Update Feed

Chamilo 1.11.30

27 June 2025

Chamilo version 1.11.30 is now available (security release).

Upgrading to Chamilo 1.11.30

Chamilo 1.11.30 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Chamilo updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Chamilo install to test the 1.11.30 upgrade prior to applying it live. Get started managing your Chamilo installations with Installatron

What's New in Chamilo 1.11.30

Note

Chamilo 1.11.30 comes with subtle changes in the root .htaccess file which could affect your system (for example by triggering "Not Found" errors on course homepages) if you use Apache < 2.4.38-3. Please check line 37 of /.htaccess for more info.

Security

Social: Add sec_token when commenting posts Fix GHSA-33gm-vrgh-m239
Social: Add sec_token when accepting a friend request Fix GHSA-33gm-vrgh-m239
Social: Add sec_token when denying a friend request Fix GHSA-33gm-vrgh-m239
Social: Add sec_token when deleting friend Fix GHSA-33gm-vrgh-m239
Glossary: Remove XSS Fix GHSA-4wcp-3rh3-7wm4 advisory
Confirm delete action with modal instead of alert Fix advisory GHSA-gw58-89f7-4xgj
Remove on* attributes through new filter of HTML Purifier Fix advisory GHSA-gw58-89f7-4xgj
Remove on* attributes for input text fields Fix advisory GHSA-gw58-89f7-4xgj
Work: Sanitize file name that could import document with special characters
Dropbox: Sanitize file name that could import document with special characters
Plugin: OnlyOffice: Add filtering to new filenames created through the plugin
Display: Sanitize attributes for anchor tag in Display::url function Refs advisory GHSA-gw58-89f7-4xgj
Glossary: Use entity to save glossary Refs advisory GHSA-gw58-89f7-4xgj
Remove on-attributes when showing an HTML editor in forms Refs advisory GHSA-24cc-9jp9-rxx6
Prevent XSS when setting image alt text by using the ckeditor image plugin Refs advisory GHSA-24cc-9jp9-rxx6
Fix pattern to remove on* attributes from HTML tags
Fix SQL injection vulnerability by escaping dates in SOAP registration script
Fix SQL injection vulnerability by escaping filename when uploading hot potatoes image
Fix SQL injection vulnerability by escaping assoc_handle in openid login
Improve database query handling in CourseSelectForm by using parameterized queries and simplifying SQL logic
Sanitize English name input in sub_language_add.php to prevent dangerous characters
Use FormValidator::addText and FormValidator::addCheckBox instead addElement method
Plugin: VChamilo: Add clearDatabaseName method to sanitize database names and update usages
Sanitize language variable inputs and improve variable handling in multiple files
Sanitize main database name in Virtual.php to prevent unsafe inputs
Add MIME type validation for image uploads in ck_uploadimage action
Plugin: VChamilo: Update import logic to handle 'phar://' paths to import config
Refactor hidden input generation using Display::input Replaced manual HTML string construction with the Display::input method for hidden inputs. This improves code readability, maintainability, and aligns with existing utility usage. Security measures with Security::remove_XSS remain intact. See advisory GHSA-7p5f-34rx-49h8
Remove unused 'page' parameter from session user forms. See advisory GHSA-h3m8-53j3-xjx8
Add a whitelist of allowed help topics
Messages: Ensure accepted friends have invitations sent See advisory GHSA-m5xj-5xf3-rqch
Apply XSS removal when importing users See advisory GHSA-hc3c-8p55-xh4r
Fix case sensitivity in phar file validation Adjusted the `str_starts_with` checks to be case-insensitive by converting paths to lowercase. Also refactored the logic to separate `isPharFile` handling from writable checks, improving readability and error handling with better feedback messages.
Sanitize uploaded file names in a user import process See advisory GHSA-wrx6-5v5r-mmgx
Initialize the variable to avoid a wrong result by old value See GHSA-qv5j-rq2p-q5w5
Initialize variable to avoid wrong result by old value See GHSA-qv5j-rq2p-q5w5
Documentation: Add security documentation about CSP (Content Security Policy) headers needing to allow unsafe-inline and unsafe-eval for the inline editor to work
Fix XSS in session category See advisory GHSA-p4m6-gwhg-x89f
Set token validation to set a student as tutor
Exercise: Remove XSS when displaying fill in blanks results

