Version 3.3.7 (2014-11-24)
--------------------------
### Fixed
Fixed a potential directory traversal vulnerability.
### Fixed
Fixed a severe XSS vulnerability. In this context, the insert tag flags
`base64_encode` and `base64_decode` have been removed.
### Fixed
Handle nested insert tags in strip_insert_tags().
### Fixed
Correctly store the model in Dbafs::addResource() (see #7440).
### Fixed
Send the request token when toggling the visibility of an element (see #7406).
### Fixed
Always apply the IE security fix in the Environment class (see #7453).
### Fixed
Correctly handle archives being part of multiple RSS feeds (see #7398).
### Fixed
Correctly handle `0` in utf8_convert_encoding() (see #7403).
### Fixed
Send a 301 redirect to forward to the language root page (see #7420).
Version 3.2.16 (2014-11-24)
---------------------------
### Fixed
Fixed a potential directory traversal vulnerability.
### Fixed
Fixed a severe XSS vulnerability. In this context, the insert tag flags
`base64_encode` and `base64_decode` have been removed.
### Fixed
Handle nested insert tags in strip_insert_tags().
### Fixed
Correctly store the model in Dbafs::addResource() (see #7440).
### Fixed
Send the request token when toggling the visibility of an element (see #7406).
### Fixed
Always apply the IE security fix in the Environment class (see #7453).
### Fixed
Correctly handle archives being part of multiple RSS feeds (see #7398).
### Fixed
Correctly handle `0` in utf8_convert_encoding() (see #7403).
### Fixed
Send a 301 redirect to forward to the language root page (see #7420).
Version 3.3.6 (2014-10-31)
--------------------------
### Fixed
Always pass a DC object in the `toggleVisibility` callback (see #7314).
### Fixed
Correctly render the "read more" and article navigation links (see #7300).
### Fixed
Fix the markup of the form submit button (see #7396).
### Fixed
Do not generally remove insert tags from page titles (see #7198).
### Fixed
Consider the `useSSL` flag of the root page when generating URLs (see #7390).
### Fixed
Correctly create the template object in `BaseTemplate::insert()` (see #7366).
### Updated
Updated TinyMCE to version 4.1.6 and added the "lists" plugin (see #7349).
### Fixed
Fixed the FAQ sorting in the back end (see #7362).
### Fixed
Added the `Widget::__isset()` method (see #7290).
### Fixed
Correctly handle dynamic parent tables in the `DC_Table` driver (see #7335).
### Fixed
Correctly shorten HTML strings in `String::substrHtml()` (see #7311).
### Updated
Updated MooTools to version 1.5.1 (see #7267).
### Fixed
Updated swipe.js to version 2.0.1 (see #7307).
### Fixed
Use an `.invisible` class which plays nicely with screen readers (see #7372).
### Fixed
Handle disabled modules in the module loader (see #7380).
### Fixed
Fixed the "link_target" insert tag.
### Fixed
Correctly mark CAPTCHA fields as mandatory (see #7283).
### Updated
Updated the ACE editor to version 1.1.6 (see #7278).
### Fixed
Fix the `Database::list_fields()` method (see #7277).
### Fixed
Correctly assign "col_first" and "col_last" in the image gallery (see #7250).
### Fixed
Set the correct path to TCPDF in `system/config/tcpdf.php` (see #7264).
Version 3.2.15 (2014-10-31)
---------------------------
### Fixed
Always pass a DC object in the `toggleVisibility` callback (see #7314).
### Fixed
Correctly render the "read more" and article navigation links (see #7300).
### Fixed
Consider the `useSSL` flag of the root page when generating URLs (see #7390).
### Fixed
Fixed the FAQ sorting in the back end (see #7362).
### Fixed
Added the `Widget::__isset()` method (see #7290).
### Fixed
Correctly handle dynamic parent tables in the `DC_Table` driver (see #7335).
### Fixed
Correctly shorten HTML strings in `String::substrHtml()` (see #7311).
### Updated
Updated MooTools to version 1.5.1 (see #7267).
### Fixed
Updated swipe.js to version 2.0.1 (see #7307).
### Fixed
Use an `.invisible` class which plays nicely with screen readers (see #7372).
### Fixed
Handle disabled modules in the module loader (see #7380).
### Fixed
Fixed the "link_target" insert tag.
