Editor page in the Dashboard that describe what they do (thanks mlocati)
- The Page Selector attribute is now integrated into the core (thanks marvinde)
- Added a Draft List block type to the Waiting for Me screen in the Desktop (thanks marvinde)
- Added a command line script to generate sitemap.xml (thanks mlocati)
Behavioral Improvements
- Reworked Add Content panel functionality: clicking again on the plus/add panel now closes the panel (like all others). If a user option-clicks the panel when opening it, the blue/pinned/locked functionality is activated. Clicking to close the panel closes it and removes this functionality (thanks marvinde)
- Use UI localization context in concrete5 toolbar & account menu (thanks mlocati)
- Fixed: Whoops report is confusing the reporting with the original error when adding or updating blocks that fail (thanks mlocati)
- Version approved date is now shown in the approved version panel (thanks marvinde)
- Fixed: Language Switcher's language text should display in their native language (thanks mlocati)
- We now highlight localized stacks that have been created to override global stacks in a multilingual website (thanks mlocati)
- Make marketplace error handling more consolidated and handle timeouts
- Set links color in jquery ui dialogs (thanks mlocati)
- Better support for MySQL 8 (thanks mlocati)
- Support for multiple Page List blocks on a page (thanks marvinde)
- Fix handling of JavascriptLocalizedAsset URL & path (thanks mlocati)
- Don't try to get package lists when concrete5 is not installed in language-install CLI command (thanks mlocati)
- Reduce concurrency problems in FileSystemStashDriver::storeData (can be a problem when clearing a cache on a high traffic site) (thanks mlocati)
- Added a link to the concrete5 Slack channel on the installation screen (thanks mlocati)
- Added a link to the concrete5 Slack channel in the welcome screen (thanks mlocati)
- Improved performance in route resolution (thanks mlocati)
- Avoid long timeouts when checking the Google API Key in Google Maps block (thanks mlocati)
- Avoid warning in Securimage::check when no captcha token is received (thanks mlocati)
- Add $subject to form email templates to make it easier to customize (thanks katzueno)
- Add option to not create session cookies in multilingual sites (thanks mlocati)
- Changed Redactor to CKEditor in the Conversations Rich text editor
- Add ability to change social network icon via config (thanks goesredy)
Bug Fixes
- Fixed irritating bug where adding multiple express form controls of the same type in a row would cause an error and require form controls to be added and re-saved before proceeding (thanks JeffPaetkau!)
- Fixed error when trying to login using certain third party authentication types (thanks fabian)
- Fixed: File Manager - Duplicate and blank search presets created when creating multiple search presets without page refresh (thanks marvinde)
- Fixed bug where Next/Previous block might skip pages under certain conditions (thanks gfischershaw, mlocati)
- Fixed: C5 8.4.0 - Unable to select root page (home) when adding a new page in sitemap on a multilingual site
- Specifying the items per page for an express entity now works.
- Fixed: 8.4, File Manager in versions, "Invalid file version" when removing old item (thanks mlocati)
- Fixed Call to a member function generate() on null at index.php/dashboard/extend/update
- Fixed bug resolving proper Multilingual Section from browser locale under certain situations (thanks mlocati)
- Fix HackerOne issue 277479 (thanks mlocati)
- Fixed: Copy page moves cID instead of copy in MultilingualPageRelations table (thanks 1stthomas)
- Fixed Express Bug: Argument 1 passed to DashboardFormContext::setLocation() must be an instance of TemplateLocator, boolean given
- Fixed exception thrown when accessing index.php/ccm/system/accept_privacy_policy directly.
- Fixed: Deleting theme error does not have a method 'getPackageItems'
- Fixed out of memory error happening on non-US systems when a broken legacy package is included in the packages directory (thanks mlocati)
- Fixed errors with the Page List block not properly filtering by date options (thanks gfischershaw)
- Fixed 8.4.0RC2 - Search presets cannot be deleted in bulk (as the context menu suggests)
- Fix a bug where the file manager's breadcrumb is behind the search form (thanks marvinde)
- Fixed inability to disable CKEditor plugins (thanks mlocati)
- Fix setTrustedProxies for Symfony 3.3.0 (thanks mlocati)
- Fixed: FileFolder::getNodeByName and duplicated folder names (thanks mlocati)
- Fix setting the "required" attribute of the privacy agreement on install page (thanks mlocati)
- Actually add translatable strings extracted from config files to Translations instance (thanks mlocati)
Developer Updates
- Much improved sitemap.xml generation routine, including better memory usage, better ability for extension, and cleaner code (thanks mlocati)
- General code cleanup (thanks mlocati)
- Add "withKey" feature to configuration (thanks mlocati)
- Add Thumbnail Type events (thanks a3020)
- Fix returning file objects in Exception classes (thanks a3020)
- Added on_block_output event (thanks a3020)
- Added a debug option in the Dashboard to report PHP NOTICE errors (thanks mlocati)
- Bring back the setNameSpace() method in ItemList (thanks marvinde)
8.4.0
Feature Updates
- Added ability to specify custom thumbnail types per file sets (e.g. if a file is in the Header file set, the Header thumbnail type will be generated for it, otherwise it will not.) (thanks mlocati)
- Calendar block has new agenda views for year list, month list, week and day (thanks MrKarldilkington)
- Added a System Email Addresses Dashboard page that lets you set the default email addresses – previously this had to be done in config code (thanks MrKarlDilkington)
- Added bulk user commands: activate, deactivate, delete, remove from group and add to group (thanks JeRoNZ)!
- If a site is connected to the concrete5.org marketplace, any packages installed on the site will have their language files automatically downloaded from translate.concrete5.org (thanks mlocati)
- Adds search header to express entity selector for selecting express entities against pages, users, files, etc… (thanks sjorssnoeren)
- Added the ability to specify an end date for page publishing.
- Added the ability to delete individual Log entries (thanks marvinde, mlocati)
- Added new “Start Time” option to YouTube block; YouTube block will also respect “Start Time” if specified in the YouTube URL (thanks jlucki)
- Added a new Reset Edit Mode Dashboard page that allows all currently checked-out pages to be checked in and edit mode to be restored on them.
- Updated CKEditor to 4.9.1 (thanks MrKarlDilkington)
- Added a new image slider navigation option in the image slider block: “None” (thanks biplobice)
- Added the ability to edit topic tree names (thanks gutigrewal)
- Added the ability to unapprove an approved version through the versions menu.
Behavioral Improvements
- We now only set sessions when you attempt to login or use custom session code, in order to reduce the number of sites that set cookies for GDPR.
- Added a data collection notice to installation, added a banner to Dashboard for GDPR compliance.
- Massive improvements to image handling in the core, (thanks mlocati!). Full details found here: https://github.com/concrete5/concrete5/pull/6415
- ItemList: always included ordered-by columns in select statement (thanks mlocati)
- Folded registration email notification preferences into the System Email Addresses Dashboard page (thanks biplobice)
- Much better localization and translation support in the newly introduced calendar components (thanks mlocati)
- We will now inhibit the execution of automatic updates/installations if one is currently in progress (thanks mlocati).
- Improved support when using MySQL 8 (thanks mlocati)
- Improvements to the interactive installation process defaults (thanks mlocati)
- Fixed errors when the update process takes a long time, either because many migrations need to be executed or because a single migration takes a long time to execute, and PHP execution reaches its maximum time limit (thanks mlocati)
- Improvements to the coding of the installation process (thanks mlocati)
- Automatically set maintenance mode during core updates (thanks mlocati)
- Apply nowrap white space on private message box status column (https://github.com/concrete5/concrete5/pull/6350) (thanks biplobice)
- Send 500 code instead of 200 on creating an error response (https://github.com/concrete5/concrete5/pull/6350) (thanks hissy)
- Optimizations to UserList classes and group search (thanks deek87)
- Improvements and optimizations to the auto rotate image processor (thanks mlocati)
- We now return a 404 response when requesting an invalid tool (thanks mlocati)
- Improvements to the update process when the calendar add-on was migrated to the new built-in calendar.
- Fixed: Dashboard Sitemap Tree Deleting items should refresh Trash (thanks marvinde)
- Fixed: In sitemap, when you delete a page, plus sign doesn't appear next to the trash can 'til after page reload (thanks marvinde)
- Do not automatically upgrade the core in maintenance mode (thanks mlocati)
- Fixed: When deleting a layout, the message "Are you sure you wish to delete this block?" is shown (https://github.com/concrete5/concrete5/issues/6289)
- Improvements to SNS authentication, Facebook authentication specifically (thanks biplobice, deek87). More details here: https://github.com/concrete5/concrete5/pull/6018
- Better database encoding when databases don’t use UTF-8 by default (thanks upline-pro)
- Use Selectize for Data Source element select multiple inputs (thanks MrKarlDilkington)
- Removed old unused Newsflow code (thanks mlocati)
- Highlight Default Page Template in Defaults and Output for Page Type (thanks MrKarlDilkington)
- Fixed exception filling logs on invalid file (https://github.com/concrete5/concrete5/issues/6449#issuecomment-366931290)
- Fixed inability to use theme editor CSS classes in CKEditor when using in the Dashboard and non-pages (Thanks MrKarlDilkington)
- Consider text/plain images as SVG images (thanks mlocati)
- Add block type name to delete block modal message (thanks MrKarlDilkington)
- Actively discouraging certain CLI commands when run as root (thanks mlocati)
- Show different message when public profile option isn't changed (thanks biplobice)
- Added cache to core area layout block.
- Improve performance of file manager in certain editor configurations (thanks hissy)
- Allow layout presets to optionally have no container element defined (thanks MrKarlDilkington)
- Better ADA compliance: adding for=”” attributes to label tags in login forms, forgot password forms, all core attributes and express form attributes.
- Add aria attributes and title to Social Links block links and icons (thanks MrKarlDilkington)
- The dropdown area on the Add Content menu is now clickable (thanks marvinde)
- Removed useless 'More Details' link from package upgrade page (thanks a3020)
- Help prevent block form and file manager modals from blending in with background page content (thanks MrKarlDilkington)
- Added a link to the concrete5.org privacy policy from the login page where backgrounds are pulled from concrete5.org.
- Fixed some errors searching express objects in the Dashboard in some cases (https://github.com/concrete5/concrete5/pull/6601) (thanks hissy)
- Add alt attribute to generic thumbnail icons to increase accessibility in Document Library block (thanks MrKarlDilkington)
- Fix handling of package dependency errors (Thanks mlocati)
- Suggestion: Stays at draft page after "Save and Exit" on Composer (thanks marvinde)
Bug Fixes
- Fixed multiple bugs that arose because actually removing a multilingual section via the Dashboard didn’t delete the pages in the site tree.
- Fixed error where full page caching was still connecting to the database.
- Fix block dragging in edit mode – it wasn’t scrolling the page in certain browsers (https://github.com/concrete5/concrete5/issues/6321) (thanks mlocati)
- Fixed: no longer using client side code for rating messages (https://github.com/concrete5/concrete5/pull/6337) (thanks mlocati)
- Fixed bug in survey block where page the survey was on was missing (thanks marvinde)
- Fix issue where updating page defaults on a multilingual site wouldn't push blocks out to all pages in all locales
- Fixed: Adding file selector to form fails on element with special characters (thanks jneijt)
- Fixed bug where pages duplicated would lose custom block cache settings on the resulting pages.
- Fixes issue when a file with multiple versions is the cursor (thanks deek87)
- Fixed: JS Cache combined with "use strict" breaks core javascript (thanks mlocati)
- Fixed: z-index issue when selecting Calendar Events categories (thanks MrKarlDilkington)
- Fixed bug where pages duplicated would lose custom grid container settings on the resulting pages.
- Add missing folder icon in Document Library block (thanks MrKarlDilkington)
- Fixed Error in core_area_layout when activating block cache in 8.4RC2 (thanks mehl)
- Fix error with folder item list returning too many items when filtering by multiple file sets
- Fixed bug where replying to messages when logged in would cause replies to show up multiple times before a page refresh (thanks marvinde)
- Fixed bug where applying custom styles to a global area’s blocks would not refresh those styles without a full browser reload.
- Fixed: we now sanitize the alt text in avatars (https://github.com/concrete5/concrete5/pull/6339) (thanks Remo)
- Sanitize output on folder names (https://github.com/concrete5/concrete5/pull/6341) (thanks Remo)
- Fixed error running command line utilities when a concrete5 installation has been updated through the Dashboard.
- Fix missing closing h3 tag in Calendar Event block (thanks hissy)
- Fixed missing CSRF token when deleting a conversation message (https://hackerone.com/reports/87729)
- Warnings when attempting to install concrete5 on a database that will make the table names lowercase (thanks mlocati)
- Fixed: Unmapping a locale page, removes the mapping for all locales (thanks Seanom)
- Fixed: Wrong language used in a single page controller (thanks mlocati)
- Fix H1 309466 (thanks mlocati)
- Better permissions checking on Express entry list results in custom Express objects and Express forms.
- Fixed bug with queues and queueable jobs where one job running might start executing the jobs of another process (thanks ahukkanen)
- Fixed bug where you couldn’t unset a “More Details” calendar event page link in the calendar event edit popup.
- Fixed: Google map - multiple API calls if Check API clicked multiple times (thanks MrKarlDilkington)
- Fixed: Delete user attribute values on user delete (thanks marvinde)
- Removed unnecessary paragraph tags in output of FAQ block (thanks djkazu)
- Fix: https://www.concrete5.org/community/forums/customizing_c5/8.3.1-symphony-error
- Fixing some cases where exporting form results to CSV could result in a 404 error under advanced and custom permission use cases.
- Fixed: Creating a page alias in another site tree does not modify the siteTreeID
- Sanitize the link of external pages in the sitemap (https://github.com/concrete5/concrete5/pull/6346/) (thanks mlocati)
- Fixed: PageList topic filtering MySQL error (mode ONLY_FULL_GROUP_BY) (thanks mlocati)
- Fixed minor XSS vulnerability in unused $step GET parameter (thanks jordanlev)
- Fixed: "Schedule Publishing" dialogs are not removed when adding page (thanks marvinde)
- Fix locale and language of MultilingualPageRelations when site locale changes (thanks mlocati)
- https://github.com/concrete5/concrete5/issues/6490 (thanks marvinde)
- Fixed Minor Bug: "Move to Folder" in Filemanager and not selecting a target causes exception
- Fixed: Deleting a File Leaves it Selected in Form (thanks marvinde)
- Fixed: Applying a theme to a site in the Dashboard only does it to a single multilingual tree
- Fixed: Unable to add new options to select attribute in composer under PHP 7.2
- Fixed Access Denied bug when editing blocks with validation errors under certain conditions (https://github.com/concrete5/concrete5/issues/6425) (thanks marvinde)
- Fixed: The file manager's breadcrumb appears on the full sitemap page (thanks marvinde)
- Fixed: Possibility to crash calendar event list if number of events is not specified
- Sanitize the output of page short description in the pages panel (https://github.com/concrete5/concrete5/pull/6347) (thanks mlocati)
- Fix: area layout using preset not deleted after deleting area layout (thanks mlocati)
- Fix migration to version 8 when MultilingualPageRelations contains invalid data (thanks mlocati)
- Fixed: Unable to decode session object after updating profile information and using database sessions on certain multilingual installations.
- Fix: The file manager's breadcrumb appears on the full sitemap page (thanks marvinde)
- Fixed: Running an advanced search on Express forms can produce error in PHP 7.2.
- Fixed error when upgrading from 5.7 with custom address attribute countries (thanks mlocati)
Developer Updates
- Add support for the "media" attribute for CSS resources (thanks marvinde)
- Added on_locale_add, on_locale_delete and on_locale_change events (thanks dimger)
- Add on_block_before_render event (thanks a3020)
- Old page statistics code has been removed (thanks a3020)
- Add on_block_duplicate event (thanks a3020)
- Removed inline JavaScript from Google Maps block view layer (thanks Remo)
- Updated to jQuery 1.12.4 (thanks MrKarlDilkington)
- You can now specify default block templates by a particular page type (thanks haeflimi) (see details here: https://github.com/concrete5/concrete5/pull/6456)
- Added a console command to rerun certain migrations (thanks mlocati)
- Add a configuration key to set the Composer autosave idle timeout (thanks mlocati)
- Update responsive-slides asset from 1.54 to 1.55 (thanks apaccou)
- Add c5:is-installed CLI command (thanks mlocati)
- Updated the fullcalendar JavaScript library to version 3.8 (thanks MrKarlDilkington)
- Updated Punic Unicode library to 3.0.1 (thanks mlocati)
- Dispatch an additional event when File Sets are deleted (thanks haeflimi)
- Added phpdoc comments for better API documentation (thanks mlocati, AdamBassett)
- Updated Imagine image processing library to 0.7 (thanks mlocati)
- Updated Symfony components to 3.4.7
- JavaScript is now fully testable (thanks mlocati)
- Let FileFolderManager filter by file extensions, improve FileManager service (thanks mlocati)
8.3.2
Feature Updates
- Updated CKEditor rich text editor component to 4.8.0
Behavioral Improvements
- Improvements to coding standards and PHP documentation
- Scan the SRC directory within the application for translatable strings
- Fixed users being able to delete core and active themes
- Removal of inline block JavaScript to facilitate more performant websites
- Certain text field database indexes will be preserved across the upgrade process, leading to better performance
Bug Fixes
- Express Entity attribute type was not installed due to a bug in 8.3.0 and 8.3.1. This is now fixed.
- Improvements to the upgrade process: fixes to missing database tables under certain conditions
- Fixed bug where blocks were not having their output added to the output cache, leading to general slowness, and a slow Dashboard Welcome page.
- Fixed fatal error on higher traffic websites complaining about timeouts, broken cache files.
- Fixed: The current "check for updates" dashboard page doesn't report the latest version because of a bug in the cache reading/writing process
- Fixed: Updating preset layouts destroys database structure which can result in severe errors
- Fixed: filterByTopic / MySQL 5.7 compatibility
- Fixed bug where Geolocators table wasn’t created when upgrading from 8.2.1.
- Fixed: Page duplicated from Versions menu doesn't contain IsDraft state, gets published under drafts.
- Fixed http://www.concrete5.org/developers/bugs/8-3-1/exception-on-login-page-when-mobile-theme-switcher-is-active-and
- Fixed issue with no blocks displaying on PHP 7.2
- Fixed Youtube block video issues with showinfo and loop
- Removed stray tag in topic list block view template
- Fix directory name in extract package strings
- Fixed: Form submission notifications throw an error on the Waiting for Me page if the form data object is deleted.
