Version 2.11.11 (2013-04-03)
----------------------------
### Fixed
Pass the style attribute to empty image gallery table cells (see #5485).
### Fixed
Do not override the website path in the default config file (see #5339).
Version 2.11.10 (2013-03-21)
----------------------------
### Fixed
Cast varchar date fields to int when selecting from the database (see #5503).
### Fixed
Only unset POST variables if `Widget::submitInput()` returns `true` (see #5474).
### Fixed
Strictly compare values when determining whether to save or not (see #5471).
### Updated
Updated TinyMCE to version 3.5.8 (see #5329).
### Fixed
Correctly show the "invalid date and time" error message (see #5480).
### Fixed
Correctly split the words when adding to the search index (see #5363).
### Fixed
Correctly load TinyMCE in IE7 and IE8 (see #5346).
### Fixed
Send the correct cache headers in "client cache only" mode (see #5358).
### Fixed
Remove the session of deleted or disabled users (see #5353).
### Fixed
Correctly set the cookie paths (see #5339).
This relase contains fix for CVE-2012-6112(TinyMCE), too.
Version 2.11.9 (2013-02-05)
---------------------------
### Fixed
Support numeric front end dates in the form generator (see #5238).
### Fixed
Support whitespace characters when parsing simple tokens (see #5323).
### Fixed
Allow to run multiple TinyMCE instances with different configurations on the
same page (thanks to Andreas Schempp) (see #4453).
### Fixed
Correctly trigger the "saveNewPassword" hook (see #5247).
### Fixed
Consider the `save_callback` of the password field in `tl_user` when a back end
user is forced to change his password (see #5138).
### Fixed
Do not group standalone lightbox elements on HTML5 pages (see #3742).
### Fixed
Anonymize IP addresses in `Form::processFormData()` (see #5255).
### Fixed
Replaced the 1200 pixel limit when resizing images with the values defined in
the system settings (see #5268).
### Fixed
Make sure there is an array in `Controller::generateMargin()` (see #5217).
### Fixed
More robust input validation in the back end filter menu and no more absolute
paths in error messages printed to the screen (thanks to aulmn) (see #4971).
### Fixed
Unset non-existing fields when restoring versions (see #5219).
Version 2.11.8 (2013-01-07)
---------------------------
### Fixed
Make sure entered dates map to an existing date (see #5086).
### Fixed
Fixed the MySQLi field count (see #5182).
### Fixed
The Date class should return `00:00` for `Date(0)->time` (see #4249).
### Reverted
Handle dependencies when updating extensions (see #3804).
### Fixed
Fixed the unprefixed CSS gradient output (see #4569).
### Fixed
Fixed a small formatting issue in the Music Academy theme (see #5160).
### Fixed
Show all extensions in the log when updating multiple at once (see #5144).
### Fixed
Standardize RSS feed aliases (see #5096).
### Fixed
Make the `FileUpload` constructor public (see #5054).
### Fixed
Use `isset()` in the `Database::fetch*()` methods (see #4990).
### Fixed
Changed the `System::getReadableSize()` algorithm to powers of two (see #4283).
### Fixed
Removed Tahiti and the Netherlands Antilles from the countries list (see #3791).
### Fixed
Also adjust the `be_navigation.html5` template to the new "getUserNavigation"
hook changes (see #3411).
Version 2.11.7 (2012-11-29)
---------------------------
### Fixed
Only execute runonce files after the DB tables have been created (see #5061).
### Fixed
Add an empty option in the TimePeriod widget if there are none (see #5067).
### Fixed
Handle auto_items in the `Frontend::addToUrl()` method (see #5037).
### Fixed
Do not use `specialchars()` in the "page" insert tag (see #4687).
### Fixed
Set the return path when sending e-mails (see #5004).
### Fixed
Handle border color names when importing style sheets (see #5034).
### Fixed
Prevent the "Illegal string offset" error in back end widgets (see #4979).
### Fixed
Handle dependencies when updating extensions (see #3804).
### Fixed
Switched all comments of the example website to "moderated" (see #4995).
### Fixed
Replaced the automatic copyright notice with a meta generator tag.
### Fixed
Remove HTML tags when overriding the page title (see #4955).
### Fixed
Decode entities in meta tags like "description" (see #4949).
### Fixed
Remove newsletter subscriptions when a member closes his account (see #4943).
### Fixed
Prevent deleting referenced content elements using "edit multiple" (see #4898).
### Updated
Updated SwiftMailer to version 4.2.1 (see #4935).
### Fixed
Set the file permissions depending on the server's umask setting (see #4941).
### Fixed
Correctly handle external image URLs in the image element (see #4923).
### Fixed
Fixed the too eager IP address anonymization (see #4924).
### Fixed
Fixed the automatic page alias generator (see #4880).
Version 2.11.6 (2012-09-26)
---------------------------
### Fixed
Correctly handle root pages in `Controller::getPageDetails()` (see #4610).
### Fixed
Consider the page language when forwarding (see #4841).
### Fixed
URL encode the enclosure URLs in RSS/Atom feeds (see #4839).
### Fixed
Also create empty templates folders if a theme is imported (see #4793).
### Fixed
Decode Punycode domains when used via insert tag (see #4753).
### Fixed
Correctly handle open tags in `String::substrHtml()` (see #4773).
### Fixed
Correctly handle units when importing style sheets (see #4721).
### Fixed
The mediabox plugin did not play Vimeo videos (see #4770).
### Fixed
Correctly align stylect menus in the form generator in the back end (see #4557).
### Fixed
Add a link if a news item or event points to an internal page (see #4671).
### Fixed
Wrap the MooTools fallback into CDATA tags on XHTML pages (see #4680).
### Fixed
Do not add a default value to textareas (see #4722).