### Updated
Updated the ACE editor to version 1.1.6 (see #7278).
### Fixed
Fix the `Database::list_fields()` method (see #7277).
### Fixed
Correctly assign "col_first" and "col_last" in the image gallery (see #7250).
Version 3.3.5 (2014-08-27)
--------------------------
### Fixed
Do not output an empty `label` tag (see #7249).
### Fixed
Allow floating point numbers in "number" input fields (see #7257).
### Fixed
Do not adjust the start time of past events (see #7121).
### Fixed
Reset the image margins if it exceeds the maximum image size (see #7245).
### Fixed
Reset `$blnPreventSaving` when a model is cloned (see #7243).
### Fixed
Do not reload after storing `CURRENT_ID` in the session (see #7240).
### Fixed
Correctly validate the page number of the versions menu (see #7235).
### Fixed
Handle underscores in the Google+ vanity name (see #7241).
### Fixed
Correctly handle the `rem` unit when importing style sheets (see #7220).
### Fixed
Fix two issues with the extension repository theme.
Version 3.2.14 (2014-08-27)
---------------------------
### Fixed
Allow floating point numbers in "number" input fields (see #7257).
### Fixed
Do not adjust the start time of past events (see #7121).
### Fixed
Reset the image margins if it exceeds the maximum image size (see #7245).
### Fixed
Reset `$blnPreventSaving` when a model is cloned (see #7243).
### Fixed
Do not reload after storing `CURRENT_ID` in the session (see #7240).
### Fixed
Correctly validate the page number of the versions menu (see #7235).
### Fixed
Handle underscores in the Google+ vanity name (see #7241).
### Fixed
Correctly handle the `rem` unit when importing style sheets (see #7220).
### Fixed
Fix two issues with the extension repository theme.
Version 3.3.4 (2014-07-29)
--------------------------
### Fixed
Restore permission to delete root pages for admin users (see #7135).
### Fixed
Pass the file IDs instead of their UUIDs to the file picker (see #7139).
### Fixed
Correctly handle double quotes in comments (see #7102).
### Fixed
Ignore hidden files when building the internal cache (see #7098).
### Fixed
Correctly pass the insert ID of the undo record (see #6234).
### Fixed
Update the vendor libraries (fixes various issues).
Version 3.2.13 (2014-07-29)
---------------------------
### Fixed
Use `DOMDocument::loadXML()` instead of `DOMDocument::load()` (see #7192).
### Fixed
Specify the font size in `rem` for modern browsers (see #7209).
### Fixed
Make sure the default language file is loaded in the DCA extractor (see #7202).
### Fixed
Do not add unpublished FAQs to the XML sitemap (see #7210).
### Fixed
Preserve new lines when replacing simple tokens (see #7178).
### Fixed
Always prevent saving if `PageModel::loadDetails()` is executed (see #7199).
### Fixed
Use `===` to compare password hashes (see #7175).
### Fixed
Correctly mark GET parameters as used (see #7185).
### Fixed
Correctly apply the "disabled" attribute to input unit fields (see #7147).
### Fixed
Correctly check the permission to edit multiple files (see #7157).
### Fixed
Correctly handle other MySQL character sets (see #7140).
### Fixed
Correctly recognize Opera Mobile in the `Environment` class (see #5869).
### Fixed
Fix the grid offset for articles (see #7166).
### Fixed
Restore the basic entities in the source editor (see #7170).
### Fixed
Correctly build the breadcrumb trail in the style sheets module (see #7132).
### Fixed
Do not associate the "use SSL" option with sitemaps only (see #7163).
### Fixed
URL encode the pipe character in the Google web font URL (see #7120).
### Fixed
Handle double quotes in the title attribute of the `<link>` element (see #7124).
### Fixed
Use the `save_callback` when generating multiple aliases (see #7114).
### Update
Update SwiftMailer to version 5.2.1 (see #7110).
### Fixed
Correctly handle double quotes in comments (see #7102).
### Fixed
Ignore hidden files when building the internal cache (see #7098).
### Fixed
Correctly pass the insert ID of the undo record (see #6234).
* Finnish translation is added and Latvian translation is removed.
* Example website (Music Academy) is removed from core distribution.
  It is still available on Contao Extension Repository.