Developer Improvements
- UserSelector::selectMultipleUsers can now accept square brackets in its name, enabling it to be used with custom attributes
- Move the post-login URL management to a service class
8.3.1
Feature Updates
- Added support for upgrading from older versions of concrete5. Now you may upgrade from 5.7.5.13 all the way to 8.3.1, and from any version in between.
- Added the ability to search form results in the Dashboard.
- Added support for importing and exporting Express entities and their entries to the Migration tool.
- Added the ability to sort by custom display order to the Express Entry List block
Behavioral Improvements
- Delete empty global area record when clearing cache (should speed up a sure)
- Add more information on workflow notification popup window
- Code cleanup and improvements
- Miscellaneous code cleanup
- Multilingual sitemap now remembers which tree you were viewing last, will open to that language in Dashboard Sitemap.
- Improvements to pages panel sitemap when used in a multilingual site.
- Added a link from a form results Dashboard view over to its Express data object editor in the system and settings page.
- Improvements to block/area box-shadow styling when using the design editor
- Do not allow folder names to be null in file manager
- Simplified the public registration settings form in Dashboard
- Moving and updating files in the file manager will now update the modification date of the containing folder
- Made file inspectors more robust so that broken images or other issues don’t cause them to die
Bug Fixes
- Fixed bug where block action URLs for blocks in global areas would not work, leading to an inability to edit blocks like the Express Form when the block is in a global area.
- Fixes #6135 when editing a survey block would delete existing options
- Fixed: When adding new options to existing options in a survey block, they are saved with a display order starting at 0 so the order is not respected
- Fixed: Next/Previous showing unapproved pages
- Fix: All drafts or no drafts are listed in "Add Pages and Navigate Your Site" panel
- Fixed bug where publishing pages in composer using in-page sitemap wouldn’t show languages in a multilingual site.
- Fixed: The Dashboard's Update page has been moved, but the link was unchanged and returned a 404
- Fixed bug where blocks that register view assets (like JS and CSS that they require) do not output those assets when the block is pasted throughout the site using the clipboard
- Fixed bug where errors could occur when submitting an Express Form with incomplete values (failing validation) and having an option list attribute in the same form.
8.3.0
Major New Features
- The core team’s Calendar add-on is now available in the core! It’s much improved from the version in the marketplace. It includes:
- The ability to add multiple calendars to your site
- Join pages to calendar events
- Calendar events are a separate data model from pages.
- Custom attributes on calendars
- Event List, Calendar and Calendar Event blocks
- Calendar and Calendar Event custom attributes.
- Detailed permissions at the calendar level.
- Workflow integration with calendar events.
- Version control for calendar events (!)
- A powerful recurring event model that works even with event versioning.
- Additionally, the core team’s Document Library add-on is now available in the core! The Document Library add-on lets you easily place a list of files on the front-end of your website. Filter by folder or file set, provide a simple search interface, control the styling of results and more.
More New Features
- New GeoLocation Framework available, along with an included plugin from geoPlugin; geolocate site visitors and get information about where they’re coming from. Ability to automatically populate address attributes from geolocation information. More here: https://github.com/concrete5/concrete5/pull/5837
- New command line utilities to clear IP blacklists, and dialogs to do the same
- You can now edit multilingual locales you add through Multilingual Setup
- Conversation block - toggle display of social sharing links and code update
- Added the ability to customize CKEditor toolbar groups via the configuration file, without overriding PHP classes. An example of a customized config file that controls editor/toolbar groups can be found here: https://gist.github.com/MrKarlDilkington/5a14cf2c8aca511c8c9d2026e07b297c
- Added the ability to turn the Select attribute (now called “Option List”) into a list of radio buttons.
- Mobile Dashboard menu now includes subpages.
- Improved appearance of CKEditor rich text editor; now closer to concrete5’s UI
- Allow users to add tags to site pages
- Make username and confirm password display/hide configurable for registration form from dashboard
- Improvements to CSV export and import of data.
Behavioral Improvements
- Added the ability to search by users not in a group to the Dashboard user search interface.
- Added the ability to see the date of last login to the Dashboard user search interface.
- Added an icon to notice level logs in the Dashboard logs interface.
- Added logging into cache clearing.
- Added ability to open links in Image block in a new window
- Add date created to csv export for express entities
- Feature block: increase the preview icon size
- Let users configure the thumbnail generation strategy via UI
- Thumbnails for PNG images are now PNG files and not JPEG files
- UI tweaks and code improvements to External Form block
- Add option to retain thumbnails when clearing cache from command line
- Cosmetic improvements to upload dialog
- Show current language when showing hreflang (https://github.com/concrete5/concrete5/pull/5868)
- Reset answer type form after adding question
- PageList and Page List block - sort pages by date modified
- Removed exception throwing from invalid SQL order by provided by user – instead it will be ignored.
- You can now search multilingual trees through the page search interface in the Dashboard.
- Retina/High DPI thumbnails are now controlled via config value that can be disabled
- Improve image rendering in ImageEditor for browsers that supports it
- Make Basic Workflow Notification From Address and Name configurable
- Fix position of dropdown menu in blacklist dashboard page
- Miscellaneous small performance improvements and optimizations
- Better error message when saving attributes
- Fixed package restore after failed package update
- Refactoring and cleanup of installation process
- Add Pager Pagination page number
- File manager is now more mobile friendly.
- Improvements to the date attributes custom text mode setting
- Captcha improvements: https://github.com/concrete5/concrete5/pull/6036
- Allow customizing the headers of the email attachments
- Hide block and area design features if disabled
- Much better performance when grabbing page drafts on a live site.
Bug Fixes
- Fixed bug where cache directory and thumbnail cache was cleared any time an override cache was cleared. (Note: this fixed an issue with the new asynchronous thumbnail generation strategy that left thumbnails unable to rebuild.)
- Dashboard mobile menu works again.
- Fixed user account menu not showing account operations like Edit Profile, Edit User Picture unless the user was a user with access to the dashboard.
- Fixed issue when using the Page Selector and choosing an alias the original would be selected instead
- Fixed: Survey Dashboard page broken.
- Fixed: Empty file & image blocks get exposed when block cache is enabled after quitting edit mode without doing anything
- Fixed bug where topic order wasn’t being saved properly in the topic trees
- Fixed bug where new drafts had the locale of the default site tree, in multilingual sites. Fixed bug where they could not be duplicated into a new part of the site properly.
- Fixed checkbox attribute not honoring settings when editing attributes with values.
- Fixed: Error on file_manager_detail thumbnail creation (no height set on installation.)
- Fixed: Saving and re-editing content won't allow you to edit links
- Fixed bug where searching express entities by a many association wasn’t selecting the entries on returning to the form.
- Fixed: Multilingual redirect based on browser locale not always working
- Fixed bug where CSS and JS provided by block view templates was wrong in certain situations
- Fixed bugs where thumbnails were removed from the cache directory even when that setting wasn’t checked
- Fixed inability to search in “all pages” in Dashboard Page search in a particular multilingual site tree.
- Fix the site tree filter of MultilingualPageList in multilingual/page_report
- Fixed inability to create page from multilingual page report
- Fixed http://www.concrete5.org/community/forums/internationalization/multilingual-site-error-after-upgrade-to-8.2
- Fixed inability to post results to a different page when using the search block
- Fixed: Editing Express Entries uses the default view form instead of the edit form.
- Snippets in CKEditor work again (along with improved performance) - thanks mnakalay
- Fixed bug in Express where entities listed in an association could not be clicked into from associated entities.
- Fixed: Conversation block generates ccm_addHeaderItem error when not logged in
- Fixed error when adding attribute from a package into a Form block.
- Prevent uncaught type error when editing links in CKEditor
- Fix multiple files showing up when browsing folders in the file manager as the non admin user.
- Fixed: Global Password reset process fails when email registration is enabled
- Fixed possible errors when rescanning files are stuck in the queue and they no longer exist.
- Following an expired Forgot password token no longer gives you a message about it being an ‘Unexpected Error’
- Fixes a bug with using Group Sets in the "Approve or Deny" permission on the Workflows settings screen for a workflow
- Fixed: When duplicating a file, two copies of it gets created
- Fixed possible XSS in stored URL locations dialog
- Fixed: When adding a new Storage Location that's set as the default one, we currently end up having two default storage locations in the database
- Image Block: checkbox formatting and prevents the "Open link in new window" value from always being true
- Fixed: FAQ block: Entries with " are not properly saved
- Fixed: Upgrade 5.7.5.13 to 8.2.1 fails on duplicate key
- Fixed error message “Unable to get permission key for view_edit_interface” showing up when an invalid block was specified in an edit interface.
- Fixes duplicating a duplicated file in a folder
- Fixed bug where duplicated files weren’t duplicating thumbnails
- Fixed bug where CSV files exported from Express sometimes didn’t have a filename (only an extension)
- Fixed issue with existing ratings not being populated in edit mode
- Calls to getContents (a wrapper for the HTTP client) now honor the $timeout argument
- Faster file rescan when using image constraints
- Prevent image upload resizing of SVG files
- Fixed: It is not possible to make default / main language invisible for a group and show another language sitemap
- Fix saving "thumbnail is built" in ThumbnailMiddleware
- Fixed bug with uncaught exception in authentication types.
- Fixed: Adding a new page via the sitemap with a required user prevents the page from being created
- Fixed bug where folders and files were showing up as translatable in translate site interface.
- Fixed bug where concrete5 couldn’t be installed on versions of PHP 5.5 before 5.5.21.
- Fixed: Disable intelligent search for marketplace when setting warrants it.
- Page Templates can now be uninstalled from packages that install them
- Show only accessible languages in switch_language blocks
- Fix to allow strings to be passed to getThumbnail method
- Fix clearing cache but keep thumbnails on Windows
- Fixed https://github.com/concrete5/concrete5/issues/5798
- Incorrect CSRF token validation no longer throws an exception in the legacy form.
- Miscellaneous bug fixes to asynchronous thumbnail generation strategy.
- https://github.com/concrete5/concrete5/pull/5968
- Fixed: Avatar upload should use global jpeg quality settings
- Fixed: File Manager - Advanced search Customize Results don't persist
- Fixed: Password url lifetime doesn't work for different hash type
- Fixed: File Manager - Replaced files are not resized to match the image uploading resize dimension
- Fixed display bug when editing conversation messages.
- fix inline edit detection for blocks pasted from the clipboard
- Fixed: Upgraded concrete5 caused duplicated results of topic filter
- Miscellaneous content exporter fixes
- Fixed inability to hard code a block’s custom template in a theme template file and provide that custom template in the theme.
- fixes bug where fill records were orphaned when deleting a file set.
- Fix HackerOne report #243865
- Sanitized display value for file nodes
- Prevent XSS in group badge description
- Fixed User date attribute can cause error on profile page
- fixed: When trying to save an edited video block you get the error An invalid form control with name='width' is not focusable.
- Fixes filterByBlockType on PageLists so that it works with strict versions of MySQL.
- Fix W3C HTML Validator Error for Meta Canonical
- Fix possible self-xss on installation screen.
- Better conversation message sanitization when using the rich text editor conversation editor.
Developer Updates
- Added the ability to specify package dependencies in a package controller
- Updated Laravel Config dependency to 5.2.x.
- Improvements to command line/composer integration in Windows
- Lots of minor updates to third party libraries.
- Simple syntax for obtaining an error message by field: https://github.com/concrete5/concrete5/pull/5939
- Support for handling multiple entity managers in a package
- Add support to foreign keys in attribute index tables
- Content Interchange Format can now associate attribute categories to existing attribute types
- Allow converting an error list to plain text
- Added API methods for easily adding a country and state/province selector (used by the address attribute type.)
- Fixed namespace when generating migrations.
- raise event when page not found is shown
Backward Compatibility
- Captcha updates may affect backward compatibility.
Read more: https://documentation.concrete5.org/developers/background/version-history/841-release-notes
8.1.0 (major version) 27 June 2017 - 200MB
8.1.0
New Features
- The Form block can now display output from an existing Express entity object, as well as create a new custom form from scratch.
- Multilingual sites can output for related pages by setting the site.sites.default.multilingual.set_alternate_hreflang config variable to true (thanks mlocati!)
- You can now hide the footer My Account menu with a setting in the Profiles Dashboard page (thanks mlocati)
Behavioral Improvements
- Much improved time zone support; fixes a number of bugs, inconsistencies, tests for database and PHP time zone matching (thanks mlocati)
- Updated CKEditor to 4.6; much better CKEditor appearance and button wrapping behavior (thanks MrKarlDilkington!)
- More reliable URL slug generation JavaScript (thanks seebaermichi)
- Make welcome background image cover full width and height (thanks MrKarlDilkington)
- DateTime widget - change default displayed past years from 10 to 100 (thanks MrKarlDilkington)
- Fixed: File Manager Upload does not reflect most recently uploaded files if user doesn't select "View Uploaded"
- Improved thumbnail generation when using the BasicThumbnailer classes – better support for page caching while generating thumbnails, throttling and better performance when generating thumbnails.
- Added toolbar tooltips, defaulted to true but with options to disable in Accessibility settings (thanks seebaermichi)
- Share This Page block now includes full request URI, making it easier to share pages with custom URL parameters (thanks HamedDarragi)
- Image Slider block now includes option for both bullets and arrows (thanks Siton-Design)
- Fixed Resize images client side using 2x downsampling on upload results in jagged images (thanks MrKarlDilkington)
- Page Attribute Display block delimiter option works with topics (thanks MrKarlDilkington)
- Add a semi colon to separate JS scripts in cache
- Page Type Form shows its icons at all times, appears nicer (thanks MrKarlDilkington)
- Miscellaneous style improvements (thanks ramonleenders, MrKarlDilkington)
- Escape translations to prevent JavaScript errors because of containing apostrophes (thanks Ruud-Zuiderlicht)
- Upgrade improvements and bug fixes
- When moving a file from one storage location to another the thumbnails will also be moved (thanks Mnkras)
- Increased max amount of size slider (thanks MrKarlDilkington)
Express Bug Fixes
- Fix success error when submitting Express Form with two forms on a page.
- Fixed bug where Express many to many associations weren’t named correctly, so working with them programmatically didn’t work.
- More reliable deletion of express objects when they have associations to other objects
- Fixed Express Entities can't be used in a form unless the user is an administrator
- Fixed Script error when express attribute edited in dashboard form results
Other Bug Fixes
- Removed dummy autoloader added to bootstrap/app.php (shouldn’t affect any applications, but shouldn’t be there anyway.)
- Permissions fixed in the file manager.
- Fixed incorrect characters displaying when dragging a stack icon (thanks katzueno)
- Fixed Embedding CKEditor in single pages triggers fatal error when CSS and JavaScript Cache is enabled
- Fixed bug where some sites could start rendering -1/ in their paths when editing the home page.
- Fixed double submit bugs when forms or external forms were placed on the home page.
- Fixed errors that would occur when moving or copying aliases
- Fixed http://www.concrete5.org/developers/bugs/8-0-3/404-for-the-dashboard-page-cmsindex.phpdashboardhome/
- Fixed Dashboard file manager menu clipping on in folders without a lot of files (thanks MrKarlDilkington)
- Fix exception being thrown when the workflow requester was deleted (thanks jaromirdalecky)
- Better permissions protection on file manager with File Uploader access entity; better permissions protection on moving files in file manager.
- Fixed PageList::filterByPath returning no pages when working on multilingual sections (thanks OlegsHanins)
- Minor localization issues with Punic calendar library fixed (thanks ahukkanen)
- Fixed File manager file menu does not reflect accurate file after moving files
- Fixed bug where sitemap selector widget didn’t select pages (thanks Mesuva)
- Fixed: Page types with attributes throw errors when copied
- Fixed: Validate Password tokens don’t reset when email is changed (thanks Mnkras)
- Fixed Manual global cache time is displayed wrong on page cache settings (thanks mlocati)
- Fixed delete file storage location ERROR
- Fix filtering of topics in page list block when filtering by topic category
- Fixed FAQ - Delete Entry breaks the Save button (thanks MrKarlDilkington)
- Fixed Invalid block type handle exception during upgrade from 5.7.5.13 to 8.0.3 on sites where the RSS Displayer block was removed.
- Fixed: Setting a select attribute default value for page types results in foreign key constraint error in composer
- Fixed: Default Page Attributes do not persist
- Fixed bugs where discarding page drafts might cause page blocks to no longer be editable in composer.
- Fixed: Page Attribute default value not set in composer view
- Fixed exception when dealing with Oauth in bindUser method in some setups.
- Updated Zend Mail component to 2.7.2 to fix security issues.
- Fixed: https://www.concrete5.org/developers/bugs/8-0-3/author-attribute-is-very-tall-when-editing-attributes-from-the-d/
- Added CSRF protection to Forgot Password (thanks Mnkras)
- Fixed Page Attribute - Issue with deleting Rich Text Attribute
- Fix unsanitized file set name displayed in add to sets dialog.
Developer Updates
- A new search indexing service provider is available, enabling the use of third party search platforms rather than built-in MySQL search for pages. Currently relatively low level and offering our single MySQL implementation, it nevertheless is a good start for adding support for other services like Elasticsearch, Solr and more.
- Developers can implement getPackageTranslatableStrings() in their package controller in order to specify custom strings to add to the translation repository.
- Bug fixes in custom package entity manager configurations (thanks Kaapiii)
- Miscellaneous code commenting (thanks Mnkras)
- Upgrade Monolog to v1.22.0 (thanks mlocati)
- Upgrade Punic to 1.6.4, fixes certain incompatibilities with Symfony Intl.
8.0.3
This was a bug fix release.
8.0.2
This was a bug fix release.
8.0.1
This was a bug fix release.
8.0
New Features
- Express: Extensible, Custom Data Objects that can be created by Editors. Easily search, sort, manage permissions on and display these objects in the front-end and the Dashboard.
- User Desktops: a fully customizable landing page for users when they login to the system, available even if user profiles are not. Functions within the Dashboard or outside of it.
- Revamped Waiting for Me: can include a large number of notification types (like user signup, workflow, form submissions, private messages, concrete5 updates and more) and is extendable by third parties.
Block Improvements
- Completely overhauled Form block: now powered by Express, form block fields are attribute-based. This means they can be added to with new attributes. Additionally, you can intersperse text with form controls. The Form block creates Express entities in the Dashboard, which you can grant permissions to, relate to other entities, and more.
- More control over page defaults – ability to choose whether to delete all blocks based on defaults or just the unforked versions, and the ability to publish updates to page defaults over previously forked versions of defaults blocks.
- Added the ability to add a delimiter to multiple items displayed by the Page Attribute Display block (thanks cryophallion)
- Add topic, tag, and date filtering to the Page Title block (thanks MrKarlDilkington)
- Add an option to list pages at the current level in Page List (thanks juhotalus)
- Fix image slider composer view (thanks ob7)
Page Improvements
- Page versions can now be scheduled for approval in the future.
