Installatron Remote is absolutely free for unlimited installs and imports, backups and restores, and up to three (3) updates per calendar month. Here's what you get for subscribing to Installatron Remote Premium for just $29/year:
Unlimited email and ticket-based support (for issues pertaining to Installatron Remote).
Unlimited installed app updates.
Unlimited installed app automatic updates (not available to non-subscribers).
Unlimited installed app scheduled backups (not available to non-subscribers).
Unlimited installed app clones (not available to non-subscribers).
Installatron branding no longer added in the footer of installed apps.
Contao är ett open source content management program. Contao var tidigare känd som TYPOlight.
Installatron Remote is a one-click solution to install and manage all of your Contao websites. Using Installatron helps ensure Contao is kept up-to-date and secure, and Installatron features like Clone, Backup and Restore, and Backup Scheduling can save you time. Learn more about Installatron Remote
Contao är ett open source content management system (CMS) för personer som vill ha en professionell närvaro på Internet som är enkel att underhålla. Den state-of-the-art struktur systemet erbjuder en hög säkerhet standard och ger dig möjlighet att utveckla sökmotorvänliga webbplatser som är också tillgänglig för personer med funktionshinder. Vidare kan systemet utökas flexibelt och billigt. Enkel hantering av användarnas rättigheter, Live Update Service, den moderna CSS ramar och många redan integrerade moduler (nyheter, kalender, formulär, etc.) har snabbt gjort Contao en av de mest populära öppna förvaltning källkod system på marknaden.
Use CAST(… AS BINARY) instead of BINARY (leofeyer)
Fix the help wizard (bytehead)
Add the missing relations to the DCAs (aschempp)
Add the domain to the "root page dependent module" configuration (aschempp)
Disallow creating or updating elements with invalid parent record (aschempp)
Handle ampersands in the alt attribute of the picture insert tag (markocupic)
Use the correct session bag in the preview link listener (leofeyer)
Make the default (global) operations more consistent (aschempp)
Disable overlayClick for SimpleModal (zoglo)
Fix the base path for canonical URLs (fritzmg)
Do not normalize the resampling-filter array key (ausi)
Make sure the correct test-case package is installed in Contao (aschempp)
5.3.19
Bug Fixes
Fix the sorting when copying multiple form fields as a non-admin user (qzminski)
Replace insert tags in Twig surrogate parent templates (ausi)
Enable double encoding for JSON in Twig (ausi)
Handle null result in 404 router provider (aschempp)
Make Contao 5.3 compatible with PHP 8.4 (bytehead)
Fix the "lost password" module (leofeyer)
5.3.18
Bug Fixes
Show section headlines in the back end preview (leofeyer)
Allow basic entities in section headlines (leofeyer)
Make the abstract entities migration case-sensitive (leofeyer)
Prevent possible type error in DC_Table::getClipboardPermission (fritzmg)
Do not load the CAPTCHA script in the back end preview (leofeyer)
Skip fragments which inherit legacy modules in debug:fragments (bytehead)
Remove superfluous domain encoding (falkgeist)
Cache hot path in model (Toflar)
Allow page controllers to create the response context (fritzmg)
Consider the doNotDeleteRecords setting when deleting child records (patrickjDE)
Fix login redirect and session usage (fritzmg)
Fix the permissions check for "save and duplicate" (aschempp)
Decode entities for favorites labels (fritzmg)
Use the RateLimiter component to limit password reset requests (bytehead)
Flag deprecated Twig functions as deprecated (m-vo)
Harden CSP header parsing (bytehead)
5.3.17
Bug Fixes
Fix the ContentElementTypeListener (Toflar)
5.3.16
Bug Fixes
Deprecate Controller::sendFileToBrowser() and add the postDownload hook to the UPGRADE.md file (Toflar)
Check permissions on all operations in the PermissionCheckingVirtualFilesystem decorator (m-vo)
Use a listener to set the allowed element types (aschempp)
Enable pauseOnMouseEnter in the Swiper template by default (fritzmg)
Fix a type error in CalendarContentVoter (fritzmg)
Improve the template DX when overwriting variables (m-vo)
Improve the VFS extra metadata handling (m-vo)
Do not redefine existing fragments (bytehead)
Replace newlines in CSP headers (bytehead)
Fix an invalid array access in the Model::cloneOriginal() method (Toflar)
Add the missing root--dark icon (zoglo)
Fix tooltips on mobile devices (fritzmg)
Do not save long file extensions during filesync (fritzmg)
Use the resource finder in the Twig template locator (aschempp)
Move fieldset legend padding to button (fritzmg)
Remove PDF remnants (fritzmg)
Fix a type error in NewsContentVoter (fritzmg)
Add a null check for a possible empty array (bytehead)
5.3.15
Security
CVE-2024-45398: Remote command execution through file uploads
CVE-2024-45612: Insert tag injection via canonical URLs
5.3.14
Bug Fixes
Handle string IDs in the article content voter (aschempp)
Only add the galleryTpl field to the legacy gallery element (fritzmg)
Correctly handle news feed URLs in the page routing listener (leofeyer)
Fix the parent record loading in the dynamic parent table voter (aschempp)
Fix the description list markup for template templates (fritzmg)
Fix type error in downloads content element (fritzmg)
Fix the name of symlinked filesystem adapters (fritzmg)
Fix the line height of the ellipsis containers (leofeyer)
Consider subfolders and Twig templates within the theme export (zoglo)
5.3.13
Bug Fixes
Fix the content element player start time (kllmanu)
Show a warning if a personal data module allows to change the password (leofeyer)
Add voters for content elements (aschempp)
Generate a new session ID after a member has changed their password (leofeyer)
Allow toggling fieldset states with keyboard actions (A11Y) (zoglo)
Improve the web worker time limit (ausi)
Restore the previous messages order in DC_Table (fritzmg)
Use ERR.submit in all DC forms (fritzmg)
Improve the visibility of the .limit_toggler in the back end (lukasbableck)
Encode mailto addresses in the markdown element (Toflar)
Add the DataContainer::getActiveRecord() method (Toflar)
Prevent endless recursion when copying elements with children (ausi)
5.3.12
Bug Fixes
Clone content elements with all data (aschempp)
Make sure to add the assets/files context to all image paths (leofeyer)
Use maxLines: Infinity to automatically resize the ACE editor (leofeyer)
Make the theme icons forward compatible (leofeyer)
Fix the double form submission script (leofeyer)
Skip database backups if the remaining migrations will not be executed (fritzmg)
Fix the padding of the main content area on mobile devices (leofeyer)
Fix the z-index of the limit height toggle (leofeyer)
Use the modified element when cloning (aschempp)
Use the widget attributes to generate the DCA row (aschempp)
Cleanup a leftover service argument (Toflar)
Do not limit the number of download items (mpitz)
Add the :never return type to methods that never return (aschempp)
Generate public URIs for automatically mounted adapters replacing symlinks (m-vo)
Handle .<ext>.twig file extensions in DC_Folder (m-vo)
5.3.11
Bug Fixes
Fix the priority of the web worker and improve memory handling (Toflar)
Fix missing submitter in form data (ausi)
Fix infinite loop in encore dev --watch (zoglo)
5.3.10
Bug Fixes
Remove two leftover clearing DIVs (leofeyer)
Prevent double form submission (ausi)
Fix symlinked file not inside root directory (ausi)
Evaluate scripts in Ajax form responses (ausi)
Fix toggling nodes if there is no global operation (leofeyer)
Fix drag and drop in the file manager (leofeyer)
Skip sleeping in messenger web worker (ausi)
Return to the list view after adding items to the clipboard (aschempp)
Fix missing query parameters in the file insert tag (ausi)
Use the translator language instead of the request language for the iflng and ifnlng insert tags (Toflar)
Check CSRF and private response after the session (ausi)
Replace non-routable URLs with an empty string for the {{link*}} insert tags (fritzmg)
Initialize the Contao framework when working with opt-in tokens (aschempp)
Rework the messenger integration (Toflar)
Remove the process timeout in the SuperviseWorkersCommand (md-netdesign)
Undeprecate using $model->classes (aschempp)
Cache relative paths in the ContaoFilesystemLoader (m-vo)
Replace insert tags when parsing widget templates (fritzmg)
Use the original ID for nested fragments if available (aschempp)
Fix more edge cases in the HtmlAttributes class (ausi)
Overwrite the page metadata before parsing the news article (lukasbableck)
Fix an endless loop in the DC_Folder::getParentFilemounts() method (leofeyer)
Do not trigger the PHP header() deprecation for certain headers (fritzmg)
5.3.9
Bug Fixes
Invalidate the pagemounts cache in the back end access voter when duplicating a page (lukasbableck)
Remove a redundant strlen() check (leofeyer)
Correctly set the status code of the fallback route to 404 (veronikaplenta)
Make Twig 3.10.2 the minimum requirement (leofeyer)
Fix the CSS class of legacy templates in new elements and modules (veronikaplenta)
5.3.8
Bug Fixes
Handle quoted columns names in the boolean fields migration (ausi)
Skip permissions checks for child records (aschempp)
Hide migrated news feeds in the navigation menu (leofeyer)
Fix the ParsedSequence::serialize() method (ausi)
Allow contao.insert_tag tags without method and priority (fritzmg)
Do not use the deprecated replaceInsertTags hook (ausi)
Check access to fieldsOfTable for the file edit operation (aschempp)
Show all page types in the help wizard (leofeyer)
Allow hyphens in custom legacy template names (fritzmg)
Add the component style sheets before the user style sheets (leofeyer)
Implode arrays recursively when showing undo records (leofeyer)
Allow to move an error page within its root (aschempp)
Correctly set the defer attribute for combined deferred scripts (ReneLuecking)
Use the new onpalette_callback to unset fields in the file manager (aschempp)
Fix invalid HTML markup in splash screens (bennyborn)
Store enum fields in the DCA extractor cache (SeverinGloeckle)
Fix non-existent "contao.image.image_factory" in FeedItem.php (stefansl)
Disable the search index listener in the back end (Toflar)
Fix the PHP subprocess call once again (Toflar)
Catch the URL generator exception in the news insert tag (qzminski)
Test the deserialize Twig filter (ausi)
Add a deserialize Twig filter (leofeyer)
5.3.7
Bug Fixes
Make the member group voter cacheable (aschempp)
Make the PhpTemplateProxyNode class compatible with Twig 3.9 (ausi)
Fix the elements check in the sectionwizard.js script (qzminski)
Use PhpSubprocess instead of Process in the ProcessUtil class (Toflar)
5.3.6
Bug Fixes
Ensure compatibility with Twig 3.9 (leofeyer)
Handle empty strings in the StringResolver class (qzminski)
5.3.5
Bug Fixes
Fix the order of the media block in the text element markup (ausi)
Use Encore to minify the SVG icons (leofeyer)
Add the missing styles to the new table element (zoglo)
Enable the sortAttrs option in the SVGO configuration (leofeyer)
Fix the elements check in the modulewizard.js script (qzminski)
Use display: grid in the image gallery preview (zoglo)
Initialize Handorgel on the element (zoglo)
Add the missing WysiwygStyleProcessor autowiring alias (Toflar)
Also unset the disable, start and stop fields when an admin edits themselves (aschempp)
Cache SQL queries in the page type voter (aschempp)
Fix some edge cases when parsing HTML style attributes (ausi)
5.3.4
Security
CVE-2024-28235: Session cookie disclosure in the crawler
CVE-2024-28190: Cross site scripting in the file manager
CVE-2024-28191: Insert tag injection via the form generator
CVE-2024-28234: Insufficient BBCode sanitization
5.3.3
Bug Fixes
Fix a bug in setIfExists() with Stringable objects (ausi)
Fix double encoding/decoding in the HtmlAttributes class (ausi)
