Version 3.0.5 (2013-02-19)
--------------------------
### Fixed
Removed the pixel unit from the video width and height attributes (see #5383).
### Fixed
Correctly load the language files (see #5384).
This relase contains fix for CVE-2012-6112(TinyMCE), too.
Version 3.0.4 (2013-02-14)
--------------------------
### Fixed
Correctly split the words when adding to the search index (see #5363).
### Fixed
If an eagerly loaded relation does not exist, return `null` instead of an empty
model in `Model::getRelated()` (see #5356).
### Fixed
Throw an exception if the file system and the database are out of sync and
show a meaningful error message (see #5101).
### Fixed
Return an associative array in `Model_Collection::fetchEach()` if the requested
field is **not** `id` (see #5134).
### Fixed
Make eagerly loaded "pageTree" fields mandatory again (see #4866).
### Fixed
Do not use forward pages as upper page in the book navigation (see #5074).
### Fixed
Correctly show the "empty news list" note (see #5304).
### Fixed
Correctly sort values by an external order field (see #5322).
### Fixed
Define the login status constants in the back end (see #4099, #5279).
### Fixed
Make sure the drag'n'drop hints do not overlay the field labels (see #5338).
### Fixed
Apply the color picker to single fields as well (see #5240).
### Fixed
Correctly close the SimpleModal overlay with the escape key (see #5297).
### Updated
Update TinyMCE to version 3.5.8 (see #5273).
### Fixed
Correctly check for nested arrays in `Widget::isValidOption()` (see #5328).
### Fixed
Preserve the order of multi source fields when exporting a theme (see #5237).
### Fixed
Also check whether the target exists when creating new folders (see #5260).
### Fixed
Load the core `autoload.php` files first (see #5261).
### Fixed
Support `null` as column default value in the DCA (see #5252).
### New
Added the `$blnDoNotCreate` option to the `Files` class, which makes the class
write to a temporary file first and then move it to its destination in one
atomic operation. This fixes some cache issues (see #5307).
### Fixed
Handle `@` blocks when importing style sheets (see #5250).
### Fixed
Show the newsletter list even if there is no jumpTo page configured in the
channel and show the enclosures in the newsletter reader (see #5233).
### Fixed
Added an option to load model relations uncached (see #5248, #5102). Also fixed
the `array_merge()` order so the default options can be overriden.
### Updated
Updated SimplePie to version 1.3.1 (see #5207).
### Updated
Updated SwiftMailer to version 4.3.0 (see #5263).
### Fixed
The jQuery accordion script did not work with minified markup (see #5245).
### Fixed
Removed the "spaceToUnderscore" option from all alias fields (see #5266).
### Fixed
The media content element now supports .ogg files (see #5282).
### Fixed
Do not rewrite requests for .mp3, .mp4, .webm or .ogv files (see #5258, #5284).
### Fixed
Correctly determin the last run of the command scheduler (see #5278).
### Fixed
Make the jQuery accordion behave like the MooTools version (see #5251).
### Fixed
Added support for more advanced media queries (see #5236).
### Fixed
Added the missing `UserGroupModel` class (see #5218).
### Fixed
Handle the case that `glob()` returns `false` (see #5226).
### Fixed
The table sorter did not work if jQuery and MooTools were active (see #5228).
### Fixed
Copy all content elements if pages are duplicated with childs (see #5241).
### Fixed
Added lazy template loading for newsletter mail templates.
Version 3.0.3 (2013-01-08)
--------------------------
### Fixed
Do not separate a style sheet with a font-face selector if the definition is
invisible or the media type of the style sheet is "all" (see #5216).
### Fixed
Looking for theme templates broke the install routine (see #5210).
### Fixed
Correctly handle empty newsletter channel selections.
* Hungarian and Slovenian language files are added, too.
Version 3.0.2 (2013-01-07)
--------------------------
### Fixed
Throw an error if FileTree or PageTree widgets are left blank although they are
marked as mandatory in the DCA (see #5131).
### Fixed
Modules and Hybrids included via content element were shown even if the content
element was invisible or not published (see #5203).
### Fixed
Do not try to limit the template selection to a particular theme but show all
available themes instead (see #5095).
### Fixed
Correctly build the comments subscription confirmation URL (see #5201).
### Fixed
Update the database if a file is being uploaded in the front end (see #5137).
### Fixed
Do not send a 404 header if an enclosure is requested and cannot be find by a
module; there might be another module which can (see #5178).
### Fixed
Consider the `save_callback` of the password field in `tl_user` when a back end
user is forced to change his password (see #5138).
### Fixed
Random images now open in the lightbox if configured (see #5191).