File Improvements
- Revamped file manager, with support for folders, better support for saved searches, and more.
- Automatically generated thumbnails now work with storage locations (thanks Mnkras)
- New attractive file type icons that better match concrete5’s current UI (thanks Freepik – http://www.flaticon.com/authors/freepik)
- SVG files now will create thumbnails when uploaded if the system has ImageMagick installed (thanks mlocati)
Stack Improvements
- Stack Folders: Stacks now support folders, which should enable developers to use stacks more efficiently.
Dashboard Improvements
- Dashboard Favorites are now Chooseable via the Bookmark Icon in the Dashboard Header
User Improvements
- User approval is now handled through the use of concrete5 workflow. Enable workflows on user activation to control how users register for your concrete5 site. Control which administrators can edit which users. (thanks Mainio!)
- All user passwords can be globally reset from the Dashboard. Users will have to reauthenticate immediately, and change their password immediately.
SEO Improvements
- There are now separate tracking codes for header and footer locations (thanks MrKarlDilkington, mlocati)
Multilingual
- Multilingual stacks and global areas work nicely with folders.
- Drafts now use the target page location property to determine their locale and language, allowing you to create related drafts for different languages.
- Multilingual sites now appear as their own trees in a tabbed sitemap, rather than within the main site.
Permissions/Workflow Improvements:
- Waiting for Me Workflow List now shows all workflow types instead of just Pages, is fully extendable, more attractive, and available outside of the Dashboard via Desktop Block.
Attribute Updates
- Added Telephone, URL and Email Address attributes
- Image/File attribute now has an "HTML Input" display mode.
- Text attributes now have a placeholder as an option (thanks avdevs)
- Custom attributes can now be globally applied to your site, and easily accessed by calling \Site::getSite()->getAttribute('attribute_handle');
Other Improvements
- Updated installation process; more attractive, gives users something to do while installation is occurring, added the ability to specify canonical URL and session handler during installation (thanks mlocati)
- If a site is running on an updated core, the database migrations will automatically be run (saves potential database until the update has to be run manually)
- The command line installer now features an interactive mode when used with -i
- Better checking of .htaccess status when updating pretty URLs (thanks mlocati)
- You can now add page redirects for the home page (thanks edtrist)
- Code cleanup and optimization (thanks a3020, mlocati, Korvinszanto)
- Invalidate browser cache when CSS files are edited (thanks joostrijneveld)
- Switch Site name and page title on default (thanks katzueno)
- We added ID back to the custom style panel for blocks (thanks MrKarlDilkington)
- Improvements to composer autosave behavior.
- We now use relative URLs when the canonical URL isn’t set.
- Nicer display of image slider in edit mode (thanks Siton-Design)
- Fixed linking to twitter tweets so they don’t redirect (thanks clarkwinkelmann)
Bug Fixes
- Big thanks to olsgreen for fixing a long standing bug with page edit mode checking and timestamps, leading to a fix of buggy edit mode behaviors like layouts not rendering post add, edit mode not being respected, etc...
- Bug fixes to Image Slider (thanks MrKarlDilkington)
- https://www.concrete5.org/developers/bugs/5-7-5-8/file-manager-edit-image-doesnt-work-when-jscss-cache-is-on-becau/ (thanks mlocati)
- Fixed bug where custom styles in stacks weren’t showing up if the stack was added to the front-end (thanks olsgreen)
- Added CSRF Tokens to Legacy Form Block (thanks ryantyler)
- Tiny issue: Add missing "/" in $title end tag (thanks Siton-Design)
- Fix issue to generate thumbnail of vertical long image (thanks hissy)
- Fix: loop Setting not working in youtube block (thanks jordif)
- Fix: Switching from a theme with grid support to one without grid support errors out (thanks olsgreen)
- Bug fixes with thumbnail creation logic when the width of the image exactly matches the width of the thumbnail (thanks Mesuva)
Developer Updates
- Big update to Doctrine internals (thanks Kaapiii!)
- Symfony components updated to version 3.
- Font Awesome icon set updated to version 4.5.
- Search block URLs support URL Resolver so they can be overridden (thanks ahukkanen)
- Completely new translation subsystem, with better support for language contexts, and an improved API (thanks ahukkanen and mlocati)
- Bootstrap components updated to 3.3.7.
- Updated Laravel Dependency Injection Component to version 5.
- Zend Framework libraries updated to their latest versions
- Added on_form_submission event for Legacy form (thanks Jozzeh)
- Additional commands added to command line tool (thanks mlocati)
- jQuery UI updated to 1.11.4
Read more: http://documentation.concrete5.org/developers/background/version-history/810-release-notes
5.7.5.13 - 18 March 2019 - 80MB
Bug Fixes
- Fixed insecure use of non-random str_shuffle when creating user tokens
- Improvements to update process for version 8.
- Works again properly on PHP 5.3.
- Fixed bug that made upgrading impossible on PHP < 5.5.9.
- Fixed page not found error when clicking on a topic list to filter the page list in the blog.
- Controller bug fixes and security updates.
- Once again, Environment Information is now available in the Dashboard.
Developer Updates
- Added jQuery Select to Dropdown menu support in the Dashboard; just add data-select="bootstrap" to your select menus.
Read more: http://documentation.concrete5.org/developers/background/version-history/57513-release-notes
5.7.5.9 - 23 August 2016 - 80MB
New Features
- Rescan files through the file manager now scans 5 at a time, works through the queue.
- Added option to ignore page permissions to the Page List block
- Dutch language is now included (Thank you Ramonleenders)
Behavioral Improvements
- When rescanning files, if there are image upload handlers like constrain image or JPEG quality processing, these will run again (allowing you to bulk rescan and constrain large images that have been uploaded through the file manager.)
- More reliable theme css caching (thanks fabian)
- Installed packages will now have their strings included in the "Translate Site" interface.
- Add WCAG label to Share This Page default view (thanks uimatters)
- When you create a new page through the multilingual page panel, the new page's approved version is unapproved, allowing administrators time to edit the page's language to reflect the new section of the site.
Bug Fixes
- Google Maps now requires an API key – this functionality has been added to the Google Maps block (thanks MrKarlDilkington)
- Fixed bug where composer deleted old page versions on published pages.
- Fix namespace of UserInfo (thanks jaromirdalecky)
- Conversation block can now be appropriately translated based on the area of the site it appears in (thanks lehik)
- Image Slider bug fixes (these were not included in the previous update.)
- Fixes minor security vulnerability with pagination parameters
- "Edit Page Type Drafts" page type permission now controls who can access a particular page draft (as it should have).
- AutoNav ignore exclude Nav wasn't working when set programmatically (thanks fabian, rikzuiderlicht)
- More reliable theme customization caching (thanks fabian)
- Fixed bug: Permissions Bug: Completely new admins get 404 on first draft creation
- Image slider block: Fix smaller than full size slides to center on page (thanks cryophallian)
Developer Updates
- Added event for modifying page meta tags and title attribute in header_required.php (thanks mlocati)
- More reliable adding of pages programmatically (will automatically strip composer output controls from pages created programmatically)
- Adds events for add, edit, and delete for blocks on a page
Read more: http://documentation.concrete5.org/developers/background/version-history/5759-release-notes
5.7.5.8 - 23 May 2016 - 80MB
- German, Japanese and Russian languages are now included
- Image Slider Bug Fixes
- Using blank alt tags in Image Slider, Image and Content blocks if no alt is provided, rather than the HtmlObject default "#" ones.
Read more: http://documentation.concrete5.org/developers/background/version-history/5758-release-notes
5.7.5.7 - 28 April 2016 - 80MB
New Features
- Nice column view for thumbnail image browsing (Thanks MrKarlDilkington)
- Added Max Width as an option to the Image Slider block (thanks cryophallion)
- Added configuration option concrete.misc.require_version_comments (defaulted off) to enable the requiring of version comments (thanks mlocati)
Behavioral Improvements
- Improved performance and API for parallax scrolling
- Better support for rich text editor and file manager permissions when the user using the rich text editor and the file manager isn't an administrator.
- Custom styles that are set on composer control output blocks will now be inherited when those blocks are published to a page. (thanks olsgreen)
- Added support for site names in a multilingual site (thanks mlocati)
- Site localization strings are now loaded after core and package localization strings (thanks mlocati)
- Added ability to set override meta keywords from a particular page (thanks katz)
- Facebook authentication uses curl verify peer setting (thanks jaromirdalecky)
- Allow filter select attribute using NOT LIKE through comparison (thanks Ruudt)
- Code cleanup (thanks mlocati, a3020)
- Image slider CSS fixes (thanks robkovacs)
- Use correct target in page list links (thanks ojalehto)
- Add “Required” label to required composer form controls (thanks MrKarlDilkington)
- Prevent empty span from displaying if no title is entered in Page Attribute Display block (thanks Mr
- If an AJAX error occurs during page composer editing, auto-save is now disabled (thanks hissy)
- Cosmetic improvements to marketplace item listings
- Composer custom templates now can be included in packages.
- Preserve original URL when login is needed (thanks mlocati)
- Developers can now add pages under the dashboard that aren't single pages (thanks herent)
- "Disable Scroll Wheel" option on Google Maps block works on mobile now (thanks hissy)
- Translation tool improvements
- Added DOM Extension to official installation requirements (thanks ChrisHougard)
- Swiss Provinces included in Location List (thanks appliculture/mlocati)
- Location Lists are now translatable (thanks mlocati)
- AutoNav performance improvements (thanks littleibex)
- https://www.concrete5.org/community/forums/5-7-discussion/feature-request-add-filename-colum-option-to-file-manager/
Bug Fixes
- Fixed bug where full page caching would rebuild a page every time it was viewed, instead of viewing from cache.
- Fixed issue where Upgrade Doesn't Complete Fully When Upgrading from a Previous Upgrade (thanks mlocati)
- Fixed hanging that could occur on login when attaching specific users to advanced permissions
- Fixed bug where the table "BasicWorkflowProgressData" could not be inserted into when publishing page edits
- Fixed HTML block clears saved entities on edit (thanks acliss19xx)
- Bug fix: multiple workflow on same page causes errors (thanks hissy)
- Avoid InvalidArgumentException with Page Attribute Display block when showing images with both width and height set to zero (thanks hissy)
- Fixed bug with displaying rating attribute values as stars.
- Fixes Zend Queue bug (Empty Trash, etc...) in PHP 7.
- Fixed https://www.concrete5.org/developers/bugs/5-7-5-6/bootstrap-styles-not-properly-scoped-within-.ccm-ui/#812586 (thanks allybee)
- Fix custom styling with additional file storage location types (thanks hissy)
- Fixed http://www.concrete5.org/developers/bugs/5-7-5-6/userlist-filter-by-group/
- Updated JShrink to fix an issue where minified/compiled JavaScripts used by the asset system would break if comments were included after JS code (thanks 1stthomas)
- Fixed bug where blocks in global areas couldn’t be reordered on the front-end (thanks ojalehto)
- Fixed https://www.concrete5.org/developers/bugs/5-7-5-6/magnific-popup-ipad-bug-fixed-in-latest-version/ (thanks MrKarlDilkington)
- Fixed https://www.concrete5.org/community/forums/usage/squashed-images-mobile-view/ (thanks MrKarlDilkington)
- Fixed: Stack content isn't indexed in the search index (thanks ottovirtanen)
- Fix file url in form results when using a non-public file storage location (thanks ottovirtanen)
- Fixed http://www.concrete5.org/developers/bugs/5-7-5-6/choose-user-not-working/ (thanks mlocati)
- Fixed image slider in theme listings in the marketplace Dashboard
- Fixed https://github.com/concrete5/concrete5/pull/3702 (thanks mlocati)
- Avoid sitemap.xml error on Search Console (thanks hissy)
- Fixed html entities not being preserved in content block (thanks acliss19xx)
- Fix some untranslated messages (thanks hissy)
- Fixed issue where Topic List block returns User Groups
- Fixed inability to create a page named "0" (thanks hissy)
- Fix translated placeholders on storage location paths (thanks ojalehto)
- Fixed issue with thumbnails in the file manager looking too large.
- Fixed misnamed gc_maxlifetime session cookie option making it impossible to configure this value in custom configurations (thanks simoneast)
- Bugfix: RSS feeds get cached indefinitely (thanks simoneast)
- Fixed extra UL tags and invalid placement in topic list block.
- Fixed: page_list block produces invalid HTML5 for RSS link (thanks derykmarl)
- Fixing the wrong link in dashboard/blocks/types to marketplace listing page (thanks katzueno)
- Fixed https://www.concrete5.org/developers/bugs/5-7-5-6/javascriptlocalizedasset-loads-asset-with-base_url-resulting-in-/ (thanks mlocati)
- Fixed https://www.concrete5.org/developers/bugs/5-7-5-6/setup-of-security.trustedproxies.ips-done-too-late-in-concretebo/ (thanks hissy)
- Fixed https://www.concrete5.org/developers/bugs/5-7-5-6/error-on-conversation-with-deleted-users/ (thanks mlocati)
- https://github.com/concrete5/concrete5/pull/3701 (thanks katzueno)
- Fixed: feature block wasn't pulling paragraph correctly in editmode (Thanks jaredfolkins)
- Fixed Error when accessing "Manage Presets" php7 (thanks mlocati)
- Fixed Display error messages on Concrete password change (thanks Ruud-Zuiderlicht)
- Fixed https://www.concrete5.org/developers/bugs/5-7-5-6/applying-border-radius-requires-non-zero-border-width/#814380 (thanks mlocati)
- Fix: unable to redirect to home on submit form block (thanks hissy)
- Fixed padding and display of toolbar (it was off by a pixel) (thanks zanedev)
- Fixed https://github.com/concrete5/concrete5/pull/3673 (thanks jaromirdalecky)
- Bug fixes to Download Report when users have been deleted (Thanks hissy)
Developer Updates
- Updated Magnific Popup to 1.1.0
- Improvements to the command line tools (thanks mlocati)
- Added c5:exec CLI command (thanks mlocati)
- update Picturefill to current version 3.0.2 (stable) (thanks MrKarlDilkington)
- add config value to set file manager results per page (thanks MrKarlDilkington)
- Added File Zip Service (thanks mlocati)
- Allow the passing of Page Template handles for Page Type adding/updating (thanks cryophallion)
Backward Compatibility Notes
- Updating Magnific Popup 1.1.0 drops support for Magnific Popup in IE7.
Read more: http://documentation.concrete5.org/developers/background/version-history/5757-release-notes
5.7.5.6 - 28 January 2016 - 80MB
Behavioral Improvements
- Minor improvements to command line utilities (thanks mlocati)
- Default behavior on certain javascript links prevented (thanks ojalehto)
- Fixed: User's avatar's url doesn't change when you change the image (thanks ojalehto)
- Fixed: https://github.com/concrete5/concrete5/pull/3420 (thanks ojalehto)
- Remove New Page link from stacks version history (thanks ojalehto)
- Adjust clear log button to indicate dangerousness of the action (thanks ojalehto)
Bug Fixes
- Fixed inability to publicly register new accounts (received invalid email address errors on valid email addresses.) (thanks JeRoNZ)
- Fixed http://www.concrete5.org/developers/bugs/5-7-5-5/file-manager-broken-after-deleting-a-file-set./ (thanks ojalehto)
- Parallax custom template causes layout design to not be accessible
- Fixed bug in next/previous block where exclude system pages was always set to true (thanks ojalehto)
- Prevent error while adding a new feed without a page type filter (thanks ojalehto)
- Fix incorrect action after renaming a stack (thanks ojalehto)
- PHP7 bug fixes (thanks JeRoNZ)
- Fixed multilingual flag layout (thanks ojalehto)
- Strict error bug fixes (thanks mlocati)
Read more: http://documentation.concrete5.org/developers/background/version-history/5754-release-notes
5.7.5.4 - 14 January 2016 - 80MB
Feature Updates
- Lots of improvements to the YouTube block, including responsive and widescreen improvements, support for playlist URLs, support for more YouTube options, and code cleanup (thanks Mesuva!)
- Added the ability to start composer page location sitemaps at a certain level in the tree.
- Share this Page block now includes a print option (thanks ojalehto)
- New uploading settings Dashboard page allows administrators to specify a maximum width, height and JPEG level for images uploaded to the file manager. Images will be constrained using client side JavaScript (if available) and server side as a fallback (thanks Mesuva)
- Background size and position added to options in Background Image section of area/block design (thanks MrKarlDilkington)
- Added the ability to set storage locations for files in bulk (thanks hissy)
- Updates to Image Slider block: draggable and collapsible slides, choose whether to animate automatically, slider speed, time between transitions, and whether to pause on hover (thanks MrKarlDilkington)
- Character count added to bulk SEO updater and SEO panel (thanks Mesuva)
- Added "Fit Image" button to Image Editor (thanks MrKarlDilkington)
Behavioral Improvements
- If a user has the ability to approve the workflow on a page that he or she is updating, the workflow will be skipped when submission occurs.
- Better validation of thumbnail types created through the dashboard (thanks mnakalay)
- Security improvement: immediate invalidation of password reset emails upon changed passwords (thanks joemeyer)
- We now use the number form element in the number attribute (thanks Remo)
- Added version comment to workflow email.
- Better caching of Page List blocks (thanks TimDix)
- CSS scope fixes and cleanup (thanks robkovacs)
- Drafts now include the date they were created (thanks MrKarlDilkington)
- Command line utilities will now work with a symlinked core (thanks mlocati)
- An area name is now visible when dragging a block over it
- Better compressed image slider sample images lead to smaller file sizes (thanks MrKarlDilkington)
- Improvement to the Page Defaults editing experience (thanks MrKarlDilkington)
- Added support for system pages to the AutoNav block (thanks joostrijneveld)
- Better support for elements in content blocks (thanks EC-Joe)
- Configuration option added to disable download statistics tracking (thanks EC-Joe)
Bug Fixes
- Custom theme layout presets now honor attributes on containers and columns other than just "class" (data attributes, etc...)
- Fixed error on user password validation on PHP 5.3.3.
- User avatar removal now protected against CSRF attacks.
- Allows the use of custom label text for file selectors (thanks mnakalay)
- Miscellaneous code cleanup and minor bug fixes (thanks joemeyer)
- Fixed infinite redirect issues with certain setups.
- Fixed https://github.com/concrete5/concrete5/issues/3063 (thanks joemeyer)
- Fixed errors when including job sets in packages (thanks joemeyer)
- Fixed bug where uploading files with uppercase extensions would fail in certain situations.