5.3.2
Highlights
Add the csp_unsafe_inline_style Twig filter (ausi)
Bug Fixes
Revert the changes to the "file uploaded" check (fritzmg)
Harden mime type handling in the FilesystemItem class (m-vo)
Show headlines in article teasers again (zoglo)
Use the fragment registry in the debug:fragments command (bytehead)
Allow version 5 of lcobucci/jwt (leofeyer)
Register theme templates in the global namespace, too (ausi)
Enable collapsible fieldsets without storage (aschempp)
Override the access decision strategy instead of the manager (aschempp)
Fix a PHP 8 warning in the tl_article.getActiveLayoutSections() method (qzminski)
Fix the traceable access decision manager (aschempp)
Return to the list view after adding items to the clipboard (aschempp)
Use voters for theme permissions (aschempp)
Add the user access voter (aschempp)
Fix the front end module permissions (aschempp)
Make the ParentAccessTrait::hasAccessToParent() method private (aschempp)
Improve permission error message for DCA actions (aschempp)
Set the email message priority to "high" (Toflar)
Disable background workers if they are not supported (Toflar)
Convert protocol-relative URLs in the string resolver (aschempp)
5.3.1
Highlights
Register the dotenv:dump command by default in the Contao managed edition (Toflar)
Bug Fixes
Cache Image::getHtml() to speed up the tree view (Toflar)
Fix the newsfeed migration (aschempp)
Use Model::findById() instead of Model::findByPk() (leofeyer)
Show the route configuration in the news feed page (aschempp)
Fix the dotenv:dump command (aschempp)
Allow using insert tags in image alt and title attributes (leofeyer)
Deprecate inheriting CSS classes in nested elements (aschempp)
Use UrlUtil::makeAbsolute() when converting relative URLs (leofeyer)
Fix a type error in the login module (aschempp)
Use attrs().mergeWith() in Twig templates (leofeyer)
Make sure the .env.local.php is loaded correctly (Toflar)
Fix double inheritance of legacy templates in Twig (ausi)
Correctly register the AutoRefreshTemplateHierarchyListener (m-vo)
Fix that the guests migration only migrates one field at a time (aschempp)
Correctly generate the URLs to subscribe to comments (leofeyer)
Improve the performance of the database dumper (Toflar)
Correctly check if a "jump to" page is set when generating event feeds (leofeyer)
Make full authentication optional in the personal data module (leofeyer)
Handle unicode strings in insert tag flags (ausi)
Add a button to the "invalid request token" template (leofeyer)
Correctly implement the ImageFactoryInterface (leofeyer)
Fix the Twig loader infrastructure (m-vo)
Use files instead of data: resources to avoid breaking CSP (leofeyer)
Only make string URL absolute if it does not have a scheme (aschempp)
(större version) 10 November 2020 - 50MBContao version 4.9.0 is available. The release contains new features such as a crawler, a SERP widget, dynamic favicon.ico and robots.txt files, image lazy loading, backup codes and trusted devices for the 2-factor authentication, access control for content elements and form fields, a new front end preview, a universal table picker and a lot more. Läs mer: https://contao.org/en/news/contao-4_9_9.html
4.4.12
8 Januari 2018 - 43MB4.4.12 (2018-01-03)
Do not resend activation mails for active members (see #1234).
Order the files by name when selecting folders in the file picker (see #1270).
Optimize inserting keywords into tl_search_index (see #1277).
4.4.11 (2017-12-28)
Revert 'Quote reserved words in database queries (see #1262)'.
4.4.10 (2017-12-27)
Quote reserved words in database queries (see #1262).
Only add _locale if prepend_locale is enabled (see #1257).
4.4.9 (2017-12-14)
Show the "invisible" field when editing a form field (see #1199).
Only add pages requested via GET to the search index (see #1194).
Fix the Encrption class not supporting PHP 7.2 (see #8820).
Handle single file uploads in FileUpload::getFilesFromGlobal() (see #1192).
4.4.8 (2017-11-15)
Prevent SQL injections in the back end search panel (see CVE-2017-16558).
Support class named services in System::import() and System::importStatic() (see #1176).
Only show pretty error screens on Contao routes (see #1149).
1 November 2017 - 43MBThis bugfix release fixes a problem with displaying multi-day events if the "shortened view" option has not been enabled and a certain period is selected.
Changelog
Fixed: Filter multi-day events outside the scope in the event list (see #8792).
Fixed: Correctly show multi-day events if the shortened view is disabled (see #8782).
2 Oktober 2017 - 43MBThis bugfix release fixes several issues including a problem with displaying multi-day events if the "shortened view" option has not been enabled and a problem with combining style sheets with unencoded data: URLS.
Changelog
Fixed: Correctly handle unencoded data images in the Combiner (see #8788).
Fixed: Correctly show multi-day events if the shortened view is disabled (see #8782).
Fixed: Do not add a suffix when copying if the "doNotCopy" flag is set (see #8610).
Fixed: Use the module type as group header if sorted by type (see #8402).
Fixed: Always show the "show from" and "show until" fields (see #8766).
Fixed: Encode the username when opening the front end preview as a member (see #8762).
(säkerhetsutgåvan) 20 September 2017 - 43MB3.5.28
This bugfix release fixes an arbitrary PHP file inclusion vulnerability in the back end.
Highlights
Prevent arbitrary PHP file inclusions in the back end (see CVE-2017-10993).
Improve the accessibility of the CAPTCHA widget (see #8709).
Fixed the iOS scrolling bug in the simple modal script (see #8708).
Correctly cache the unique keys in the SQL cache (see #8712).
3.5.27
This bugfix release fixes a problem with using IDN domains.
Highlights
Revert the Punycode library changes (see #8693).
3.5.26
This bugfix release fixes several minor issues and improves the e-mail address extraction in text elements.
Highlights
Prevent endless loops in the book navigation module (see #8665).
Limit the maximum size of dimensionless SVGs in the back end (see #8684).
Correctly handle custom namespaces when combining DCA files (see #8682).
Also check the X-Forwarded-Proto header when determining HTTPS (see #8691).
Correctly support 64 character template names everywhere (see #6819).
Updated the Punycode library to version 2 (see #8693).
Correctly use the en dash in the calendar modules (see #8690).
Remove the UTF-8 BOM when combining files (see #8689).
Do not add the CORS headers in the install tool (see #8681).
Correctly move folders with an "@" in their name (see #8674).
Correctly redirect to the last page visited upon login (see #8632).
Back port the e-mail extraction improvements (see #8679).
3.5.25
This bugfix release fixes several issues, including a problem with the page indexer and with rebuilding the search index in a multi-domain installation.
Highlights
Only show error messages to authenticated users in the install tool (see #8666).
Always show the modal windows in full height (see #8631).
Support cross domain requests when rebuilding the search index (see #8597).
Correctly store numbers with leading zero in the Config class (see #4035).
Delete an old search entry if the new URL is more canonical (see #8647).
Also make Folder::$dirname an absolute path again (see #8325).
Support using namespaces and use statements in DCA/config files (see #8635).
20 Januari 2017 - 43MBThis bugfix release fixes the issue with the download elements no longer being editable in the back end, and this bugfix release fixes a problem with handling SVGZ files as well as the download elements problem.
Changelog
Fixed: Correctly handle SVGZ files in the file manager (also fixes #8624).
Fixed: Revert the download element changes (see #8620).
Version 3.5.23: Fixed: Handle non-numeric values when calculating the image margin (see #8617).
Version 3.5.23: Fixed: Correctly generate the download elements in the back end (see #8620).
Version 3.5.22: Fixed: Prevent an endless redirect loop if the page alias is "/" (see #8560).
Version 3.5.22: Fixed: Correctly parse German dates with two digit years in MooTools (see #8593).
Version 3.5.22: Fixed: Correctly add new resources to the user/group permissions (see #8583).
Version 3.5.22: Fixed: Trigger the auto-submit function in the date picker (see #8603).
Version 3.5.22: Fixed: Call the load callback when loading page/file picker nodes (see #7702).
30 December 2016 - 43MBThis bugfix release fixes the security vulnerability CVE-2016-10074, which was found in SwiftMailer, a third-party software we are using in Contao.
Changelog
Updated: Update SwiftMailer to version 5.4.5 (fixes CVE-2016-10074).
19 December 2016 - 43MBThis bugfix release fixes a problem with displaying running repeated events and with sorting pages in the page picker. In addition, a potential XSS weakness found and reported by Pascal Gerundt has been fixed.
Changelog
Fixed: Correctly show running repeated events in the event list (see #8588).
Fixed: Improve the PHP 7.1 compatibility.
Fixed: Keep the root nodes order in the page selector (see #8577).
Fixed: Do not output invalid option values in widget error messages (see #8594). Thanks to Pascal Gerundt for finding and reporting the issue.
Fixed: Correctly parse english dates in MooTools (see #8573).
17 November 2016 - 43MBThis bugfix release fixes a problem with rebuilding the search index and with redirecting to the home page, if the language is not part of the URL. Also, two performance optimizations have been implemented, which greatly reduce the number of database queries in the event list and on pages, which are not marked as language fallback.
Changelog
Fixed: Only evaluate hasDetails() and hasText() upon the first call.
Fixed: Cache the PageModel::findPublishedFallbackByHostname() results (see #8544).
Fixed: Correctly redirect to the website root page (see #8552).
Fixed: Continue rebuilding the search index if there are errors (see #8541).
26 Oktober 2016 - 43MBThis bugfix release fixes several problems, including an issue with showing running events in the list of upcoming events and an issue with creating the administrator user in the install tool. In addition, the requests when rebuilding the search index are now run sequentially to prevent too many simultaneous requests.
Changelog
Fixed: Correctly "toggle select" nodes that are loaded via Ajax (see #8535).
Fixed: Show running events in the event list again (see #8497).
Fixed: Correctly calculate the maximum length of tl_files.name (see #8536).
Fixed: Correctly add the headline if a content element is versionized (see #8502).
Fixed: Optimize the DCA sorting filter for date fields (see #8485).
Fixed: Do not show version entries of deleted files (see #8480).
Fixed: Redirect the empty URL depending on language and alias name (see #8498).
Fixed: Apply specialchars() to widget attributes (see #8505).
Updated: Updated the Ace code editor to version 1.1.9.
Fixed: Handle special characters in passwords when creating an admin user (see #8512).
Fixed: Queue the requests when rebuilding the search index (see #8449).
20 September 2016 - 43MBThis bugfix release fixes several problems, including an issue with entering the password in the "close account" module and with the automatic indexing of a page. In addition, the list of countries and languages has been updated.
Changelog
Fixed: Handle special character passwords in the "close account" module (see #8455).
Fixed: Handle broken SVG files in the Image and File class (see #8470).
Fixed: Reduce the maximum field length by the file extension length (see #8472).
Fixed: Fall back to the field name if there is no label (see #8461).
Fixed: Do not assume NULL by default for binary fields (see #8477).
Fixed: Correctly render the diff view if not the latest version is active (see #8481).
Fixed: Update the list of countries and languages (see #8453).
Fixed: Correctly set up the MooTools CDN URL (see #8458).
