Chamilo 1.11.30
27 June 2025
Chamilo version 1.11.30 is now available (security release).
Upgrading to Chamilo 1.11.30
Chamilo 1.11.30 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Chamilo updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Chamilo install to test the 1.11.30 upgrade prior to applying it live.
What's New in Chamilo 1.11.30
Note
- Chamilo 1.11.30 comes with subtle changes in the root .htaccess file which could affect your system (for example by triggering "Not Found" errors on course homepages) if you use Apache < 2.4.38-3. Please check line 37 of /.htaccess for more info.
Security
- Social: Add sec_token when commenting posts. Fix GHSA-33gm-vrgh-m239
- Social: Add sec_token when accepting a friend request. Fix GHSA-33gm-vrgh-m239
- Social: Add sec_token when denying a friend request. Fix GHSA-33gm-vrgh-m239
- Social: Add sec_token when deleting friend. Fix GHSA-33gm-vrgh-m239
- Glossary: Remove XSS. Fix GHSA-4wcp-3rh3-7wm4 advisory
- Confirm delete action with modal instead of alert. Fix advisory GHSA-gw58-89f7-4xgj
- Remove on* attributes through new filter of HTML Purifier. Fix advisory GHSA-gw58-89f7-4xgj
- Remove on* attributes for input text fields. Fix advisory GHSA-gw58-89f7-4xgj
- Work: Sanitize file name that could import document with special characters
- Dropbox: Sanitize file name that could import document with special characters
- Plugin: OnlyOffice: Add filtering to new filenames created through the plugin
- Display: Sanitize attributes for anchor tag in Display::url function. Refs advisory GHSA-gw58-89f7-4xgj
- Glossary: Use entity to save glossary. Refs advisory GHSA-gw58-89f7-4xgj
- Remove on-attributes when showing an HTML editor in forms. Refs advisory GHSA-24cc-9jp9-rxx6
- Prevent XSS when setting image alt text by using the ckeditor image plugin. Refs advisory GHSA-24cc-9jp9-rxx6
- Fix pattern to remove on* attributes from HTML tags
- Fix SQL injection vulnerability by escaping dates in SOAP registration script
- Fix SQL injection vulnerability by escaping filename when uploading hot potatoes image
- Fix SQL injection vulnerability by escaping assoc_handle in openid login
- Improve database query handling in CourseSelectForm by using parameterized queries and simplifying SQL logic
- Sanitize English name input in sub_language_add.php to prevent dangerous characters
- Use FormValidator::addText and FormValidator::addCheckBox instead of the addElement method
- Plugin: VChamilo: Add clearDatabaseName method to sanitize database names and update usages
- Sanitize language variable inputs and improve variable handling in multiple files
- Sanitize main database name in Virtual.php to prevent unsafe inputs
- Add MIME type validation for image uploads in ck_uploadimage action
- Plugin: VChamilo: Update import logic to handle 'phar://' paths to import config
- Refactor hidden input generation using Display::input. Replaced manual HTML string construction with the Display::input method for hidden inputs. This improves code readability, maintainability, and aligns with existing utility usage. Security measures with Security::remove_XSS remain intact. See advisory GHSA-7p5f-34rx-49h8
- Remove unused 'page' parameter from session user forms. See advisory GHSA-h3m8-53j3-xjx8
- Add a whitelist of allowed help topics
- Messages: Ensure accepted friends have invitations sent. See advisory GHSA-m5xj-5xf3-rqch
- Apply XSS removal when importing users. See advisory GHSA-hc3c-8p55-xh4r
- Fix case sensitivity in phar file validation. Adjusted the `str_starts_with` checks to be case-insensitive by converting paths to lowercase. Also refactored the logic to separate `isPharFile` handling from writable checks, improving readability and error handling with better feedback messages.