- Fixed bug where image slider block entries with links to internal page would lose those links on edit (thanks acliss19xx)
- Fixed https://github.com/concrete5/concrete5/issues/3300
- Fix newsflow url to Dashboard's update page (thanks concrete5 Japan)
- Fixed: It is not possible to set the color picker to complete transparency in the theme customization options (thanks mlocati)
- Fixed: if you add a picture to a feature paragraph area (or other abstracted string) and go to edit it it doesn't get translated back (thanks joemeyer)
- Fixed: https://github.com/concrete5/concrete5/pull/3214 (thanks frosso)
- Fixed inability to clear background images in page design.
- Fixed https://www.concrete5.org/developers/bugs/5-7-5-3/remove-alias-does-not-work/
- Bug fixes with Dashboard sitemap and page search.
- Fixed: Package description isn't translated before installing the package (thanks mlocati)
- Fixed: Can't vote in a survey if the block caching is turned on (thanks TimDix)
- Fixed https://www.concrete5.org/community/forums/chat/date-navigation-timezone-problem/ (thanks mlocati and WillemAnchor)
- Fixed https://github.com/concrete5/concrete5/issues/3098 (thanks ahukkanen)
- Fixed bug where the Add new page dialog was missing certain translations loaded from Composer (thanks ahukkanen)
- Fixed https://www.concrete5.org/developers/bugs/5-7-5-3/zip-file-download/ (thanks mlocati)
- Fixed bug where filtering by select attribute option values wasn’t working when the options had special characters in them (thanks dsgraham)
- Added X-Frame-Options header option for security purposes (thanks hissy)
- Fixed https://hackerone.com/reports/4934 (thanks joemeyer)
- Fixed mobile theme switcher issues: elements are loaded from default theme instead of mobile theme, responsive image settings of mobile theme are not respected (thanks hissy)
- Content import now properly imports area background images (thanks myconcretelab)
- https://github.com/concrete5/concrete5/pull/3106 (thanks mlocati)
- Fixed typo in Password Sent email template (thanks allybee)
Developer Updates
- Code improvements to facilitate concrete5 running on PHP 7 (thanks mlocati)
- New command line installation functionality to support installs in a clustered environment (attaches to existing databases rather than requiring an empty database.)
- New command line utilities for installing and uninstalling packages are now available (thanks mlocati)
- New command line utilities for generating and updating package translation files (thanks mlocati)
- Feature: Add new Conversation Message event (thanks brucewyne)
- Page Theme classes can now provide custom value lists. For information on why you'd want to do this, see this issue: https://github.com/concrete5/concrete5/pull/3031
- New attach mode in command line installer: When the --attach flag is supplied with a concrete5 c5:install call, if the supplied database already has rows we will attach to it rather than failing
- Session API Improvements
- Groups tree Javascript now supports multiple selection (thanks Shotster)
- Package controllers can now define on_after_packages_start() methods which will run after on_start() from ALL installed packages have run. This can be helpful when a particular package requires something from another package, but the original package is executing on_start() before the dependency.
- Tourist tours now have access to showStep method (thanks danielgasser)
Read more: http://documentation.concrete5.org/developers/background/version-history/5754-release-notes
5.7.5.3 - 25 November 2015 - 80MB
Behavioral Improvements
- Added an "Add Content" guide that goes through the process of adding content to the page, and explains the Add Content panel.
- Improved contrast in the Add Content and Dashboard panels.
- Fixed https://github.com/concrete5/concrete5/issues/2980
- Improvements to image editing experience when using the concrete5 image editor.
- Account private messages no longer assumes profiles are enabled (thanks ounziw)
- Escaped input in form submissions to prevent Excel macros from being embedded in fields (thanks TimDix)
- Links in image slider description will automatically substitute the proper URLs even when changing servers (thanks hissy)
- Added logout link to mobile menu (thanks ojalehto)
- Device visibility classes (hide on desktop, hide on laptop, etc...) are now disabled when a page is in edit mode.
- Additional page URLs preserve query strings on redirecting to canonical URLs.
- Imported area layouts now support custom styles (thanks myconcretelab)
- Parallax custom template on area design now works with multiple parallax areas on a page (thanks myconcretelab)
Bug Fixes
- Fixed infinite redirect loop with Internationalized Domain Names (thanks EC-Joe)
- Fixed bug where multilingual global areas would sometimes duplicate themselves needlessly, leading to empty global areas
- Fixed hard-to-reproduce duplicate key error in ConversationFeatureDetailAssignments table when using the conversation block throughout your site
- Fixed out of memory errors when uploading large files from the incoming directory (thanks EC-Joe)
- Fixed "When using inline blocks, I can edit other inline blocks" (thanks TimDix)
- Fixed errors with blocks that have assets not having their assets included if those blocks were within a layout. Fixed error with google maps block specifically.
- Fixed error with scrollbar not appearing after file uploaded on the front-end (actually fixed this time.)
- Fixed Adding and Moving a Block in One Step Causes JS Error
- Resolved: Rich text editor adds in random "=" symbols sometimes
- Resolved: Rich text editor wraps selection in when choosing a custom style
- Fixed bug where downloading a file that exceeds the available memory today causes an out of memory issue
- Fixed occasional bug that resulted in error "Argument 1 passed to Concrete\Core\Permission\Access\Access::create() must be an instance of PermissionKey, Concrete\Core\Permission\Key\AdminKey given."
- Fixed bug when moving blocks in certain situations (thanks Remo)
- Fixed: Topics attributes marked as required on pages weren’t being properly validated.
- Fixed some minor XSS potential issues with social links (thanks EC-Chris)
- Fixed bug: Internal Links in Feature Blocks Store Absolute URL in Database
- Fixed: config value "concrete.updates.autoupdatepackages" now works again
- Fixed fatal error when enabling package auto updates (thanks EC-Joe)
- Fixed error autoloading packages when working with the command line (thanks EC-Joe)
- Approve changes now shows up when moving blocks in stacks (thanks WillemAnchor)
- Fixed bug where editing permissions in simple permissions mode wouldn’t apply multilingual settings administration to the appropriate groups (Thanks Remo)
- Fixed possible CSRF security issue in Conversations settings dashboard page.
- Fixed free-form layouts that on occasion would break into two rows as widths wouldn’t match properly (thanks wstoettinger)
- Color picker JavaScript now properly escaped so it can be used with PHP array syntax.
- Fixed: If you added a BlockTypeSet but didn't add anything to them it would cause the foreach to error on a null value (thanks joe-meyer)
- Fixed inability to filter lists by multiple select values (thanks markbennett)
- Fixed http://www.concrete5.org/developers/bugs/5-7-5-2/date-attributes-search-method-doesnt-work/ (thanks haeflimi)
- IP Blacklist no longer bans on failed registrations (thanks joemeyer)
- Fixed https://github.com/concrete5/concrete5/issues/3048 (thanks joemeyer)
Developer Updates
- We now default to the "GD" image processing library for image manipulation. Imagick must be opted into by setting the config value "concrete.file_manager.images.manipulation_library" to "imagick".
- Adds ability to specify wildcard page theme classes by creating an array key with "*" as its key (thanks TimDix)
- Database Entities dashboard page now refreshes package-specific entities as well as application-specific entities.
- Implemented new Validation framework and some useful constraints. Used within password validation.
- API improvements to the Processor class to allow it to be used without a queue.
- Select attribute option API improvements
- Edge case page list sorting fix when adding to the query with addSelect and attempting to sort by the new field, and use pagination as well.
Backward Compatibility Notes
- If you were relying on Imagick image manipulation, you will now be using GD image manipulation unless you manually set "concrete.file_manager.images.manipulation_library" to "imagick" within a custom config file.
Read more: http://concrete5.org/documentation/developers/5.7/background/version-history/5-7-5-3-release-notes/
5.7.5.2 - 11 September 2015 - 80MB
Feature Updates
- You can now filter the Page List block by date, including pages with a public date of today, X days in the past, X days in the future, and a custom date range (thanks TimDix)
- The File block is now available in the Composer view for a Page type (thanks TimDix)
- You can now export the Database Query Log to CSV (thanks TimDix)
- The Cache settings page now gives developers the ability to optionally create CSS source maps from compiled LESS files.
- Version list now shows who approved the version (thanks Katz)
- Added page template to advanced page search.
- New modes for page composer where you can choose target pages from an in-panel sitemap, rather than the popup selector.
- Select custom attribute now uses the Select2 JavaScript library for tagging modes, leading to an improved appearance and nicer code behind the scenes.
Behavioral Improvements
- Improved appearance and information display of controls on the composer form page type dashboard page (thanks TimDix)
- Blocks added to the scrapbook will now honor the original block's cache settings (thanks TimDix)
- Area layouts will now be cached if all the blocks they contain are cached (thanks TimDix)
- Adds ability to cache Search Block if the block doesn't display results - useful for when placed in header/footer (thanks TimDix)
- Performance improvements in the Assets Subsystem (thanks joe-meyer)
- We now include the "position" property in the search index when using the testimonial block (thanks hissy)
- Better performance when working with bulk files and file sets with a large number of file sets (thanks TimDix and jefharris23)
- Stack blocks now check to see if the blocks within the stack can be cached – if so, they will be cached as well (thanks TimDix)
- Resolved https://github.com/concrete5/concrete5/pull/2911 (thanks Shotster)
- Added error messaging when adding or editing page types and not configuring the publishing settings properly.
- Better error reporting when http:// or https:// omitted from canonical URLs (thanks mnakalay)
- Removed "Meta Keywords" from SEO panel on new installs because it’s not actually something that most search engines like anymore (thanks Mesuva). The attribute is still available and installed.
Bug Fixes
- Fixed bug where layouts with custom widths didn't honor those widths (thanks kaktuspalme)
- Fixed bug where area layouts disappear upon changing layout design changes (thanks TimDix)
- Fixed issue installing on PHP 5.3.9 and earlier (5.7.5.1 was supposed to fix this but did not.)
- When deleting files, some rows were left in child database tables. This has been fixed (thanks EC-Joe)
- Block actions in edit mode (introduced in 5.7.5) now work with blocks in Composer.
- Permission access entity types can now be provided in packages like they could in 5.6.
- Permission keys can now be provided in packages like they could in 5.6.
- Rich text editor toolbar was abnormally large when present in the attributes dialog window. This has been fixed.
- Fixed bug where Image block fails on Elemental when using certain third party file storage location types with no thumbnail types installed (thanks Mnkras)
- We now show a confirmation dialog when discarding page drafts (thanks hissy)
- Fixed bulk SEO Updater not updating the home page.
- Fixed editor tooltips and link edit callouts not displaying when using redactor in a dialog.
- When setting sitewide permissions in simple permissions mode, "Edit Page Type" hadn't been set. It also wasn’t set by default when installing concrete5. This is fixed.
- Fixes Bug with Search Block when resultsURL specified instead of page (thanks TimDix)
- Fixed https://github.com/concrete5/concrete5/pull/2894 (thanks skybluesofa)
- Fixed https://github.com/concrete5/concrete5/issues/2362 (thanks TimDix)
- Fixed Cancel button action on block aliasing dialog (thanks hissy)
- Fixed scrollbar not appearing after file upload (thanks EC-Chris)
- Fixed exception when passing a non-number to ccm_paging_p (thanks SkyBlueSofa)
Developer Updates
- Added custom file import processes for forcing JPEGs, forcing JPEG compression and forcing width/height. Added system for creating custom file import processes and calling them programmatically
- Added the ability to try and use exif rotation data (experimental, toggle on by enabling with the config value concrete.file_manager.images.use_exif_rotation_data)
- Translation improvements (thanks mlocati)
- Added flash message support to page controller. Just call $this->flash('key', 'value') and then a page redirect and the $key will be available from within the target page the same as if it had been set from that target page. (e.g. $this->flash('success', 'Thanks for your submission!'); $this->redirect('/to/new/page'); )
- PageSelector::quickSelect now works again.
- Page Type Validator framework improvements
- Slight fixes to form labels in form block (thanks haeflimi)
- Improvements to permissions content import XML functionality.
- Fix potential data loss when working with packages that had both db.xml files and Doctrine entities (thanks Mainio)
- Content block image placeholders now save all attributes placed on the images in the rich text editor (Thanks TimDix)
- Fixed permissions error rendering "subscribe to conversation" functionality inoperable.
- Improvements for working with PHP7 (thanks mlocati and Mnkras)
- Added additional MIME extensions for new Office file types (thanks RGeelen)
- on_page_get_icon event now works properly (thanks ahukkanen)
- Lots of code quality improvements (thanks joe-meyer and mlocati)
- Fixed https://github.com/concrete5/concrete5/issues/2952 (thanks ahukkanen)
- New console command available: Clear Cache (thanks mlocati)
Developer Backward Compatibility Notes
- The signature of the \Concrete\Core\Page\Type\Validator\ValidatorInterface has changed. If you rely on this interface check your implementations. (Note: if you extend the \Concrete\Core\Page\Type\Validator\StandardValidator you should be fine.)
Read more: http://concrete5.org/documentation/developers/5.7/background/version-history/5-7-5-2-release-notes/
5.7.5.1 - 17 August 2015 - 80MB
Behavioral Improvements
- Better checking for InnoDB database tables than querying INFORMATION_SCHEMA directly.
- Improved accuracy and performance of the parallax scroll area layout custom template.
- Fixed Fatal error when getPageThemeGridFrameworkRowStartHTML() and getPageThemeGridFrameworkRowEndHTML() return nothing
Bug Fixes
- IP Blacklist functionality now works correctly
- Fixed non-functioning image editor when editing image thumbnails.
- Fixed error “PHP Fatal error: Can't inherit abstract function” on PHP 5.3.9 and earlier
- Fixed errors installing and working with concrete5 on MySQL setups with strict tables enabled.
- Fixing tree topic error in flat filter custom template when you have removed the topic tree it's linked to
- Fixed misnamed header grid classes in Elemental theme (thanks hdk0016)
- Fixed http://www.concrete5.org/developers/bugs/5-7-4-2/date-type-custom-attributes-was-not-add-default-block/
- Added legacy Image helper class (\Concrete\Core\Legacy\ImageHelper) back. This class had been moved to BasicThumbnailer and was working for all proper usage of the class, but for those instances where the class was hard-coded as the legacy image helper, the class is back for the time being. It will be removed in a subsequent update.
Read more: http://concrete5.org/documentation/developers/5.7/background/version-history/5-7-5-1-release-notes/
5.7.5 (major version) - 12 August 2015 - 80MB
Grid and Layout Improvements
- Page Theme classes can specify layout presets, which can use classes contained in grid frameworks or use their own custom classes.
- Layouts now have design controls available to them, including custom templates and custom CSS classes.
- Added a new custom template "Parallax Image" available to layouts that employ a background image.
- Grid frameworks can now specify hiding classes for responsive breakpoints, which can be controlled through block and area design settings.
- Grid containers that wrap around blocks based on their type can now be disabled or enabled on a per-block basis through the block design palette.
- Added nested support to grid frameworks.
Mobile Improvements
- Completely new Mobile Device Preview panel in the page panel. Preview the current page in a variety of mobile form factors, simulating user agent, and even rotating the device.
Multilingual Improvements
- Global areas and stacks are now multilingual: if you have multiple language areas in your site, stacks and global areas you add will have separate instances for each language, and the appropriate stack contents will be displayed on the appropriate pages with no hacks.
- You can scan a multilingual section for all links and references to multilingual pages, and if those pages exist outside the current tree, they will be remapped into the current tree. (i.e. after you copy a multilingual tree, you can rescan its links so they don’t point to the original tree.)
Other Feature Updates
- Elemental now provides two layout presets – Left Sidebar and Right Sidebar.
- You can now set an RSS feed to be filtered by a particular topic
- You can now add an image to an RSS feed
- If you register a site that requires approval before logging in, you will receive an email letting you know this is the case (thanks ounziw)
- You can now turn off help via a checkbox in the Dashboard on the Accessibility page.
- The file block now contains an option to force download (thanks Mesuva)
- Next/Previous Block now supports reverse ordering options (thanks UziTech)
- You can now run concrete5 jobs from the command line using concrete/bin/concrete5 c5:job (thanks ChrisHougard!)
- You can now choose the background image for full-image background pages with the 'concrete.white_label.background_url' config option (thanks myconcretelab)
- Redactor rich text editor has been updated to version 10.2.2, fixing many bugs and adding some small features.
- Adds support to adjust trusted proxy ips and settings through Config values (thanks timdix)
Behavioral Improvements
- Login page is now much easier to theme. Should look nice in stock Elemental theme. More generic language, and hides the authentication type list if only one authentication type is enabled. No more background image when attempting to re-skin login page in another theme.
- File manager import incoming now has a checkbox to select all files (thanks MeyerJL)
- Table cells in rich text editor have a minimum width of 55 pixels (thanks KarlDilkington)
- Group set names can now contain multibyte characters (thanks hissy)
- More rich text editor plugin interfaces are translatable (thanks mlocati)
- Fixed Typography selector fails on save if it is used without font selection (thanks ojahleto)
- Permissions are properly checked when displaying the publish button and the delete button in composer (thanks hissy)
- Editing page defaults no longer prompts you to save or approve your changes, since changes to page defaults are immediately live (they are not versioned.)
- Improved performance of full page caching (thanks EC-Chris)
- Improvements to session handling when the session directory exists outside of an open_basedir restriction (thanks acohin and mlocati)
- Page attributes are now grouped in sets on the page type defaults attributes screen (thanks EC-Joe)
- Form block now highlights errors on specific fields when they aren’t filled in properly (thanks timdix)
- Fixed bug that caused areas to have problems if they were converted in code from GlobalArea to Area and vice versa (thanks joe-meyer)
- Fix: can't override install options by config file (thanks mlocati and hissy)
- Better dialog message when the user can not select files (thanks hissy)
- Display last used authentication type if authentication fails (thanks ChrisHougard)
- Authentication types that rely on mcrypt use a more reliable random number generator (thanks thomwiggers)
- You can now export logs to CSV files from the Dashboard page (thanks timdix)
- If the package contains a theme that's currently active on the site, the package uninstallation can't occur
- Gravatar user avatars now honor the passed aspect ratio parameter when using a custom aspect ratio (thanks joostrijneveld)
- Fixed https://github.com/concrete5/concrete5/issues/2522
Bug Fixes
- Fixed broken list element HTML on dashboard pages when no child pages existing in a certain section. (thanks jaromirdalecky)
- Lots of configuration cleanup, removal of unused configuration values (thanks mlocati)
- Fixed bug where a deleted block type could cause problems for scrapbook blocks that referenced blocks of that type (thanks MeyerJL)
- Fix Base table or view not found: MultilingualSections error when installing in a language other than English
- Fixed bug where there could be only one basic workflow assignment (thanks hissy)
- Miscellaneous UI improvements (thanks mitchray)
- Lots of miscellaneous bug fixes to community points and badges
- Removed old unused timezone constants and replaced with proper configuration values (thanks mlocati)
- Fixed bug where Blocks on global areas don't prevent full page caching with the setting "On - If blocks on the particular page allow it" (thanks TimDix)
- The global configuration value for JPEG compression wasn’t being accessed properly and was ignored. This is fixed (thanks mlocati)
- Email service had been ignoring the default configured name (thanks mlocati)
- Use \Exception and translate line in BannedWord (thanks mlocati)
- Fixed error when saving a type with underline option unchecked in theme customization (thanks ojahleto)
- Fix: if you change an attribute's name, those changes do not take effect on the Composer Edit form; you need to delete the attribute and add it again (thanks EC-Joe)
- Fixing bug in topics where topics of multiple words would all be capitalized
- Configuration options are more reliably displayed when using caches like PHP opcache, APC, etc. (thanks mlocati)
- External links are properly outputted in page list blocks now (thanks GlennSchmidt)
- Fixed IPv4 to IPv6 address bugs (thanks MeyerJL)
- Fixed error editing testimonial blocks when the image of the testimonial had been removed from the file manager (thanks edbeeny)
- Fixed error where certain checkbox attributes were being imported as defaulting to checked, when they shouldn’t have been.