Fixed: Also check the URL length when determining the search URL (see #8460).
20 April 2016 - 43MBThis bugfix release fixes several issues, including issues with the search index, the book navigation and the back end user switching. In addition, the handling of IDNA e-mail addresses has been consolidated.
Changelog
Fixed: Always trigger the "isVisibleElement" hook (see #8312).
Fixed: Do not change all sessions when switching users (see #8158).
Fixed: Do not allow to close fieldsets with empty required fields (see #8300).
Fixed: Make the path related properties of the File class binary-safe (see #8295).
Fixed: Always allow to navigate to the current month in the calendar (see #8283).
Fixed: Correctly validate and decode IDNA e-mail addresses (see #8306).
Fixed: Do not add the debug bar resources if hideDebugBar is enabled (see #8307).
Fixed: Skip forward pages entirely in the book navigation module (see #5074).
Fixed: Do not add the X-Priority header in the Email class (see #8298).
Fixed: Fix an error message in the newsletter subscription module (see #7887).
Fixed: Determine the search index checksum in a more reliable way (see #7652).
1 Mars 2016 - 43MBThis bugfix release fixes several minor issues, including a versioning issue and an issue with generating cross-domain and cross-language links.
Changelog
New: Added new versioning hooks (see #8168) - "oncreate_version_callback" (supersedes "onversion_callback") - "onrestore_version_callback" (supersedes "onrestore_callback")
Fixed: Re-add the $blnFixDomain argument to keep backwards compatibility.
Fixed: Always fix the domain and language when generating URLs (see #8238).
Fixed: Fix two issues with the flexible back end theme (see #8227).
Fixed: Correctly toggle custom page type icons (see #8236).
Fixed: Fix the domain in all article, news, event and FAQ insert tags (see #8204).
Fixed: Update mediaelement.js to version 2.19.0.1 (see #8217).
Fixed: Correctly render the links in the monthly/yearly event list menu (see #8140).
Fixed: Skip the registration related fields if a user is duplicated (see #8185).
Fixed: Correctly show the form field type help text (see #8200).
Fixed: Correctly create the initial version of a record (see #8141).
Fixed: Correctly show the "expand preview" buttons (see #8146).
Fixed: Correctly check that a password does not match the username (see #8209).
Fixed: Check if a directory exists before executing mkdir() (see #8150).
Fixed: Do not link to the maintenance module if the user cannot access it (see #8151).
Fixed: Show the "new folder" button in the template manager (see #8138).
1 December 2015 - 43MBContao version 3.5.6 is available. The bugfix release fixes the "An invalid form control with name='text' is not focusable" problem occurring in Firefox and Chrome.
Changelog
Fixed: Correctly determine the protocol delimiter in Idna::encodeUrl().
Fixed: Handle relative URLs when following redirects in the Request class (see #7799).
Fixed: Correctly handle empty UUIDs when comparing versions (see #7971).
Fixed: Remove the "required" attribute when setting up TinyMCE (see #8131).
1 December 2015 - 43MBThis bugfix release fixes several issues, including the wrong <time> tag rendering and the synchronization of the file system when moving or copying files with the source or target folder being excluded from synchronization.
Changelog
Fixed: Fix the domain when forwarding in the page controllers (see #8123).
Fixed: Use the feed URL instead of the base URL for enclosures (see #8116).
Fixed: Fix the <time> tags and standardize the event templates (see #8012).
Fixed: Handle empty href attributes in the book navigation (see #8104).
Fixed: Do not store e-mail addresses in the newsletter (un)subscription log.
Fixed: Correctly encrypt fields upon registration (see #8110).
Fixed: Correctly render required single checkboxes in the back end (see #7731).
Fixed: Correctly store multi select menus if no value is selected (see #7760).
Fixed: Prevent recursion when rendering 403/404 pages (see #8060).
Fixed: Map the FileTree widget to FormFileUpload in the front end (see #8091).
Fixed: Preserve the user input when loading image meta data (see #8108).
Fixed: Show the "toggle all" buttons in "edit multiple" mode (see #5622).
Fixed: Disable the gallery pagination if the images are sorted randomly (see #8033).
Fixed: Set the correct empty value when copying elements (see #8064).
Fixed: Correctly hide forward pages with no public subpages (see #8054).
Fixed: Correctly render the page picker if the value starts with # (see #8055).
Fixed: Correctly render the "group" option in the radio button and checkbox widgets.
Fixed: Correctly set the ID when toggling fields via Ajax (see #8043).
Fixed: Support call, sms and app hyperlinks when converting relative URLs (see #8102).
Fixed: Correctly check if a folder is protected when loading subfolders.
Fixed: Correctly check the synchronization status when copying or moving files.
Fixed: Adjust the code to be compatible with PHP7 (see #8018).
Fixed: Correctly show the UUID in the back end file manager popup (see #8058).
9 Oktober 2015 - 43MBThis bugfix release fixes the issue with the event reader only displaying the teaser text and the issue with the home page no longer being marked as active. It also improves working with files which have been excluded from synchronization.
Changelog
Fixed: Do not add the back end language in the meta wizard (see #8056).
Fixed: Do not add excluded files to the DBAFS if they are edited in the file manager.
Fixed: Add the |flatten insert tag flag to handle arrays (see #8021).
Fixed: Check for excluded folders in the back end file popup (see #8003).
Fixed: Fixed a wrong option name when initializing sortables (see #8053).
Fixed: Translate UUIDs to paths in the parent view header fields.
Fixed: Trigger the options_callback for the parent view header fields (see #8031).
Fixed: Correctly create the initial version of a member without username (see #8037).
Fixed: Improve the performance of the debug bar (see #7839).
Fixed: Correctly output the event details in the event_list template (see #8041).
Fixed: Only modify empty href attributes in the nav_ template (see #8006, #8038).
Fixed: Correctly show the group headlines in the repository DB updater (see #8020).
Fixed: Improve the e-mail regex to also match the new TLDs (see #7984).
Fixed: Ensure that the database port is not empty (see #7950).
Fixed: Remove the left-over usages of $this->v2warning (see #8027).
Fixed: Support the hasDetails variable in the event reader (see #8011).
10 September 2015 - 43MBThis bugfix release fixes a problem with the model registry, which noticeably affected the performance. It also improves the compatibility with Microsoft Edge and the Google pagespeed module.
Changelog
Fixed: Correctly handle dimensionless SVG images (see #7882).
Fixed: Correctly fill in the image meta data in news, events and FAQs (see #7907).
Fixed: Enable the strictMath option of the LESS parser (see #7985).
Fixed: Consider the pagination menu when inserting at the top (see #7895).
Fixed: Use en-dashes in event intervals (see #7978).
Fixed: Store the correct edit URL in the back end personal data module (see #7987).
Fixed: Adjust the breadcrumb trail when creating new folders (see #7980).
Fixed: Use $this->hasText in news and event templates (see #7993).
Fixed: Convert the HTML content to XHTML when generating Atom feeds (see #7996).
Fixed: Correctly link the items in the files breadcrumb menu (see #7965).
Fixed: Handle explicit collations matching the default collation (see #7979).
Fixed: Fix the duplicate content check in the front end controller (see #7661).
Fixed: Correctly parse dates in MooTools (see #7983).
Fixed: Register the related models in the registry (see contao/core-bundle#333).
Fixed: Correctly escape in the findMultipleFilesByFolder() method (see #7966).
Fixed: Override the tabindex handling of the accordion to ensure that the togglers are always focusable via keyboard (see #7963).
Fixed: Correctly generate the news and event menu URLs (see #7953).
Fixed: Check the script when storing the front end referer (see #7908).
Fixed: Fix the back end pagination menu (see #7956).
Fixed: Handle option callbacks in the back end help (see #7951).
Fixed: Fixed the external links in the text field help wizard (see #7954) and the keyboard shortcuts link on the back end start page (see #7935).
Fixed: Fixed the CSS group field explanations (see #7949).
Fixed: Use ./ instead of an empty href (see #7967).
Fixed: Correctly detect Microsoft Edge (see #7970).
Fixed: Respect the "order" parameter in the findMultipleByIds() method (see #7940).
Fixed: Always trigger the "parseDate" hook (see #4260).
Fixed: Allow to instantiate the InsertTags class (see #7946).
Fixed: Do not parse the image src attribute to determine the state of an element, because the image path might have been replaced with a data: string (e.g. by the Apache module "mod_pagespeed").
(större version) 5 Juni 2015 - 43MB111 tickets and pull requests have been completed during the 4 months of development and the following testing period.
Long Term Support
Contao 3.5 is an LTS version, which is supported at least until November 2016.
It supersedes the current LTS version Contao 3.2, which now enters its 6 months transition phase during which only security related issues will still be fixed.
New Features
PHP 5.4: The minimum PHP version required to run Contao has been raised to PHP 5.4. In this course, all templates have been adjusted to use short open tags (<?= $name ?> instead of <?php echo $name; ?>), which are available by default as of PHP 5.4.
Image meta data in themes: Theme exports now also contain the image meta data, which includes the name of the image, the image caption and the coordinates of the important part.
Select multiple checkboxes: You can now select multiple checkboxes at once in "edit multiple" mode by holding down the Shift key while clicking.
Windows compatibility: Contao now uses the DIRECTORY_SEPARATOR constant when replacing file paths with the PHP function str_replace() to ensure maximum compatibility with Windows systems.
Database key length: It is now possible to specify the length of a database key.
Initial versions: Contao now also shows initial versions in the "latest changes" section of the back end, which do not yet have an editing history.
Change password: The new front end module "change password" adds a form to the page, which members can use to change their password. Other than in the "personal data" module, the "change password" module will also ask for the old password.
Picture insert tag: Analogous to the {{image}} insert tag, there is now also a {{picture}} insert tag, which allows to insert responsive images.
Compare templates: Thanks to Yanick Witschi, there is now an option to compare customized templates with their original or another template of the same group.
Cache tuning: An additional lookup file now allows to map any request for the empty domain to a cached page, independent of which languages the visitor's browser accepts. In the past, only a limited mapping was possible.
Performance optimization: The performance of Contao when rendering websites with a lot of news or events could be notably improved by selectively tuning the database queries. In addition, lazy loading of the content elements by means of closures could decrease the RAM demand of the listing modules.
Newsletter recipients: It is now possible to move or copy newsletter recipients from one channel into another. At that, the stored double opt-in data will be deleted and the status will be set to "added manually".
Arrow brackets in user input: In Contao 3.5, we have adjusted the user input validation so arrow brackets are only removed if they are part of an HTML tag. A regular usage, e.g. as comparison operator, is now possible.
Improved error handling: The front end error handling has been standardized and now the 404 page is always generated if an event or a news item is not found or if an invalid page number or date is entered. This also applies if a page is called via its numeric ID instead of its alias (e.g. 44.html instead of home.html). Rendering the error page is meant to help avoid duplicate content in this case.
Duplicating multiple items: It is now possible to duplicate multiple items in the back end list view.
Hidden system files: The new release standardizes the handling of hidden system files beginning with a dot (e.g. .htaccess, .git or .svn). These files are now ignored everywhere in Contao.
New hooks: The following hooks were added: compileArticle, postAuthenticate, newsListCountItems, newsListFetchItems, getPageStatusIcon
Updated plugins: The following plugins were updated: Respimage to version 1.3.0, jQuery to version 1.11.2, jQuery UI to version 1.11.4, Mediaelement.js to version 2.16.4, Colorbox to version 1.6.0, HTML5Shiv to version 3.7.2, DropZone to version 3.12.0, ACE-Editor to version 1.1.8
IDE compatibility: The Contao source code has been highly optimized regarding its IDE compatibility, so now it is possible to click almost every class, method or property to directly jump to its declaration.