Version 3.2.12 (2014-06-18)
---------------------------
### Fixed
Replace insert tags in external redirect targets (see #6765).
### Fixed
Also apply the font settings to the ACE element (see #7103).
### Fixed
Show the placeholder image in the "edit file" dialog if the original image
exceeds the maximum dimensions supported by the GD library (see #7032).
### Fixed
Preserve whitespace before `<textarea>` tags when minifying code (see #7087).
### Fixed
Restore the PHP 5.3 compatibility of the listing module (see #7078).
### Fixed
Do not offer to drop tables or fields if the safe mode is active (see #7085).
### Fixed
Correctly detect binary fields during theme export (see #7079).
Version 3.3.3 (2014-06-18)
--------------------------
### Fixed
Convert insert tags before assigning the page title to the template (see #7097).
### Fixed
Correctly render images in TinyMCE in the newsletter module (see #7089).
Version 3.3.2 (2014-06-04)
--------------------------
### Fixed
Add the media query to the style sheets in debug mode (see #7070).
### Fixed
Disable the debug mode in the extension creator (see #7068).
### Fixed
Convert image source insert tags in the back end preview (see #7065).
### Fixed
Render all root nodes in the page and file picker (see #6844).
### Fixed
Add the "scssphp-compass" library to support Compass functions.
### Fixed
Support adding multiple TinyMCE instances to the same page (see #7061).
Version 3.2.11 (2014-06-04)
---------------------------
### Fixed
Make `$this->locationLabel` available in the event list (see #7030).
### Fixed
Correctly set the root page title (see #7023).
### Fixed
Only show the sort hint if there is more than one element (see #6935).
### Fixed
Try to raise the PHP limits upon file synchronization (see #7035).
Though there is no description in CHANGELOG.md, data for an example web site
(Music Academy) was removed from the distribution.
Version 3.3.1 (2014-05-30)
--------------------------
### Fixed
Grant access to static files inside the `vendor` folder.
### Fixed
Do not make the `FormRadioButton` options an array (see #7060).
### Fixed
Support adding ACE and TinyMCE in subpalettes (see #7056).
### Fixed
Only use the DropZone uploader where Ajax uploads can be processed (see #7046).
### Fixed
Make the viewport field 255 characters long (see #7050).
### Fixed
Restore the "submit_container" class in the `FormSubmit` widget (see #7055).
### Fixed
Correctly generate the CSS classes of the `FormSelectMenu` widget (see #7045).
### Fixed
Use a more precise UUID detection in the `FilesModel` class (see #7054).
### Fixed
Use `pack()` instead of `hex2bin()` to be compatible with PHP 5.3 (see #7010).
Version 3.2.10 (2014-05-21)
---------------------------
### Fixed
Correctly urlencode folder names in the file manager (see #6925).
### Update
Update MooTools to version 1.5.0 (see #6924).
### Fixed
Allow for up to 13 characters in `Validator::isEmail()` (see #6950).
### Fixed
Only fall back to the default option if there is no POST data (see #6899).
### Fixed
Do not override the event start time in `Events::addEvent()` (see #6701).
### Fixed
Correctly detect binary fields during theme import (see #6852).
### Fixed
Do not urldecode twice in `DC_Folder` (see #6840).
### Fixed
Standardize the fallback behavior of the downloads/gallery element (see #6662).
### Fixed
Correctly hide duplicated elements in the module wizard (see #6826).
### Fixed
Fix the mediabox "imgBackground" option (see #6866).
### Fixed
Strip double quotes in the options wizard (see #6919).
### Fixed
Strip the insert tag flags before passing the tag name to the hooks (see #6860).
### Fixed
Catch Swift exceptions when sending form data via e-mail (see #6941).
### Update
Update the back end date picker to version 2.2.0.
### Update
Update ACE to version 1.1.3.
### Fixed
Check for reserved article aliases before validating the alias name (see #6978).
### Fixed
Store the UUID of uploaded files in the session (see #6986).
### Fixed
Only assume a moved file or folder for new resources (see #6907).
### Fixed
Correctly strip the file extension in the `File` class (see #6968).
### Fixed
Remove the menu when `Swipe.kill()` is executed (see #6861).
### Fixed
Consider the protocol when embedding YouTube videos (see #6900).