New Features (for end-users, teachers and Chamilo admins)

Plugin: Exercise monitoring and mouse focus tracking allowing for better control of remote exams, akin to some proctoring services
Learnpath: Plugin: OnlyOffice: Allow showing PDF files directly in the learning path when ONLYOFFICE plugin is enabled
Plugin: OnlyOffice: Add OnlyOffice viewer by default for corresponding extensions in documents tool when the plugin is enabled
Portfolio: List base-course content in sessions when setting 'portfolio_show_base_course_post_in_sessions' is enabled
Plugin: AI Helper: Add DeepSeek support
User: Add extra fields filter to advanced user search in administration
Exercise: Add configuration setting 'exercise_subscribe_session_when_finished_failure' to allow subscribing a user to a specific session when the user has failed a given test
Exercise: Add configuration setting 'exercise_text_when_finished_failure' to allow displaying a text when the user has failed
Tracking: Show progress based on visibles learning paths only (was previously showing global progress based on all learning paths including hidden ones, which made no visual sense)
Plugin: H5pImport: Add hook to create course tool in new courses
Exercise: Add OnlyOffice question type with document editing support
Calendar: Add option for course agenda to define default participants
Document: Add option to define an access start date for any given document
Language: Mongolian language added. Requires following query to manually enable in 1.11.30: "INSERT INTO language (original_name, english_name, isocode, dokeos_folder, available) VALUES ('Монгол хэл','mongolian','mn','mongolian',1);" - Contributed by Tsogtsaikhan Byambaa

New Features (for developers and sysadmins)

Plugin: Azure: Add option to use delta queries when syncing
Portfolio: Add configuration setting 'portfolio_show_base_course_post_in_sessions'
Session: Enable user session duration manual extension
Internal: Set Apache redirect rules in .htaccess to defaults that work with most Apache >2.4.38-3.
Extra Fields: Add support for attendance extra field
Scripts: Add script to change course code. Replaces strings in all HTML files and exercises content
Cron: Add users import from XLSX cron script with configurable input fields and comparison mechanisms for a first sync
Display: Add configuration setting 'display_menu_use_course_categories' to use course categories as top horizontal drop-down menu
Session: Add configuration setting 'scheduled_announcements_use_base_progress' for scheduled session announcement - by progress
Admin: Add configuration setting 'session_import_drh_hide_old_relationships_check_box' to hide the old relationships checkbox on session import view for drh users
Ticket: Add ticket deletion feature