- Fixed bug where running \Page::getByID on startup with a page you're currently editing breaks edit mode (thanks EC-Joe)
- Fixed https://www.concrete5.org/community/forums/5-7-discussion/image-slider-links/#752359
- Responsive images served by the picture tag now work in IE9 (thanks mitchray)
- Surveys in global areas are now properly displayed on the survey results dashboard page (thanks EvgeniySpinov)
- Fixed inability to select topics to create under a new topic tree.
- Fixed validation incorrectly claiming a file attribute didn’t exist when checking a page in from edit mode (thanks mitchray)
- Fixed bug with broken URL in testimonial block (thanks KarlDilkington)
- Fixed https://github.com/concrete5/concrete5/issues/2623
- Fixed pagination in form results (thanks mitchray)
- Fixed override permissions for user groups not working
- Fixed https://github.com/concrete5/concrete5/issues/2451 (thanks mlocati)
- Style customizer for theme should be easier to use on options that have colors but no fonts available
- Fixed: if you create a Checkbox page attribute and select "The checkbox will be checked by default", the box is not checked when adding the attribute to pages
- Fixed https://www.concrete5.org/developers/bugs/5-7-4-2/cannot-reset-theme-customization-for-this-page/
- Fixed: if you do not have access to group search, you'll get a JSON error message (thanks hissy)
- Fixed filtering by log status levels on Dashboard page
- Fixed http://www.concrete5.org/developers/bugs/5-7-4-2/bug-with-tags-attribute-type1/
- Fixed bug where duplicated pages couldn’t have their block content edited in composer (thanks katzueno)
- Username validation error string fixes (thanks ounziw)
- Fix class not included in legacy page list (thanks hissy)
- Fixed bug: Add layout to area. Without refreshing page, edit container layout of new area, then cancel. Layout looks weird
Developer Updates
- Big thanks to mlocati for delivering a completely new way to specify database XML, built off of the Doctrine DBAL library, including its types and functionality instead of ADODB’s AXMLS. Database XML now has support for foreign keys, comments and more. Doctrine XML is a composer package and can be used by third party projects as well. More information can be found at https://github.com/concrete5/doctrine-xml.
- $view->action() now works for blocks in add and edit templates. This makes block AJAX routing much easier (simply reference $view->action('my_method') in your block add/edit template, and implement action_my_method in your block controller).
- Code cleanup and API improvements and better code documentation (thanks mlocati)
- Configuration and old PHP constants removed and replaced (thanks mlocati)
- Completely new approach to command line utilities built off of the Symfony command line class; existing utilities ported (thanks mlocati!)
- Adds ability to add Social Icons via config. (thanks TimDix)
- Packages can also add command line utilities through their on_start() method (thanks hissy)
- Flag images for multilingual sites can now be specified in application/images/countries/ as well as theme/current_theme/images/countries (as opposed to coming solely from concrete/images/) (thanks akodde)
- Custom file type inspectors now work again.
- Block types are checked to see if they exist prior to import (thanks Remo)
- Attribute keys are checked to see if they exist prior to import (thanks Remo)
- Permission keys are checked to see if they exist prior to import (thanks Remo)
- Upgraded to Zend Framework 2.2.10 to fix certain internationalization issues (thanks mlocati)
- Fixed duplicate success message on cloned form blocks on the same page (thanks bluefractals)
- Fixed bugs installing concrete5 with strict mysql tables enabled (thanks mlocati)
- Updated Magnific Popup to 1.0 (thanks mitchray)
- If you're running an OpCache like PHP’s Opcache, APC, XCache or something else, when you clear the cache this cache will also be cleared (thanks mlocati)
- Can compute hash key based on full asset contents if so desired, using the concrete.full_contents_asset_hash config value (thanks mlocati)
- Page cache adapters can now be loaded from places other than the core namespace (thanks hissy)
- updateUserAvatar now fires on_user_update event (thanks timdix)
- Attribute sets no longer need to have unique handles across different categories (thanks ijessup)
- Delete page event can now be cancelled by hooking into the event and setting $this->proceed to false (thanks mlocati)
- You can now customize the session save path through configuration (thanks mlocati).
- Updated picturefill.js library to 2.3.1.
- You can now specify your environment for configuration through an environment variable (CONCRETE5_ENV) as well as through host name (thanks ahukkanen)
- File manager JavaScript API improvements
Read more: http://concrete5.org/documentation/developers/5.7/background/version-history/5-7-5-release-notes/
5.7.4.2 (major version) - 20 May 2015 - 80MB
Help System Updates
- Completely new help system, with guided walkthroughs, multiple videos and more.
Conversations Feature Updates
- Using the Conversation block with non-logged-in users now behaves more like a Guestbook block. It provides a place for a name and email address, and uses the captcha for validation.
- You can now receive notifications when new messages are posted to your conversations. This option is also overridable at the block conversation level. Registered users can also subscribe to conversation updates through an end-user UI.
- Conversation Add Message permission now has the ability to set new permissions by a particular access entity to approved or unapproved by default. (e.g. let guests post but make their posts unapproved by default, while letting registered users post with no restrictions.)
- Conversations Dashboard interface now has filter by deleted, approved, unapproved or flagged message options available.
- Better display of message status in Conversations Dashboard interface.
- You can now sort by message posting date ascending or descending in the Conversations Dashboard interface.
- Conversations Dashboard message list now gives you a contextual menu when clicking on a message. Actions include flagging, unflagging, deleting, undeleting, approving and viewing the original page of the message.
- Non-logged-in posts will use gravatars if that option is checked in the Dashboard.
Editor Improvements
- Update to Redactor 10, which features an upgraded API for developers and numerous bug fixes.
- New Plugin: Undo & Redo
- New Plugin: Special characters palette (thanks Mesuva!)
- Lightbox can now have its width and height specified for web page links.
- Better handling of URLs loading in lightbox (now loads them in an iframe)
- Can now open links in a new tab.
- Editors can be more easily called programmatically, through the editor service.
- Rich text editor plugins can be added through marketplace add-ons and custom packages.
Mobile Editing Feature Updates (thanks Hissy!)
- You can now edit a page in composer view on mobile devices.
- Hide mobile menu on checking out a page in edit mode.
- Notification alerts are now responsive.
- Redactor rich text editor is now usable on mobile devices.
- Notification window is mobile friendly.
- Search results in dashboard pages are friendlier on mobile.
- Mobile menu button is active properly in edit mode.
Other Feature Updates
- Better dashboard update process that checks for compatible add-ons, gives more information about upgrades.
- Uploading files to the file manager now gives you a success dialog in which you can edit the uploaded files' attributes, assign them to sets, or choose them for an image block, etc...
- Improved site interface translation dashboard page. Can see context, comments, search and translate plurals (thanks mlocati)
- You may now choose multiple files from the file manager if a block or editing interface supports it (thanks olsgreen!)
- You can now add blocks to an area by clicking on the area and selecting "Add Block". This will open the side panel and you may click a block, stack or clipboard entry there to add to the selected area.
- You can now filter a page list by a specific topic.
- Lots of updates to Multilingual system for better translation extraction, better experience with plurals, bug fixes, other improvements (thanks mlocati)
- Ability to choose a custom canonical URL for the page, instead of always having that canonical URL locked to the URL slugs and absolute site structure.
- You can once again set a custom template for a block at the area level with $area->setCustomTemplate('block_handle', 'custom_template'); This should be less buggy than it was in 5.6.x as well.
- You can now set a custom template in a page type output page for a composer output control block.
- 'More options', including the ability to import files from remote URLs and the incoming directory, is now available from the file manager in front-end page mode.
- Nicer file set administration, including the ability to sort all files in a file set by different criteria for reordering (thanks goutnet at EC-Joe)
- Much faster installation process for Elemental Full. Much lower memory footprint.
- More useful Dashboard Package Details screen (thanks goutnet)
- Archive custom template for the Page Title block now shows the value of the current topic on pages where content is filtered by topic.
- Share this Page block now supports Google Plus and Pinterest
- You can now specify the name of the form submission button (thanks EC-Joe)
- Breadcrumb custom template now available for Auto-Nav (thanks hissy)
- You can now specify what kind of HTML tag you want to use in the Page Title block (thanks dclmedia)
- Maintenance mode now is permission controlled. Those who have the "View site in maintenance mode" permission can edit and access the site even while maintenance mode is turned on (thanks ExchangeCore)
- You can now specify the "canonical host", "canonical port" and https:// settings of your site in the URLs dashboard page. You can also control whether your site is forced to render at this exact combination (for SEO purposes.) This setting will also be used by the Domain Mapper and other add-ons.
Behavioral Improvements
- Clicking on a page attribute now scrolls the page attribute detail panel down to the bottom to make it clear one was added (Thanks mesuva)
- Page title now updates when using the topic list on a blog entry page or elsewhere (thanks hissy)
- Newsflow is now friendlier on mobile, has a nicer appearance, obeys other dialog shortcuts (escape to close)
- Related pages in different languages are now denoted thusly in the sitemap.xml (thanks mlocati)
- Instead of defaulting to the current time/date, form block date/datetime have the option of starting empty or defaulting to the current date (thanks MeyerJL)
- You can now search by page type again in the page search interface.
- Minor installation error messaging improvements (thanks Mnkras)
- Some style improvements to panels (thanks hissy)
- File manager now keeps the same file types when creating thumbnails (keeping pngs transparent, etc.) (thanks mitchray!)
- Style improvements to Auto-Nav and Page List block forms.
- We no longer attempt to retrieve packages from the marketplace if you're not connected, improves performance (thanks goutnet)
- Bug fixes to antispam settings page and system in general (thanks EC-Chris)
- Form block now redirects you to the proper spot on the page for success message (thanks ahukkanen)
- Better detection of changed cached assets (thanks mlocati)
- concrete5 should run better in IE9.
- Files saved through the image editor should be much smaller now.
- Better compression of localized assets, better localized asset support (thanks mlocati)
- Non-logged-in users accessing protected pages will be forwarded to those pages upon successful login (thanks deanwhillier)
- Speed improvements to the installation procedure.
- Image thumbnailing should use much less RAM, should work more reliably with larger images.
- Better sorting of block types in the Add Block panel (thanks JohnTheFish)
- When duplicating multilingual page trees, pages that already exist will be skipped (thanks ezannelli)
- Improved reliability and functionality of HTML emails (thanks mlocati)
- Additional page paths now redirect with a 301 header (thanks Mainio)
- Importing page type default attributes now works.
- Better translation of topic trees and topic tree nodes (thanks mlocati)
- Content import with block type sets will now use existing sets if they are available.
- Conversations block now includes its content in the search index (thanks mkly)
- Significantly improved performance of the on-demand file thumbnailing utility when a cached version is found (thanks ijessup)
- Custom block design style fixes – don't output a style tag when just changing a custom template, better style tag support (thanks mlocati)
- You can now unmap a page in the multilingual page report.
- You can now set the minimum and maximum ranges of style customizer sliders by defining concrete.limits.style_customizer.size_max and concrete.limits.style_customizer.size_min (thanks EC-Joe)
- respond.js and html5-shiv.js are now optionally included by themes, rather than being hard-coded for IE8 and below.
- You can now embed the block controller for the Share this Page block in a page template more easily.
- You can now specify permissions and attributes for external links (thanks mitchray)
- Better scrolling in add block panel on Firefox (thanks EC-Joe)
- Fixed https://github.com/concrete5/concrete5-5.7.0/issues/875
Bug Fixes
- Fixed sorting of FAQ Entries in the FAQ block.
- Fixed bug that led to selected topics in topic tree not appearing selected on editing.
- Placing view files in the application/views/ will now work (thanks RuspinaDev)
- Fixed bug with social links block not displaying properly on sites that didn't already load Font Awesome. (thanks jaromirdalecky)
- Facebook authentication should work again (thanks EC-Joe)
- Fixed bug where, if the HTML block is saved without any changes (thus not triggering the on change event), the textarea remains empty and the content is lost (thanks mitchray)
- Fixed inability to have multiple form blocks or survey blocks or blocks with interactive form submissions on the same page and not have submission affect both of them.
- Image slider should work properly in composer.
- Fixed bug in content importer where page types with package attributes weren't having their packages set properly.
- Choose language on login now functions correctly (thanks mlocati)
- Interactive blocks like form and survey can now be included in stacks and displayed on pages (thanks nicemaker)
- Bug fixes to composer editing experiences where blocks couldn't be loaded in composer.
- Fix error when searching by approved or unapproved version. Miscellaneous display improvements to search interfaces in the Dashboard.
- The "addAttachment" method in the Mail Service now works again (thanks SnefIT)
- Miscellaneous fixes to content exporter to make it more resilient.
- Fixed bug where "Public Date/Time" core property wasn't being properly displayed or saved in composer.
- Fixed bug in page attribute display block where complex attribute types couldn't always be printed out.
- Fixed bug where jobs couldn't be scheduled to run through browser visit.
- Fixed HTML block tooltip getting cut off (thanks mitchray)
- Remove old page versions job now works again.
- Cookie settings bug fixes (thanks tao-s)
- Fixed MP4 video files not showing up as the right file type in the file manager.
- Bug fixes with multilingual browser detection (thanks ezannelli)
- Fixed bug with packaged page type controllers not being properly used as page controllers.
- Fixed infinite redirect on multilingual websites that set the Home Page as their default language page (thanks mlocati)
- Better behavior with advanced permissions and users who can only view their own files in the file manager.
- Bug fixes to custom external forms.
- Fix bug deleting file version object and then attempting to add new versions might give attribute errors.
- Bug fixes to configuration values in session cookies, database backed sessions (thanks tao-s)
- Better permissions checking in the file manager (thanks hissy)
- Drafts now show up in the sitemap again; tweaks to fix sitemap showing unapproved pages.
- Fixed bug with topic list block not displaying topics for a page properly.
- Topics can now contain ampersands and other special characters.
- Localization bug fixes (thanks mlocati)
- Fixed http://www.concrete5.org/community/forums/customizing_c5/strange-workflow-error/
- Feature block link option now works with the hover description custom template
- Fixed programmatic filter by checkbox attribute not displaying all appropriate items if passing "false" to the option.
- Fixed bug where single page controllers in application/ directory weren't working.
- Better inheritance of area permissions to blocks in areas when inheriting permissions from page types in advanced permissions mode (thanks hissy)
- Fixes for file sets for better sanitizing, miscellaneous usage fixes (thanks Mnkras)
- Fixed broken area styles when using more than one custom class on an area (thanks jordif)
- Bug fixes to color picker widget when used in a block dialog (thanks olliephillips)
- Fixed fatal error that would display in area permissions dialog when attempting to use advanced permissions to inherit permissions from an area set in page defaults (Thanks hissy)
- Fixed potential cross site scripting error in composer detail form.
- Fixed "'Navigate this page in other languages' - Invalid argument supplied for foreach()" that could happen with unmapped multilingual websites.
- Fixed issue where dashboard panel would not stay closed if closing manually.
- Localization fixes to Page Type Composer Control Name (thanks hissy)
- Bug fixes and better sanitizing when saving Banned Words in the Dashboard (thanks Mnkras)
- Better page permissions set on drafts page for users of advanced permissions mode (thanks hissy)
- Bug fixed where Add Survey, Approve Page, Edit Survey, save – survey listed twice in the Dashboard. (thanks ECJoe)
- Fixed http://www.concrete5.org/developers/bugs/5-7-3-1/multiple-versions-of-a-page-cannot-be-deleted-at-once/
- Fixed Unable to edit a user when concrete.seo.trailing_slash is enabled (thanks ECJoe)
- Workflow progress categories are now uninstalled when uninstalling packages (thanks mkly)
- Fixed bug when removing group or user from "Add SubPage" permissions in advanced permissions mode.
- Fixed bug with Reply to this email address (thanks MeyerJL)
- Better display on editing grid layouts when working with layouts that have multiple column classes (thanks ezannelli)
- Fixed malformed Page Cache Expires header when using full page caching.
- Conversations: fixed javascript errors when not using redactor editor.
- Conversations: fixed attachment disabling not removing the attach file button when editing a message.
- Minor page type composer validation bug fixes
- Packaged permission key fixes (thanks mkly)
- Packaged workflow fixes (thanks mkly)
- Fixed appearance of pagination on form results dashboard page.
- Fixed pretty URLs not being invoked for certain block actions, in other situations. Normalized pretty URLs and made them work better.
- We now properly use custom scrapbook view layers for blocks added from the clipboard on the stacks dashboard page.
- Fixed bug where applying timed permissions to a copied page changed the permissions object of the original page.
- Fixed XSS sanitization issues in private messages (thanks Mnkras)
- Fixed minor XSS issues (thanks Netsparker)
- Data URL images in CSS files are correctly preserved in asset caching (thanks mlocati)
- Fixed http://www.concrete5.org/developers/bugs/5-7-3-1/moving-blocks-in-a-stack/
- Fixed Replacing file throwing erroneous "file is too large" error message
- Fixed Bulk Editing file properties does not add new File Versions
- Lots of bug fixes to page aliases, including bug where original page would be deleted if an alias was in the trash and the trash was emptied.