Version 3.2.9 (2014-04-07)
--------------------------
### Fixed
Fixed a critical vulnerability of the install tool (see #6855).
### Fixed
Filter disabled groups in the registration module in the front end (see #6757).
### Fixed
Work around a bug in SimplePie with the "skip items" option (see #6107).
### Fixed
Fix the Swipe "continuous" option if there are exactly two slides (see #6812).
### Fixed
Apply `addslashes()` to strings in the `Config` class (see #6808).
### Fixed
Do not empty all fallback fields in sorting mode 4 (see #6498).
### Fixed
Do not allow template names to be longer than the DB fields (see #6819).
### Fixed
Correctly set the start time of a multi-day event (see #6802).
### Fixed
Correctly handle OR queries in the listing module (see #6344).
### Fixed
Use a monospaced font for the plain text newsletter preview (see #6790).
### Fixed
Adjust the `vScrollTo()` offset if the paste hint is visible (see #6478).
Version 3.2.7 (2014-02-13)
--------------------------
### Fixed
Fix another weakness in the `Input` class and further harden the `deserialize()`
function. Thanks to Martin Auswöger for his input.
Version 2.11.16 (2014-02-13)
----------------------------
### Fixed
Fix another weakness in the `Input` class and further harden the `deserialize()`
function. Thanks to Martin Auswöger for his input.
* pkgsrc change: remove obsolete lines for contao31.
Version 3.2.5 (2014-02-03)
--------------------------
### Fixed
Correctly load the parent pages in the navigation modules (see #6696).
### Fixed
Correctly encode URLs with GET parameters in the syndication links (see #6683).
### Fixed
Do not pass POST data to the `deserialize()` function, so it is not vulnerable
to PHP object injection. Thanks to Pedro Ribeiro for his input (see #6695).
### Fixed
Allow any character in passwords, especially the less-than symbol (see #6447).
### Fixed
Purge the image cache if a file is being renamed (see #6641).
### Fixed
Preserve tags in custom CSS definitions (see #6667).
### Fixed
Make the swipe CSS selectors more specific (see #6666).
### Fixed
Correctly optimize floating-point numbers in style sheets (see #6674).
Version 2.11.14 (2014-02-03)
----------------------------
### Fixed
Do not pass POST data to the `deserialize()` function, so it is not vulnerable
to PHP object injection. Thanks to Pedro Ribeiro for his input (see #6695).
Version 3.2.4 (2014-01-20)
--------------------------
### Fixed
Updated the Russian translation of the TinyMCE "typolinks" plugins (see #6224).
### Fixed
Do not create multiple stylect layers upon Ajax changes.
### Fixed
Some DCAs were missing the "rem" unit (see #6634).
### Fixed
Correctly trim the SQL statements in the `Database` class (see #6623).
### Fixed
Fix some broken back end icons (see #6214).
### Fixed
Show a hint in the news archive menu if there are no items (see #5888).
### Fixed
Prevent the back end tool tips from exceeding the screen width (see #6639).
### Fixed
Support the Google+ vanity name in addition to the numeric ID (see #6454).
### Fixed
Correctly detect Android tablets in the `Environment` class (see #5869).
### Fixed
Correctly resolve the module dependencies (see #6606).
### Fixed
Correctly unset the PHP session cookie depending on its parameters.
### Fixed
Fixed the XHTML variant of the comments form (see #5675).
### Fixed
Correctly assign articles to columns (see #6595).
### Fixed
Correctly merge the CSS classes in the `Hybrid` class (see #6601).
fix a few trivial (but nasty) problems of this almost leaf package:
approved by gdt@.
Version 3.2.3 (2013-12-20)
--------------------------
### Fixed
Correctly resize the mediaboxAdvanced in IE11 (see #6504).
### Fixed
Set the correct status header for cached files (see #6585).
### Fixed
Correctly set the empty value depending on the DB field (fixes #6550, #6544).
### Fixed
Prevent saving of detached models (see #6506).
### Fixed
Correctly determine the ACE editor's height (see #6578).
### Fixed
Always fall back to English if a language does not exist (see #6581).
### Fixed
Correctly display repeated events in the event list (see #6555).
### Fixed
Correctly show the available layout columns in the article module (see #6548).
### Fixed
Correctly show the "read more" link in the news list modules (see #6439).