Improvements and Debug

Language: Ticket: #add partial translation in ES, FR, EN for ticket deletion functionnality
Internal: Fix deprecated calls to mb_convert_encoding() to encode to HTML entities. Helps support PHP 8.3
Internal: Fix deprecated calls to mb_convert_encoding() to encode to HTML entities. Helps support PHP 8.3
Internal: Kses: Fix issue preventing loading $kses_allowedentitynames from global scope in PHP 8+
CI: Fix issues setting up test environment for behat
Ticket: Add option to give session admin the same right as admin, an … (#6384) Author: @yverhenne
Use null coalescing operator for cleaner code in fill_blanks and question classes
CI: Test updated version of Chrome install
CI: Force use of PHP 7.4 in automated tests building sequence
Plugin: before_login: Fix error due to (apparently) rogue copy-paste in plugin "Before login". Add information about config and theming to README.md
Plugin: before_login: Fix error due to (apparently) rogue copy-paste in plugin "Before login". Add information about config and theming to README.md
Admin: Modify default expiration date behaviour to avoid adding default expiration period when selecting "Never expires". Affects CSV import and user creation/edition forms
Plugin: BuyCourses: Fix error in coupon processing
Documentation: Fix RewriteRule for optimization of files access
Internal: Fix .htaccess rules for scorm content and course home icons
Course: Improve export of quiz questions, assignments in LP, and images in introduction page with mzb format
Internal: Fix support for X-Sendfile headers
Plugin: Add courseToolDefaultVisibility property to Plugin class to enable course plugins that are not visible by default (set it from the plugin with $this->setCourseToolDefaultVisibility(false); before install_course_fields_in_all_courses()). Enabled on positioning plugin
Internal: Trim spaces around passwords in mail to user on user creation
Course: Export HTML documents as Moodle page activities
Documentation: Add info about Mongolian language to changelog & estimated release date for 1.11.30
Language: Added comments in data.sql for the addition of Estionian and Mongolian languages in a future major version. The languages are there, but internal policy prevent us from adding them in a minor version (because if would make the database records different from the default of 1.11.0)
Language: Update translations
Session: Add send_subscription_notification field when copying sessions (#6218) Author: @nosolored
Attendance: Add group ID to parameters when using tablet vue with signature Author: @TheTomcat14
Admin: ensure "login_as" flag is off anytime we logout or login with username/password directly
Session: Enable user session duration extension days (#6012)
Session: Add avatar display in session_user_edit.php for sessions with duration
Learnpath: fix Language variable to reuse an existing one
WYSIWYG: Allow Genially iframes in HTMLPurifier filter
Session: Fix label in schedule announcements for 'progress' type
Webservice: Update example WS call for add_courses_session
Internal: Add labels to addmultiselect element for formvalidator
Setitngs: Language: Fix PlatformLanguage visualization when on multi-URL configuration
Portfolio: Keep user seleccion context when going back to post list from post view
Portfolio: Fix encoding error to show all post by alphabetical order
Portfolio: Fix encoding error to show all post by alphabetical order
Portfolio: Fix option to show all post by alphabetical order and set only one link
Portfolio: Add option to show all post by alphabetical order
Ticket: Fix advanced ticket search to select all type of user since tickets can be assign to all type of user
Plugin: Azure: Update resource for auth code with new Microsoft Graph API
Session: #fix session per duration visibility management for user_portal page
Scripts: Replace course code in cidReq param
Scripts: Fix tables fields to replace course code
Scripts: Use the appropriate directory name when replacing the course in replace_course_code.php
Simplify variable initialization using null coalescing operator
Scripts: Improve action messages in replace_course_code
Scripts: Add missing tables to replace course code
Refactoring ExerciseLib::replaceTermsInContent function to avoid repeat code
Internal: Fix fclose() call to avoid undetected error
Ticket: #fix advanced search to give result
Plugin: H5P: Add missing translations for config option
Plugin: H5P: Fix typo to include missing jquery-ui
Language: Quiz: Add partial update in FR, ES, EN for translation of parameter HideComment
Exercise: Add new option 'Hide comment' to the result page configuration extra parameter
Plugin: H5P Import: Fix class declaration to be compatible with H5P library update
Internal: Fix stricter functions declarations to improve PHPDoc from commit #ea334a3f6f because the return can be null when there is no token in session
Tracking: Fix to adapt app/cache/.htaccess regeneration on archive cleanup to include the fix for the issue displaying the pChart-generated charts due to Apache 2.4 syntax change
Document: [Minor] fix typo in a comment from previous commit
Session: Add use of session's position on myStudent page when session_list_order is activated
Session: Fix ambigous position error when activation session_list_order
Session: Fix on course inclusion in session with gradebook copy set generate certificate and is requirement
Ticket: Fix form validate redirection and return icon to keep projet_id context