- Sanitize uploaded file names in a user import process. See advisory GHSA-wrx6-5v5r-mmgx
- Initialize the variable to avoid a wrong result by old value. See GHSA-qv5j-rq2p-q5w5
- Initialize variable to avoid wrong result by old value. See GHSA-qv5j-rq2p-q5w5
- Documentation: Add security documentation about CSP (Content Security Policy) headers needing to allow unsafe-inline and unsafe-eval for the inline editor to work
- Fix XSS in session category. See advisory GHSA-p4m6-gwhg-x89f
- Set token validation to set a student as tutor
- Exercise: Remove XSS when displaying fill in blanks results
New Features (for end-users, teachers and Chamilo admins)
- Plugin: Exercise monitoring and mouse focus tracking allowing for better control of remote exams, akin to some proctoring services
- Learnpath: Plugin: OnlyOffice: Allow showing PDF files directly in the learning path when ONLYOFFICE plugin is enabled
- Plugin: OnlyOffice: Add OnlyOffice viewer by default for corresponding extensions in documents tool when the plugin is enabled
- Portfolio: List base-course content in sessions when setting 'portfolio_show_base_course_post_in_sessions' is enabled
- Plugin: AI Helper: Add DeepSeek support
- User: Add extra fields filter to advanced user search in administration
- Exercise: Add configuration setting 'exercise_subscribe_session_when_finished_failure' to allow subscribing a user to a specific session when the user has failed a given test
- Exercise: Add configuration setting 'exercise_text_when_finished_failure' to allow displaying a text when the user has failed
- Tracking: Show progress based on visible learning paths only (was previously showing global progress based on all learning paths including hidden ones, which made no visual sense)
- Plugin: H5pImport: Add hook to create course tool in new courses
- Exercise: Add OnlyOffice question type with document editing support
- Calendar: Add option for course agenda to define default participants
- Document: Add option to define an access start date for any given document
- Language: Mongolian language added. Requires following query to manually enable in 1.11.30: "INSERT INTO language (original_name, english_name, isocode, dokeos_folder, available) VALUES ('Монгол хэл','mongolian','mn','mongolian',1);" - Contributed by Tsogtsaikhan Byambaa
New Features (for developers and sysadmins)
- Plugin: Azure: Add option to use delta queries when syncing
- Portfolio: Add configuration setting 'portfolio_show_base_course_post_in_sessions'
- Session: Enable user session duration manual extension
- Internal: Set Apache redirect rules in .htaccess to defaults that work with most Apache >2.4.38-3.
- Extra Fields: Add support for attendance extra field
- Scripts: Add script to change course code. Replaces strings in all HTML files and exercises content
- Cron: Add users import from XLSX cron script with configurable input fields and comparison mechanisms for a first sync
- Display: Add configuration setting 'display_menu_use_course_categories' to use course categories as top horizontal drop-down menu
- Session: Add configuration setting 'scheduled_announcements_use_base_progress' for scheduled session announcement - by progress
- Admin: Add configuration setting 'session_import_drh_hide_old_relationships_check_box' to hide the old relationships checkbox on session import view for drh users
- Ticket: Add ticket deletion feature
Improvements and Debug
- Language: Ticket: #add partial translation in ES, FR, EN for ticket deletion functionality
- Internal: Fix deprecated calls to mb_convert_encoding() to encode to HTML entities. Helps support PHP 8.3
- Internal: Kses: Fix issue preventing loading $kses_allowedentitynames from global scope in PHP 8+
- CI: Fix issues setting up test environment for behat
- Ticket: Add option to give session admin the same right as admin, an … (#6384) Author: @yverhenne
- Use null coalescing operator for cleaner code in fill_blanks and question classes
- CI: Test updated version of Chrome install
- CI: Force use of PHP 7.4 in automated tests building sequence
- Plugin: before_login: Fix error due to (apparently) rogue copy-paste in plugin "Before login". Add information about config and theming to README.md
- Admin: Modify default expiration date behaviour to avoid adding default expiration period when selecting "Never expires". Affects CSV import and user creation/edition forms
- Plugin: BuyCourses: Fix error in coupon processing
- Documentation: Fix RewriteRule for optimization of files access
- Internal: Fix .htaccess rules for scorm content and course home icons
- Course: Improve export of quiz questions, assignments in LP, and images in introduction page with mzb format
- Internal: Fix support for X-Sendfile headers
- Plugin: Add courseToolDefaultVisibility property to Plugin class to enable course plugins that are not visible by default (set it from the plugin with $this->setCourseToolDefaultVisibility(false); before install_course_fields_in_all_courses()). Enabled on positioning plugin