### Updated
Updated html5shiv to version 3.7.0 (see #6543).
### Fixed
Support browsers with both mouse and touch support in the back end (see #6520).
### Fixed
Correctly handle multiple `RadioTable` widgets on the same page (see #6389).
### Fixed
Fixed two issues with the SQL cache (see #6507).
### Fixed
Do not require a redirect page for newsletter channels (see #6521).
### Fixed
Use the related field instead of `id` in the model query builder (see #6540).
Version 3.2.2 (2013-12-09)
--------------------------
### Fixed
Correctly support insert tags nested in shortened "iflng" tags (see #6509).
### Fixed
Do not require a foreign key to define a relation in the DCA (see #6524).
### Fixed
Use UUIDs as parent IDs in `Dbafs::addResource()` (see #6532).
### Fixed
Correctly set the default language (see #6533).
### Fixed
Correctly update the order fields in the database updater (see #6534).
### Fixed
Do not override the "href" property in `addImageToTemplate()` (see #6468).
### Fixed
Correctly handle URLs if page aliases are disabled (see #6502).
### Fixed
Handle UUIDs in `Model::getRelated()` (see #6525).
### Fixed
Hide records with only one version from the "changed elements" overview.
### Fixed
Use an auto-resizing textarea to store CSS selectors.
### Updated
Updated the ACE editor to version 1.1.2.
### Fixed
Prevent the ACE editor from overlapping the modal window (see #6497).
### Fixed
Use the default back end theme when running in safe mode (see #6505).
* pkgsrc change: drop optional php-tidy package requirement from MESSAGE.
Version 3.2.1 (2013-11-29)
--------------------------
### Updated
Updated TinyMCE to version 3.5.10 to fix the IE11 issues (see #6479).
### Fixed
Optionally override the repository tables when importing a template (see #6470).
### Fixed
Only do the UUID conversion once even if the `Database\Updater` helper methods
are called multiple times (see #6481).
### Fixed
Correctly toggle the mobile/desktop view (see #6227).
### Fixed
Correctly detect UUIDs in the "file" insert tag (see #6472).
### Fixed
Correctly assign images to FAQs (see #6465).
### Fixed
Improved the speed and memory footprint of the news archive menu (see #6463).
### Fixed
Removed `CalendarEventsModel::findBoundaries()` (see #6467).
Version 2.11.13 (2013-11-19)
----------------------------
### Fixed
Sort the list of available modules (see #6391).
### Fixed
Decode entities in passwords (see #6252).
### Fixed
Replace insert tags in the details view of the listing module (see #6120).
Version 3.1.4 (2013-10-14)
--------------------------
### Fixed
Do not show the debug bar in the modal dialog (see #6302).
### Fixed
Ignore the "maxlength" setting in certain form fields (see #6283).
### Fixed
Correctly show the "toggle page status" icon (see #6282).
### Removed
Removed the TinyMCE spell checker (see #6247).
### Updated
Updated TCPDF to version 3.0.38 (see #6268).
### Fixed
Correctly render the pages breadcrumb menu for non-admin users (see #6067).
### Fixed
Correctly handle the accordion fields during the version 3.1 update (see #6229).
### Fixed
Correctly handle special characters in page aliases (see #6232).
Version 3.1.3 (2013-09-24)
--------------------------
### Fixed
Do not redirect to protected pages after logout (see #6210).
### Fixed
Consider the additional arguments in `Frontend::jumpToOrReload()` (see #5734).
### Fixed
Prevent article aliases from using reserved names (see #6066).
### Fixed
Correctly update the RSS feeds if a news item or event changes (see #6102).
### Fixed
Correctly link to news and calendar feeds via insert tag (see #6164).
### Fixed
Make the CSS ID available in the custom navigation module (see #6129).
### Fixed
Do not cache the "toggle_view" insert tag (see #6172).
### Fixed
Unset the primary key if a model is deleted (see #6162).
### Fixed
Support `tel:` and `sms:` upon IDNA conversion (see #6148).
### Fixed
Apply the width and height to the audio player as well (see #6114).
### Fixed
Do not exit after a template has been output (see #5570).
### Changed
Drop the database query cache (see #6070). This renders `executeUncached()` and
`executeCached()` deprecated. Use `execute()` instead.
### Fixed
Handle all possible errors when uploading files (see #5934).