Tiki Wiki CMS Groupware 12.14
28 October 2018
Tiki Wiki CMS Groupware version 12.14 is now available (security release).
Upgrading to Tiki Wiki CMS Groupware 12.14
Tiki Wiki CMS Groupware 12.14 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Tiki Wiki CMS Groupware updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Tiki Wiki CMS Groupware install to test the 12.14 upgrade prior to applying it live. Get started managing your Tiki Wiki CMS Groupware installations with Installatron.
What's New in Tiki Wiki CMS Groupware 12.14
12.14
- svn 1.10.x evaluates to 1.1 as a simple float, and so shows as being less than the minimum version 1.3, so use the php version_compare function
- wiki: Improve encoding of link attribute
- img: Prevent invalid html in image tag
- Tiki 12.x should support PHP5.3, reverting to long syntax array
- version 12.14svn in twversion.class.ph
- using https to export files to release (http is down)
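The first 12.14 item above describes a version check that cast the svn version string to a float. As an added example (not Tiki's own code), the following compares the old float check with version_compare() on constructed `svn --version` output; the function names and the sample strings are assumptions:

```php
<?php
// Added example, not Tiki's own code: the svn version check from the 12.14 notes.
// The `svn --version` output strings below are constructed samples.
const MIN_SVN_VERSION = '1.3';

// Extract the dotted version from the first line of `svn --version` output.
function parseSvnVersion(string $output): ?string
{
    return preg_match('/svn, version (\d+(?:\.\d+)+)/', $output, $m) ? $m[1] : null;
}

// The old check: (float) "1.10.3" is 1.1, which is less than 1.3, so a
// current svn is rejected as too old.
function svnIsRecentFloat(string $version): bool
{
    return (float) $version >= (float) MIN_SVN_VERSION;
}

// The fix: version_compare() compares each dotted component as a number.
function svnIsRecentVersionCompare(string $version): bool
{
    return version_compare($version, MIN_SVN_VERSION, '>=');
}

$samples = [
    "svn, version 1.10.3 (r1842928)\n   compiled Oct 1 2018, 12:00:00 on x86_64",
    "svn, version 1.9.7 (r1800392)",
    "svn, version 1.2.0 (r12345)",
];
foreach ($samples as $output) {
    $version = parseSvnVersion($output) ?? 'unknown';
    printf("%-8s float check: %-5s version_compare check: %s\n", $version,
        var_export(svnIsRecentFloat($version), true),
        var_export(svnIsRecentVersionCompare($version), true));
}
```

Only the 1.10.3 sample disagrees between the two checks: the float check rejects it while version_compare() accepts it, which is exactly the regression the release note describes.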
12.13
- Escape HTML special characters in context, added and deleted lines
- Avoid code injection
- better external link handling
- calendars: Escape special chars in calendar item titles
- clean_xml on svg drawings
- File gallery upload safety improvements.
- Better check of input parameters and use parameterized query
12.12
- feature check for inline editing
- trackers: Require post for most controller actions
- Modules: rollback one unnecessary confirmation step (no need to confirm before editing, when saving the edit is enough)
- users: Add confirmation step to assign user to group operation (thanks Jyhem)
- Also remove deprecated ticket function calls
- query: Add support for arrays of arrays in "form_input" type query generation (which generates hidden inputs for all request variables)
- perms: Add confirm check for permission changes
- Modules: add confirmation steps for creating, modifying, assigning and unassigning modules (including the custom modules)
- PluginAlias: deleting an alias deletes them all. Thanks luis_asa!
- Fix for tiki-wizard_admin.php (2 of 2)
- Fix for tiki-wizard_admin.php (1 of 2)
- wizard admin: better request filtering, including adding a relative url filter
- better var filtering for batch_send_newsletters
- debug: Observe $prefs.feature_debug_console when showing smarty debug info (and add a warning)
- JavaScript string special characters escaping.
- Use pagename filter for wiki page object ID.
- Backport is partial due to differences in code.
- Prevent bypassing of the xss filter by padding zeros
- Add attributes to xss filter. Not an exact backport - simply backporting the latest list of attributes from 17.x
- Additional escaping for css values used in text color wiki syntax
- implement checkOrigin() to avoid false CSRF errors. Fixes r62751 and r62753
- Improve r62661 with better label to avoid confusing with well known activists group (thanks Luci)
- Make it obvious which comments were entered by anonymous
- tiki-contact better filtering
- comments: better filtering and escaping for comment object IDs, with certain changes to original commit due to remove_badchars() method not being available in Tiki12
- Also display visible subgalleries in galleries listings when user does not have global list_file_galleries permission.
- Don't mention comments to users who cannot read them
- user messages: array to string error in db query was causing download of all messages to fail
- replace_hotwords(): empty lines returned when some hotwords containing PCRE metacharacters are present
- Escape all PCRE metacharacters rather than just slashes.
- filters: improve language and imgsize filters
- Backport tiki-check.php to all supported versions
- Keep PEAR constructor compatibility, adjust constructor visibility on child classes (issue introduced in r60748)
- Keep PEAR constructor compatibility (issue introduced in r60748)
- reduced size of icon shown with pluginfile. thanks pom2ter and marclaporte
- New composer.lock without the problematic things
- Reverting r61023. Revert My fix of ANY_VALUE function as a workaround for ONLY_FULL_GROUP_BY mode and compatibility with MySQL 5.7, because it is not compatible with MariaDB 10.0.x (function ANY_VALUE() doesn't exist) which can be also the default db engine in some servers. Related: https://jira.mariadb.org/browse/MDEV-10426 . Alternative workaround for those using MySQL 5.7: mysql > SET GLOBAL sql_mode=(SELECT REPLACE(@@sql_mode,'ONLY_FULL_GROUP_BY',''));
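The two replace_hotwords() items in the 12.12 list above (empty lines returned when a hotword contains PCRE metacharacters, fixed by escaping all metacharacters rather than just slashes) are illustrated by this added example. It is not Tiki's own replace_hotwords(); the hotword list, the sample lines and the function names are constructed for the demonstration:

```php
<?php
// Added example, not Tiki's replace_hotwords(): why escaping only the "/"
// delimiter breaks on hotwords that contain PCRE metacharacters, and the
// preg_quote() fix. The hotword list and the text lines are constructed.
$hotwords = [
    '*nix' => 'https://example.invalid/unix',
    'C++'  => 'https://example.invalid/cpp',
    'a/b'  => 'https://example.invalid/ab',
];

function makeLink(string $word, string $url): string
{
    return '<a href="' . htmlspecialchars($url) . '">' . htmlspecialchars($word) . '</a>';
}

// Old behaviour: only "/" is escaped, so "*nix" becomes the pattern "/*nix/",
// which does not compile. preg_replace() then returns null, which a caller
// that echoes the result prints as an empty line.
function replaceHotwordsSlashOnly(string $line, array $hotwords): ?string
{
    foreach ($hotwords as $word => $url) {
        $pattern = '/' . str_replace('/', '\/', $word) . '/';
        $line = @preg_replace($pattern, makeLink($word, $url), $line);
        if ($line === null) {
            return null; // invalid pattern: the whole line is lost
        }
    }
    return $line;
}

// Fixed: preg_quote() escapes every PCRE metacharacter plus the "/" delimiter,
// and the lookarounds keep "C++" from matching inside a longer token.
function replaceHotwordsQuoted(string $line, array $hotwords): string
{
    foreach ($hotwords as $word => $url) {
        $pattern = '/(?<!\w)' . preg_quote($word, '/') . '(?!\w)/';
        // A callback avoids "$1" or "\1" in the URL being read as a backreference.
        $line = preg_replace_callback($pattern, fn () => makeLink($word, $url), $line);
    }
    return $line;
}

$lines = ['Builds on *nix and C++ hosts.', 'See the a/b test notes.'];
foreach ($lines as $text) {
    echo "slash-only: [", replaceHotwordsSlashOnly($text, $hotwords) ?? '', "]\n";
    echo "preg_quote: [", replaceHotwordsQuoted($text, $hotwords), "]\n";
}
```

With the slash-only version every line comes back empty as soon as one hotword fails to compile, even lines that never contain that hotword; the preg_quote() version links each hotword literally.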
12.11
- Re-updated composer.lock - seems better now?
- only match .png at end of line (thanks drsassafrass)
- (Also add the same for the other allowed file extensions)
- Issue with temporary files: Should be "sys_get_temp_dir() . $temp" not "$temp . sys_get_temp_dir()" I think
- (plus add some missing spaces)
- Also use the ZF1 version of Rand::getBytes (thanks Xavi :)
- update Zend Framework 1 to latest (note: some packages moved from composer.tiki.org to github: anythingslider, tablesorter and some others, needs fixing on the server I believe...)
- Fixes an issue with creating temporary files. thanks drsassafras. Adapted since Zend 1.x doesn't have function getBytes. Please, revise or improve if needed. hth
- filegals: Only include each file once in a zip download. thanks jonnyb
- images: Only make icons smaller than the original image size. thanks jonnyb
- listpages: Use smarty var assigns instead of captures (much more efficient) and escape the $initial var. thanks jonnyb
- find: Don't set exact_match on the query when clearing a find filter as even when empty it's counted as true if set (FIXME). thanks jonnyb
- permissions: Using disabled on the "advanced" quick perm radio buttons meant the value was not being returned in the form so advanced perms would be reset to "none" - fixes wish6230 for me
- Remove unnecessary check
- bp from trunk to make sure the XMLUPDATE plugin updates the modification date/time and user in the db tables (arguably a fix) and provide another parameter option in the FILES plugin to show the time as well as the date of the last modification
- Usability: increase number of characters you can use in total for tags for a single form submission (to avoid having to re-submit the pending ones in subsequent form submissions). Not a backport since in tiki 15+ this limit is not hardcoded in the tpl.
- wiki xml zip: Update vendor_extra PEAR XML_PARSER to version 1.3.7 to avoid fatal errors; update vendor_extra Pear.php to get rid of constructor errors in PHP 7; use the syntax required since php 5.2.8 for ziparchive open command in xmllib.php.
- Resolves issue with "Use Image from URL" option in banners not displaying properly.
12.10
- maps: Handle zoom level string better
- restrict comment field to 200 chars
- filegals: If feature_draw was disabled and fgal_allow_duplicates was not allowed, then uploading new filegal-based avatars was not possible.
- Regression from way back in r52286 (by me, sorry - thanks marclaporte)
- Upgrade dompdf to version 0.6.2 due to security issues on 0.6.1
- remove jquery ui dialog overflow hidden to allow autocomplete widget in wiki link dialog to display contents outside the dialog (fixed upstream in 1.12.0 which is used in tiki 16.x)
- jscalendar smarty/tiki function updates the alt hidden field with timestamp when user manually changes the text field (i.e. clicking escape and not using the date/time picker - onClose was not being called in that case)
- customsearch: Initialise search data for date range on page load so it works first time
- composer.lock shasum fixes
- Backport tiki-check.php
- rss: Don't clear the refresh rate for the rss module (a.k.a. external feed) when clearing the cache of items
- TZ leap-seconds.list broke tiki-user_preferences.php after php upgrade (thanks ohertel)
- scroll to top of customsearch results if window is scrolled down - useful with ajax pagination
- Remove old-style constructors. Get rid of deprecated warnings when running PHP7.
- Formatting of dynamic variables no longer allows them to be inline https://dev.tiki.org/item5831
- Fix Usability bug to display a simple .webm (VP8) video in Tiki uploaded to a file gallery through plugin mediaplayer. It still fails to display with webdocviewer even if seems to be supported in theory.
- Update maximum length allowed for permNames to 36 instead of 50, since tiki will internally prepend 14 extra characters to them (tracker_field_).
- Allow trimming PermName on upgrades to 50 characters, which seems to be the maximum allowed by MySQL Full Text Search as Unified Search Index. Using same arbitrary convention as added in the code here: https://sourceforge.net/p/tikiwiki/code/59180 . This upgrade script is not placed under the installer/schema folder by default since it might potentially break some installations upon upgrade if they were using such long permanent names for real. Therefore, we leave this upgrade script here under doc/devtools/ by default, so that each admin can move it to installer/schema in their own install at their own risk. Thanks marclaporte
- Trim long permanent names in tracker fields at creation time to maximum 50 characters, to prevent errors when attempting to use MySQLFTS as unified search index. We could allow longer permanent names when other search index engines are the ones being used, but this will probably only delay the problem until the admin wants to change the search engine for some reason (some constraints in Lucene or Elastic Search, as experience demonstrated in some production sites in real use cases over long periods of time). And to increase chances to avoid conflict when long names only differ in the end of the long string, where some meaningful info resides, we'll get the first 40 chars, 1 underscore and the last 9 chars. Thanks Michael Finko for reporting the issue and marclaporte
- search: Fix a missing node class check which was making multi-word searches fail with the Lucene engine.
- Missed from a backport a few months ago, so only was a problem in 12.x, apologies (and thanks Geoff for spotting it)