Full Changelog
Updated: Updated TinyMCE to version 4.1.10.
Updated: Updated respimage to version 1.4.0.
Updated: Updated jQuery to version 1.11.3.
Updated: Updated Colorbox to version 1.6.1.
Fixed: Consistently sanitize the names of uploaded files (see #7852).
Fixed: Fixed loading cached pages with both a mobile and desktop layout (see #7859).
Fixed: Omit the index.php fragment if the request string is empty (see #7757).
Fixed: Adjust the edit URLs in the versions menu in "edit multiple" mode (see #7745).
Fixed: Do not cache the login module if there is an error (see #7824).
Fixed: Correctly handle encrypted rows (see #7815).
Fixed: Only create a new version in the personal data module if something actually changed (see #7415).
Fixed: Also fire the "modifyFrontendPage" hook when loading from cache (see #7457).
Fixed: Fixed several minor issues with the registration module (see #7816).
Fixed: Update the revision date if a member updates their personal data (see #7818).
Fixed: Do not allow to restore versions in the back end user settings (see #7713).
Fixed: Use the timestamp of an element to initialize its first version (see #7730).
Fixed: Hide the "edit header" button if there are no editable fields (see #7770).
Fixed: Make the "form_submit" templates overwritable again (see #7854).
Fixed: Correctly inherit empty page permissions (see #6782).
Fixed: Decode the GET parameters before setting them in the Input class (see #7829).
Fixed: Fixed the "specified value 't' is not a valid email address" error (see #7784).
Fixed: Correctly set data- or ng- attributes in the widgets (see #7772).
Fixed: Correctly display the headline in the template editor (see #7746).
Fixed: Make Validator::isValidUrl() RFC 3986 compliant (see #7790).
Fixed: Fixed switching between the page and file picker in the URL wizard (see #5863).
Fixed: Make the "the old password is incorrect" message translatable (see #7793).
Fixed: Fix copying multiple items in parent view (see #7776).
Fixed: Disable the "compare template" icon for folders (see #7802).
Fixed: Fix the field order in the template diff view (see #7808).
Fixed: Validate the coordinates in the Image::setImportantPart() method (see #7804).
Fixed: Only add order fields of binary fields in the DCA extractor (see #7785).
New: Select multiple checkboxes by holding down the SHIFT key (see #7781).
Changed: Show versions even if there is only one (see #7730).
Fixed: Loosely check the suhosin.memory_limit setting (see #7696).
Improved: Support specifying the database key length (see #7771).
Improved: Check for ASCII strings in the utf8_romanize() function (see #7748).
Changed: Controller::replaceInsertTags() is now public static.
Fixed: Restore the removed attributes of the "picture_default" templates (see #7752).
Changed: Moved the insert tag logic into a separate class.
Improved: Show the upload limits in the file manager (see #7389).
Improved: Also export the image meta data when exporting themes (see #7480).
Improved: Improve the model registry (see #7725).
Changed: The templates now use short open tags.
New: Add a front end module to change the password (see #7418).
Changed: Allow to copy and move newsletter recipients across channels (see #7570).
New: Added the "newsListCountItems" and "newsListFetchItems" hooks (see #7694).
New: Added the "compileArticle" hook (see #7686).
New: Added the "picture" insert tag (see #7635 and #7718).
Changed: Stop ignoring notices by defaut now that the error level is configurable.
Updated: Updated respimage to version 1.3.0.
Updated: Updated jQuery UI to version 1.11.4.
Updated: Updated mediaelement.js to version 2.16.4.
Updated: Updated Colorbox to version 1.6.0.
Updated: Updated jQuery to version 1.11.2.
Updated: Updated HTML5Shiv to version 3.7.2.
Updated: Updated DropZone to version 3.12.0.
Updated: Updated the ACE editor to version 1.1.8.
Improved: Also convert image links in TinyMCE to {{file}} insert tags (see #7581).
New: Support copying multiple records in the list view (see #7499).
Fixed: Do not strip opening arrow brackets when stripping tags (see #3998).
Improved: Simplify the moo_mediabox templates (see #7521).
Changed: Always return the model in the File and Folder classes (see #7567).
Fixed: Consistently ignore hidden system files (see #7536).
New: Make the calendar model available in the templates (see #7388).
Changed: Render the 404 page if the request contains an invalid date format (see #7545).
Changed: Always render the 404 page if a news/event/FAQ alias is invalid (see #7238).
New: Prevent calling a page via ID if there is a page alias (see #7661).
Improved: Use closures to lazy-load content elements in the news/event list (see #7614).
Improved: Optimized the database queries (see #7450 and #7710).
Improved: Add a log entry if a back end user switches to another account (see #7441).
Improved: Optionally use the ProxyRequest class in the automator (see #7681).
Fixed: Add a unique index for member usernames, too (see #7701).
New: Add a diff view for custom templates (see #7599).
New: Added the "postAuthenticate" hook (see #7493).
New: Pass $arrFields as fourth argument in the "prepareFormData" hook (see #7693).
Fixed: Return a boolean value in the *User::authenticate() method (see #7497).
New: Make count, page and keywords available in the search module (see #7577).
New: Added the "getPageStatusIcon" hook (see #7556).
Fixed: Improve the cache handling for empty URLs (see #7618).
Improved: Improved the IDE compatibility (see #7634).
(säkerhetsutgåvan) 14 Februari 2015 - 43MBThis bugfix release fixes a directory traversal vulnerability discovered by Arnaud Buchoux of Orange Consulting (see CVE-2015-0269).
The vulnerability allows logged in back end users to view files which are outside their file mounts or the document root. It is, however, not possible to edit these files or to view their content. Upgrading is still highly recommended.
Changelog
Fixed a directory traversal vulnerability discovered by Arnaud Buchoux. See CVE-2015-0269 for more information.
23 Januari 2015 - 43MBThis bugfix release fixes several smaller issues including the wrong LESS import path in the Combiner class and the problem with the missing class_exists() call in the file and page picker.
Changelog
Fixed: Fix an infinite recursion problem in the FilesModel class (see #7588).
Fixed: Fix the position of the input field hints (see #7561).
Fixed: Do not apply the GDlib maximum dimensions to SVG images (see #7435).
Fixed: Do not show the diff icon if a record has been deleted (see #7429).
Fixed: Remove a left-over headline from the ce_text.xhtml template (see #7502).
Fixed: Preserve comments when exporting CSS files (see #7482).
Fixed: Fix the LESS import path in the Combiner (see #7533).
Fixed: Hide the width and height attributes if there is a sizes attribute (see #7500).
Fixed: Remove the hardcoded figcaption width (see #7549).
Fixed: Only load the model in the file/page picker if the class exists (see #7490).
Fixed: Romanize style sheet names (see #7526).
Fixed: Add the username to the "account has been locked" log entry (see #7551).
Fixed: Consider the suhosin.memory_limit when raising the PHP limits (see #7035).
Fixed: Added two missing exclude flags in the tl_page data container (see #7522).
Fixed: Send an UTF-8 charset header in the die_nicely() function (see #7519).
Fixed: Correctly validate dates in the Widget class (see #7498).
Fixed: Back port the fixes from #7475 and #7473.
Fixed: Send the same cache headers for cached and uncached pages (see #7455).
Fixed: Fix the current() expects parameter 1 to be array issue (see #6739).
Fixed: Correctly replace the *_teaser insert tags (see #7488).
Fixed: Adjust the last and previous login labels (see #7426).
Fixed: Unset the postUnsafeRaw cache in Input::setPost() (see #7481).
(större version) 26 November 2014 - 43MBHighlights
SVG support: Thanks to Tristan Lins' initiative, Contao 3.4 supports SVG and SVGZ images. The images can not only be resized (thumbnails) but are also editable with the source editor in the file manager.
Responsive images: Martin Auswöger and Yanick Witschi have created the biggest pull request in the history of Contao to support new technologies like the 'picture' element as well as the sizes and the srcset attribute. In combination with the picturefill.js script, you can implement responsive images, which are sent to the client in different sizes depending on the device and resolution. As an additional highlight, the two have enhanced the automatic thumbnail generation so you can now mark any section of an image as "important part" in the file manager. Then, when cropped, the image will be focused on this part. An introduction to responsive images is available on responsiveimages.org.
Style sheet order: The order of the internal and external style sheets is now configurable in the page layout, so the internal style sheets can be injected after the external ones if needed. In addition, there is now an option to export internal style sheets.
Asynchronous JavaScript: Analogous to the |static flag, which allows to include JavaScripts and style sheets statically, an |async flag has been added in Contao 3.4, which allows to load JavaScript files asynchronously using the async attribute.
Image links in TinyMCE: It is now possible to switch between the page and file picker when needed, so you can not only link pages in TinyMCE but also files.
Active page in the navigation menu: The active page in the navigation menu is now always rendered as a link, if the URL contains query parameters (e.g. when reading a news article). If you e.g. open the page news/james-wilson-returns.html, it is now possible to click the link to the news.html page in the navigation menu.
Theme export with SQL files: It is possible in Contao 3.4 to store SQL files in the templates folder, which is associated with a theme. The SQL files will then be included in the export and the install tool will automatically find them after the theme import.
Timing attack prevention: In PHP 5.5, new functions to create and verify password hashes have been added to prevent timing attacks. We are using these functions in Contao 3.4, together with appropriate fallback routines for PHP 5.4 and 5.3.
Login to comment: If a visitor is not logged in and the "login to comment" option is enabled, the comment form will be hidden. Contao 3.4 will additionally display a "please log in to comment" message.
Skip images without meta data: There is now an option to skip images without meta data in an image gallery. This corresponds to the behavior of Contao 2.
Registration and password mails: The e-mail texts of the member registration and lost password modules now support simple tokens, which means that they can be personalized.
Insert tag link_name: The new insert tag {{link_name}} outputs the name of a page (in contrast to the {{link_title}} tag, which outputs the page title).
DCA flag "doNotTrim": With the "doNotTrim" flag of the DCA, you can suppress the automatic removal of whitespace at the beginning and end of the user input.
Non-negative natural numbers: A new regular expression to validate non-negative natural numbers has been added, which can be used in the DCA as 'rgxp'=>'natural'.
New hooks and callbacks: The following hooks have been added in Contao 3.4: compareThemeFiles, extractThemeFiles, exportTheme, sendNewsletter. The DCA now also triggers an "onundo_callback" when restoring a deleted record.
Change Log
Fixed: Consider image size IDs when overriding the default image size (see #7470).
Fixed: Do not require to set a media query in the image sizes.
Fixed: Fixed a potential directory traversal vulnerability.
Fixed: Fixed a severe XSS vulnerability. In this context, the insert tag flags base64_encode and base64_decode have been removed.
Fixed: Also use simple tokens for the newsletter subscription modules (see #7446).
Fixed: Only show the root page languages in the meta wizard (see #7112).
Fixed: Correctly create the initial version in the personal data module (see #7415).
Fixed: Check if a DB driver has been configured in Config::isComplete() (see #7412).
Fixed: Correctly mark deleted versions in Versions::addToTemplate() (see #7442).
Fixed: Replace insert tags of RTE fields in the back end preview (see #7428).
Fixed: Handle nested insert tags in strip_insert_tags().