### Fixed
Find e-mail addresse like `a@b.com` in `String::encodeEmail()` (see #5175).
### Fixed
Make sure there is a minimal MooTools core version for the command scheduler
(see #5195).
### Fixed
Made `Model::getPk()` and `Model::getTable()` static (see #5128).
### Fixed
Do not move resources in the file manager if the targets exist. Otherwise the
database might get out of sync with the file system (see #5145).
### Fixed
Convert automatically generated article alias names if the page uses folder URL
style alias names (see #5168).
### Fixed
The newsletter system did not yet handle file ID attachments (see #5118).
### Fixed
The gallery and downloads element now support using the user's home directory
again (see #5113).
### Fixed
Added an option to load models uncached (see #5102).
### Fixed
Added support for `CURRENT_DATE`, `CURRENT_TIME` and `CURRENT_TIMESTAMP` to the
database installer (see #5089).
### Fixed
Store the whole database row in `Calendar::addEvent()` so e.g. RSS feeds with
the event text instead of just the teaser are being rendered (see #5085).
### Fixed
Purge the internal cache after a module has been (de)activated (see #5016).
### Fixed
Do not cache the `system/cron/cron.txt` file (see #5105).
### Fixed
Do not create content elements for news and events which redirect to articles,
pages or external URLs during the version 3 update (see #5117).
### Fixed
Handle incorrectly closed indexer comments (see #5119).
### Fixed
The table content element did not assign the correct CSS class names when there
was only one row and one column (see #5140).
### Fixed
Consider the dynamic ptable when copying/deleting content elements (see #5041).
### Fixed
Scan templates in the autoload creator even if there are no classes (see #5158).
### Fixed
Corrected the main column margin when using the layout builder in combination
with the responsive grid (see #5170).
### Fixed
Consider the sorting order of external style sheets (see #5038).
### Fixed
The numeric file mounts of a user were overridden by the real paths (see #5083).
Version 2.11.8 (2013-01-07)
---------------------------
### Fixed
Make sure entered dates map to an existing date (see #5086).
### Fixed
Fixed the MySQLi field count (see #5182).
### Fixed
The Date class should return `00:00` for `Date(0)->time` (see #4249).
### Reverted
Handle dependencies when updating extensions (see #3804).
### Fixed
Fixed the unprefixed CSS gradient output (see #4569).
### Fixed
Fixed a small formatting issue in the Music Academy theme (see #5160).
### Fixed
Show all extensions in the log when updating multiple at once (see #5144).
### Fixed
Standardize RSS feed aliases (see #5096).
### Fixed
Make the `FileUpload` constructor public (see #5054).
### Fixed
Use `isset()` in the `Database::fetch*()` methods (see #4990).
### Fixed
Changed the `System::getReadableSize()` algorithm to powers of two (see #4283).
### Fixed
Removed Tahiti and the Netherlands Antilles from the countries list (see #3791).
### Fixed
Also adjust the `be_navigation.html5` template to the new "getUserNavigation"
hook changes (see #3411).
Contao Open Source CMS 3.0.0 is new major release since Contao (as
TYPOlight) was publicly released.
Major changes from 2.11.
* Use PHP namespace and more flexible to extend.
* Improve performance with mapper class loader.
* Better support for mobile devices and responsive design
* Database supported file management and handling of file's meta data.
* jQuery support coexist with MooTools.
* Directories in URL path.
* HTML5 based audio/video player (also YouTube).
* Improve ease to use.
* Display of what has changed.
* Complete fix for CSRF.
Version 2.11.6 (2012-09-26)
---------------------------
### Fixed
Correctly handle root pages in `Controller::getPageDetails()` (see #4610).
### Fixed
Consider the page language when forwarding (see #4841).
### Fixed
URL encode the enclosure URLs in RSS/Atom feeds (see #4839).
### Fixed
Also create empty templates folders if a theme is imported (see #4793).
### Fixed
Decode Punycode domains when used via insert tag (see #4753).
### Fixed
Correctly handle open tags in `String::substrHtml()` (see #4773).
### Fixed
Correctly handle units when importing style sheets (see #4721).
### Fixed
The mediabox plugin did not play Vimeo videos (see #4770).
### Fixed
Correctly align stylect menus in the form generator in the back end (see #4557).
### Fixed
Add a link if a news item or event points to an internal page (see #4671).
### Fixed
Wrap the MooTools fallback into CDATA tags on XHTML pages (see #4680).
### Fixed
Do not add a default value to textareas (see #4722).
### Fixed
Do not override the comments array in case login is required to comment,
otherwise no commets will be shown (see #4064).