- Internal: Trim spaces around passwords in mail to user on user creation
- Course: Export HTML documents as Moodle page activities
- Documentation: Add info about Mongolian language to changelog & estimated release date for 1.11.30
- Language: Added comments in data.sql for the addition of Estonian and Mongolian languages in a future major version. The languages are there, but internal policy prevents us from adding them in a minor version (because it would make the database records different from the default of 1.11.0)
- Language: Update translations
- Session: Add send_subscription_notification field when copying sessions (#6218) Author: @nosolored
- Attendance: Add group ID to parameters when using tablet view with signature Author: @TheTomcat14
- Admin: ensure "login_as" flag is off anytime we logout or login with username/password directly
- Session: Enable user session duration extension days (#6012)
- Session: Add avatar display in session_user_edit.php for sessions with duration
- Learnpath: fix Language variable to reuse an existing one
- WYSIWYG: Allow Genially iframes in HTMLPurifier filter
- Session: Fix label in schedule announcements for 'progress' type
- Webservice: Update example WS call for add_courses_session
- Internal: Add labels to addmultiselect element for formvalidator
- Settings: Language: Fix PlatformLanguage visualization when on multi-URL configuration
- Portfolio: Keep user selection context when going back to post list from post view
- Portfolio: Fix encoding error to show all post by alphabetical order
- Portfolio: Fix option to show all post by alphabetical order and set only one link
- Portfolio: Add option to show all post by alphabetical order
- Ticket: Fix advanced ticket search to select all types of users since tickets can be assigned to all types of users
- Plugin: Azure: Update resource for auth code with new Microsoft Graph API
- Session: #fix session per duration visibility management for user_portal page
- Scripts: Replace course code in cidReq param
- Scripts: Fix tables fields to replace course code
- Scripts: Use the appropriate directory name when replacing the course in replace_course_code.php
- Simplify variable initialization using null coalescing operator
- Scripts: Improve action messages in replace_course_code
- Scripts: Add missing tables to replace course code
- Refactoring ExerciseLib::replaceTermsInContent function to avoid repeat code
- Internal: Fix fclose() call to avoid undetected error
- Ticket: #fix advanced search to give result
- Plugin: H5P: Add missing translations for config option
- Plugin: H5P: Fix typo to include missing jquery-ui
- Language: Quiz: Add partial update in FR, ES, EN for translation of parameter HideComment
- Exercise: Add new option 'Hide comment' to the result page configuration extra parameter
- Plugin: H5P Import: Fix class declaration to be compatible with H5P library update
- Internal: Fix stricter functions declarations to improve PHPDoc from commit #ea334a3f6f because the return can be null when there is no token in session
- Tracking: Fix to adapt app/cache/.htaccess regeneration on archive cleanup to include the fix for the issue displaying the pChart-generated charts due to Apache 2.4 syntax change
- Document: [Minor] fix typo in a comment from previous commit
- Session: Add use of session's position on myStudent page when session_list_order is activated
- Session: Fix ambiguous position error when activating session_list_order
- Session: Fix on course inclusion in session with gradebook copy set generate certificate and is requirement
- Ticket: Fix form validate redirection and return icon to keep projet_id context
- Session: Use config-defined headers for base user and session fields for Excel export
- CI: Update GitHub workflows to use ubuntu-24.04
- Document: # fix total document tool size usage calculation to avoid documents that have many registries in c_item_property
- Document: # fix total document tool size usage calculation to avoid DELETED documents that have many registries in c_item_property
- Document: # fix folder size calculation to avoid DELETED documents that have many registries in c_item_property
- Session: Fix configuration variable format to correspond to adaptation of report generation
- Session: Use config-defined headers and order for Excel export
- Course settings: Remove e=1 from direct course access link to be consistent with the explanation text
- Extra Fields: Fix default value to be used for text type extra fields only when there is no value and it is not null
- Learnpath: Fix session's lp copy
- Extra Fields: Fix default value to be used for text type extra fields only when there is no value
- Extra Fields: Add default value to be used for text type extra fields
- Session: Fix Excel export show display text for user's headers and fix Spanish translation
- Language: Portfolio: Add partial update in FR, ES, EN for translation related to new alphabetical ordering option
- Portfolio: Add option to order post by title alphabetical order
