phpList 3.5.4
31 May 2020
phpList version 3.5.4 is now available (security release).
Upgrading to phpList 3.5.4
phpList 3.5.4 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply phpList updates as new versions are released, or use Installatron's Clone feature to duplicate an existing phpList install to test the 3.5.4 upgrade prior to applying it live. Get started managing your phpList installations with Installatron.
What's New in phpList 3.5.4
Security
- Implement XSS filters in /lists/admin/admin.php and /lists/admin/admins.php — thanks to Sarthak Saini for reporting the issue and @xh3n1 for providing the fix.
- Implement XSS filter in /lists/admin/user.php and /lists/admin/users.php — thanks to Carlos Ramírez from wizlynx group for reporting the issue.
- Implement XSS filter in /lists/admin/editattributes.php — thanks to @r0ck3t1973 for reporting the issue
- Implement XSS filter in /lists/admin/send_core.php — thanks to @r0ck3t1973 for reporting the issue
- Implement XSS filter in /lists/admin/connect.php and /lists/admin/subscribelib2.php — thanks to @r0ck3t1973 for reporting the issue
- Implement XSS filter in /lists/admin/configure.php and /lists/admin/list.php — thanks to @r0ck3t1973 for reporting the issue
- Implement XSS filter in /lists/admin/importsimple.php and /inc/magic_quotes.php — thanks to @Songohan22 for reporting the issue
- Switch to strict comparison in /lists/admin/index.php and /lists/admin/subscribelib2.php — thanks to @peng-hui for reporting the issue
Changes
- Changed config value for “$database_host” from ‘localhost’ to ‘dbhost’ — enabling a default setup that works with a DB that is not on the same machine
- Clickable link at the top of the click stats page — thanks to @samtuke, see [the pull request](https://github.com/phpList/phplist3/pull/656)
- Added HTTP_Request2 as a fallback when curl is not available — thanks to @duncanc, see [the pull request](https://github.com/phpList/phplist3/pull/652) for more details.
- Updater menu entry is now shown only for superusers
- The updater handles deletion of broken symlinks
- Help added for the website field on the Settings page and updated help texts about date format and tracking codes — thanks to @duncanc
Bug Fixes
- Updated default list of TLDs — thanks to @duncanc for pointing out the problem
- Fixed incorrect statistics link in German installations, caused by an incorrect translation; see [mantis issue](https://mantis.phplist.org/view.php?id=20183). Please note that fetching translations won’t fix the issue for now; it’s the update itself that uses the corrected version. Thanks to @jimbocity for reporting it.
- Fixed broken link in the Install file — thanks to [Hiroyuki Sato](https://github.com/hiroyuki-sato)