* Editor: Prevent certain HTML elements from being unexpectedly removed or
modified in rare cases.
* Media: Fix a collection of minor workflow and compatibility issues in the new
media manager.
* Networks: Suggest proper rewrite rules when creating a new network.
* Prevent scheduled posts from being stripped of certain HTML, such as video
embeds, when they are published.
* Work around some misconfigurations that may have caused some JavaScript in
the WordPress admin area to fail.
* Suppress some warnings that could occur when a plugin misused the database or
user APIs.
Additionally: Version 3.5.1 fixes a few security issues:
* Server-side request forgery (SSRF) and remote port scanning via pingbacks.
Fixed by the WordPress security team.
* Cross-site scripting (XSS) via shortcodes and post content. Discovered by Jon
Cave of the WordPress security team.
* Cross-site scripting (XSS) in the external library Plupload. Plupload 1.5.5
was released to address this issue.
Highlights
* New Media Manager
+ Beautiful interface: A streamlined, all-new experience
+ Create galleries faster with drag-and-drop reordering,
inline caption editing, and simplified controls
+ Insert multiple images at once with Shift/Ctrl+click
* New Default Theme - Twenty Twelve
+ Simple, flexible, elegant
+ Mobile-first, responsive design
+ Gorgeous Open Sans typeface
+ Uses the latest Theme Features
* Admin Enhancements
+ New Welcome Screen
+ Retina-Ready (HiDPI) Admin
+ Hide Link Manager for new installs
+ Better accessibility for screenreaders, touch devices, and
keyboard users
+ More polish on admin screens, including a new color picker
* For Developers
+ WP_Comment_Query and WP_User_Query now accept meta queries
just like WP_Query
+ Meta queries now support querying for objects without a
particular meta key
+ Post objects are now instances of a WP_Post class, which
improves performance and caching
+ Multisite's switch_to_blog() is now significantly faster and
more reliable
+ WordPress has added the Underscore and Backbone JavaScript
libraries
+ TinyMCE, jQuery, jQuery UI, and SimplePie have all been
updated to the latest versions
+ Image Editing API for cropping, scaling, etc., that uses
ImageMagick as well as GD
+ XML-RPC: Now always enabled and supports fetching users,
managing post revisions, searching
+ New "show_admin_column" parameter for register_taxonomy()
allows automatic creation of taxonomy columns on associated post-types.
Changes:
* Fixes some issues in the admin area where some older browsers (IE7, in
particular) may slow down, lag, or freeze.
* Fixes an issue where a theme may not preview correctly, or its screenshot may
not be displayed.
* Fixes the use of multiple trackback URLs in a post.
* Prevents improperly sized images from being uploaded as headers from the
customizer.
* Ensures proper error messages can be shown to PHP4 installs. (WordPress
requires PHP 5.2.4 or later.)
* Fixes handling of oEmbed providers that only return XML responses.
* Addresses pagination problems with some category permalink structures.
* Adds more fields to be returned from the XML-RPC wp.getPost method.
* Avoids errors when updating automatically from very old versions of WordPress
(pre-3.0).
* Fixes problems with the visual editor when working with captions.
Additionally: Version 3.4.2 fixes a few security issues and contains some
security hardening. These issues were discovered and addressed by the WordPress
security team:
* Fix unfiltered HTML capabilities in multisite.
* Fix possible privilege escalation in the Atom Publishing Protocol endpoint.
* Allow operations on network plugins only through the network admin.
* Hardening: Simplify error messages when uploads fail.
* Hardening: Validate a parameter passed to wp_get_object_terms().
ChangeLog:
WordPress 3.4.1:
* Fixes an issue where a theme’s page templates were sometimes not detected.
* Addresses problems with some category permalink structures.
* Better handling for plugins or themes loading JavaScript incorrectly.
* Adds early support for uploading images on iOS 6 devices.
* Allows for a technique commonly used by plugins to detect a network-wide activation.
* Better compatibility with servers running certain versions of PHP (5.2.4, 5.4)
or with uncommon setups (safe mode, open_basedir), which had caused warnings or
in some cases prevented emails from being sent.
Additionally: Version 3.4.1 fixes a few security issues and contains some security
hardening. These issues were discovered and fixed by the WordPress security team:
* Privilege Escalation/XSS. Critical. Administrators and editors in multisite
were accidentally allowed to use unfiltered_html for 3.4.0.
* CSRF. Additional CSRF protection in the customizer.
* Information Disclosure: Disclosure of post contents to authors and contributors
(such as private or draft posts).
* Hardening: Deprecate wp_explain_nonce(), which could reveal unnecessary information.
* Hardening: Require a child theme to be activated with its intended parent only.
WordPress 3.4:
* Enhanced theme control
* Customize theme options before activating a new theme using Theme Customizer
* Use Theme Previewer to customize current theme without changing the front-end design
* Custom Headers
* Improved Custom Headers with flexible sizes
* Selecting Custom Header Images and Custom Background Images from Media Library Screen
* Media improvements
* Support HTML in image captions
* Under the Hood improvements
* Improvements in WordPress internationalization and localization
* Different split in translation POT files for faster translations
* Codex XML-RPC information update accessed via XML-RPC_WordPress_API
* WP_Query improvements
Three external libraries included in WordPress received security updates:
* Plupload (version 1.5.4), which WordPress uses for uploading media.
* SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
* SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.
WordPress 3.3.2 also addresses:
* Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances.
* Cross-site scripting vulnerability when making URLs clickable.
* Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.
Highlights:
* Easier Uploading
- File Type Detection - A single upload button
- Drag-and-Drop Media Uploader
* Dashboard Design
- New Toolbar in the dashboard, combining the Admin Bar and admin
header
- Responsive design for some screens, including iPad/tablet
support
- Flyout menus, providing single-click access to any screen
* New User Experience
- New feature pointers, helping users navigate new features
- Post-update About screen
- Dashboard welcome area for new installs
* Content Tools
- Better co-editing that releases post locks immediately
- Don't lose widgets when switching themes
- Tumblr Importer
* Under the Hood improvements
- Use the postname permalink structure without a performance
penalty
- Improved Editor API
- is_main_query() function and WP_Query method
- Remove a number of funky characters from post slugs
- jQuery 1.7.1 and jQuery UI 1.8.16
- A new Screen API for adding help documentation and adapting to
screen contexts
- Improved metadata API
* Performance improvements and hundreds of bug fixes
More changes at http://codex.wordpress.org/Version_3.3
From the Announcement blog: "This maintenance release fixes a server
incompatibility related to JSON that’s unfortunately affected some of you,
as well as a few other fixes in the new dashboard design and the Twenty
Eleven theme."
Highlights:
* Refreshed Administrative UI - Admin redesign
* New Default Theme "Twenty Eleven" - Uses the latest Theme Features
* Full Screen Editor - Distraction free writing experience
* Extended Admin Bar - More useful links to control the site
* Enhanced Browser Compatibility -
- Drop Internet Explorer 6 support
- Start End-of-life (EOL) cycle for Internet Explorer 7
- Browse Happy notifies users of out-of-date browsers
* WordPress is Faster and Lighter -
- Faster page loads -- We've gone through the most commonly loaded pages in WP and made improvements to their load time
- Faster Upgrades -- The update system now supports incremental upgrades, so after 3.2 you'll find upgrading faster than ever
- Optimizations to WP_Filesystem -- Updates over FTP are now much quicker and less error prone
- Stream downloads to the filesystem -- Improves update times and lowers the memory footprint
- Performance improvements for wptexturize()
- Remove PHP4 compatibility including timezone support
- More efficient term intersection queries
- Some optimizations in the HTML sanitizer (kses)
- Speed optimizations for is_serialized_string()
- Cache the Dashboard RSS Widgets HTML output to reduce unnecessary Ajax requests as well as the memory footprint
- And many other improvements and tweaks
Also contains the security fixes from WordPress 3.1.4.
* Various security hardening by Alexander Concha.
* Taxonomy query hardening by John Lamansky.
* Prevent sniffing out user names of non-authors by using canonical redirects. Props Verónica Valeros.
* Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of Microsoft, and Microsoft Vulnerability Research.
* Improves file upload security on hosts with dangerous security settings.
* Cleans up old WordPress import files if the import does not finish.
* Introduce "clickjacking" protection in modern browsers on admin and login pages.
* Fix a vulnerability that allowed Contributor-level users to improperly
publish posts.
* Fix user queries ordered by post count.
* Fix multiple tag queries.
* Prevent over-escaping of post titles when using Quick Edit for pages.
This maintenance and security release fixes almost thirty issues in 3.1,
including:
* Some security hardening to media uploads
* Performance improvements
* Fixes for IIS6 support
* Fixes for taxonomy and PATHINFO (/index.php/) permalinks
* Fixes for various query and taxonomy edge cases that caused some plugin
compatibility issues
Version 3.1.1 also addresses three security issues discovered by
WordPress core developers Jon Cave and Peter Westwood, of the WordPress security
team. The first hardens CSRF prevention in the media uploader. The
second avoids a PHP crash in certain environments when handling
devilishly devised links in comments, and the third addresses an XSS
flaw.
Changes:
* Internal Linking - click a button for an internal link and it allows
you to search for a post or browse a list of existing content and select it
for inclusion.
* Admin Bar - contains various links to useful admin screens. By default,
the admin bar is displayed when a user is logged in and visiting the site
and is not displayed in admin screens for single blog installs. For multisite
installs, the admin bar is displayed both when visiting the site and in the
admin screens.
* Streamlined Writing Interface - new users of WordPress will find the write
screen much less cluttered than before, as more of the options are hidden by
default. You can click on Screen Options in the top right to bring them back.
* Post Formats - meta information that can be used by themes to customize
presentation of a post. Read more in the article Post Formats.
* Network Admin - move Super Admin menus and related pages out of the regular
admin and into a new Network Admin screen.
* List-type Admin Screens - sortable columns for list-type screens and better
pagination.
* Exporter/Importer Overhaul - many under the hood changes including adding
author information, better handling for taxonomies and terms, and proper
support for navigation menus.
* Custom Content Type Improvements - allows developers to generate archive
pages, and have better menu and capability controls.
* Advanced Queries - allows developers to query multiple taxonomies and custom
fields.
* Refreshed Blue Admin Color Scheme - puts the focus more squarely on your
content.
More changes at http://codex.wordpress.org/Version_3.1
* Fix XSS bug: Properly encode title used in Quick/Bulk Edit, and offer additional sanitization to various fields. Affects users of the Author or Contributor role.
* Fix XSS bug: Preserve tag escaping in the tags meta box. Affects users of the Author or Contributor role.
* Fix potential information disclosure of posts through the media uploader. Affects users of the Author role.
* Enhancement: Force HTML filtering on comment text in the admin
* Enhancement: Harden check_admin_referer() when called without arguments, which plugins should avoid.
* Update the license to GPLv2 (or later) and update copyright information for the KSES library.
ChangeLog:
* Fix XSS vulnerabilities in the KSES library: Don't be case sensitive to
attribute names. Handle padded entities when checking for bad protocols.
Normalize entities before checking for bad protocols in esc_url().
* Fixes issues in the XML-RPC remote publishing interface which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish or delete posts.
* Fix moderate security issue where a malicious Author-level user could gain further access to the site.
* Remove pingback/trackback blogroll whitelisting feature as it can easily be abused.
* Fix canonical redirection for permalinks containing %category% with nested categories and paging.
* Fix occasional irrelevant error messages on plugin activation.
* Minor XSS fixes in request_filesystem_credentials() and when deleting a plugin.
* Clarify the license in the readme
* Multisite: Fix the delete_user meta capability
* Multisite: Force current_user_can_for_blog() to run map_meta_cap() even for super admins
* Multisite: Fix ms-files.php content type headers when requesting a URL with a query string
* Multisite: Fix the usage of the SUBDOMAIN_INSTALL constant for upgraded WordPress MU installs
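The KSES fix listed above (attribute names matched case-insensitively, entities normalized before the bad-protocol check) as an added Python illustration; this is not WordPress's own code, and the allow-lists, regexes and helper names are assumptions constructed for the example:

```python
import html
import re

# Constructed allow-list for this example; WordPress keeps its own list
# of permitted protocols, which this code does not reproduce.
ALLOWED_PROTOCOLS = frozenset(("http", "https", "ftp", "mailto", "tel"))

# Attributes this toy filter permits per tag, and which of them carry URLs.
ALLOWED_ATTRS = {"a": {"href", "title", "rel"}, "img": {"src", "alt", "width"}}
URL_ATTRS = {"href", "src"}

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)
_ATTR_RE = re.compile(
    r"""([a-zA-Z][-a-zA-Z0-9:]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))"""
)


def normalize_entities(value: str, max_rounds: int = 6) -> str:
    """Decode HTML entities until the value stops changing.

    html.unescape handles zero-padded numeric references such as &#0000106;
    and references without a trailing semicolon; looping also catches
    double-encoded input (&amp;#106; -> &#106; -> j).
    """
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            return value
        value = decoded
    return value


def url_is_allowed(url: str) -> bool:
    """Return True when the URL has no scheme or an allow-listed scheme.

    The check runs on the *normalized* value: entities are decoded first,
    and ASCII control/whitespace characters (which browsers ignore inside a
    scheme) are dropped before the scheme is compared. Only the scheme is
    examined, so stripping spaces from the rest of the URL is harmless here.
    """
    decoded = normalize_entities(url)
    cleaned = "".join(ch for ch in decoded if ord(ch) > 0x20)
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        return True  # relative URL: nothing to vet
    return match.group(1).lower() in ALLOWED_PROTOCOLS


def sanitize_attributes(tag: str, attr_string: str) -> dict:
    """Keep only allow-listed attributes and vet the URL-bearing ones.

    Attribute names are lower-cased before lookup, so HREF and href are
    treated alike (the case-sensitivity point in the changelog entry).
    Rejected attributes are dropped rather than rewritten.
    """
    allowed = ALLOWED_ATTRS.get(tag.lower(), set())
    kept = {}
    for m in _ATTR_RE.finditer(attr_string):
        name = m.group(1).lower()
        if name not in allowed:
            continue
        value = next((g for g in m.groups()[1:] if g is not None), "")
        if name in URL_ATTRS and not url_is_allowed(value):
            continue
        kept[name] = value
    return kept
```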
While here, set license.
3.0.1:
* Fixed 54 tickets total. A break down of ticket status by component can be found in Trac (http://core.trac.wordpress.org/milestone/3.0.1).
* Added unregister_nav_menu(), for child themes.
3.0:
* WordPress and WordPress MU have merged, allowing the management of multiple sites (called Multisite) from one WordPress installation.
* New default theme "Twenty Ten" takes full advantage of the current features of WordPress.
* New Custom Menu Management feature, allows creation of custom menus combining posts, pages, categories, tags, and links for use in theme menus or widgets.
* Custom Header and Custom Background APIs.
* Contextual help text accessed under the Help tab of every screen in the WordPress administration.
* Ability to set the admin username and password during installation.
* Bulk updating of themes with an automatic maintenance mode during the process.
* Support for Shortlinks.
* Improved Custom Post Types and Custom Taxonomies including hierarchical (category-style) support. (Try the Custom Post Type UI or GD Custom Posts And Taxonomies Tools plugins to see the possibilities.)
* A lighter admin color scheme to increase accessibility and put the focus more squarely on your content.
2.9.2:
* Fixed problem where logged in users can peek at trashed posts belonging to other authors.
* Fixed other issues
2.9.1:
* Fixed problem where scheduled posts and pingbacks are not processed correctly due to incompatibilities with some hosts
* Fixed other issues
2.9:
User Features
* Trash status for posts, pages, and comments (includes restore and permanent delete)
* Add support for 'include' and 'exclude' to [gallery] (Gallery Shortcode)
* Allow user registration to be enabled by an XMLRPC client
* Add support for sticky posts to the WXR exporter and importer
* 'rel=canonical' for singular pages
* Scroll back to the same location after saving a file in the Plugin and Theme editors
* Correct comments and remove unnecessary echoes from the default themes sidebar template file
* Enable the APP (Atom) attachment file download to work correctly
* Support location of category templates based on 'category-slug' as well as 'category-id' (Ticket 10614)
* Support location of tag templates based on 'tag-id' as well as 'tag-slug' (Ticket 10868)
* Support location of page templates based on 'page-slug' and 'page-id'
* Set "Allow my blog to appear in search engines" to checked in installation
* Don't offer to make a category its own parent
* Remove Sphere from search list
* Minify admin CSS
* Show correct max upload filesize error message
* Add 'rel' attribute to next/previous post links
* Make the default and classic themes comment textareas valid XHTML
* Clean up '.button' and '.button[disabled]' CSS classes, add 'spinner' and 'gray-out' buttons after clicking Publish or Update post
* Fix race condition with autosave when clicking Publish immediately after entering post title
* Add Comments for Pages in the WordPress Default theme
* Define '$content_width' for Kubrick
* Better feedback on publishing of future posts and pages
* Display comments in descending date order, consistently
* Add means of automatically repairing tables
* Press This bookmarklet fixes
* Give plugins and themes simple control over the text displayed at the end of an autogenerated Excerpt
* Don't show "Change Permalinks" button when editing the page set as "Front page"
* Image editing
* Retire BunnyTags importer
* Retire Jerome's keywords importer
* Explain that the permalink is temporary for autosave generated permalinks
* Update SimplePie to 1.2
* Eliminate the redundant and confusing comment threading depth of 1
* Easier Embeds with oEmbed support (see Ticket #10337) (oEmbed discovery disabled by default, use plugin to enable it)
* TinyMCE 3.2.7
* Remove rel='tag' on links in Tag Clouds
* Add a title to the Home link output by wp_page_menu()
* Adjust comment moderation keyboard shortcut keys 'd = trash' or delete depending on the screen
* Show "Draft updated" instead of "Post updated" when saving draft
* Show the login form in a popup when autosave hits the login grace period
* Open View/Preview post in a new window from the link in the Saved/Updated message
* Separate fields for 'image alt' and 'image caption' in Media uploader
* Display better information about broken themes when there is no stylesheet
* Improve the situation where, when tables such as wp_options were 'corrupt', the new installation message was offered. Add means of automatically repairing tables
* Export and import custom taxonomies
* Admin copy improvements
* Don't show page templates in the drop down if they are in a subdirectory
* Make codex link open in a new window
* Change 'Remove' link on widgets to 'Delete' because it doesn't just remove it, it deletes the settings for that widget instance.
Development, Themes, Plugins
* Added 'excerpt_more' filter to wp_trim_excerpt() function, which allows developers to change the excerpt '[...]' more string (Ticket 10395)
* Add 'smilies_src' filter so plugins can better add smilies
* Canonical redirects for post name queries
* Allow _wp_get_comment_list() to handle custom comment types
* Return an empty array instead of false for get_children() when no children found
* Add some filters so that HTTP requests can be filtered
* Move plugin update notice output to the plugin specific hook
* Limit wp-mail 'blog by email' checks to every 5 minutes
* Make it much easier to filter contact methods from user profiles
* Allow filtering of get_edit_post_link for custom post_type
* 'get_sample_permalink_html' filter
* Enforce activation key to be a string, reject activation keys that are arrays
* Support for new post types
* Respect custom post_type in queries
* Send Retry-After header when in maintenance mode
* Various WP Filesystem related fixes and documentation
* Add constants for ftp connections timeouts
* Increase timeout on cron-based requests when checking for upgrades
* Don't use has_action() before do_action() in http.php
* Speed up jQuery based scripts
* Use the current user as author for autosave
* Show My Posts as default view on the Edit Posts screen for users without 'edit_others_posts' cap
* Ensure that drafts viewed over XMLRPC have a correct gmt date set
* Pass user id to 'get_' the_author_meta filters
* Move _wp_get_user_contactmethods() into the registrations functions file
* Machine parseable db error codes
* Add global JS vars and actions to the media uploader iframe
* Add JSON compat for PHP < 5.2
* Make option_name the primary key for the options table
* Allow a plugin to do a complete takeover of Post by Email
* Logarithmic scale for tag cloud
* Pass Post ID to the 'get_comments_number' filter
* Always filter the url in the media upload form
* Add a 'the_terms' filter
* is_blog_installed() improvements
* Allow force_ssl_admin() to properly accept false as a value
* Pass logged_in cookie to async-upload and filter the cookie scheme in auth_redirect()
* Add more actions around database add/delete/update operations
* phpDoc for wp_"check|set"_post_lock functions
* Use the old strings which are more translator friendly and add a generic default string to aid re-use by plugins adding post_types
* Filter fields through kses upon display and introduce sanitize_user_object() and sanitize_user_field()
* Use null instead of 0 when setting content length
* Include 'hidden' directories in filesystem dirlist by default
* Pass args array to 'wp_list_pages' filter
* Actions for taxonomy updates
* Key should be 'comment_id' not 'post_id' in comments table
* Add get_delete_post_link () to retrieve delete posts link for post
* Add 'separator' parameter to wp_tag_cloud() and wp_generate_tag_cloud() functions (Ticket 10315)
* Added add_comment_meta() family of functions
* Use a post_parent of 0 instead of -1 to indicate unattached posts
* Improve get_page_hierarchy() function
* Deprecate the_content_rss(), add the_content_feed() and get_the_content_feed(). Convert places that called the_content_rss() with an excerpt length to the_excerpt_rss(). Remove the rss_excerpt_length option. Use the_content_feed() where the_content() was previously used in feeds.
* Add 'pad_counts' argument to wp_dropdown_categories()
* Remove codepress
* Remove the php-gettext library
* Canonical post thumbnails
* Add a filter to the_author_posts_link()
* Merge post.js with page.js and slug.js, optimize categories and tags JS, standardize postboxes IDs and JS
* Introduce register_theme_directory() which takes a wp-content-relative path and will additionally scan it for themes. Plugins can use this to add themes without requiring copying by the user
* Add set_user_role action hook
* Allow theme devs to change attrs (like CSS class) of thumbnail images
* Add wp-post-image CSS class to post images
* Allow for plugins to enhance the number of metadata fields captured from plugin and theme headers
* Merge updated pomo code
* Switch to using NOOP_Translations for untranslated sites
* Improve wptexturize performance
* Provide context to the strings in the Plugin and Theme installers to allow for different grammatical gender
* Fixes for theme subdir support
* Introduce wp_kses_post() and wp_kses_data() for filtering unescaped data
* Add 'orderby=comment_count' argument to query_posts()
* Honor Post Type for Sticky Posts
* Allow querying multiple post types
* Introduce add_theme_support(feature) and current_theme_supports(feature) for announcing and checking theme support for various features
* Introduce require_if_theme_supports()
* Add number of Embed related filters
* Add 'IMAGE_EDIT_OVERWRITE' constant to control edited image save or replace, most useful for setups that have dynamic image resizing
* Add load_child_theme_textdomain() to allow child themes to have their own translation files
* Add sidebar descriptions to sidebar settings and widget admin screen
* Make option_id primary. Add uniques for option_name and autoload
* Allow plugins to override the behaviour of load_textdomain() in a variety of flexible ways
* Mark _c() as deprecated. The new _x() function should be used instead.
* Allow plugins to change the redirect on post/page publishing/submitting
* Standardize on 'user_id' instead of 'user_ID' when passing comment data. Accept either 'user_id' or 'user_ID'. Remove 'user_id' global.
* Filter imported comments
* Introducing set_post_image_size(w, h, crop) so themes can register their special size/crop for canonical post images
* Standardize around "post image" instead of "post thumbnail"
* Allow registering post image support per post type
* Return false from is_paged() if on the first page.
* Check MySQL and PHP versions when auto upgrading
* Add required php and mysql versions to version.php
* Hard code required version in update-core.php
PR pkg/42765
- 2.8.5
* Fix for trackback DoS
* Removal of permalink_structure eval
* Remove some create_function() calls
* Disallow unfiltered uploads by default, even for admins. Enable it again with define('ALLOW_UNFILTERED_UPLOADS', true); in wp-config.php
* Add extra escapes here and there for some backside coverage
* Retire two old importers
* A few small bug fixes
- 2.8.6
* Fixed an XSS vulnerability in Press This
* Fixed issue with sanitizing uploaded file names that can be exploited in certain Apache configurations
Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1. Luckily, the entire WordPress community has our backs. Several folks in the community dug deeper and discovered areas that were overlooked. With their help, the remaining issues are fixed in 2.8.3. Since this is a security release, upgrading is highly recommended.
Highlights
* New drag-and-drop widgets admin interface and new widgets API
* Syntax highlighting and function lookup built into plugin and theme editors
* Browse the theme directory and install themes from the admin
* Allow the dashboard widgets to be arranged in up to four columns
* Allow configuring the number of items to show on management pages with an option in Screen Options
* Support timezones and automatic daylight savings time adjustment
* Support IIS 7.0 URL Rewrite Module
* Faster loading of admin pages via script compression and concatenation
For all the details see: http://codex.wordpress.org/Version_2.8
Initially packaged by shinden@linux.pl and then hacked by me
WordPress is a state-of-the-art publishing platform with a focus on
aesthetics, web standards, and usability.