- Automated groups on login or register will automatically be entered if a custom automation controller doesn't exist (thanks Mnkras)
- Fixed http://www.concrete5.org/developers/bugs/5-7-3-1/user-search-shows-same-user-multiple-times/#732257
- Fix display order issue of aliased pages (thanks hissy)
- Fixed Can't create link to file or page from within composer form
- Fixed Page List Filtering By Page Type and Show Aliases
- Fixed bug in exists() method in Cache library (thanks SnefIT)
- Fixed HTML validation error when using built-in Securimage Captcha
- Fixed preview icon in Feature block (thanks zneek)
- Fixed bug: After fresh C5 install with no demo content - inserting first image, when uploading to filemanager not visible
- Fixed invalid error messages when accessing search interfaces in the dashboard when users didn't have permission to access them.
- Copied form blocks now work on their target page.
- Copied form blocks can now be edited on their target page.
- Fixed bug where new versions of files incorrectly had the same date added as old versions.
- Fixed http://www.concrete5.org/developers/bugs/5-7-3-1/content-block-clipboard-custom-classes/
- Fixed https://www.concrete5.org/developers/bugs/5-7-3-1/page-type-permissions-broken-copy-functionality/#698852
- Multiple Google Maps blocks can now work on the same page (thanks JohnTheFish)
- Fixed typo in user registration notification email (thanks ounziw)
- Fixed http://www.concrete5.org/developers/bugs/5-7-3-1/authentication-type-renders-only-once/ (thanks companyou)
- Fixed https://www.concrete5.org/developers/bugs/5-7-3-1/dashboard-system-section/
- Fixed error when proxy servers send "unknown" instead of an IP address (thanks spainer)
- Fixed bug where an attribute key with the same handle can exist in two categories (thanks Remo)
- Set view theme using setViewTheme() in a package's on_before_render method now correctly sets the theme (Thanks goutnet)
- Fixed potential directory traversal inclusion bug with tools URLs (thanks Egidio Romano of Minded Security)
- Fixed CSRF vulnerability in Dashboard Registrations page; better sanitization of email addresses as well (thanks Egidio Romano of Minded Security)
- Fixed miscellaneous XSS bugs (thanks Mnkras)
Code & Developer Updates
- Refactored Jobs to work in the new routing system rather than the legacy tools system (thanks Mnkras)
- Updated jQuery to 1.11.2 and jQuery UI to 1.11.4
- Lots of code cleanup (thanks Mnkras)
- jQuery Visualize JavaScript library updated and included in the new Asset System properly (thanks goutnet)
- Custom page type validator class, including a manager with the ability to register custom validators for page types.
- Better driver-based pagination customization API
- New page SEO helper provides a single reliable place to set a page's title, add segments, and more (thanks hissy)
- If developers provide themes with full sample content, they can now provide file manager thumbnails as well, which will improve installation speed and memory footprint.
- Cleaned up outdated and unused files (thanks ezannelli)
- Page templates can now be included in a package in a page_templates/ directory, as well as in the application/ folder (thanks Mesuva)
- ItemList sort API improvements (thanks EC-Joe)
- Lots of better code comments (thanks EC-Joe, EC-Chris)
5.7.4.1 Behavioral Improvements
- Add config setting to enable / disable help system (thanks akodde)
- Redirects with trailing URL slashes to non-trailing (or vice versa) now use the 301 code instead of 302.
- Code cleanup and bug fixes to form helper class (thanks mlocati)
- Miscellaneous code cleanup and notice error reduction (thanks mlocati)
5.7.4.1 Bug Fixes
- Fixed inability to save blocks, work with dialogs, do many things while asset caching was enabled (thanks mlocati.)
- Fixed certain panels and dialog windows not opening on Windows servers (thanks mlocati)
- Fixed bug when using "S" option to format date (incorrectly displaying as seconds) (thanks mlocati)
- Bug fixes with dashboard get image data URL (thanks mlocati)
- Fixed malformed URL in "Load More" in dashboard sitemap (thanks mlocati)
- Fix unquoted SQL input in permission assignment method (thanks mnkras)
5.7.4.2 Behavioral Improvements
- Saving only a custom template on a block will no longer wrap that block in a custom design DIV. Better saving and resetting of custom designs on blocks and areas.
- Topics improvements: topics can now be created below other topics; the only difference between topic categories and topics is that categories cannot be assigned to objects, only topics can.
- We now include the page ID in the attributes dialog and panel.
- Feature block now contains an instance of the rich text editor (thanks MrKarlDilkington)
- Improvements to new update functionality when site can't connect to concrete5.org
- Improvements to new update functionality to make it more resilient with failures, better error messaging.
- Adding attributes to a page will ask for it to be checked back/approved when clicking the green icon.
- Theme name and description can now be translated (thanks mlocati)
- Added an error notice when deleting a page type that's in use in your site.
5.7.4.2 Bug Fixes
- Some servers would redirect infinitely when activating a theme or attempting to logout. This has been fixed.
- Fix bug with multiple redactor instances on the same page and in the same composer window causing problems.
- Better rendering of empty areas in Firefox (thanks JeramyNS)
- Fixed problems with "concrete.seo.trailing_slash" set to true leading to an inability to login, other problems.
- Attributes that had already been filled out were being shown as still required in page check-in panel.
- Fixed bug where full URLs were incorrectly parsed if asset caching was enabled (thanks mlocati)
- Fix download file script leading to 404 errors after you go to the dashboard and hit the back button
- Fixed https://www.concrete5.org/developers/bugs/5-7-4-1/dont-allow-to-create-file-sets-with-names-containing-forbidden-c/
- Fix https://www.concrete5.org/developers/bugs/5-7-4-1/cant-replace-a-file-with-one-in-the-incoming-directory/
- Fix XSS in conversation author object; fix author name not showing if a user didn't put in a website (thanks jaromirdalecky)
- Searching files, pages and users by topics now works in the dashboard
- Picture tag now properly inserted by Redactor when working with themes that use responsive images.
- Fixed z-index of message author and status in conversations dashboard page.
Read more: http://concrete5.org/documentation/developers/5.7/background/version-history/5-7-4-2-release-notes/
5.7.3.1 - 12 January 2015 - 80MB
Feature Updates
- You can now preview a mobile theme in advanced permissions mode, when previewing a theme as user (thanks hissy!)
Improvements
- Nicer language and country selection experience in the Multilingual Setup (thanks mlocati)
- Now when you are editing an existing page in composer, the URL slug field is read only, unless you click the edit pencil next to the slug.
- Image block now only displays images in the file manager when launching the file manager (thanks goutnet!)
- You can now click the pixel values in the area and block custom design palette (rather than being forced to only use the slider.) (thanks olsgreen!)
- Dialog windows are resizable again (thanks goutnet)
- FAQ block now contains an instance of Redactor rich text editor rather than plain text.
- We won't generate .mo files for empty languages for Multilingual websites (fixes a bug with Zend Translation that doesn't work well with these) (thanks ezannelli)
- Google Maps block now provides support for scroll wheels (thanks NKay and EC-Joe)
- Modal windows should behave better on small screens (thanks hissy)
- Location lists now include Japanese states (thanks kanetei and Katz)
- Validation and HTML improvements to the Image Slider blocks (thanks micrdy)
- Add block panel can now be pinned and will remain open (by clicking on the add block panel and clicking again.) (thanks goutnet!)
- Better checking on installation for the mbstring library (which is required due to a bug in the Patchwork i18n library)
- Form block now scrolls to the proper position on page (thanks Mainio)
- File manager now lets you choose how many results you want per page (thanks goutnet)
- Miscellaneous improvements to edit page in composer.
Bug Fixes
- Custom jobs can now be installed again in the application/jobs directory.
- Lots of bug fixes to multilingual site content and site translations (thanks mlocati!)
- Fixed some issues with sample content import from themes and page feed objects that weren't present.
- User registration attributes now save properly when users register.
- Pages no longer change positions in sitemap if they are published through composer.
- Fixed bug where pages set to have their sub-pages inherit from page type permissions weren't accurately doing so.
- Fixed bug where changing a page author from the sitemap would close the dialog window if the page author was changed twice without reloading the page.
- Fixed bug where package database files (db.xml) weren't refreshed fully when updating packages (thanks DanK)
- Fix Translate Interface / Reload Strings - Exception if folders missing
- Fixed some cosmetic issues with the Translate Site Interface page.
- Fixed bug where reordering composer form elements wasn't working.
- Fixed bug where page type was cleared when updating page templates from the design panel (thanks mesuva)
- Sitemap flat view works in Safari again.
- Fixed error with "show system pages" always displaying even if you uncheck the check box on certain PHP configurations (thanks Nielsb85)
- Fixing 404 on edit page type outputs if clicking on icon
- Fixed bug where deleting composer form elements wasn't working.
- Page list block preview area now works again (thanks hissy)
- Miscellaneous code comments and bug fixes (thanks Mnkras)
- When pretty URLs were enabled, "index.php" was preserved in the redirect URLs. This is no longer the case (thanks Mainio)
- Duplicated pages now show up properly in the Next/Previous block.
- Proper default value for the switch language block.
Developer Updates
- "on_page_view" event now passes back an argument "contents" which can be retrieved from the event, and the rendering library acts on the retrieved event, meaning that the rendered HTML can be acted on by events and passed back to the core (thanks Mainio)
- Added "on_cache_flush" global event that occurs whenever the entire application's caches are flushed (thanks Goutnet)
- Changed "on_page_view" block event to "on_block_load" (thanks Mainio)
- API fixes and tweaks to Mail Helper
- Flexible JavaScript and PHP API to control default filtering on the file manager, pass constants between PHP and JavaScript (thanks goutnet!)
Read more: http://concrete5.org/documentation/developers/5.7/background/version-history/5-7-3-1-release-notes/
5.7.3 (major release) - 22 December 2014 - 80MB
Feature Updates
- Full Multilingual Website support has been added to the core. This includes the functionality of the 5.6 Internationalization add-on, with improvements from the Internationalization Enterprise add-on as well.
- Much improved add page experience from the Sitemap.
- Better sitemap reload behaviors when changing attributes, page titles.
- Google Authentication type now included
- Authentication types can now optionally specify a group that users created by that authentication type will go into.
- You can now attach multiple classes to blocks and areas in the custom design menu (thanks mlabrum)
- Image slider block can now choose from external links OR from a page selector on the current site.
- Much improved functionality and appearance of the account navigation when public profiles are enabled (thanks hissy)
- Page Types can now specify default permissions for pages mode of that type.
- Default attributes are now settable for page types again.
- Added underline command to Redactor (thanks olsgreen!)
- Added center alignment to custom style dropdown for blocks and areas.
- Added the ability to change page type of an existing page from the sitemap.
- You can now duplicate a page type.
Behavioral Improvements
- /members now redirects to /members/directory when public profiles are enabled.
- Foundation grid framework now uses medium column sizes instead of large.
- Custom area classes at the theme level will now filter down into sub areas built by layouts (thanks Jon Hartman)
- Add on_before_user_add (which can be canceled by the $event->canAdd() method) and the on_user_attributes_saved method, which has access to all attributes that were saved at that time. Thanks to Jeremy Werst and Remo for ideas on implementation.
- Lots of miscellaneous internationalization improvements (thanks hissy)
- The local storage location type can now serve files from a different URL (thanks Mnkras)
- Storage location types can be uninstalled when a package is uninstalled (thanks Mnkras)
- Improved installation checks for required components (multibyte, iconv, all the options required for GD library).
- No longer show "Approve Version" blue box on page drafts – instead show a notice that this is an un-published draft.
- Less intrusive stacking of the page alert blue box.
- Topic trees now support multibyte characters (thanks hissy!)
- Fix to remove the closing link tag that was causing pages to fail HTML5 W3C validation (thanks olsgreen)
- Better use of page type permissions to control access.
- Edit profile screen allows users to set their default language (used to only be available in the Dashboard) (thanks GutDing)
- Composer edit interface now shows a publish button even for published pages.
- Custom area styles on defaults pages are now copied out to newly created pages of that type.
- Better job detecting when we can't edit a block in composer, and inform user of this fact.
Bug Fixes
- Fixes bug where "inherit permissions from page type" on a page in advanced permissions mode did nothing.
- Fixed bug where form blocks with file uploads weren't working and were displaying errors on submission.
- Using a separate theme for mobile requests now works.
- Fixed bug where updating packages wasn't working.
- Fixed bug where marketplace pagination wasn't working.
- Fixed bug where custom blocks styles weren't showing up on stacks in the dashboard after being first saved.
- Fixed bug where "edit container layout" wasn't showing up on certain layouts (including those on copied pages.)
- Bug fixed: Edit profile shows the user timezones dropdown even if user timezones are not enabled (thanks GutDing)
- Fixed http://www.concrete5.org/developers/bugs/5-7-2-1/uninstalling-packages-and-upgrading-packages-produce-error/#686546
- Fixed bug when displaying custom channels on logs (thanks hissy).
- Fixed bug where block composer templates in packaged blocks weren't being found (thanks jaromirdalecky)
- Bug fixes with asset caching and various attribute types when concrete5 is installed in a subdirectory.
- Fixed bug where email validation errors weren't being printed out to the screen when resetting passwords.
- Fixed issue: 500 error for Editing Thumbnails missing Width/Height.
- Lots of bug fixes to conversations per-block attachment settings.
- Conversation posting permissions now work to restrict posting to certain groups or users.
- Fixed potential SQL injection when saving form blocks (thanks Mnkras).
- Fixed full page cache bug that could return a 500 error when rendering a page for the first time (subsequent page requests from the cache would be fine.)
- External forms are now properly overridable.
- Fixed bug: Editing image thumbnails / Saving does not work with alternate file storage location (thanks ahukkanen).
- Fixed bug where "apply to site" or "reset site customizations" in the theme customizer wouldn't reset or override custom page styles.
- Better checking for URL icons (favicon, etc…) that may have been deleted before trying to output them (thanks Mnkras)
- "Reply to email address" now will be properly checked when editing form options (thanks hissy)
- Fixed bug that led to Page Owner permission access entity not working in advanced permission mode.
- Miscellaneous bug fixes when using badges (thanks hissy)
- Fixed bug where register page inherited page permissions of site (leading to it being inaccessible on sites where only registered users could view the site.)
- Fixed bug "Composer content-block gets decoupled when I edit the content-block in-context"
- Fixed http://www.concrete5.org/developers/bugs/5-7-2-1/template-autonav-block-duplicates/
- Fixed http://www.concrete5.org/developers/bugs/5-7-2-1/autonav-navbar-nav-bootstrap-conflict/
- Fixed bug where you could drag a topic tree node outside of a topic tree.
- Fixed missing site title in many email templates (thanks hissy)
- Fixed bug where flagging a conversation as spam resulted in "Invalid Flag Type" (thanks mnkras)
- Fixed bug where custom block types in the add block to area advanced permission weren't being saved.
- Fixed http://www.concrete5.org/developers/bugs/5-7-2-1/facebook-authentication-redirecting-to-incorrect-path-with-extra/
- Fixed http://www.concrete5.org/developers/bugs/5-7-2-1/form-block-constant-exists-form_block_sender_email/
- Fixed error when trying to upload files via the "More" link in the file manager when there were files in the incoming/ directory.
- Fixed Page Attribute Display blocks won't display rich text in version
- Fix inability to set permissions on view user attributes permission
- Fixed the inability to include a rich text attribute on a page.
- Fixed bug: "If user granted only (for instance) "delete" permissions on page, gets composer pane with "Access Denied" as well"
- Fixed issue where
- tags couldn't be included in the description text of an image slider entry (due to style conflicts.) (thanks mkly)
- Fixed several bugs with file storage locations.
- Fixed bug on file sets add where error messages weren't displaying properly (thanks akodde)
Developer Updates
- Page Selector form helper is now decoupled from the JavaScript Page Selector library. Should be much easier to work with.
Read more: http://concrete5.org/documentation/developers/5.7/background/version-history/5-7-3-release-notes/
5.7.2.1 - 17 November 2014 - 80MB
Feature Updates
- Feature block now can link to pages and external links.
- Improvements to Grid Framework for use with frameworks that require two class names on columns.
- Theme Developer Feature Update: Zurb Foundation Grid Framework now available.
- Improvements to Theme Customizer for developers who don't want to create multiple presets, they just want to make their theme customizable.
- Members directory has been brought back for sites with public profiles.
- Added Most Popular to Remote marketplace search results.
Behavioral Improvements
- Command/Alt-clicking "Visit" on a sitemap page to open it in a new tab no longer reloads the current tab to the new page.
- Fileinfo is no longer required to run concrete5 5.7.
- More performance improvements in edit mode.
- Dragging stacks and clipboard items out of the lefthand panel now closes the panel (and reopens if dropping occurs onto no hotspot.)
- Page name is now available in the SEO panel.
- Better feedback on file uploads into the file manager that don't complete.
- Better file permissions checking. Making file and directory permissions configurable values.
- Sitemap "View" link now links to pages using their path-based URLs, not their cID based ones.
- Sitemap now automatically approves changes if users have permission to do so and the concrete.misc.sitemap_approve_immediately config value is set to true (which is the default.)
- More consistent behavior when interacting with blocks in global areas on a page and then discarding changes.
- Improved internationalization support (thanks hissy)
Bug Fixes
- Lots of fixes to user registration, including messaging, the ability to fully validate users through email, and more.
- Fixed exception error message at the end of changing a user's password.
- Fixed bug where the "Inspect/Page Templates" page in the themes section of the dashboard was accidentally deleted in a previous upgrade to 5.7.1. 5.7.2.1 restores the page.
- Fixed (illegal offset type) on rich text editor dashboard page when running concrete5 in a language other than English (thanks Remo).
- Fixed caching and copying bugs when working with pages that had their own page-level theme customizations.
- Fixed error with no feedback displaying in change password if user did something wrong.
- Removed the automatic insertion of composer output control blocks in the Main area, as it was causing problems in page templates that didn't have a Main area.
- Fixed bug in edit profile where Basic Information is not displayed if there are no member attributes (thanks GutDing)
- Fixed invalid error "You do not have permission to publish a page in this location" when using composer to publish certain types of pages as a non super user.
- Fixed weird redirection problems when turning concrete.seo.trailing_slash to true.
- Got rid of strange file permission reset on cache when loading packages.
- Fixed duplication of files on certain uploads.
- Fixed some incorrect redirection when logging in as an administrator when redirect to Dashboard is enabled (thanks TaoS)
- Made leaving a value out of image size constraint keep the current aspect ratio and resize the provided value.
- Fixed bug where sample content with lightbox images was broken when installing Elemental.
- Fixing redirect errors when enabling the trailing slash in URLs.
- Fix Full Page Cache HTTP Headers Incorrect Output
- Fixed bug in file set pagination that capped it at 10. May have fixed other pagination bugs.
- Fixed bug where two database tables had incorrect database case, leading to problems when submitting the form block or working with IPs when migrating from case insensitive file systems to case sensitive file systems.