- Session: Fix Excel export do not put headers in upper case and remove official code column
- Language: partial update in FR, ES, EN for translation related to specific feature
- Standardize header titles for tools help
- Internal: Fix E_NOTICE by undefined variable
- Plugin: BBB: fix video download link to correspond to new path in BBB
- Internal: Refactor file upload error handling for early exits
- Attendance: Fix escaping of language var in JS context preventing comments to be added in attendance in courses in French
- Learnpath: Remove uploaded SCORM/AICC file immediately after treatment
- Exercise: #fix notice appearing in exercise list and exercise rendering
- Work #fix compilatio error on pending work when compilatio is not activated
- Internal: Refactor CourseSelectForm to simplify conditional logic and improve readability
- Refactor CourseSelectForm to simplify conditional logic and improve readability
- Plugin: Azure: Use the id property instead of objectId from resource
- Plugin: Azure: Refactor provider to enhance user data retrieval with new Microsoft Graph API
- Session: Add Excel export of certified users in course session with extra fields
- Internals: return the users last registered first when password lost in case of many occurrences
- Tracking: Fix session admin permissions in statistics module
- Exercise: Improve document reload in result view
- Exercise: Prevent cached document in results page by adding timestamp to iframe
- Documentation: Update link to public internal documentation in README.md Author: @Kaneda-1
- Exercise: Auto-refresh OnlyOffice iframe
- Exercise: Auto-refresh OnlyOffice iframe to show results
- Exercise: Auto-refresh OnlyOffice iframe to show latest edits
- Language: Update language terms
- Exercise: Add validation to enforce correct answer and positive score
- Admin: remove restriction due to experimental feature on access to entry to main/admin/user_move_stats.php in the administration menu
- Exercise: Fix student id to display onlyoffice answer
- Exercise: Fix student edit permissions & finalization view in OnlyOffice
- Internal: Improvements and structure adjustments for moodle import
- Plugin: Azure: Fix session redirect after login from custom page
- Exercise: Add automatic feedback comments to email notification
- Exercise: Add readonly to editor onlyoffice in results
- Exercise: Improve display onlyoffice doc editor
- Exercise: Fix evaluation of Answer in Office doc question
- Exercise: Improve file handling with onlyoffice and exercise tracking
- Exercise: Add missing parameters for docInfo onlyoffice
- Learnpath: Add direct lessons list access button & hide header in reduced mode
- Exercise: Improve OnlyOffice integration with dynamic return URLs
- Exercise: Improved OnlyOffice integration and URL handling
- User: Language: #fix syntax from previous commit about plateformLanguage by default when updating a user instead of english
- User: Language: #change set platformLanguage by default when updating a user instead of english
- Internal: #fix commit de5623b2740be to show last 10 registered users in user group and session pages to show only user from the current URL
- Tracking: improve display on comment to indicate progress based on visible LPs only
- Learnpath: Fix LP visibility to review registry in base course if nothing set in session
- Document: LP: fix access to document in LP for sessionAdmin when session_admins_access_all_content is true
- Survey: Fix survey publication form blank block and htmlspecialchars() TypeError
- Language: Update language terms for progress calculation and others
- Skill: Minor: adapt skill block to be visible to all on the index page as it is on the user_portal page
- User: Fix filters & editable columns in extra fields for advanced edit
- Admin: Filter extra fields from GET in user_advanced_edit.php and allow filtering on fields as admin (do not take into account modifyability of field)
- Gradebook: Fix total average weight calculation
- Tracking: Fix column position for email in report
- Plagiarism: Compilatio: fix analyses API query to work with all services and contracts for compilatio
- User: add advanced user edition with bulk and ajax updates
- Plugin: BuyCourses: Fix bug in learning path end page/final item when plugin is enabled. End page could not load because of buggy query in services feature of plugin.
- Gradebook: Fix pre-loading of stats with the allow_gradebook_stats setting
- Documentation: Add PHPDoc block to getAllValuesByItem() to explain it only returns fields with filter=1
- Tracking: fix average total time spent on platform calculation and use See dfca26416355703049309d2b69b38b15669a0e42
- Documentation: Add index on c_quiz_question.type in optimization guide
- Statistics: Add user extra fields to export users in course session
- Plugin: Azure: Fix create/drop of azure_ad_sync_state table on install/uninstall
- Exercise: set tolerance to pointer for draggable question
- Documentation: Add changelog entry for 1.11.30 with note on the .htaccess rule change.