### Fixed
Do not override the comments array in case login is required to comment,
otherwise no commets will be shown (see #4064).
It also fixes a little security problem of permission check about undo
processing.
Quote from release announce: http://www.contao.org/en/news/contao-2_11_5.html
The bugfix release fixes a couple of issues, including the SOAP
compression problem in PHP 5.4, the IDNA URL converting issue and
the TinyMCE relative URLs problem.
Fixes a critical privilege escalation:
http://www.contao.org/en/news/contao-2_11_4.html
Version 2.11.4 (2012-06-12)
* Fixed
Fixed a critical privilege escalation vulnerability which allowed
regular users to make themselves administrators (see #4427).
* Fixed
Support insert tags as external redirect target (see #4373).
* Updated
Updated the CSS3PIE plugin to version 1.0.0 (see #4378).
* Fixed
Re-applied the "autofocus the first field" patch (see #4297).
* Fixed
The pagination menu fix was missing in the listing, search and RSS reader
modules (see #4292).
* Fixed
Added the "required" attribute to the captcha input field (see #4247).
* Fixed
Correctly tell Google Analytics to anonymize the visitor's IP (see
#4290). Heads up: Adjust your moo_analytics templates accordingly!
* Fixed
Correctly align stylect menus in Safari and Opera (see #4284).
pkgsrc change: install .htaccess as configuration file with .htaccess.default
as an example.
* Fix permission checking problem of Task center.
* Provide improved .htaccess.default.
* Several bug fixes and improvements.
Security release.
Version 2.11.2 (2012-03-14)
---------------------------
### Fixed
Fixed an issue with the CSS3PIE url being incorrectly rewritten (see #4074).
### Fixed
Fixed a security vulnerability in the file manager which allowed back end users
to download files from the `tl_files` directory even if they were not mounted in
their profile (thanks to Marko Cupic).
### Fixed
Fixed a potential XSS vulnerability in the undo module (thanks to Oliver Klee).
The issue is not considered critical, because it requires the script tag to be
in the list of allowed HTML tags, which is not the case by default.
### Fixed
The IDNA convert class did not run under PHP 5.2 (see #4044).
### Fixed
Store the date added when creating an admin user upon installation (see #4054).
### Fixed
Purge the Zend Optimizer+ cache after writing the local configuration file.
### Fixed
The IDNA convert class did not run under PHP 5.2 (see #4044).
### Fixed
Inject error messages of checkbox and radio groups inside the fieldset, so they
can be associated with it (accessibility) and do not break the CSS formatting.
This change does not require any template adjustments (see #3392).
### Fixed
Correctly handle tabs and line breaks when importing CSV data (see #4025).
### Fixed
Event feeds did not show the date anymore (see #4026).
### Fixed
Preserve absolute URLs in style sheets in the Combiner (see #4002).
### Fixed
Support all kinds of keydown events in the stylect plugin, so options can be
selected by pressing the first key of their label (see #3812).
### Added
Added a separate version check for LTS releases.
### Fixed
Prevent the auto_item feature from generating duplicate content (see #4012).
### Fixed
Do not add the `language` parameter when forwarding to a page (see #4011).
### Fixed
The date picker in the back end did not work correctly due to MooTools failing
to parse dates correctly (see #3954).
### Fixed
The TinyMCE links popup failed under certain conditions (see #3995).
### Fixed
Correctly add the language to insert tag links (see #3983).
### Fixed
When creating an admin user in the install tool, the username was not validated
correctly (see #4006).
### Updated
Updated MooTools to version 1.4.5 which fixes a critical bug.
### Fixed
Relative URLs are now validated correctly (`'rgxp'=>'url'`) (see #3792).
### Fixed
Adjust the submit button height in Opera (see #3940).
### Fixed
The front end preview drop-down menu did not use the stylect plugin.
### Fixed
Use the Facebook sharer instead a third-party app (see #3990).
### Fixed
Preserve IE conditionals like `[if (lt IE 9) & (!IEMobile)]` when replacing
ampersands in the front end (see #3985).
### Fixed
Set the maximum length of `inputUnit` fields to 200 (see #3987).
### Fixed
If an image with a title was added to a text element, the lightbox did not show
the title anymore (see #3986).
### Fixed
The hyperlink element did not output the link title anymore (see #3973).
### Fixed
Send a 404 header and do not index or cache a page if there is a pagination menu
and the `page` parameter is outside the range of existing pages. Now that list
and reader modules can be shown on the same page, it is likely that those pages
will be cached. This fix prevents the search index and temporary directory from
being flooded with non-existing resources (such as `?page=100000`).
### Fixed
Fixed the module wizard so you can use the stylect menu of a duplicated element
without having to reload the page (see #3970).
### New
Added the Slovenian translation of the TinyMCE "typolinks" plugin (thanks a lot
to Davor) (see #3952)
### Fixed
Fixed the "getContentElement", "getFrontendModule" and "getForm" hooks, so they
pass the generated content to the callback function (see #3962).
### Fixed
Correctly handle pages with the alias name "index" (see #3961).
### Fixed
Patched the MooTools core script to fix the accordion effect (see #3956).
### Fixed
The slimbox style sheets are now compatible with the combiner.
* Multilingual website URLs
* Global style sheet variables
* Improved FAQ module
* News archive/Event list/FAQ list/ and each reader on the same page
* Disabling the CSS framework
* Make style sheets static
* Modified request token system
* Contao safe mode
* Autogenerated local configuration files
* Adding system messages
* Insert tag changes
* Website root pages are required
* Make ListView output a table
* Embed Google web fonts
* Advanced image crop modes
* Forced password change
* Privacy settings
* Updated plugins (not extension)
* New hooks
* New methods in the File/Folder class
* Remove some old function