- Fixed http://www.concrete5.org/index.php?cID=674327&editmode=
- Fixed "Class security does not exist" error when attempting to force redirection to base URL.
- Fixed http://www.concrete5.org/developers/bugs/5-7-2/error-when-moving-block/
- Fixed bug where external links in sitemap were encoded and linked to incorrectly
- Uninstall packages with authentication types now properly removes them from the database (Thanks EC-Chris).
- Fixed zip tooltips not showing when zip not installed during installation.
- Fixed bug where you couldn't remove a question from a form block.
- Fixed issues with garbled translation messages (thanks mlocati)
- Elemental theme h6 text transform now takes proper variable (thanks jordif.)
- Fixed: Keys for custom attribute categories installed by packages are not currently updated (thanks cpill0789).
- Fixed SQL bug that could arise when using setAttribute() with a topics attribute type (thanks Raverix)
- Fixed some HTML escaping issues in the page attribute display block (thanks Mnkras)
- Fixed "Concrete\Core\Permission\Key\AddBlockBlockTypeKey' does not have a method 'canAddBlock" when working with global areas on pages that didn't have a main area (thanks akodde!)
- Fixed http://www.concrete5.org/developers/bugs/5-7-2/flakey-behaviour-when-adding-user-to-workflow-access/
- Fixed http://www.concrete5.org/developers/bugs/5-7-2/changing-rss-handle-andor-deleting-topic-tree-blog-chokes-out-in/ (thanks Mnkras)
- Fix conversations error when using gravatar as a fallback and rendering comments from anonymous
- Fix issue with File::delete not deleting the row from the Files table.
- Fixed http://www.concrete5.org/developers/bugs/5-7-2/stack-version-history/
- JavaScript syntax improvements and some JS bug fixes (thanks EC-Joe)
- Composer improvements when page types were included in packages.
- Fixed bug where empty page attribute display block wouldn't display placeholder text on a stack page (thanks infostreams.)
Developer Improvements
- Added GridFrameworkServiceProvider and GridFrameworkManager. New Manager class will be used going forward. Allows easy binding and registration of driver-based classes.
- Miscellaneous content importer improvements.
- Updates to MenuItem classes for more flexibility.
- Attempting to set time limit to zero when adding packages.
- New LinkAbstractor class now contains methods used to abstract links and import content (instead of being included in the content block controller) (thanks jordanlev)
- Miscellaneous fixes to content importer and content swap.
Read more: http://www.concrete5.org/documentation/developers/5.7/background/version-history/5-7-2-1/
5.7.2 (major release) - 11 November 2014 - 80MB
This release is so large that we long since gave up categorizing the small things that we were doing. Here are some of the high points:
Editing
- A completely new layout engine allows for inline editing of content, layouts and style customization. Blocks can be dragged into the page and easily rearranged.
- Inline content editing uses the Redactor editor, a beautiful editor with deep integration to concrete5, and full bootstrap 3 interface integration.
- The Dashboard user interface is completely updated. Navigating it is much easier, and the interface is much more attractive.
- concrete5's user interface is now powered by Bootstrap 3.
Themes and Blocks
- concrete5 now ships with the Elemental theme, by far the prettiest theme we've ever built.
- The concrete5 Dashboard, main toolbar and Elemental theme are all fully responsive.
- Themes can optionally refer to grid frameworks, and can have full grid support built in. Layouts have been substantially updated to support these grid frameworks (as well as be fully responsive.)
- Theme controllers can control many aspects of a theme, including its grid framework, custom CSS classes that are available for different block types, which assets a theme supports, and more.
- Theme customization is completely rewritten, far more powerful and based on LESS. Themes may have multiple preset groups of LESS variables that power their stylesheets.
- Every block in the core has been reskinned, and many are new or completely rebuilt. Blocks like Feature, FAQ, Horizontal Rule, Page Attribute Display, Topic List, Social Links, Share this Page and Testimonial add useful new functionality to concrete5. The HTML block now includes the ACE editor. The video block is fully HTML5 compliant. And so. much. more.
- Block-level MVC no longer generates ugly URLs.
Pages and Architecture
- Page types and page templates are now two separate concepts. Page types refer to pages as objects -- Blog Entry, Empty Page, Project, Product -- and page templates refer to templates that actually appear in themes. The same page type can be run in multiple themes.
- concrete5's Composer is now a very flexible form builder that can route attributes and blocks into different page templates. Each page type has its own custom instance of Composer.
- A Feed Object is available in the Dashboard (and created through the Page List block), giving Page Lists the ability to create RSS feeds that are permalinked.
Files
- A completely new image editor is now built-in. Resize and crop images, and add filters.
- File manager thumbnails are now completely extensible. Multiple thumbnails at different breakpoints can power the picture tag in a theme that supports it.
- File storage locations are now pluggable. An adapter for Amazon S3 is coming shortly.
Conversations
- Conversations are now built-in, with the Conversations block replacing the Guestbook block. Conversations is a reusable, object-oriented way to build conversations throughout a site, and use the same system for powering a guestbook as ultimately powering a forum. Conversations features threading, asynchronous loading, file attachments, spam filtering, flagging, rating and more.
Code Quality
- Our core JavaScript and CSS has been completely rewritten and modernized.
- We have officially begun to convert our code base to the PSR-2 standard.
- concrete5's sitemap is now powered by Dynatree (soon by Fancytree.)
- Our PHP classes have been substantially reorganized and autoloading is PSR-4 compliant. They are now namespaced.
- The PageList, FileList and UserList classes have been completely refactored, and should be much easier to extend and work with.
Users and Groups
- Groups can optionally be hierarchical.
- The account and public profiles are now separated. Accounts are always enabled, and public profiles are optional.
- Social Links are built-in as attributes, and globally available settings in your Dashboard.
- The user editing interface in the Dashboard is much improved.
Architecture
- A completely new file-based configuration option, powered by the Laravel Configuration component, is the standard. concrete5's inflexible constants are gone.
- A completely new assets layer manages JavaScript and CSS dependencies, asset versioning between packages, and inclusion or exclusion of assets based on whether they are provided in themes. This asset framework also handles automatic asset minification and combination.
- A new taxonomy concept -- Topics -- is now available. These are managed centrally in the dashboard and can also be attached as attributes to files, users and pages.
- concrete5 has better localization support than ever, including improvements in locale switching, date and number handling, and multibyte URL handling
- A completely new and more flexible cache layer is present, replacing Zend Cache.
- The events system has been completely overhauled and is now powered by the Symfony2 EventDispatcher component.
- An AuthenticationType layer makes it easy to add custom third party authentication libraries.
- A completely new routing system, Session, Cookie, Request and Response components powers the framework. Model-view-controller setups are completely refactored and much more robust.
- Autoloading is now automatic.
- concrete5's database access is now powered by Doctrine, a popular, robust framework for database access.
- Many other third party libraries, including Pagerfanta, Monolog, Patchwork, and Imagine are being used, giving developers access to a much richer API.
- concrete5 now supports IPv6.
- concrete5's third party libraries are all delivered by Composer.
Read more: http://www.concrete5.org/about/blog/core-releases/concrete5-5-7-is-now-available/
5.6.3.4 - 11 September 2015 - 65MB
Bug Fixes
- Fix incorrect public date when composer drafts are saved https://github.com/concrete5/concrete5/pull/1896 (thanks jordanlev)
- Index asID in form answers for better performance https://github.com/concrete5/concrete5/pull/1894
- Use mysqli extension instead of mysql if it's available https://github.com/concrete5/concrete5-legacy/pull/1828 (thanks ahukkanen)
- Redundant display_mode in sitemap call removed https://github.com/concrete5/concrete5-legacy/pull/1829 (thanks jasteele12)
- Don't cut words in search results https://github.com/concrete5/concrete5-legacy/pull/1899 (thanks mlocati)
- Fix remove old page versions job https://github.com/concrete5/concrete5-legacy/pull/1901 (thanks hissy)
- Fix image helper resizing https://github.com/concrete5/concrete5-legacy/pull/1904 (thanks danklassen)
- Bug fixes to Image block https://github.com/concrete5/concrete5-legacy/pull/1895 (thanks hissy)
- Hide help when closing dialog https://github.com/concrete5/concrete5-legacy/pull/1903 (thanks mlocati)
- Redundant $db->Insert_ID removed https://github.com/concrete5/concrete5-legacy/pull/1833 (thanks ceko)
- Typo in package uninstall https://github.com/concrete5/concrete5-legacy/pull/1908 (thanks mlocati)
- Source view in content block fixed https://github.com/concrete5/concrete5-legacy/pull/1910 (thanks mlocati)
- Reindex page version fixed https://github.com/concrete5/concrete5-legacy/pull/1911 (thanks melat0nin)
- Make sure thumbnails created with imagick have exact dimensions https://github.com/concrete5/concrete5-legacy/pull/1913
- Support for mysqli added in installation process https://github.com/concrete5/concrete5-legacy/pull/1916
Read more: http://concrete5.org/documentation/background/version_history/
5.6.3.2 (security release) - 16 September 2014 - 65MB
Behavioral Improvements
- Email messages now have the Message-ID parameter set (thanks mlocati!)
- Avoid unnecessary call to get package handle https://github.com/concrete5/concrete5/pull/1806 (thanks raphaelstolt)
Miscellaneous Improvements
- Backup performance improvement https://github.com/concrete5/concrete5/pull/1771 (thanks ForestMist)
- Google map blocks allows you to add a balloon https://github.com/concrete5/concrete5/pull/1775 (thanks mlocati)
- Attribute key categories are translatable https://github.com/concrete5/concrete5/pull/1792, https://github.com/concrete5/concrete5/pull/1793 (thanks mlocati)
- Youtube block video dimension 16:9 by default https://github.com/concrete5/concrete5/pull/1802
- Hide version number in upgrade page if it’s hidden in page header https://github.com/concrete5/concrete5/pull/1064 (thanks mlocati)
- Mark captcha as required https://github.com/concrete5/concrete5/pull/1813 (thanks mlocati)
- Mark form elements as required https://github.com/concrete5/concrete5/pull/1811 (thanks mlocati)
- Ability to use select attribute in sitemap job https://github.com/concrete5/concrete5/pull/1817 (thanks hissy)
- File helper functions return values added https://github.com/concrete5/concrete5/pull/1830 (thanks ahukkanen)
Bug Fixes
- Important - Breaking Change: Mail templates were not reset in the mail helper. If you relied on a partial reset by the reset method, check your code https://github.com/concrete5/concrete5/pull/1757 (thanks ojalehto)
- Fixed bug where certain characters in sent emails could be stripped, by updating the Zend_Mime third party library. (thanks mlocati)
- Fixed bug where full page caching was reported in seconds on a given page but is actually in minutes.
- Fixed bug: MySQL 5.6: Error when adding a file to a file set (thanks Remo)
- Fixed bug where sitemap order could act strangely on duplicating pages (thanks Mainio)
- Fixed bug where you couldn’t drag and drop a page to copy it more than once in one browser load (thanks Mainio)
- Fixed bug in grunt translation task with multibyte characters cut in half https://github.com/concrete5/concrete5/pull/1761 (thanks Hissy)
- Fixed Dutch date format https://github.com/concrete5/concrete5/pull/1727 (thanks akodde)
- Fixed directory permission problem with suPHP https://github.com/concrete5/concrete5/pull/1739 (thanks ahukkanen)
- Fixed import of user attributes https://github.com/concrete5/concrete5/pull/1763
- Fixed upgrade process https://github.com/concrete5/concrete5/pull/1765 (thanks mlocati)
- Fixed sitemap.xml where a % character could mess things up https://github.com/concrete5/concrete5/pull/1778 (thanks tao-s)
- URL slug in SEO Updater hidden for single pages https://github.com/concrete5/concrete5/pull/1770 (thanks lehik)
- Display number attribute for users with value 0 https://github.com/concrete5/concrete5/pull/1786 (thanks mlocati)
- Fixed number of elements consistency in pagination https://github.com/concrete5/concrete5/pull/1785 (thanks EC-Joe)
- Duplicate classes in autoloader removed https://github.com/concrete5/concrete5/pull/1789 (thanks jezmck)
- Unused variable removed https://github.com/concrete5/concrete5/pull/1791 (thanks mlocati)
- XML CIF Importer Bugfix where some links weren’t processed https://github.com/concrete5/concrete5/pull/1799 (thanks nebuleu)
- Form export with checkbox list fixed https://github.com/concrete5/concrete5/pull/1803
- Make sure strings saved in database aren’t translated when added but only when viewed https://github.com/concrete5/concrete5/pull/1766 (thanks mlocati)
- Allow users to search for localized group names https://github.com/concrete5/concrete5/pull/1524 (thanks mlocati)
- Fix error message when adding attributes which already exist https://github.com/concrete5/concrete5/pull/1805 (thanks hissy)
- Various fixes in the form result export https://github.com/concrete5/concrete5/pull/1807 (thanks mlocati)
- Duplicate code removed https://github.com/concrete5/concrete5/pull/1750 (thanks akodde)
- Fixed page speed settings inheritance https://github.com/concrete5/concrete5/pull/1759 (thanks akodde)
- Fixed typo in content importer https://github.com/concrete5/concrete5/pull/1809 (thanks hissy)
- Fix label in user search screen http://www.concrete5.org/developers/bugs/5-6-3-1/inappropriate-message-on-dashboard-user-searches/ (thanks FumitoMIZUNO)
- Date picker fixes https://github.com/concrete5/concrete5/pull/1782 (thanks mlocati)
- Time settings fixed https://github.com/concrete5/concrete5/pull/1820 (thanks hissy)
- Duplicate page ordering fixed https://github.com/concrete5/concrete5/pull/1823 (thanks hissy)
- Update issue fixed when site was using mysqli https://github.com/concrete5/concrete5/pull/1826 (thanks ahukkanen)
- Ignore master collections in generate sitemap job https://github.com/concrete5/concrete5/pull/1831 (thanks hissy)
- Fixed live update when adding a file to a set https://github.com/concrete5/concrete5/pull/1819 (thanks hissy)
Security Fixes
- Fixed full path disclosure bug when sending a session cookie with an empty string (thanks occupe)
- Encode themeHandle variable to prevent XSS https://github.com/concrete5/concrete5/pull/1801 (thanks mmetince)
- Fixed certain database sanitization routines used by blocks.
Developer Updates
- Added miscFields to form helper method input https://github.com/concrete5/concrete5/pull/1705 (thanks cryophallion)
- Updated npm packages https://github.com/concrete5/concrete5/pull/1728 (thanks mkly)
- Fixed grunt task to write translation files to /web/languages instead of /build/web/languages
- Added image method to form helper https://github.com/concrete5/concrete5/pull/1704 (thanks cryophallion)
- Improved date handling methods, add-on developers might want to have a look at this pull request https://github.com/concrete5/concrete5/pull/1777 (thanks mlocati)
- Collection->addBlock takes a string as the block handle as well (https://github.com/concrete5/concrete5/pull/1701/)
- Config::getOrDefine can be used without manually running "if defined" https://github.com/concrete5/concrete5/pull/1762
- New event on_user_deleted which is raised when the user is actually deleted https://github.com/concrete5/concrete5/pull/1769 (thanks mlocati)
- Additional CSS classes for attributes https://github.com/concrete5/concrete5/pull/1787 (thanks zanedev)
- It is possible to search for checked and unchecked boolean attributes https://github.com/concrete5/concrete5/pull/1788
More info: http://www.concrete5.org/documentation/background/version_history/
5.6.3.1 (security release) 3 April 2014 - 65MB
Security Fixes
- Removed incorrect permission checks on file replace that would only check whether user had access to add files (and not replace the particular file.) (thanks Mnkras)
- Removed potential email buffer overflow bug in MySQL.
- Don't show that a page is pending approval unless they can view the toolbar (thanks Mnkras)
- Removed potential display of broken SQL query when passing arrays as tags to be viewed (note: no SQL injection potential.)
- Removed XSS vulnerability in Open Flash Chart third party library by removing library.
- Removed XSS vulnerability in SecurImage helper files by removing unneeded helper HTML files in third party library
Features
- Better mobile support for dashboard (thanks hissy!)
- Improved performance when running concrete5 on a site that uses multiple languages (thanks mlocati.)
Bug Fixes
- Fixed Empty Trash removes content NOT in Trash (thanks mlocati)!
- Fixed Can't move an alias – it moves original page (thanks mlocati!)
- Fixed http://www.concrete5.org/developers/bugs/5-6-3/unable-to-download-multiple-files-under-some-circumstances/ (Thanks mlocati)!
- Fixed inability to save date picker date in some circumstances (thanks Remo.)
- Fixed inability to upload multiple files in file manager (thanks mlocati!)
- Fixed open_basedir warning error when logging in if open_basedir protection is enabled (thanks NKay)
- Fixed Rich Text Editor "Simple" mode not translated (thanks Remo).
- Fallback to GD library if processing with Imagick fails (thanks mlocati).
- Fixed errors that displayed when opening an image that didn’t exist on systems with the Imagick extension installed (thanks mlocati)!
- Fix toolbar not showing on aliased pages when logged in (thanks francz)
- Fixed http://www.concrete5.org/developers/bugs/5-6-3/apostrophe-problem-in-page-controls/ (thanks mlocati)
- Fixed Google Maps block offset when using coordinates (thanks mlocati)
More info: http://www.concrete5.org/documentation/background/version_history/5-6-3-1-release-notes/
5.6.3 (major version) 14 March 2014 - 65MB
Installatron:
- Languages bundled with concrete5 can now be selected through Installatron.
Features
- Languages with greater than 90% completion are now included in concrete5, meaning they can be installed immediately (thanks international team, including mlocati, hissy, Remo, patrickheck, more...)
- Much Improved Stacks, including the following new features (thanks Mainio!): Add block from clipboard, Rename the stack, Duplicate the stack, and Reorder stacks.
- Added task permission to control who can export users from user search.
- Added the ability to add one permission line or remove one permission line from pages in bulk.
- User selector now has the ability to clear the user (thanks NazWeb)
- Much improved user password hashing, security improvements and hardening (thanks bdsl!)
- TinyMCE is now localized (thanks mlocati and tao-s)
- You can now test your email settings from the email settings dashboard page. (thanks mlocati!)
Miscellaneous Improvements
- Retain multibyte file titles when uploading files in other languages (thanks hissy).
- Usernames can now contain periods in the middle (not at the beginning or end) (thanks mlocati.)
- Page attributes are now listed by attribute set display order, if they happen to fall into one (thanks jordanlev)
- Various localization fixes and additions (thanks mlocati, Remo, ojalehto, patrickheck)
- Profile pages are now translatable (thanks Remo)
- Can override Block assets from a package https://github.com/concrete5/concrete5/pull/1419 (ojalehto, remo)
- Refactored generate sitemap job for better extensibility and readability (thanks Remo and mlocati.)