Fixed: Correctly store the model in Dbafs::addResource() (see #7440).
Fixed: Send the request token when toggling the visibility of an element (see #7406).
Fixed: Always apply the IE security fix in the Environment class (see #7453).
New: Added the CSS units vw, vh, vmin and vmax (see #7417).
Fixed: Replace leafo/lessphp with oyejorge/less.php (see 7012).
Fixed: Show the correct root icon in the page/file picker (see #7409).
Fixed: Add an empty option to the image size select menu (see #7436).
Fixed: Nest wrapper elements in the back end preview (see #7434).
Fixed: Correctly handle archives being part of multiple RSS feeds (see #7398).
Fixed: Correctly handle 0 in utf8_convert_encoding() (see #7403).
Fixed: Send a 301 redirect to forward to the language root page (see #7420).
Fixed: Handle SVG images in the default back end uploader.
New: Pass the parent ID of a page to the navigation template (see #7391).
Improved: Support the "min", "max" and "step" attributes on number fields (see #7363).
Improved: Show the database query duration in debug mode (see #7323).
New: Added the "executeResize" hook (see #7404).
Fixed: Handle disabled modules in the module loader.
New: Support responsive images and the element (see #7296).
New: Added the "compareThemeFiles", "extractThemeFiles" and "exportTheme" hooks.
Improved: Use the image meta data in Controller::addEnclosuresToTemplate() (see #6746).
New: Add the dir="rtl" attribute if the page language is RTL (see #7171).
Improved: Export .sql files in the theme folder and allow to reimport them (see #7048).
Changed: Do not mark pages as active if there are query parameters (see #7189).
Changed: Use addImageToTemplate() in the ContentHyperlink class (see #7296).
Changed: Removed the H2 sub-headlines in the back end (see #7248).
Improved: Only create one DcaExtractor instance per table (see #7324).
Improved: Add a CSS class indicating the number of columns in a gallery (see #7138).
Improved: Allow to switch between the page and file picker in TinyMCE (see #6974).
Improved: Show a message if logging in is required to comment (see #7031).
New: Added the "sendNewsletter" hook (see #7222).
Improved: Make the pagination template more flexible (see #7174).
Improved: Limit the selectable file types depending on the element type (see #7003).
New: Prevent timing attacks when verifying passwords (see #7115, #5853).
Changed: Hide the "start" and "stop" fields if an element is not published (see #7148).
New: Support the backlink configuration setting in the parent view (see #7083).
New: Added a regex to check for nonnegative natural numbers (see #4392). This also includes the "minval" and "maxval" flags to specify a miminum or maximum value.
Improved: Optionally hide files without matching meta data in downloads (see #6874).
New: Preserve the original CSS ID and classes in the alias elements (see #6638).
Improved: Do not directly query the INFORMATION_SCHEMA database (see #7302).
New: Added the "doNoTrim" flag to the Widget class (see #4287).
Improved: Support simple tokens in registration and lost password mails (see #7101).
Changes: Consider the options array in Model::countBy() (see #7033).
New: Support SVG and SVGZ images (see #7108, #5908).
Changed: Move the mime types array to a configuration file (see #6843).
New: Added the sort flag to the eval section of the DCA (see #4072).
New: Added the "onundo_callback" (see #7258).
Improved: Consider the values of referenced fields in the back end search (see #4376).
New: Add an option to export style sheets (see #7049).
New: Added widget-* CSS classes to front end form fields (see #7041).
Improved: Make the loading order of the style sheets configurable (see #6937).
Removed: Remove the rel="author support (see #7291).
New: Added $item['isTrail'] to the navigation menu templates (see #7096).
Improved: Handle data- and ng- attributes in Widget::addAttributes() (see #7095).
Changed: Add the class "tableless" to the member_ templates (see #7207).
Improved: Added the |async flag to $GLOBALS['TL_JAVASCRIPT'] (see #7172).
New: Added the "link_name" insert tag (see #7218).
Improved: Simplify the "member_grouped" template (see #7015).
Changed: Make the front controller classes overwritable.
(större version) 26 November 2014 - 43MBHighlights
SVG support: Thanks to Tristan Lins' initiative, Contao 3.4 supports SVG and SVGZ images. The images can not only be resized (thumbnails) but are also editable with the source editor in the file manager.
Responsive images: Martin Auswöger and Yanick Witschi have created the biggest pull request in the history of Contao to support new technologies like the 'picture' element as well as the sizes and the srcset attribute. In combination with the picturefill.js script, you can implement responsive images, which are sent to the client in different sizes depending on the device and resolution. As an additional highlight, the two have enhanced the automatic thumbnail generation so you can now mark any section of an image as "important part" in the file manager. Then, when cropped, the image will be focused on this part. An introduction to responsive images is available on responsiveimages.org.
Style sheet order: The order of the internal and external style sheets is now configurable in the page layout, so the internal style sheets can be injected after the external ones if needed. In addition, there is now an option to export internal style sheets.
Asynchronous JavaScript: Analogous to the |static flag, which allows to include JavaScripts and style sheets statically, an |async flag has been added in Contao 3.4, which allows to load JavaScript files asynchronously using the async attribute.
Image links in TinyMCE: It is now possible to switch between the page and file picker when needed, so you can not only link pages in TinyMCE but also files.
Active page in the navigation menu: The active page in the navigation menu is now always rendered as a link, if the URL contains query parameters (e.g. when reading a news article). If you e.g. open the page news/james-wilson-returns.html, it is now possible to click the link to the news.html page in the navigation menu.
Theme export with SQL files: It is possible in Contao 3.4 to store SQL files in the templates folder, which is associated with a theme. The SQL files will then be included in the export and the install tool will automatically find them after the theme import.
Timing attack prevention: In PHP 5.5, new functions to create and verify password hashes have been added to prevent timing attacks. We are using these functions in Contao 3.4, together with appropriate fallback routines for PHP 5.4 and 5.3.
Login to comment: If a visitor is not logged in and the "login to comment" option is enabled, the comment form will be hidden. Contao 3.4 will additionally display a "please log in to comment" message.
Skip images without meta data: There is now an option to skip images without meta data in an image gallery. This corresponds to the behavior of Contao 2.
Registration and password mails: The e-mail texts of the member registration and lost password modules now support simple tokens, which means that they can be personalized.
Insert tag link_name: The new insert tag {{link_name}} outputs the name of a page (in contrast to the {{link_title}} tag, which outputs the page title).
DCA flag "doNotTrim": With the "doNotTrim" flag of the DCA, you can suppress the automatic removal of whitespace at the beginning and end of the user input.
Non-negative natural numbers: A new regular expression to validate non-negative natural numbers has been added, which can be used in the DCA as 'rgxp'=>'natural'.
New hooks and callbacks: The following hooks have been added in Contao 3.4: compareThemeFiles, extractThemeFiles, exportTheme, sendNewsletter. The DCA now also triggers an "onundo_callback" when restoring a deleted record.
Change Log
Fixed: Consider image size IDs when overriding the default image size (see #7470).
Fixed: Do not require to set a media query in the image sizes.
Fixed: Fixed a potential directory traversal vulnerability.
Fixed: Fixed a severe XSS vulnerability. In this context, the insert tag flags base64_encode and base64_decode have been removed.
Fixed: Also use simple tokens for the newsletter subscription modules (see #7446).
Fixed: Only show the root page languages in the meta wizard (see #7112).
Fixed: Correctly create the initial version in the personal data module (see #7415).
Fixed: Check if a DB driver has been configured in Config::isComplete() (see #7412).
Fixed: Correctly mark deleted versions in Versions::addToTemplate() (see #7442).
Fixed: Replace insert tags of RTE fields in the back end preview (see #7428).
Fixed: Handle nested insert tags in strip_insert_tags().
Fixed: Correctly store the model in Dbafs::addResource() (see #7440).
Fixed: Send the request token when toggling the visibility of an element (see #7406).
Fixed: Always apply the IE security fix in the Environment class (see #7453).
New: Added the CSS units vw, vh, vmin and vmax (see #7417).
Fixed: Replace leafo/lessphp with oyejorge/less.php (see 7012).
Fixed: Show the correct root icon in the page/file picker (see #7409).
Fixed: Add an empty option to the image size select menu (see #7436).
Fixed: Nest wrapper elements in the back end preview (see #7434).
Fixed: Correctly handle archives being part of multiple RSS feeds (see #7398).
Fixed: Correctly handle 0 in utf8_convert_encoding() (see #7403).
Fixed: Send a 301 redirect to forward to the language root page (see #7420).
Fixed: Handle SVG images in the default back end uploader.
New: Pass the parent ID of a page to the navigation template (see #7391).
Improved: Support the "min", "max" and "step" attributes on number fields (see #7363).
Improved: Show the database query duration in debug mode (see #7323).
New: Added the "executeResize" hook (see #7404).
Fixed: Handle disabled modules in the module loader.
New: Support responsive images and the element (see #7296).
New: Added the "compareThemeFiles", "extractThemeFiles" and "exportTheme" hooks.
Improved: Use the image meta data in Controller::addEnclosuresToTemplate() (see #6746).
New: Add the dir="rtl" attribute if the page language is RTL (see #7171).
Improved: Export .sql files in the theme folder and allow to reimport them (see #7048).
Changed: Do not mark pages as active if there are query parameters (see #7189).
Changed: Use addImageToTemplate() in the ContentHyperlink class (see #7296).
Changed: Removed the H2 sub-headlines in the back end (see #7248).
Improved: Only create one DcaExtractor instance per table (see #7324).
Improved: Add a CSS class indicating the number of columns in a gallery (see #7138).
Improved: Allow to switch between the page and file picker in TinyMCE (see #6974).
Improved: Show a message if logging in is required to comment (see #7031).
New: Added the "sendNewsletter" hook (see #7222).
Improved: Make the pagination template more flexible (see #7174).
Improved: Limit the selectable file types depending on the element type (see #7003).
New: Prevent timing attacks when verifying passwords (see #7115, #5853).
Changed: Hide the "start" and "stop" fields if an element is not published (see #7148).
New: Support the backlink configuration setting in the parent view (see #7083).
New: Added a regex to check for nonnegative natural numbers (see #4392). This also includes the "minval" and "maxval" flags to specify a miminum or maximum value.
Improved: Optionally hide files without matching meta data in downloads (see #6874).
New: Preserve the original CSS ID and classes in the alias elements (see #6638).
Improved: Do not directly query the INFORMATION_SCHEMA database (see #7302).
New: Added the "doNoTrim" flag to the Widget class (see #4287).
Improved: Support simple tokens in registration and lost password mails (see #7101).
Changes: Consider the options array in Model::countBy() (see #7033).
New: Support SVG and SVGZ images (see #7108, #5908).
Changed: Move the mime types array to a configuration file (see #6843).
New: Added the sort flag to the eval section of the DCA (see #4072).
New: Added the "onundo_callback" (see #7258).
Improved: Consider the values of referenced fields in the back end search (see #4376).
New: Add an option to export style sheets (see #7049).
New: Added widget-* CSS classes to front end form fields (see #7041).
Improved: Make the loading order of the style sheets configurable (see #6937).
Removed: Remove the rel="author support (see #7291).
New: Added $item['isTrail'] to the navigation menu templates (see #7096).
Improved: Handle data- and ng- attributes in Widget::addAttributes() (see #7095).
Changed: Add the class "tableless" to the member_ templates (see #7207).