Session: Use config-defined headers for base user and session fields for Excel export
CI: Update GitHub workflows to use ubuntu-24.04
Document: # fix total document tool size usage calculation to avoid documents that have many registries in c_item_property
Document: # fix total document tool size usage calculation to avoid DELETED documents that have many registries in c_item_property
Document: # fix folder size calculation to avoid DELETED documents that have many registries in c_item_property
Session: Fix configuration variable format to correspond to adaptation of report generation
Session: Use config-defined headers and order for Excel export
Course settings: Remove e=1 from direct course access link to be consistent with the explanation text
Extra Fieldss: Fix default value to be used for text type extra fields only when there is no value and it is not null
Learnpath: Fix session's lp copy
Extra Fieldss: Fix default value to be used for text type extra fields only when there is no value
Extra Fieldss: Add default value to be used for text type extra fields
Session: Fix Excel export show display text for user's headers and fix spanish translation
Language: Portfolio: Add partial update in FR, ES, EN for translation related to new alphabetical ordering option
Portfolio: Add option to order post by title alphabetical order
Session: Fix Excel export do not put headers in upper case and remove official code column
Language: partial update in FR, ES, EN for translation related to specific feature
Standardize header titles for tools help
Internal: Fix E_NOTICE by undefined variable
Plugin: BBB: fix video download link to correspond to new path in BBB
Internal: Refactor file upload error handling for early exits
Attendance: Fix escaping of language var in JS context preventing comments to be added in attendance in courses in French
Learnpath: Remove uploaded SCORM/AICC file immediately after treatment
Exercise: #fix notice appearing in exercise list and exercise rendering
Work #fix compilatio error on pending work when compilatio is not activated
Internal: Refactor CourseSelectForm to simplify conditional logic and improve readability
Refactor CourseSelectForm to simplify conditional logic and improve readability
Plugin: Azure: User the id property instead of objectId from resource
Plugin: Azure: Refactor provider to enhance user data retrieval with new Microsoft Graph API
Session: Add Excel export of certified users in course session with extra fields
Internals: return the users last registered first when password lost in case of many occurences
Tracking: Fix session admin permissions in statistics module
Exercise: Improve document reload in result view
Exercise: Prevent cached document in results page by adding timestamp to iframe
Documentation: Update link to public internal documentation in README.md Author: @Kaneda-1
Exercise: Auto-refresh OnlyOffice iframe
Exercise: Auto-refresh OnlyOffice iframe to show results
Exercise: Auto-refresh OnlyOffice iframe to show latest edits
Language: Update language terms
Exercise: Add validation to enforce correct answer and positive score
Language: Update language terms
Admin: remove restriction due to experimental feature on access to entry to main/admin/user_move_stats.php in the administration menu
Exercise: Fix student id to display onlyoffice answer
Exercise: Fix student edit permissions & finalization view in OnlyOffice
Internal: Improvements and structure adjustments for moodle import
Plugin: Azure: Fix session redirect after login from custom page
Exercise: Add automatic feedback comments to email notification
Exercise: Add readonly to editor onlyoffice in results
Exercise: Improve display onlyoffice doc editor
Exercise: Fix evaluation of Answer in Office doc question
Exercise: Improve file handling with onlyoffice and exercise tracking
Exercise: Add missing parameters for docInfo onlyoffice
Learnpath: Add direct lessons list access button & hide header in reduced mode
Exercise: Improve OnlyOffice integration with dynamic return URLs
Exercise: Improved OnlyOffice integration and URL handling
User: Language: #fix syntax from previous commit about plateformLanguage by default when updating a user instead of english
User: Language: #change set platformLanguage by default when updating a user instead of english
Internal: #fix commit de5623b2740be to show last 10 registered users in user group and session pages to show only user from the current URL
Tracking: improve display on comment to indicate progress based on visibles LPs only
Learnpath: Fix LP visibility to review registry in base course if nothing set in session
Tracking: improve display on comment to indicate progress based on visibles LPs only
Document: LP: fix access to document in LP for sessionAdmin when session_admins_access_all_content is true
Survey: Fix survey publication form blank block and htmlspecialchars() TypeError
Language: Update language terms for progress calculation and others
Skill: Minor: adapt skill block to be visible to all on the index page as it is on the user_portal page
User: Fix filters & editable columns in extra fields for advanced edit
Admin: Filter extra fields from GET in user_advanced_edit.php and allow filtering on fields as admin (do not take into account modifyability of field)
Gradebook: Fix total average weight calculation
Tracking: Fix column position for email in report