- Exercise: Refactor answer handling in exercise_show_functions.lib.php for oral expression questions
- Exercise: Simplify ternary operator
- Plugin: AI Helper: Rename Url class to DeepSeekUrl to resolve conflict
- Plugin: AI Helper: Fix params of generateDeepSeekQuestions()
- Plugin: AI Helper: Fix the DeepSeek prompt (use same as for OpenAI by default)
- Link: Avoid double htmlspecialchars for links using Display::url See 15023ce6301a8b623d789e8e788b2db9bf470547
- Internal: Use $.getJson instead of fetch
- Calendar: Allow to delete registry in agenda_event_invitee when deleting user
- Calendar: Add property types
- Internal: Avoid unnecessary loop condition in duplicate links deletion script
- Settings: Fix PlatformLanguage setting to support multi-URL configurations
- Internal: Fix duplicate links handling with improved LP checks and deletion logic
- Language: Don't load i18n files for datepicker and timepicker when language ISO code is EN
- User: Fix session redirect after login from custom page
- User: Improve layout of custom login page
- Internal: Fix params and return types
- Auth: Fix locale field when logging with Facebook
- User: Add custom login template support for session expiration page
- Session: Add dynamic sorting for users table by name and date
- Skill: Display: Use badge.design instead of openbadges.me/designer
- Internal: Add return and params types + format code
- Vendor: Use facebook/graph-sdk instead of facebook/php-sdk-v4
- Internal: Fix script to upload video to Vimeo
- Glossary: complement to Fix load glossary from base course if not found in session
- Internal: Fix pagination issue in SortableTable session handling
- Plugin: Azure: Add option to filter groups by display name
- Internal: Fix undefined index in request
- Display: Load missing i18n files for date and time pickers
- Internal: Revert PHP 8 compatibility improvement in api_htmlentities() as it causes issues filtering HTML tags in HTML titles
- Vendor: Remove brumann/polyfill-unserialize > In case you are using PHP 7.0+ the original unserialize() will be used instead.
- Portfolio: Duplicate post in session when commenting if portfolio_show_base_course_post_in_sessions is enabled
- Course: Fix export mbz validation, root-only resources, skip empty folders
- Internal: Portfolio: Add types to entity properties
- Plugin: OnlyOffice: Fix E_NOTICEs when api_get_setting is not returning an array value
- Internal: Remove return type mixed. The mixed return type is available from php8.0
- Internal: Fix ErrorCorrectionLevel::MEDIUM constant usage
- Add missing use of ReflectionClass
- Internal: Fix various PHP8 compatibility issues to reduce error messages
- Documentation: Add precision about the syntax for new RewriteRule with Apache > 2.4.38-3
- Exercise: fix delete attempt from pending exercise page
- Internal: Fix warning and error with php8
- Glossary: Fix load glossary from base course if not found in session
- Session: Fix session course position handling in CSV export/import
- Plugin: OnlyOffice: Add checked vendor/ to git
- Gradebook: Fix theme image paths in certificates
- Plugin: Azure: Bump version to v2.5
- Exercise: Fix hide_expected_answer exercise option for fill in the blank question type
- Learnpath: Avoid showing PDF files in embed view
- Group: Fix advanced search when adding user to class
- Remove E_NOTICE about undefined variable
- WYSIWYG: Allow all domain in iframes insertion if setting to allow iframe is true in HTMLPurifier filter
- Userportal: Fix coach url when it is null
- LDAP: Fix encrypted password generation to use the api function which is updated and not the local function that ended being different
- Admin: Fix download of existing CSS by platform admin
- Internal: Fix filter for "on" attributes was too wide and replaced normal text containing " on"
- Documentation: Update upgrade guide from other minor versions regarding cache and CSS directories
- Internal: Fix df47eac9b93700bdf3a73e2596e956e14ab1e4f2 where the filter for "on" attributes was too wide and replaced normal text containing " on"
Web Services
- Add get_session_info_from_extra_field WS
- Add get_extra_fields option to get_sessions WS
- Only return relevant extra field properties in getSessionInfoFromExtraField()
- Add get_user_info_from_username WS (rename from get_user_from_username)
- Message: #add a new only_local option to save_user_message
- #add a new get_user_progress_and_time_in_session ws
- #add official_code parameter to the save_user ws