* Include contao/Makefile.common from contao/Makefile.example.
* Add code some fragment tward to Contao 3.0 support.
* Add CT_VERBASE to use COMMENT.
* Use CT_FILES to Contao's files directory name.
It also fixes a little security problem of permission check about undo
processing.
Quote from release announce: http://www.contao.org/en/news/contao-2_11_5.html
The bugfix release fixes a couple of issues, including the SOAP
compression problem in PHP 5.4, the IDNA URL converting issue and
the TinyMCE relative URLs problem.
Fixes a critical privilege escalation:
http://www.contao.org/en/news/contao-2_11_4.html
Version 2.11.4 (2012-06-12)
* Fixed
Fixed a critical privilege escalation vulnerability which allowed
regular users to make themselves administrators (see #4427).
* Fixed
Support insert tags as external redirect target (see #4373).
* Updated
Updated the CSS3PIE plugin to version 1.0.0 (see #4378).
* Fixed
Re-applied the "autofocus the first field" patch (see #4297).
* Fixed
The pagination menu fix was missing in the listing, search and RSS reader
modules (see #4292).
* Fixed
Added the "required" attribute to the captcha input field (see #4247).
* Fixed
Correctly tell Google Analytics to anonymize the visitor's IP (see
#4290). Heads up: Adjust your moo_analytics templates accordingly!
* Fixed
Correctly align stylect menus in Safari and Opera (see #4284).
Security release.
Version 2.11.2 (2012-03-14)
---------------------------
### Fixed
Fixed an issue with the CSS3PIE url being incorrectly rewritten (see #4074).
### Fixed
Fixed a security vulnerability in the file manager which allowed back end users
to download files from the `tl_files` directory even if they were not mounted in
their profile (thanks to Marko Cupic).
### Fixed
Fixed a potential XSS vulnerability in the undo module (thanks to Oliver Klee).
The issue is not considered critical, because it requires the script tag to be
in the list of allowed HTML tags, which is not the case by default.
### Fixed
The IDNA convert class did not run under PHP 5.2 (see #4044).
Version 2.10.4 (2011-12-30)
---------------------------
- Fixed: the Environment class did not always return the correct script name
(#3603)
- Fixed: close the connection after sending a file to the browser (#3602)
- Fixed: the new Ajax cron trigger did not work in IE8 due to missing
Date.now() support (#3681)
- Fixed: do not block ressources required by the Google website preview in the
robots.txt file (#3688)
- Fixed: correctly update the cache after a new template has been created
(#3676)
- Fixed: correctly handle HTML comments in inline JavaScripts (#3696)
- Fixed: get the next autoincrement ID when importing a theme so deleted
themes can be restored (#3604)
- Fixed a few minor issues
Version 2.10.3 (2011-11-07)
---------------------------
- Fixed: the postLogin/Logout hooks broke the save() method of the model
(#3545)
- Fixed: the style sheet editor did not handle font-family/size:inherit
correctly (#3531)
- Fixed: MooTools changed the default wMode settings for Swiff (#3540)
- Fixed: the style sheet importer did not handle
border-color:transparent/inherit (#3480)
- Fixed: do not index empty news/event/FAQ/newsletter reader pages (#3511)
- Fixed: group labels were not always loaded correctly (#3591)
- Fixed: added a rename() workaround for Windows to the FileCache class (#3390)
- Fixed: the site structure was not ordered properly for non-admins (#3423)
- Fixed: custom layout sections were not displayed in "override all" mode
(#3460)
- Fixed a few minor issues
It is really fix the XSS problem.
Version 2.10.2 (2011-10-10)
---------------------------
- Updated: updated TinyMCE to version 3.4.6
- Fixed: do not remove slashes just because get_magic_quotes_gpc() exists
- Fixed: CSS units were not always applied when used with global variables
(#3464)
- Fixed: the task deadline field did not show the date picker (#3351)
- Fixed: do not return empty lines in the compileDefinition hook (#3440)
- Fixed: the TinyMCE spellchecker did not work anymore (#3487)
- Fixed: the regexp for validating phone numbers accepted invalid values
(#3493)
- Fixed: added the new HTML5 elements to the valid TinyMCE tags (#3479)
- Fixed: the style sheet generator did not support absolute URLs (#3512)
- Fixed: fixed a potential XSS vulnerability (thanks to sschurtz)
- Fixed a few minor issues
From release announce:
The maintenance release provides stability fixes for the version 2.10
branch and updates TinyMCE to version 3.4.4 (which fixes a few IE9
issues).
pkgsrc change:
Add a note to MESSAGE needs of www/php-tidy package when using minify
the HTML markup function of Contao 2.10.