Plagiarism: Compilatio: fix analyses API query to work with all services and contracts for compilatio
Language: Update language terms
User: add advanced user edition with bulk and ajax updates
Plugin: BuyCourses: Fix bug in learning path end page/final item when plugin is enabled. End page could not load because of buggy query in services feature of plugin.
Gradebook: Fix pre-loading of stats with the allow_gradebook_stats setting
Documentation: Add PHPDoc block to getAllValuesByItem() to explain it only returns fields with filter=1
Tracking: fix average total time spent on platform calculation and use See dfca26416355703049309d2b69b38b15669a0e42
Documentation: Add index on c_quiz_question.type in optimization guide
Statistics: Add user extra fields to export users in course session
Plugin: Azure: Fix create/drop of azure_ad_sync_state table on install/uninstall
Exercise: set tolerance to pointer for draggable question
Documentation: Add changelog entry for 1.11.30 with note on the .htaccess rule change.
Exercise: Refactor answer handling in exercise_show_functions.lib.php for oral expression questions
Exercise: Simplify ternary operator
Plugin: AI Helper: Rename Url class to DeepSeekUrl to resolve conflict
Plugin: AI Helper: Fix params of generateDeepSeekQuestions()
Plugin: AI Helper: Fix the DeepSeek prompt (use same as for OpenAI by default)
Link: Avoid double htmlspecialchars for links using Display::url See 15023ce6301a8b623d789e8e788b2db9bf470547
Internal: Use $.getJson instead of fetch
Calendar: Allow to delete registry in agenda_event_invitee when deleting user
Calendar: Add property types
Internal: Avoid unnecessary loop condition in duplicate links deletion script
Settings: Fix PlatformLanguage setting to support multi-URL configurations
Internal: Fix duplicate links handling with improved LP checks and deletion logic
Language: Don't load i18n files for datepicker and timepicker when language ISO code is EN
User: Fix session redirect after login from custom page
User: Improve layout of custom login page
Internal: Fix params and return types
Auth: Fix locale field when logging with facebook
User: Add custom login template support for session expiration page
Session: Add dynamic sorting for users table by name and date
Skill: Display: Use badge.design instead of openbadges.me/designer
Internal: Add return and params types + format code
Vendor: Use facebook/graph-sdk instead of facebook/php-sdk-v4
Internal: Fix script to upload video to Vimeo
Plagiarism: Compilatio: fix analyses API query to work with all services and contracts for compilatio
Gossary: complement to Fix load glossary from base course if not found in session
Internal: Fix pagination issue in SortableTable session handling
Plugin: Azure: Add option to filter groups by display name
Internal: Fix undefined index in request
Display: Load missing i18n files for date and time pickers
Internal: Revert PHP 8 compatibility improvement in api_htmlentities() as it causes issues filtering HTML tags in HTML titles
Vendor: Remove brumann/polyfill-unserialize > In case you are using PHP 7.0+ the original unserialize() will be used instead.
Portfolio: Duplicate post in session when commenting if portfolio_show_base_course_post_in_sessions is enabled
Course: Fix export mbz validation, root-only resources, skip empty folders
Internal: Portfolio: Add types to entity properties
Plugin: OnlyOffice: Fix E_NOTICEs when api_get_setting is not returning an array value
Internal: Remove return type mixed The mixed return type is available from php8.0
Internal: Fix ErrorCorrectionLevel::MEDIUM constant usage
Add missing use of ReflectionClass
Internal: Fix various PHP8 compatibility issues to reduce error messages
Documentation: Add precision bout the syntax for new RewriteRule with Apache > 2.4.38-3
Exercise: fix delete attempt from pending exercice page
Internal: Fix warning and error with php8
Gossary: Fix load glossary from base course if not found in session
Session: Fix session course position handling in CSV export/import
Plugin: OnlyOffice: Add checked vendor/ to git
Gradebook: Fix theme image paths in certificates
Plugin: Azure: Bump version to v2.5
Exercise: Fix hide_expected_answer exercise option for fill in the blank question type
Learnpath: Avoid showing PDF files in embed view
Group: Fix advanced search when adding user to class
Remove E_NOTICE about undefined variable
WYSIWYG: Allow all domain in iframes insertion if setting to allow iframe is true in HTMLPurifier filter
Userportal: Fix coach url when it is null
LDAP: Fix encrypted password generation to use the api function which is updated and not the local function that ended being different
Admin: Fix download of existing CSS by platform admin
Internal: Fix filter for "on" attributes was too wide and replaced normal text containing " on"
Documentation: Update upgrade guide from other minor versions regarding cache and CSS directories
Internal: Fix df47eac9b93700bdf3a73e2596e956e14ab1e4f2 where the filter for "on" attributes was too wide and replaced normal text containing " on"

Web Services

Add get_session_info_from_extra_field WS
Add get_extra_fields option to get_sessions WS
Only return relevant extra field properties in getSessionInfoFromExtraField()
Add get_user_info_from_username WS (rename from get_user_from_username)
Message: #add a new only_local option to save_user_message
#add a new get_user_progress_and_time_in_session ws
#add official_code parameter to the save_user ws