- Package items are localized when uninstalling (thanks mlocati.)
- Date picker is better localized, reducing bugs (thanks patrickheck)
- Add version to installation screen https://github.com/concrete5/concrete5/pull/1424 (thanks mesuva)
- Better support for mysqli in certain query situations (thanks NazWeb)
- Area names now appear translated (thanks Remo and mlocati)
- Additional CSS classes for core components now present (thanks Remo and mlocati)
- Better localization of some displayed dates and times (thanks mlocati)
- You can now clear alternate file storage locations.
- We now use Imagick for image resizing if it happens to be installed (thanks JeffPaetkau!)
- Defaulting session cookie to httpOnly (thanks Indrek Kõnnussaar)
- Faster page publishing when using composer and publishing to a location of the site with a large number of peer pages (thanks hutbert)
Bug Fixes
- Better sanitization of the integer value in the cID parameter, so you can't trigger an exception by passing an array as cID (Note: no SQL injection possible in this bug – just an ugly exception error display.)
- Fix bug where custom templates applied to blocks weren't always displayed on blocks in pages when those blocks used output caching.
- Page Search Index content field is now larger (thanks mlocati.)
- Fixed bug in advanced permissions where dragging an empty label or an un-saved label and then editing it could modify other permission rows.
- Date Archive block threw error on some php installations due to case of loader call
- Disable on_render_complete on upgrade
- Package update improvements when downloading from concrete5.org
- Fixed group related ID bug when using MySQL in a different auto increment setting (thanks chemett.) Related discussion here: http://www.concrete5.org/developers/bugs/5-6-2-1/install-fails-with-mysql-auto-increment-offset-set/
- Resolved issues in OpenID authentication that broke OpenID on PHP 5.3, and resulted in other errors.
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/copy-php-code-to-blogs-description-area-is-buggy/
- Better implementation of the "remain logged in" cookie (thanks Indrek Kõnnussaar and others for pointing out the issues.)
- Fixed potential sql vulnerability here: http://www.concrete5.org/developers/bugs/5-6-2-1/item-list-pagination-unsanitized-current-page/
- Job installation message typo (thanks bluefuton)
- CSRF Protection in Edit Profile Page (thanks Indrek Kõnnussaar)
- XSS Flaw fixed in Public registration page (thanks Indrek Kõnnussaar)
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/error-when-pasting-scrapbook-from-clipboard/
- Fixed http://www.concrete5.org/developers/bugs/5-6-1-2/overriding-single-pages-within-a-theme-package/
- Stronger anti-session-fixation measures
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/adding-datetime-user-attribute-required-on-registration-form-blo/
- Fixed area handles with special characters in block delete https://github.com/concrete5/concrete5/pull/1324
- FileSet::populateFiles respects display order
- Blog Entry date formatting for localization https://github.com/concrete5/concrete5/pull/1317
- Blog Thumbnail data localization fix https://github.com/concrete5/concrete5/pull/1327
- Profile date format for localization https://github.com/concrete5/concrete5/pull/1339
- Prevent very high numbers in sitemap totals https://github.com/concrete5/concrete5/pull/1338
- Improve export on some charsets https://github.com/concrete5/concrete5/pull/1335
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/javascript-errors-when-adding-select-attribute-values/
- Fixed bug "Custom block design / Collection Versions / design is lost after block reorder" - thanks mlocati.
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/adding-background-design-to-main-area-causes-all-stacks-placed-o/#discussionpost
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/non-translated-value-select-some-options/ (thanks mlocati)
- Fixed bug with blocks being kicked out of layouts after move - thanks mlocati
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/unable-to-add-tags-block-to-a-stack (thanks mkly)
- Fixed group enter/exit events not firing when a user is updated in the dashboard
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/fatal-error-during-upgrade-due-to-missing-administrators-group/
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/event-handlers-during-upgrade-process/
- Prevented ccm.sitemap.js 404 in registration form https://github.com/concrete5/concrete5/pull/1357
- Changed job queue batch size to 10 and added constant JOB_QUEUE_BATCH_SIZE
- Fixed error in sitemap index with blocks that no longer exist https://github.com/concrete5/concrete5/pull/1363 (thanks akodde)
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/call-to-a-member-function-submit-on-a-non-object-on-backup-datab/
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/error-messages-not-shown-in-backup-page/
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/illegal-job-run-duration-causes-a-database-exception/
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/cannot-save-versions-repost/ (thanks mkly)
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/form-date-field-xss-bug/#598679 (thanks patrickheck)
- Fixed http://www.concrete5.org/index.php?cID=574181 (thanks patrickheck)
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/jobs-concrete5-5.6.2-dropped-api-support-for-jhandle/
- Fixed some full path disclosure bugs in certain newer dashboard files (thanks Osanda)
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/url-slug-suggestion-is-too-slow-when-adding-new-pages/
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/survey-details-does-not-include-anonimous-responses/ (thanks mlocati)
- Fixed bug when editing page type defaults for page types that had an apostrophe in them.
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/php-warning-on-add-blockadd-date-navigation-page/
- Fixed some package urls to all be relative https://github.com/concrete5/concrete5/pull/1348
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/search/#559776 (thanks mlocati)
- Fixed missing translation in Bulk SEO Tool https://github.com/concrete5/concrete5/pull/1409
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/form-block-file-upload-issues/ (thanks mlocati)
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/youtube-block-firefox-v.23-blocked-loading-mixed-active-content/ (thanks Remo)
- Fixed redirect and XSS flaws in download file single page. (Thanks @OsandaMalith !)
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/unhandled-exception-when-downloading-invalid-files/ (thanks mlocati)
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/language-for-new-users-should-be-same-as-default-language-5.3.rc/ (thanks mlocati)
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/strings-break-from-getjavascriptstrings-to-ccm_t-if-they-include/ (thanks mlocati)
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/dashboardsitemap-deleting-fails-because-string-is-not-escaped/ (thanks remo)
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/mail-helper-reply-to-header-set-twice/ (thanks Remo)
- Fixed http://www.concrete5.org/index.php?cID=554715&editmode= (thanks mlocati)
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/ghost-execution-of-queuable-jobs/ (thanks JohnTheFish)
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/slices-of-many-queable-jobs-could-be-executed-together/ (thanks JohnTheFish)
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/spaces-in-stateprovince-kill-js-on-user-edit-page./
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/blog-date-archive-block/#573700 (thanks mlocati and Guido)
- Fixed "regular expression too large" error that could occur when using code that used the URLify library.
- Moved on_page_view event to be process.php's inclusion for improved multilingual support with the Multilingual Add-On (allowing for localization of the form block, etc...)
- Fixed http://www.concrete5.org/developers/bugs/5-6-2-1/rss-link-broken-when-using-a-custom-template-for-page-list-block/#597918
Developer Updates
- Some code cleanups for Strict and Notice
- Code cleanups (thanks ojalehto)
- URLify library updated to latest version.
- Select attributes now allow users to add new values through code through setAttribute, if the attribute allows it.
- New build process through Grunt should improve the PHP short tag to full tag conversion, automatically downloads nearly completed languages, and clarifies and simplifies our toolchain.
More info: http://www.concrete5.org/documentation/background/version_history/5-6-3-release-notes/
5.6.2.1 28 August 2013 - 65MB
Features
- Great new UI Improvements to the Select Attribute (thanks arcanepain)
Bug Fixes
- Fixed broken queue operations on systems that didn’t have the MySQL PDO extension installed. http://www.concrete5.org/developers/bugs/5-6-2/copy-page-children-pages-no-longer-working/
- Removed Main area from Page Forbidden because it was causing problems in certain advanced permissions setups and the page object isn’t set to a Page Forbidden single page anyway, so the intended behavior would never work correctly.
- Fixed Upgrade issue with moving from 5.5.2.1 to 5.6.2.1 http://www.concrete5.org/developers/bugs/5-6-2/manually-upgrading-from-5.5.2.1-to-5.6.2-causes-mysql-error/
- Fixed Page version update of block permission edit http://www.concrete5.org/developers/bugs/5-6-2/block-permission-update-isnt-considered-a-page-update-for-edit-m/
- Fixed Error message with invalid Page Type handle http://www.concrete5.org/developers/bugs/5-6-2/receive-sql-error-when-trying-to-add-duplicated-page-type-handle/
- Fixed translation compilation error http://www.concrete5.org/developers/bugs/5-6-2/concrete5-v5.6.2-messages.po-compile-error/ (thanks Remo)
- Block Type names handled more robustly (thanks jordanlev)
- Clarified empty UI when background image of the day was changed by constant http://www.concrete5.org/developers/bugs/5-6-2/empty-interface-settings/
Developer Updates
- Allow ConcreteDashboardHelper::inDashboard() to take a string path (thanks aghouseh)
- Various code cleanups (thanks ojalehto, synlag, bluefuton, mlocati)
- Removed BlockController::getUniqueIdentifier()
More info: http://www.concrete5.org/documentation/background/version_history/5-6-2-1-release-notes
5.6.2 (major version) 15 August 2013 - 65MB
Features
- Improved and Updated Jobs: Slick New Interface.
- Improved and Updated Jobs: Job Sets allow you to group jobs so they can run at the same time.
- Improved and Updated Jobs: Jobs can support queueing (for jobs that have to run for long periods of time).
- Improved and Updated Jobs: Cleaned up and normalized some of the API.
- Improved and Updated Jobs: Better job running explanation on the Dashboard page.
- Improved and Updated Jobs: Scheduling of a Job Set can be done through cron (as before) or through concrete5. These jobs will then be run periodically as triggered by users visiting your site.
- Delete and Duplicate now support incremental progress with progress bars. Much more reliable.
- New advanced permission "View Page in Sitemap" controls whether a user can see a page in the intelligent search site search or the Sitemap. This has no bearing on whether they can view the page if they navigate to it directly.
Behavioral Improvements
- Much improved CMS behavior in sites that support multiple editing languages, including:
- Localization of attributes, permissions, block types and other dynamic content as seen by editors.
- Localization of intelligent search
- Better URL slug localization
- Stacks now support workflow for approve and delete.
- Stacks now show “Submit to Workflow” if the stack will be added to a workflow.
- Page approval workflows now show which version will be approved in their descriptive text, lessening confusion.
- Stack approval button is hidden if the stack is in workflow.
- Stacks now create new versions on any content edit (since stacks don’t have edit mode.)
- Better CDATA support in import/exporter.
- When rendering a full page exception/error, the HTTP error code 500 is now used.
- Approve Stack/Page button now green (thanks shotster.)
- Login page now shows region in the language dropdown (if multiple languages are available on your site and login allows you to choose language.) (thanks mlocati)
- Guestbook date now localized (thanks mlocati)
- Block Types appear localized in the interface (thanks mlocati)
- UI Accessibility improvements for dashboard checkboxes and radio buttons (thanks aghouseh)
- Placeholder text for Next Previous Block add/edit form (thanks jordanlev)
- Improved YouTube Block URL parsing (thanks ojalehto)
- Inspect Block Dialog now shows active Block count as well as total
- Logging added for Page move to trash and Page delete
- Allow choice of new page type to assign pages to when deleting a page type (thanks mlocati)
- No longer show deleted pages in dashboard breadcrumbs (thanks JohnTheFish)
- Clean up page list UI (thanks arcanepain, aghouseh)
- Backup dialog shows error if cannot delete backup file (thanks mlocati)
- Enable browser spellchecker as partial fix for discontinued Google Spell API
- Improved Permission denied messages on some dialogs (thanks hissy)
- New Page Preview for Composer (thanks gregjoyce)
Developer Updates
More info: http://www.concrete5.org/documentation/background/version_history/5-6-2-release-notes
5.6.1.2 21 March 2013 - 65MB
Bug Fixes
- Fixed bug where sites had no CSS under certain circumstances
- Better support for multilingual page names while retaining XSS protection.
- Fixed scrollbar not returning on second open of dialog.
- Quieter errors if page cache errors out in mkdir or unlink
- Fixed JavaScript bugs in Date Nav edit mode (thanks synlag)
Developer Updates
- Added a new constant, PAGE_PATH_SEGMENT_MAX_LENGTH, that defaults to 128. This is the number of characters that a URL segment can be (passed to the URLify library.)
More info: http://www.concrete5.org/documentation/background/version_history/5-6-1-2-release-notes
5.6.1.1 19 March 2013 - 65MB
Feature Updates
- Sends an email upon user activation (for sites that keep users inactive until they’re approved.)
Bug Fixes
- Fixed error installing block add-on if other add-ons had already been installed.
- Fixed inability to set advanced permissions on blocks in areas with spaces or certain other special characters in them (a previous 5.6.0.2 bug fixed this problem at the area level, but not at the block level.)
- Fixed broken bulk page delete interface.
- Fixed inability to upgrade from 5.5.2.1 to 5.6.1
- Fixed incorrect usage of getPermissionCollectionID for cache identifier (it was supposed to be used for caching in certain situations but was not. Should lessen the amount of queries on some pages.)
- Fixed this http://www.concrete5.org/developers/bugs/5-6-1/5.6.1-fatal-error-call-to-a-member-function-getcollectionid/
- Fixed http://www.concrete5.org/developers/bugs/5-6-1/modal-exit-sets-overflowauto-on-body-tag-which-should-actually-b/#discussionpost
- Fixed bug where blocks in global headers wouldn’t display their custom design values in the design dialog (although they would work in the page.)
- Fixed: HTML showing as text in file attributes, better display value in file attributes in general.
- Fixed file version not updating due to cache.
- Fixed: http://www.concrete5.org/developers/bugs/5-6-1/local-page-cache-doesnt-clear-on-new-version/
- Fixed: http://www.concrete5.org/developers/bugs/5-6-1/cannot-call-method-hide-of-undefined/
- Fixed: http://www.concrete5.org/developers/bugs/5-6-1/layout-loading-preset-buttons/
- Fixed UserAttributeKey::getByHandle() returning -1 in some cases.
- Fixed: http://www.concrete5.org/developers/bugs/5-6-1/intelligent-search-wont-work-when-quick-link-has-been-deleted/
- Fixed: http://www.concrete5.org/developers/bugs/5-6-1/another-block-design-issue/
- Fixed: Survey Block error if no option is selected
- Fixed: Upgrade from 5.6.0.2 - Error: Block Type cannot be installed because no db.xml file can be found
- Fixed: Words in URLs are removed even if "Excluded URL Word List" is empty
- Fixed error in setup on child pages if pages had had their page types changed in the past.
- Fixed: Deleting a basic workflow kills editing in some cases
- Fixed: Fatal Error when pasting a Page List block with RSS enabled
- Fixed: PageCache Library fails to Output Cache Headers once cached
- Fixed: http://www.concrete5.org/developers/bugs/5-6-1/composer-changes-not-published/ (Thanks Remo)
- Fixed: http://www.concrete5.org/developers/bugs/5-6-1/clash-with-cache-class
Developer
- Fixed inability to override text helper in the core.
More info: http://www.concrete5.org/documentation/background/version_history/5-6-1-1-release-notes
5.6.1 (major version) 14 February 2013 - 65MB
Performance Improvements
- Removed much of the cache library and rewrote calls to dramatically improve performance.
- New cache library: Pluggable for working with proxy servers and caching libraries
- New cache library: Fires much earlier and requires far fewer resources to run (and no database connections)
- New cache library: Pages can be checked for inclusion in the cache and expired manually from within the speed settings dialog (which has been renamed Full Page Caching)
- New cache library: Proper page cache headers are written.
- Faster and more reliable customized theme generation (which points to the cached CSS file directly for better performance.)
- Environment/override cache is now stored in the files/cache/ directory (meaning that deleting this directory will clear the override cache, and that it can be accessed without hitting the database)
- Block caching is now stored in the database for faster lookups
- Improved general performance of the dashboard by limiting unneeded database lookups
- Form block only uses jQuery UI when necessary (thanks jordanlev)
Feature Updates and Behavioral Improvements
- Added the ability to control which words are excluded from URLs for SEO purposes (found in Dashboard > System and Settings > SEO > Excluded from URL Words)
- Improved display of Next/Previous block in edit mode. Re-introduced “Exclude System Pages” to the block, defaulted to on.
- Now we notify users if their cookies are disabled when they attempt to login (thanks olsgreen)
- Slideshow automatically clears, making it work better in Greek Yogurt theme.
- Slideshow height doesn’t jump around as much (thanks Remo)
- Google maps less intrusive on failure.
- Added button to delete all form responses for a particular form (thanks luisbarresco)
- Better fix for this: http://www.concrete5.org/developers/bugs/5-6-0-2/5.0.6.2-help-popup-window-sticks-on-the-screen/
- Including Italian Provinces (thanks mlocati)
Developer Updates
- Added the SITEMAP_APPROVE_IMMEDIATELY constant. Defaults to true. If set to false, pages added via the sitemap will not be approved immediately (or run through workflow.) Useful for sites where workflow is prevalent.
- Added option in code for autonav templates to ignore exclude_nav attributes (thanks jordanlev)
- Fixing issue with countries/states helpers being extended improperly
- Added ENABLE_TRANSLATE_LOCALE_EN_US constant for international users who wish to force Zend_Locale to create an object even if using the en_US locale.
- Updated SimplePie RSS parsing library to 1.3.1
- Added APP_VERSION_DISPLAY_IN_HEADER constant (defaults to true) to control whether the version of concrete5 is shown in the meta header section (thanks Remo)
- Added new Security helper with sanitize functions (Thanks Chris Rosser)
- Added new AJAX Helper (thanks mlocati)
- New event: on_file_added_to_set
- New event: on_get_countries_list
- New event: on_get_states_provinces_list (thanks mlocati)
- New event: on_file_removed_from_set (thanks danklassen)
- New event: on_page_urlify (thanks remo)
- New event: on_page_body_index (thanks danklassen)
More info: http://www.concrete5.org/documentation/background/version_history/5-6-1/
5.6.0.2 21 September 2012 - 65MB
5.6.0.1 5 September 2012 - 65MB
5.6.0 (major version) 29 August 2012 - 65MB
5.5.2.1 18 April 2012 - 58MB
5.5.2 (major version) 30 March 2012 - 58MB
5.5.1 (major version) 24 January 2012 - 58MB
5.4.2.2 9 October 2011 - 49MB
5.4.2.1 31 August 2011 - 49MB
5.4.2 (major version) 4 August 2011 - 49MB
5.4.1.1 4 March 2011 - 45MB
The demo provides sample installations of Concrete CMS for evaluation. Demo installations use the default configuration and are installed without plugins or themes.
9.3.9, 8.5.19
Examples of sites built with Concrete CMS, demonstrating the capabilities the application provides.