Improved: Added the |async flag to $GLOBALS['TL_JAVASCRIPT'] (see #7172).
New: Added the "link_name" insert tag (see #7218).
Improved: Simplify the "member_grouped" template (see #7015).
Changed: Make the front controller classes overwritable.
3 November 2014 - 43MBThis release fixes the incomplete output of the submit button markup as well as the handling of insert tags in page names and titles. In addition, several JavaScript plugins have been updated.
What's New
Fixed: Always pass a DC object in the toggleVisibility callback (see #7314).
Fixed: Correctly render the "read more" and article navigation links (see #7300).
Fixed: Fix the markup of the form submit button (see #7396).
Fixed: Do not generally remove insert tags from page titles (see #7198).
Fixed: Consider the useSSL flag of the root page when generating URLs (see #7390).
Fixed: Correctly create the template object in BaseTemplate::insert() (see #7366).
Fixed: Fixed the FAQ sorting in the back end (see #7362).
Fixed: Added the Widget::__isset() method (see #7290).
Fixed: Correctly handle dynamic parent tables in the DC_Table driver (see #7335).
Fixed: Correctly shortend HTML strings in String::substrHtml() (see #7311).
Fixed: Updated swipe.js to version 2.0.1 (see #7307).
Fixed: Use an .invisible class which plays nicely with screen readers (see #7372).
Fixed: Handle disabled modules in the module loader (see #7380).
Fixed: Fixed the "link_target" insert tag.
Fixed: Correctly mark CAPTCHA fields as mandatory (see #7283).
Fixed: Fix the Database::list_fields() method (see #7277).
Fixed: Correctly assign "col_first" and "col_last" in the image gallery (see #7250).
Fixed: Set the correct path to TCPDF in system/config/tcpdf.php (see #7264).
Updated: Updated TinyMCE to version 4.1.6 and added the "lists" plugin (see #7349).
Updated: Updated MooTools to version 1.5.1 (see #7267).
Updated: Updated the ACE editor to version 1.1.6 (see #7278).
(större version) 8 September 2014 - 43MB120 tickets and pull requests have been completed during the 4 months of development and the following 2 months of testing.
What's New:
Fixed: Correctly show the comments in the "comments" element (see #7040).
Fixed: Correctly store the file selection in "edit multiple" mode (see #7028).
Update: Update Compass to version 0.12.6.
Fixed: Improve the UUID validation to prevent false positives (see #7010).
Fixed: Correctly sort by date in the listing module (see #5609).
Fixed: Fix the back link in the "single article" view (see #6955).
Fixed: Never cache insert tags if the output is not used on the website (see #7018).
Fixed: Strip forbidden HTML tags in the markdown content element (see #7021).
Fixed: Prevent parallel execution of the new command line scripts.
Fixed: Also set the sql_mode in the MySQLi driver (see #6996).
Fixed: Purge the script cache if a style sheet is edited (see #7005).
Fixed: Disable the maintenance screen if a back end user is logged in (see #7009).
Fixed: Correctly set the textarea value in the template (see #6995).
Fixed: Make sure the security questions gets always generated (see #6990).
Fixed: Do not use date_default_timezone_get() in the configuration file (see #6989).
Fixed: Correctly generate absolute URIs in Controller::generateFrontendUrl().
Fixed: Fix the link button padding (a.tl_submit).
Update: Update TinyMCE to version 4.0.26.
Fixed: Correctly set and explain the page title field (see #6953).
Fixed: Correctly show the template sources (see #6875).
Fixed: Support input tags without a "type" attribute in the CSS framwork (see #6902).
Fixed: Import the tinymce.css style sheet in TinyMCE (see #6970).
Fixed: Catch Swift exceptions when sending form data via e-mail (see #6941).
Fixed: Try all locale variations when loading TinyMCE (see #6952).
Fixed: Correctly overwrite the article template (see #6938).
Fixed: Correctly wrap long labels in the tree view (see #6954).
Fixed: Correctly add the WAI-ARIA attributes (see #6217).
New: Allow to override the default form field template (see #4547).
Changed: Only pass the current form data to the "processFormData" hook (see #6705).
New: Add a DropZone-based file uploader (see #6064).
New: Add permissions to import and export themes (see #5835).
Improved: Make the fields of the meta wizard configurable in the DCA (see #4327).
Improved: Also show the preview image when editing multiple files (see #6643).
Improved: Show the file location below the "name" field in the file manager (see #6503).
Improved: Add some basic WAI-ARIA attributes to the navigation menu (see #6217).
Improved: Automatically convert file paths in TinyMCE into insert tags (see #5965).
Changed: Move the custom layout section markup into template files (see #6531).
Improved: Move the form field markup into the template files (see #6834).
New: Add template inheritance and template insertion (see #6508 and #6934).
New: Add a flexible back end theme.
Update: Update colorbox to version 1.5.8.
Update: Update mediaelement.js to version 2.14.2.
Update: Update jQuery to version 1.11.0 and jQuery UI to version 1.10.4.
Update: Update the color picker to version 1.4.
Changed: Use the "bootstrap" theme for the date picker (see #6692).
Update: Update the back end date picker to version 2.2.0.
Update: Update ACE to version 1.1.3.
Improved: Use the widget attributes instead of the DCA in the picker widgets (see #6881).
Improved: Enable the interlace bit when creating image thumbnails (see #6529).
Improved: Assign articles to layout sections with an article module only (see #6094).
New: Add the "parseDate" hook (see #4260).
New: Make the title tag configurable in the page layout (see #6783).
New: Add helper methods to generate markup depending on the output type: Template::generateStyleTag(), Template::generateInlineStyle(), Template::generateScriptTag(), Template::generateInlineScript(), Template::generateFeedTag()
New: Add the "customizeSearch" hook (see #5223).
New: Add a button to generate article aliases via "edit multiple" (see #6628).
New: Add a pagination menu at the listing bottom (see #6377).
Fixed: Only override element and module templates in the front end (see #6878).
Changed: Use the html5shiv-printshiv.js script in the front end (see #6293).
New: Added the "getLanguages" hook (see #6545).
Changed: Render the table summary as 'caption' tag in HTML5 (see #6295).
Changed: Also convert paths without delimiter in Combiner::fixPaths() (see #6417).
New: Add the "colorizeLogEntries" hook (see #5803).
New: Added an "oncut_callback" and "oncopy_callback" to DC_Folder (see #6814).
Improved: Support optional dependencies in the module loader (see #6835).
New: Mark the beginning and end of each template in debug mode (see #6841).
New: Added the insert tag flags "urlencode" and "rawurlencode" (see #6859).
Improved: Add files and folders to the database in details view (see #6880).
New: Add version control for editable files.
New: Add a configurable "viewport" field to the page layout (see #6251).
New: Split the layout builder CSS code into a static and a responsive style sheet, so the responsive behaviour can be disabled (see #6251).
New: Added more static convenience methods to the Config class: set(): temporarily set a configuration value, presist(): permanently store a configuration value, remove(): permanently remove a configuration value, A static get() method has been available already.
Update: Update TinyMCE to version 4.0.20 (see #1495).
New: Handle .scss and .less files in the Combiner. This also allows to add SCSS or LESS files as external style sheets to the page layout.
New: Allow to override the default module or content element template (see #4547).
Improved: Create a new version if a member changes their data in the front end.
Improved: Shorten the file paths in the FileTree widget (see #6488).
Improved: Hide the details page link in the listing module if the details page condition is not met (see #6332).
New: Make the file system synchronization available on the command line (see #6815).
New: Make the Automator methods available on the command line (see #6815).
Changed: Moved the asset version constants to $GLOBALS['TL_ASSETS'] (see #5759).
New: Added a "preview front end as member" button (see #6546).
Changed: Hide forward pages if they point to unpublished target pages (see #6376).
Changed: Only enable the debug mode in the FE if there is a BE user (see #6450).
Changed: Do not require MooTools or jQuery for the command scheduler (see #6755).
Changed: Use the new Google Universal Analytics code snippet (see #6103).
Improved: Add $parent as fourth parameter to the "compileDefinition" hook (see #6697).
Update: Update TCPDF to version 6.0.062.
Changed: Enable the maintanance mode by default (see #6758).
New: Added a markdown content element (see #6052).
Changed: Merged the "newsarchive" and "newsarchive_empty" templates (see #6647).
Changed: Make the following functions public static (see #6351): Controller::getArticle, Controller::getContentElement, Controller::getForm, Controller::getFrontendModule
New: Support editing the front end preview page via the "url" parameter (see #6471).
Improved: Do not combine .js and .css files when running in debug mode (see #6450).
New: Added a DcaLoader class to decouple the DCA loading process (see #5441). DCAs can now be loaded anywhere using Controller::loadDataContainer().
Changed: Convert slashes to hyphens in the standardize() function (see #6396).
Improved: Add a getModel() method to modules, elements and hybrids (see #6492).
Improved: Support the "HAVING" command in the Model\QueryBuilder class (see #6446).
Changed: Use class constants for BackendUser::isAllowed().
Bugs fixed since 3.3.0:
Fixed: Convert insert tags before assigning the page title to the template (see #7097).
Fixed: Correctly render images in TinyMCE in the newsletter module (see #7089).
Fixed: Add the media query to the style sheets in debug mode (see #7070).
Fixed: Disable the debug mode in the extension creator (see #7068).
Fixed: Convert image source insert tags in the back end preview (see #7065).
Fixed: Render all root nodes in the page and file picker (see #6844).
Fixed: Add the "scssphp-compass" library to support Compass functions.
Fixed: Support adding multiple TinyMCE instances to the same page (see #7061).
Fixed: Grant access to static files inside the vendor folder.
Fixed: Do not make the FormRadioButton options an array (see #7060).
Fixed: Support adding ACE and TinyMCE in subpalettes (see #7056).
Fixed: Only use the DropZone uploader where Ajax uploads can be processed (see #7046).
Fixed: Make the viewport field 255 characters long (see #7050).
Fixed: Restore the "submit_container" class in the FormSubmit widget (see #7055).
Fixed: Correctly generate the CSS classes of the FormSelectMenu widget (see #7045).
Fixed: Use a more precise UUID detection in the FilesModel class (see #7054).
Fixed: Use pack() instead of hex2bin() to be compatible with PHP 5.3 (see #7010).
Fixed: Restore permission to delete root pages for admin users (see #7135).
Fixed: Pass the file IDs instead of their UUIDs to the file picker (see #7139).
Fixed: Correctly handle double quotes in comments (see #7102).
Fixed: Ignore hidden files when building the internal cache (see #7098).
Fixed: Correctly pass the insert ID of the undo record (see #6234).
Fixed: Update the vendor libraries (fixes various issues).
Fixed: Do not output an empty label tag (see #7249).
Fixed: Allow floating point numbers in "number" input fields (see #7257).
Fixed: Do not adjust the start time of past events (see #7121).
Fixed: Reset the image margins if it exceeds the maximum image size (see #7245).
Fixed: Reset $blnPreventSaving when a model is cloned (see #7243).
Fixed: Do not reload after storing CURRENT_ID in the session (see #7240).
Fixed: Correctly validate the page number of the versions menu (see #7235).
Fixed: Handle underscores in the Google+ vanity name (see #7241).
Fixed: Correctly handle the rem unit when importing style sheets (see #7220).
Fixed: Fix two issues with the extension repository theme.
Installatron:
Contao 3.3.5 has passed all tests. Earlier 3.3.x versions were not released due to failures upgrading from earlier versions.
