The major reason for releasing this version is the discovery of a potential JavaScript code injection attack, which has been corrected in the new release. Some other less serious errors have also been eliminated and a few extra features have been added.
The exhaustive list of changes can be viewed in the CHANGELOG file found in the root of your SPIP installation.
http://trac.rezo.net/trac/spip/brow...
And a simplified list of these changes is detailed here below for your reading pleasure:
- the SQL virtual server is updated following the unification of its error processing routines for all database ports (the PostgreSQL port in particular had been subject to numerous regressions);
- the management of multiple or multi-server SQL databases is now more consistent and intuitive;
- certain tags and functions with gaps have been corrected, specifically to make it possible to enable plugins with a tool other than the CFG plugin. This entails:
  - the #PLUGIN tag, which now supplies all of the information featured in the plugin.xml file;
  - the #URL_ECRIRE tag, which returns an empty string if its argument is an unavailable script;
  - the #ACTION_FORMULAIRE tag, whose first argument is equal to #ENV{action} by default;
  - the plugins_afficher_plugin_dist function, which automatically supplies a link to the configurer_NAME_OF_THE_PLUGIN script or template if there is one;
  - the maj_while function, which now knows how to update the tables used by a plugin;
  - the lire_meta, ecrire_meta and effacer_meta functions, which can be applied to meta data tables other than the standard table;
- the #INTRODUCTION tag now works for sections as it has always done for articles (it includes the #DESCRIPTIF field data);
- all of the LOGO_xxx tags now work according to the same standards: #LOGO_xxx{200, 0} produces the same as [(#LOGO_xxx|image_reduire{200, 0})]; #LOGO_DOCUMENT** returns the correct path to the thumbnail file;
- a single document can now be marked as being linked to several objects (articles, ...);
- correction of a bug found in complex CVT forms;
- output of statistics in CSV format;
- addition of the type='mime/type' attribute on [<emb1>->doc1] links;
- checking the status of an article when a status change is requested, in order to avoid re-proposing an article that is already published (#1932);
- in the event of a dead SQL connection, an old reusable cache must pass through gunzip;
- use the native json_encode() function when one is available;
- manage the session caches in flat format and no longer in a sub-directory; use the data in the cache rather than filemtime;
- correction of a major bug in the handling of header('HTTP/1.1 404 Not Found');
- improvement in the lignes_longues code, which introduced spaces willy-nilly;
- enable searching a forum by IP address, and display of all the links if they have been hacked with [style=position:relative left:-999px];
- a TEST mode: judiciously placed define() calls used to disable microblogs and the sending of emails;
- securing JavaScript code in the informer_auteur function (credit: Dotsafe);
- removal of the date check on articles which are really old (Mathieu Lopes);
- IPv6 compatibility for the IP field in the spip_forum table (Benjamin Sonntag);
- correction of a bug in lignes_longues used in the forums (multiple spaces introduced by error in the 2.1 release);
- the post_insertion pipeline, used in plugins for attaching objects pending the creation of the principal object in the database, plus correction of the pre_insertion pipeline for spip_auteurs;
- security on the declaration of external databases (Thomas Sutton);
- taking into account progid:DXImageTransform.Microsoft.AlphaImageLoader(src=...) in the CSS compressor;
- inclusion of function files when using the matrix;
- correction of the "W" bug in certain versions of Opera and IE which triggers the saving of the article currently being edited (#1940);
- reintroduction of accented characters in passwords (which were mangled when passed through sha256) (#1945);
- correction of the speed bug occurring when saving revisions (patch per device);
- correction of the form_hidden function with HTML URLs;
- administrators can once again change their email addresses without needing email confirmation (bug introduced in 2.1);
- emptying of the path cache for var_mode=recalcul even if the admin cookie has been lost;
- var2js is now compliant with json_encode;
- correction of the loss of context for "propre" or "arbo" URLs of the form article32.html;
- direction_css can be used on template CSS files (if the template has the .css.html file extension);
- the charger_filtre() function for loading and looking up a filter from PHP code;
- #PLUGIN{xxx,tout} enables the retrieval of all of the plugin's info (Eric);
- correction of a bug in indirect pagination when the pagination step is dynamically specified;
- notification calls on instituerbreve and instituersite.
Note also that if you are still using version 2.0, a new version has been generated to correct the security hole, which you can download here: http://files.spip.org/spip/archives...
See you again soon!
Ben, on behalf of the SPIP team