(säkerhetsutgåvan) 14 Februari 2015 - 50MBThis bugfix release fixes a directory traversal vulnerability discovered by Arnaud Buchoux of Orange Consulting (see CVE-2015-0269).
The vulnerability allows logged in back end users to view files which are outside their file mounts or the document root. It is, however, not possible to edit these files or to view their content. Upgrading is still highly recommended.
Changelog
Fixed a directory traversal vulnerability discovered by Arnaud Buchoux. See CVE-2015-0269 for more information.
23 Januari 2015 - 50MBThis bugfix release fixes several smaller issues including a date validation problem in the Widget class and a problem with a PHP warning in the front end in multi-domain mode.
Changelog
Fixed: Romanize style sheet names (see #7526).
Fixed: Add the username to the "account has been locked" log entry (see #7551).
Fixed: Consider the suhosin.memory_limit when raising the PHP limits (see #7035).
Fixed: Added two missing exclude flags in the tl_page data container (see #7522).
Fixed: Send an UTF-8 charset header in the die_nicely() function (see #7519).
Fixed: Correctly validate dates in the Widget class (see #7498).
Fixed: Back port the fixes from #7475 and #7473.
Fixed: Send the same cache headers for cached and uncached pages (see #7455).
Fixed: Fix the current() expects parameter 1 to be array issue (see #6739).
Fixed: Correctly replace the *_teaser insert tags (see #7488).
Fixed: Adjust the last and previous login labels (see #7426).
Fixed: Unset the postUnsafeRaw cache in Input::setPost() (see #7481).
3 November 2014 - 50MBThis release release fixes several issues, including a problem with the HTTPS URL generation and the display of the filter menus for tables with dynamic parent table. In addition, several JavaScript plugins have been updated.
What's New
Fixed: Always pass a DC object in the toggleVisibility callback (see #7314).
Fixed: Correctly render the "read more" and article navigation links (see #7300).
Fixed: Consider the useSSL flag of the root page when generating URLs (see #7390).
Fixed: Fixed the FAQ sorting in the back end (see #7362).
Fixed: Added the Widget::__isset() method (see #7290).
Fixed: Correctly handle dynamic parent tables in the DC_Table driver (see #7335).
Fixed: Correctly shortend HTML strings in String::substrHtml() (see #7311).
Fixed: Updated swipe.js to version 2.0.1 (see #7307).
Fixed: Use an .invisible class which plays nicely with screen readers (see #7372).
Fixed: Handle disabled modules in the module loader (see #7380).
Fixed: Fixed the "link_target" insert tag.
Fixed: Fix the Database::list_fields() method (see #7277).
Fixed: Correctly assign "col_first" and "col_last" in the image gallery (see #7250).
Updated: Updated MooTools to version 1.5.1 (see #7267).
Updated: Updated the ACE editor to version 1.1.6 (see #7278).
29 Augusti 2014 - 50MBThis bugfix release fixes several issues, including a problem with displaying recurring events and a problem with importing style sheets that use the "rem" unit.
Bugs Fixed:
Fixed: Allow floating point numbers in "number" input fields (see #7257).
Fixed: Do not adjust the start time of past events (see #7121).
Fixed: Reset the image margins if it exceeds the maximum image size (see #7245).
Fixed: Reset $blnPreventSaving when a model is cloned (see #7243).
Fixed: Do not reload after storing CURRENT_ID in the session (see #7240).
Fixed: Correctly validate the page number of the versions menu (see #7235).
Fixed: Handle underscores in the Google+ vanity name (see #7241).
Fixed: Correctly handle the rem unit when importing style sheets (see #7220).
Fixed: Fix two issues with the extension repository theme.
31 Juli 2014 - 50MBThis bugfix release fixes a range of smaller issues, including a problem with the CSS grid, which added too much margin to articles with offset.
Bugs Fixed:
Fixed: Use DOMDocument::loadXML() instead of DOMDocument::load() (see 7192).
Fixed: Specify the font size in rem for modern browsers (see #7209).
Fixed: Make sure the default language file is loaded in the DCA extractor (see #7202).
Fixed: Do not add unpublished FAQs to the XML sitemap (see #7210).
Fixed: Preserve new lines when replacing simple tokens (see #7178).
Fixed: Always prevent saving if PageModel::loadDetails() is executed (see #7199).
Fixed: Use === to compare password hashes (see #7175).
Fixed: Correctly mark GET parameters as used (see #7185).
Fixed: Correctly apply the "disabled" attribute to input unit fields (see #7147).
Fixed: Correctly check the permission to edit multiple files (see #7157).
Fixed: Correctly handle other MySQL character sets (see #7140).
Fixed: Correctly recognize Opera Mobile in the Environment class (see #5869).
Fixed: Fix the grid offset for articles (see #7166).
Fixed: Restore the basic entities in the source editor (see #7170).
Fixed: Correctly build the breadcrumb trail in the style sheets module (see #7132).
Fixed: Do not associate the "use SSL" option with sitemaps only (see #7163).
Fixed: URL encode the pipe character in the Google web font URL (see #7120).
Fixed: Handle double quotes in the title attribute of the element (see #7124).
Fixed: Use the save_callback when generating multiple aliases (see #7114).
Update: Update SwiftMailer to version 5.2.1 (see #7110).
Fixed: Correctly handle double quotes in comments (see #7102).
Fixed: Ignore hidden files when building the internal cache (see #7098).
Fixed: Correctly pass the insert ID of the undo record (see #6234).
2 Juli 2014 - 50MBThis bugfix release restores the PHP 5.3 compatibility of the listing module, fixes an issue with exporting binary data in the themes module and corrects the cursor display in the ACE editor.
Bugs Fixed:
Fixed: Replace insert tags in external redirect targets (see #6765).
Fixed: Also apply the font settings to the ACE element (see #7103).
Fixed: Show the placeholder image in the "edit file" dialog if the original image exceeds the maximum dimensions supported by the GD library (see #7032).
Fixed: Preserve whitespace before 'textarea' tags when minifying code (see #7087).
Fixed: Restore the PHP 5.3 compatibility of the listing module (see #7078).
Fixed: Do not offer to drop tables or fields if the safe mode is active (see #7085).
Fixed: Correctly detect binary fields during theme export (see #7079).
Fixed: Make $this->locationLabel available in the event list (see #7030).
Fixed: Correctly set the root page title (see #7023).
Fixed: Only show the sort hint if there is more than one element (see #6935).
Fixed: Try to raise the PHP limits upon file synchronization (see #7035).
21 Maj 2014 - 43MBThis bugfix release fixes issues with file names containing special characters and improves the file synchronization and the handling of binary fields during theme import. Also, the following plugins have been updates: Swipe, ACE, Datepicker, MooTools
Bugs Fixed:
Fixed: Correctly urlencode folder names in the file manager (see #6925).
Fixed: Allow for up to 13 characters in Validator::isEmail() (see #6950).
Fixed: Only fall back to the default option if there is no POST data (see #6899).
Fixed: Do not override the event start time in Events::addEvent() (see #6701).
Fixed: Correctly detect binary fields during theme import (see #6852).
Fixed: Do not urldecode twice in DC_Folder (see #6840).
Fixed: Standardize the fallback behavior of the downloads/gallery element (see #6662).
Fixed: Correctly hide duplicated elements in the module wizard (see #6826).
Fixed: Fix the mediabox "imgBackground" option (see #6866).
Fixed: Strip double quotes in the options wizard (see #6919).
Fixed: Strip the insert tag flags before passing the tag name to the hooks (see #6860).
Fixed: Catch Swift exceptions when sending form data via e-mail (see #6941).
Fixed: Check for reserved article aliases before validating the alias name (see #6978).
Fixed: Store the UUID of uploaded files in the session (see #6986).
Fixed: Only assume a moved file or folder for new resources (see #6907).
Fixed: Correctly strip the file extension in the File class (see #6968).
Fixed: Remove the menu when Swipe.kill() is executed (see #6861).
Fixed: Consider the protocol when embedding YouTube videos (see #6900).
Changes:
Update: Update the back end date picker to version 2.2.0.
Update: Update MooTools to version 1.5.0 (see #6924).
(säkerhetsutgåvan) 7 April 2014 - 43MBThis bugfix release fixes a critical security hole in the install tool, which allows to execute arbitrary code on the server.
Bugs Fixed:
Fixed a critical vulnerability of the install tool (see #6855).
Filter disabled groups in the registration module in the front end (see #6757).
Work around a bug in SimplePie with the "skip items" option (see #6107).
Fix the Swipe "continuous" option if there are exactly two slides (see #6812).
Apply addslashes() to strings in the Config class (see #6808).
Do not empty all fallback fields in sorting mode 4 (see #6498).
Do not allow template names to be longer than the DB fields (see #6819).
Correctly set the start time of a multi-day event (see #6802).
Correctly handle OR queries in the listing module (see #6344).
Use a monospaced font for the plain text newsletter preview (see #6790).
Adjust the vScrollTo() offset if the paste hint is visible (see #6478).
12 Mars 2014 - 43MBThis bugfix release fixes several minor problems, e.g. the broken "continuous" support of the content element slider or the sorting of the elements of the page/filetree widget in "edit multiple" mode.
Bugs Fixed:
Fixed: Add the "href" values for active breadcrumb menus to the template (see #6796).
Fixed: The file/page tree widget did not work properly in "edit multiple" mode (#6788).
Fixed: Preserve the referer ID when clicking the "switch to edit" button (see #6127).
Fixed: Encode e-mail addresses in the "explanation" form field (see #6771).
Fixed: Use a placeholder image if no thumbnail can be created (see #6754).
Fixed: Pass additional arguments to the "replaceInsertTags" hook (see #6672).
Fixed: Correctly initialize the Session class (see #6747).
Fixed: Do not use Input::setGet() in the event modules (see #6733).
Fixed: Correctly shorten the CSS background property (see #6709).
Fixed: Do not use UNION SELECT when searching for parent pages (see #6704).
Fixed: Disable zlib.output_compression when sending files to the browser (see #6717).
Fixed: Consider the event time in the event list module (see #6719).
Fixed: Make the newsletter recipient address available in the template (see #5782).
Fixed: Correctly handle Unicode characters in Validator::isGooglePlusId (see #6707).
Fixed: Fixed the arguments of two CalendarEventsModel methods (see #6781).
Fixed: Pass the "tableless" flag to the "form_message" template (see #6772).
Fixed: Update the swipe.js script so the "continuous" option works (see #6762).
Fixed: Improve the Search::removeEntry() method (see #6785).
Fixed: Correctly set the cookie path in the front mode in debug mode (see #6723).
Fixed: Point to Frontend::addToUrl() in front end templates (see #6736).
Fixed: Do not stop the cron job execution after the first interval.
(säkerhetsutgåvan) 13 Februari 2014 - 43MBThis bugfix release fixes another security hole related to the PHP object injection vulnerability, which was still exploitable in the Contao back end in version 3.2.5.
Bugs Fixed:
Further harden the deserialize() function and the Input class (see #6724).
(säkerhetsutgåvan) 3 Februari 2014 - 43MBThis bugfix release fixes a potential PHP object injection vulnerability (thanks to Pedro Ribeiro). The vulnerability exists, because POST data is passed to the deserialize() function, which was the case in the core multiple times. However, we were not able to exploit the vulnerability if the POST data was accessed via the Contao Input class. This does not mean that it cannot be accomplished though.
Bugs Fixed:
Correctly load the parent pages in the navigation modules (see #6696).
Correctly encode URLs with GET parameters in the syndication links (see #6683).
Do not pass POST data to the deserialize() function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input (see #6695).
Allow any character in passwords, especially the less-than symbol (see #6447).
Purge the image cache if a file is being renamed (see #6641).
Preserve tags in custom CSS definitions (see #6667).
Make the swipe CSS selectors more specific (see #6666).
Correctly optimize floating-point numbers in style sheets (see #6674).
20 Januari 2014 - 43MBThis bugfix release fixes an issue with resolving module dependencies and a problem with assigning articles to layout sections. Also, the Environment class now correctly detects Android tablet devices.
Bugs Fixed:
Updated the Russian translation of the TinyMCE "typolinks" plugins (see #6224).
Do not create multiple stylect layers upon Ajax changes.
Some DCAs were missing the "rem" unit (see #6634).
Correctly trim the SQL statements in the Database class (see #6623).
Fix some broken back end icons (see #6214).
Show a hint in the news archive menu if there are no items (see #5888).
Prevent the back end tool tips from exceeding the screen width (see #6639).
Support the Google+ vanity name in addition to the numeric ID (see #6454).
Correctly detect Android tablets in the Environment class (see #5869).
Correctly resolve the module dependencies (see #6606).
Correctly unset the PHP session cookie depending on its parameters.
Fixed the XHTML variant of the comments form (see #5675).
Correctly assign articles to columns (see #6595).
Correctly merge the CSS classes in the Hybrid class (see #6601).
(större version) 20 December 2013 - 43MB140 tickets and pull requests have been completed during the 4 months of development and the following 2 months of testing. Läs mer: http://contao.org/en/news/contao-3_2_0.html
3.1.5
8 November 2013 - 43MBThis bugfix release fixes an issue with the PDF export and with duplicating members.
Changelog:
Fixed: Correctly handle shorthand byte values (see #6345).
Fixed: Also update the sitemap if a news/event feed is updated (see #5727).
Fixed: Correctly sort by date in the listing module (see #5609).
Fixed: Correctly handle the autologin key if a member is duplicated (see #5945).
28 September 2013 - 43MBThe bugfix release fixes a potential data inconsistency issue when using models, which can be caused by the result cache.
The result cache has been removed entirely to fix the issue, which renders the methods executeUncached() and executeCached() deprecated. They only remain available as alias for the execute() method for reasons of backwards compatibility.
Changelog:
Changed: Drop the database query cache (see #6070). This renders executeUncached() and executeCached() deprecated. Use execute() instead.
Fixed: Consider the additional arguments in Frontend::jumpToOrReload() (see #5734).
Fixed: Prevent article aliases from using reserved names (see #6066).
Fixed: Correctly update the RSS feeds if a news item or event changes (see #6102).
Fixed: Correctly link to news and calendar feeds via insert tag (see #6164).
Fixed: Make the CSS ID available in the custom navigation module (see #6129).
Fixed: Do not cache the "toggle_view" insert tag (see #6172).
Fixed: Unset the primary key if a model is deleted (see #6162).
Fixed: Support tel: and sms: upon IDNA conversion (see #6148).
Fixed: Apply the width and height to the audio player as well (see #6114).
Fixed: Do not exit after a template has been output (see #5570).
Fixed: Handle all possible errors when uploading files (see #5934).
28 Augusti 2013 - 43MBThis bugfix release fixes issues with the output of IDNA domain names as well as two issues with the back end user interface (referer management and file picker). Also, the HTML5 form types "date", "time" and "datetime" are no longer used.
Changelog:
New: Added the Czech typolinks translations (thanks to ShiraNai7) (see #6051).
Fixed: Add the global date format in PageModel::loadDetails() (see #6104).
Fixed: Do not override the referer upon Ajax requests (see #5956).
Fixed: Fixed the content slider in IE < 9 (see #5878).
Fixed: Do not set a database driver by default (see #6088).
Fixed: Decode punycode domains in the listing module (see #5946).
Fixed: Show all themes a template is defined in (see #6071).
Fixed: Do not add the domain name twice in redirectToFrontendPage() (see #6076).
Fixed: Use the currentLogin field to sort users by their last login (see #5949).
Fixed: Fix the offset handling in the CSS grid (see #5943).
Fixed: Do not use the date, time and datetime input types (see #5918).
Fixed: Show tooltips for selected single images in the file picker (see #6031).
Fixed: Correctly synchronize if a sub folder is selected (see #5979).
Fixed: Correctly handle password which are longer than 64 characters (see #6015).
Fixed: Added missing Vietnamese characters to the UFT8 mapper (see #6010).
Fixed: Decode entities in the page and file pickers (see #5989).
Fixed: Ensure that the default user and group are integer values (see #6017).
Fixed: Added an option to purge the search cache (see #6041).
Fixed: Preserve the repository tables when importing a theme (see #6037).
Fixed: Pass the module to getAttributesFromDca() in the registration and personal data module classes (see #6002).
Fixed: Validate the e-mail address when creating an admin user (see #6003).
Fixed: Fix the newslist pagination count (see #5997).
Fixed: Make the GD image max width and height parameters mandatory (see #5940).
Fixed: Replace all insert tags when exporting a page as PDF (see #5990).
Fixed: Correctly validate the options in Widget::isValidOption() (see #5951).
Fixed: Decode IDNA domains in any system mail (see #5932).
Fixed: Store integers bigger than PHP_INT_MAX as string (see #5939).
Fixed: Fix the alignment of the versions menu in IE (see #5962).
Fixed: Do not cache the result of Model::count*() (see #5973).
Fixed: Added some missing office file extensions to the configuration (see #6021).
Fixed: Fixed the "indexPage" hook (see #5967).
Fixed: Do not copy the autologin hash when duplicating members (see #5945).
Fixed: Added .svgz support to the default .htaccess file (see #5938).
Install: Fixed the "Content" option to install correctly on newer versions of PHP. Blank installs and older versions of PHP were not affected.
3.1.1
25 Juni 2013 - 43MBThis bugfix release fixes several plugin issues, including the missing slider support in IE8, the wrong generation of the CSS3PIE file path and the wrong assignment of the dollar function to jQuery instead of MooTools.
In addition, the subscribable newsletter channels when editing users (back end) and members (front end) are now displayed correctly again. Läs mer: http://contao.org/en/news/contao-3_1_1.html
3.1.0
(större version) 21 Maj 2013 - 43MBAccording to the new time-based release schedule, the first minor update of Contao 3 has been published today. 217 tickets and pull requests have been completed during the four months development phase and the following two months testing phase.
There is one thing which you have to change manually: if your website uses sortable tables, you have to add the moo_tablesort or j_tablesort template in the page layout, so the JavaScript sorting continues to work. Läs mer: https://contao.org/en/changelog/versions/3.1.html
3.0.6
21 Mars 2013 - 43MBThis bugfix release fixes several issues, including the users' page and file mounts not being set correctly and the members' home directories not being created upon registration.
The relative path to the website (websitePath) is now stored separately in the system/config/pathconfig.php file instead of the local configuration file for technical reasons.
The local configuration file is now loaded twice again, before and after the module configuration files are loaded. This corresponds to the Contao 2.11 behaviour.
Fixed: Do not add links to news, events, FAQs or newsletters to the sitemap if the target page has not been published (see #5520).
Fixed: Include the local configuration file twice, once before and once after the module configuration files are parsed (see #5490). This will make settings like the debug or safe mode work properly.
Fixed: Correctly set the RSS feed self-reference (see #5478).
Fixed: Remove and from RSS and Atom feeds (see #5473).
Fixed: Do not remove the grid column margin on mobile devices (see #5475).
Fixed: Store the relative path to the installation in the pathconfig.php (see #5339).
Fixed: Correctly send the comment moderation mails (see #5443).
Fixed: Correctly create the user home directory upon registration (see #5437).
Improved: Made the .htaccess files Apache 2.4 ready (see #5032).
Fixed: Also truncate opened files in File::truncate() (see #5459).
Fixed: Added the "allowTransparency" attribute to the mediabox script (see #5077).
Fixed: The submit button label was not shown in the FormSubmit widget (see #5434).
Fixed: Show invisible elements in the back end preview (see #5449).
Fixed: Allow to create forward pages without a specific target (see #5453).
Fixed: Updated the TinyMCE typolinks plugin (see #5329).
Fixed: Correctly initialize the user's pagemounts (see #5454).
Fixed: Support loading static JavaScripts in the config.php files (see #4890).
Fixed: Show all articles if the article list module is in the same column (see #5373).
Fixed: Do not show mail_ templates from theme folders (see #5379).
Fixed: Consider only published events when finding the calendar boundaries and only render the previous and next links if there are events (see #5426).
Fixed: Do not override the header and footer height in the layout builder (see #5368).
Fixed: Correctly reset fallback, default and "do not copy" fields (see #5252).
19 Februari 2013 - 33MBThis bugfix release fixes the issue with duplicating elements with their child elements, adds the missing .ogg support and improves the stability of the database-assisted file system. Also, all vendor libraries have been updated.
This bugfix release also fixes the issue with the language files not being loaded correctly in 3.0.4.
Uncached model relations
Analogous to the option to load models uncached, you can now load model relations uncached, too.
8 Januari 2013 - 33MBThis bugfix release includes a fix for the issue with the inadvertently duplicated content elements and improved the compatibility of the database-assisted file system. This bugfix release also fixes the install routine which did not work on fresh installations in Contao 3.0.2.
Database-assisted file system
Image galleries and download elements can now use the user's home directory as source again
Newsletter attachments are sent correctly again
The database is updated if a file is uploaded in a front end form
Content element visibility
Modules and forms included via content element now consider the visibility settings of the content element. Before version 3.0.2, those resources were always visible.
Enclosure download
If a page contains multiple elements with enclosures, these enclosures could not be downloaded under certain circumstances. This issue has been fixed in Contao 3.0.2.
29 November 2012 - 33MBThis bugfix release fixed a couple of issues, including that page alias names could not contain Unicode characters anymore.
Also, with version 3.0.1 we have removed the automatic copyright notice in the front end according to the announcement of November 8th, 2012 and replaced it with a meta generator tag. Läs mer: https://contao.org/en/news/contao-3_0_1.html
3.0.0
(större version) 31 Oktober 2012 - 33MB
2.11.13
19 November 2013 - 32MBThis bugfix release fixes the issue with extensions not being sorted correctly on some file systems.
Fixed: Sort the list of available modules (see #6391).
Fixed: Decode entities in passwords (see #6252).
Fixed: Replace insert tags in the details view of the listing module (see #6120).
21 Mars 2013 - 32MBThis bugfix release fixes the issue with cookies having the wrong path and includes a TinyMCE update, so the editor works on IE7/8 again.
Fixed: Cast varchar date fields to int when selecting from the database (see #5503).
Fixed: Only unset POST variables if Widget::submitInput() returns true (see #5474).
Fixed: Strictly compare values when determining whether to save or not (see #5471).
Updated: Updated TinyMCE to version 3.5.8 (see #5329).
Fixed: Correctly show the "invalid date and time" error message (see #5480).
Fixed: Correctly split the words when adding to the search index (see #5363).
Fixed: Correctly load TinyMCE in IE7 and IE8 (see #5346).
Fixed: Send the correct cache headers in "client cache only" mode (see #5358).
Fixed: Remove the session of deleted or disabled users (see #5353).
Fixed: Correctly set the cookie paths (see #5339).
