[!CAUTION]
v2.3.6 is a bug-fix release for sites on v2.3.5 or earlier. Upgrade from v2.3.5 or earlier 2.x. If your site tracks the master branch, you are already past v2.3.6, so installing it would be a downgrade. v2.4.x is planned to be the next forward step.
Highlights
[Security] Command injection in resize_image() (GHSA-3j33-c9v4-4p42). The ImageMagick convert command line did not shell-escape its destination filename; reachable via news submission with the right combination of prefs. (https://github.com/e107inc/e107/commit/794a179f)
Host-header recovery for sites locked out by v2.3.4 / v2.3.5. The GHSA-7pmw-jwvr-cq2x killswitch now case-folds, strips www., and strips trailing ports before comparison, and returns a logged 503 instead of a bare die(). Closes #5627 and #5634. (https://github.com/e107inc/e107/commit/aba3b169)
trusted_hosts SitePref for parked, staging, and multi-host setups. Authorise additional incoming hostnames from Admin → Preferences without touching e107_config.php. (https://github.com/e107inc/e107/commit/c2bb246b)
trusted_hosts SitePref. New textarea below the Site URL row in Admin → Preferences. Paste additional hostnames one per line (e.g. staging.example.com, example.org); the server-side normaliser strips schemes/paths and de-duplicates case-insensitively, so https://staging.example.com/ saves as staging.example.com. The pref is purely additive: requests whose Host matches the configured siteurl continue to pass without listing it here. Ref GHSA-7pmw-jwvr-cq2x, #5627. (https://github.com/e107inc/e107/commit/c2bb246b)
Changed
Host-header validation (security). www. and the bare apex now match each other, hostnames compare case-insensitively, and trailing ports are stripped before comparison, so https://example.com:8080/ matches https://example.com/. Sites that were stuck on the "Site Configuration Issue Detected" page after upgrading from v2.3.3 should now boot again without manual SQL edits.
Host-mismatch response. The bare die('Site Configuration Issue Detected. ...') that returned 200 OK with one line of plain text is replaced by a 503 Service Unavailable with a short HTML body that points the operator at the server error log. The diagnostic detail (configured siteurl, request Host) is written via error_log(), which previously sat after the die() and never fired.
The visible page intentionally does not echo the incoming Host, the configured siteurl, or any admin URL. The diagnostic surface stays in the log, which already requires server access. (https://github.com/e107inc/e107/commit/aba3b169)
Fixed
Thumbnail rendering on PHP 8. thumb.php boots the framework directly without class2.php, so E107_DEBUG_LEVEL was never defined for that request; the first call that opened a DB handle (typically when the SitePrefs disk cache was cold) hit a PHP 8+ fatal in e_db_pdo::__construct() and broke every thumbnail on the site. Now guarded with defset(). Fixes #5664. (https://github.com/e107inc/e107/commit/59aef4f1)
Thumbnail database credentials. With the E107_DEBUG_LEVEL fatal out of the way, thumb.php then failed with SQLSTATE[HY000] [2002] No such file or directory because its manual bootstrap chain never populated the MySQL config the PDO connector reads. The bootstrap now routes through e107::initCore() (the same call class2.php uses), so credentials are set before the first DB call. Follow-up to #5664 / #5665. (https://github.com/e107inc/e107/commit/02a79729)
Forgot-password page on v1-style themes. fpw.php fataled with Undefined constant LAN_112 when the active theme had no theme.xml (the legacy theme path uses e107_core/templates/legacy/fpw_template.php, which still references the old constant). The BC shim that mapped LAN_112 → LAN_FPW22 only fired in the members-only branch; it now fires before every downstream template require, regardless of branch. Fixes #5653. (https://github.com/e107inc/e107/commit/d9725b91)
Other legacy templates. Any legacy core template under e107_core/templates/legacy/ that referenced a dropped v1.x LAN_* constant could fatal on PHP 8 with a single missed reference. e107::predefineLegacyLans() now tokenises each legacy template before it loads and auto-defines any missing LAN_* with its own name as a value, emitting an E_USER_WARNING per auto-define so the maintainer trail stays visible. Wired into the six legacy require sites (fpw.php ×2, search.php, signup.php, user.php, usersettings.php). Refs #5653. (https://github.com/e107inc/e107/commit/b1290139)
Admin navigation icons and user-handler permissions on PHP 8. sitelinks_class::setIconArray() built the admin nav map from ~40 E_32_* constants and user_handler::$core_perms referenced dozens of ADLAN_* / ADMSLAN_* / E_16_* / E_32_* entries, all loaded lazily by the admin language file as bare reads. PHP 8 promotes bare reads of undefined constants to fatal Errors, so any caller that hit these before the admin language file loaded crashed. Both sites are now wrapped in defset() so the undefined case returns the empty default. (https://github.com/e107inc/e107/commit/0635801a)
FAQ plugin cron registration on PHP 8. e107_plugins/faqs/e_cron.php referenced LANA_FAQ_CRON_1, LANA_FAQ_CRON_2, and LAN_AUTOMATION at admin cron-registration time, which runs before English_admin.php is loaded. PHP 8 turned the bareword fallback into a fatal; the registration path now uses defset(). (https://github.com/e107inc/e107/commit/21f7b584)
strftime() deprecation on PHP 8.1+. StrptimeTrait::buildMonthArrays() called PHP's strftime() to localise month names. PHP 8.1 deprecated the function and PHP 9 will remove it, so the @-suppressed call still landed in error_log. Both calls are now routed through the eShims::strftime() polyfill that already exists in the tree. (https://github.com/e107inc/e107/commit/295ce2a1)
For Developers
Added
e107::predefineLegacyLans($path) token-scan safety net for legacy templates. Tokenises the requested template, finds bare LAN_* token references (skipping function/method/class/static contexts and call sites), and define()s any that are still missing with their own name as value. Token extraction is cached on hash_file('sha256', $path) keyed entries (APCu when available, otherwise a file under e_CACHE); a process-local memo short-circuits repeat resolutions. Warm-cache cost is roughly 6 µs vs the ~4 µs baseline.
Wired into fpw.php, search.php, signup.php, user.php, and usersettings.php. The wrappers call it immediately before the existing require/include so caller-scope template variables ($FPW_TABLE, $SIGNUP_BODY, etc.) remain assignable. Refs #5653. (https://github.com/e107inc/e107/commit/b1290139)
trusted_hosts SitePref plumbing. A new e107::isAllowedHost() private helper composes the allow-list from parse_url(siteurl)['host'] plus the entries saved in trusted_hosts. The pref reads as a newline-separated list; the saver normalises (scheme/path strip, case-fold dedup) before writing back. (https://github.com/e107inc/e107/commit/c2bb246b)
Docker-based parallel test environments. e107_tests/bin/e107-tests is a new CLI that spins up an isolated PHP + Apache + MySQL stack per worktree (up | down | reset | clean | install | urls | status | logs | shell | db-shell | exec | run | list). Each worktree + matrix combo gets a deterministic compose project name derived from the worktree path, so parallel sessions never collide on container names, networks, volumes, or host ports. A new config.docker.yml layer slots into the existing config cascade (sample → yml → docker → local).
Test coverage. resize_handlerTest exercises the ImageMagick branch of resize_image() with three command-substitution payloads and asserts no marker file is created and no id-style output leaks into a filename. e107HostValidationTest covers the case-fold, www-strip, and port-strip behaviour of e107::isAllowedHost() plus trusted_hosts composition. e107RequireLegacyTemplateTest covers the tokeniser context filtering, define/warn behaviour, scope preservation, missing-file return value, and the #5653 regression case. (https://github.com/e107inc/e107/commit/794a179f, https://github.com/e107inc/e107/commit/c2bb246b, https://github.com/e107inc/e107/commit/b1290139)
Changed
language::bcDefs() no-argument default expanded. The boot-time call from class2.php:590 previously defined only LAN_180 → LAN_SEARCH. Legacy templates that referenced any other dropped v1.x constant whose replacement happens to live in English/English.php still fataled on PHP 8. The default now covers ~20 boot-resolvable aliases: generic actions (LAN_406 / LAN_419 / LAN_435), the v1 download prefix (LAN_dl_7..LAN_dl_35), and a defined-as-empty group for dropped-without-replacement constants.
Conflict policy: where the same legacy constant had divergent mappings across per-entrypoint shims (LAN_7..LAN_10, LAN_112, LAN_122, etc.) the global default deliberately omits them and per-entrypoint shims remain authoritative. Mappings whose replacement lives in a lazy lan_*.php cannot be resolved at boot (defined() returns false and the entry silently no-ops); those are still handled by per-entrypoint language::bcDefs() calls after the relevant e107::coreLan(). Refs #5653. (https://github.com/e107inc/e107/commit/d2ef6b10)
Host comparison helper. A new e107::normaliseHost() lowercases, strips a trailing port, and strips a leading www. before comparison. Plugins that previously did their own Host-header guards should switch to e107::isAllowedHost() so the trusted_hosts allow-list composes correctly. (https://github.com/e107inc/e107/commit/aba3b169)
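The comparison rules above and the trusted_hosts composition, sketched as an added example that is not e107's own code. The function names, hostnames and pref contents are constructed; only the normalisation steps (case-fold, port strip, www. strip, scheme/path strip, de-duplication) come from these notes.

```php
<?php
// Added illustration; not e107's normaliseHost()/isAllowedHost().
// All names and sample values below are constructed.

/** Lowercase, strip a trailing :port, strip a leading "www.". */
function example_normalise_host($host)
{
    $host = strtolower(trim($host));
    // ":8080" at the very end is a port; "[::1]" ends in "]" and is left alone.
    $host = preg_replace('/:\d+$/', '', $host);
    if (strncmp($host, 'www.', 4) === 0) {
        $host = substr($host, 4);
    }
    return $host;
}

/** Saver side: one entry per line, scheme/path stripped, case-folded, de-duplicated. */
function example_normalise_trusted_hosts($raw)
{
    $out = array();
    foreach (preg_split('/\R/', $raw) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        // parse_url() only reports a host when a scheme is present.
        if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $line)) {
            $line = 'http://' . $line;
        }
        $host = parse_url($line, PHP_URL_HOST);
        if (is_string($host) && $host !== '') {
            $out[strtolower($host)] = strtolower($host); // key collapses duplicates
        }
    }
    return array_values($out);
}

/** Allow-list = host of siteurl + trusted_hosts entries, all compared normalised. */
function example_is_allowed_host($requestHost, $siteurl, $trustedHostsPref)
{
    $allowed  = array();
    $siteHost = parse_url($siteurl, PHP_URL_HOST);
    if (is_string($siteHost) && $siteHost !== '') {
        $allowed[] = example_normalise_host($siteHost);
    }
    foreach (example_normalise_trusted_hosts($trustedHostsPref) as $h) {
        $allowed[] = example_normalise_host($h);
    }
    return in_array(example_normalise_host($requestHost), $allowed, true);
}

// Constructed configuration and incoming Host values.
$siteurl = 'https://example.com/';
$pref    = "https://staging.example.com/\nSTAGING.example.com\nexample.org";

foreach (array('Example.COM', 'www.example.com:8080', 'staging.example.com', 'unlisted.example.net') as $h) {
    $ok = example_is_allowed_host($h, $siteurl, $pref);
    // On a mismatch the real handler answers 503 and logs the detail server-side;
    // the visible page does not echo the Host or the configured siteurl.
    printf("%-24s %s\n", $h, $ok ? 'allow' : 'reject');
}
```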
resize_image() shell escaping. The convert command line now passes the destination through escapeshellarg() and casts the integer geometry/quality args. If you maintain a fork or call resize_image() directly from a plugin, no migration is required, but any caller that previously relied on quoting the destination itself can drop that quoting. Ref GHSA-3j33-c9v4-4p42. (https://github.com/e107inc/e107/commit/794a179f)
Fixed
thumb.php bootstrap. The manual bootstrap chain (prepare_request / setDirs / set_constants / ...) is replaced by e107::initCore() fed the same mySQL-prefixed $sql_info compact() array class2.php passes.
Note the v2.3.x e107::_init() does not translate keys the way master's e107::setMySQLConfig() does, so the array must go in prefixed. The master-style str_replace('mySQL', '', $k) translation breaks v2.3.x because e_db_pdo still reads $config['mySQLserver'] etc. Follow-up to #5664 / #5665. (https://github.com/e107inc/e107/commit/02a79729)
submitnews.php title slug. The slug used to build the destination filename for resize is now confined to [A-Za-z0-9_] before reaching resize_image(), so shell metacharacters never escape the filter even if a future caller relaxes the filename quoting. Ref GHSA-3j33-c9v4-4p42. (https://github.com/e107inc/e107/commit/794a179f)
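The two layers described for GHSA-3j33-c9v4-4p42 (shell-quoting in resize_image() and the slug filter in submitnews.php), shown side by side as an added example that is not e107's code. The command layout, function names, paths and title are constructed, and the commands are only built and printed, never run.

```php
<?php
// Added illustration only; not e107's resize_image() or submitnews.php.
// Command layout, names, paths and the sample title are constructed.

/** Pre-fix shape: the destination is interpolated into the command line unquoted. */
function example_convert_cmd_unsafe($src, $dest, $width, $height, $quality)
{
    return "convert -quality {$quality} -geometry {$width}x{$height} "
         . escapeshellarg($src) . " {$dest}";
}

/** Post-fix shape: numeric arguments cast to int, every path shell-quoted. */
function example_convert_cmd_safe($src, $dest, $width, $height, $quality)
{
    return sprintf(
        'convert -quality %d -geometry %dx%d %s %s',
        (int) $quality,
        (int) $width,
        (int) $height,
        escapeshellarg($src),
        escapeshellarg($dest)
    );
}

/** Second layer: confine a title-derived slug to [A-Za-z0-9_]. */
function example_title_slug($title)
{
    // Assumption: disallowed characters are dropped; the notes only state the allowed set.
    return preg_replace('/[^A-Za-z0-9_]/', '', $title);
}

// Constructed title carrying a harmless command substitution.
$title = 'Summer $(echo INJECTED) trip';
$raw   = 'uploads/' . $title . '.jpg';
$slug  = 'uploads/' . example_title_slug($title) . '.jpg';

// Unquoted destination: a shell would expand $(...) and split on the spaces.
echo "unsafe, raw title : ", example_convert_cmd_unsafe('in.jpg', $raw, 800, 600, 85), "\n";

// Quoted destination: the whole path reaches convert as one literal argument.
echo "safe, raw title   : ", example_convert_cmd_safe('in.jpg', $raw, 800, 600, 85), "\n";

// Slug filter plus int casts: nothing shell-significant is left to quote.
echo "safe, slugged     : ", example_convert_cmd_safe('in.jpg', $slug, '800;x', 600, 85), "\n";
```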
resize_handlerTest teardown sentinel. tearDown() ran even when setUp() had short-circuited via markTestSkipped() (CI images without ImageMagick); in that case $savedPref === null took the unset($GLOBALS['pref']) branch and wiped the global pref array for every following test in the shuffled unit-suite run. A prefMutated sentinel now flips true only after _before() mutates $pref, and _after() bails out early otherwise.
CI on the legacy PHP cells. actions/checkout@v3 was reclassified to a Node 20 action, which requires glibc 2.27+; the official php:5.6 / php:7.0 images are on Debian 9 (glibc 2.24) and the action errors before its main logic. The two legacy cells now use an inline git fetch + git checkout against the run SHA.
The php:5.6 × mysql:8.0 and php:7.0 × mysql:8.0 combinations have also been dropped via matrix.exclude. Mysql:8 starts with character-set-server=utf8mb4 by default and the PDO driver in those PHP versions doesn't recognise the charset, failing the connection handshake before any test runs. (https://github.com/e107inc/e107/commit/d024d205, https://github.com/e107inc/e107/commit/756dc92c)
Composer audit no longer blocks resolution. Composer 2.9.x refuses to resolve package versions affected by a Packagist security advisory at install time. Every twig/twig between v1.28 and v3.20 carries at least one advisory, leaving v3.26.0 as the only resolution candidate; v3.26.0 requires PHP 8.1+, so the PHP 7.4 cell of the unit-test matrix failed composer update. The test harness is dev-only and never ships with a release, so the audit's resolution-time block is now disabled via config.audit.block-insecure: false. composer audit still runs after install and reports any advisories. (https://github.com/e107inc/e107/commit/46351d1a)
Matrix CI design restored. The "Collapse 5×5 matrix into one host-orchestrated job" experiment that landed during the v2.3.5 cycle was reverted: single jobs ran ~20 minutes end-to-end vs ~5 minutes per cell under master's parallel matrix, and exhibited intermittent docker / mysql container startup races at the per-cell DB pre-create step. v2.3.x CI is back to the matrix layout that mirrors master, with the legacy PHP cells extended via the inline-checkout and matrix.exclude pair above. (https://github.com/e107inc/e107/commit/da47684c)
language::bcDefs() graveyard collisions on v2.3.x. Pre-defining LAN_199, LAN_406, and LAN_419 at boot collided with v2.3.x's lazy lan_search.php and lan_upload.php (which still use define(); master converted them to array form in #5465). PHPUnit's convertWarningsToExceptions=true escalated the "Constant already defined" warning and aborted mid-load. Those three entries are dropped on this branch; the lazy LAN files remain authoritative. (https://github.com/e107inc/e107/commit/f1b4bf27)
[!CAUTION] v2.3.5 is a security release for sites on v2.3.4 or earlier. Upgrade from v2.3.4 or earlier 2.x. If your site tracks the master branch, you are already past v2.3.5, so installing it would be a downgrade. v2.4.x is planned to be the next forward step.
[!IMPORTANT] v2.3.5 ships a single fix for a CSRF vulnerability in the AJAX comment moderation endpoints. Sites that allow user comments and have at least one logged-in moderator or admin should upgrade promptly.
Highlights
[Security] CSRF on AJAX comment moderation (GHSA-m4hh-m278-jwg5). The AJAX delete, approve, and edit branches in comment.php previously executed when only the payload and the ADMIN gate were present, so a cross-origin POST without an e-token would still go through. A logged-in moderator visiting an attacker page could be made to block, approve, or edit comments without their knowledge. The endpoints now reject any mutation request that lacks a valid form token, and the front-end UI threads the token through the delete/approve/edit anchors so legitimate clicks keep working. (https://github.com/e107inc/e107/commit/a46a77a6)
For Administrators
Changed
AJAX comment moderation (security). /comment.php?mode=delete, ?mode=approve, and ?mode=edit now return {"msg":"Unauthorized access!","error":true} when the request omits or fails the e-token check. The shipped front-end UI was updated in lockstep, so this is transparent for legitimate use. If you maintain a custom theme that replaces the comment-options or comment-edit shortcodes, see the developer note below. Ref: GHSA-m4hh-m278-jwg5. (https://github.com/e107inc/e107/commit/a46a77a6)
For Developers
Changed
Comment-options shortcodes now emit data-token. comment_shortcodes::sc_comment_delete() and the comment-edit anchor render a data-token attribute populated from e_TOKEN. The corresponding handlers in front.jquery.js read it back and include e-token in the AJAX payload. If you ship a fork of these shortcodes or a custom AJAX client that talks to /comment.php, mirror the change — without it your delete/approve/edit calls will be rejected. Ref: GHSA-m4hh-m278-jwg5. (https://github.com/e107inc/e107/commit/a46a77a6)
Token enforcement is local to comment.php for now. The central session_handler::check() still only validates the token when one is present. If you add new AJAX mutation branches to comment.php or to similar endpoints, guard them explicitly with e107::getSession()->checkFormToken($_POST['e-token']) until the central gate is tightened.
[!CAUTION]
v2.3.4 is a bug-fix release for sites on v2.3.3 or earlier. Upgrade from v2.3.3 or earlier 2.x. If your site tracks the master branch, you are already past v2.3.4, so installing it would be a downgrade. v2.4.x is planned to be the next forward step.
[!IMPORTANT]
v2.3.4 collects the most overdue work in the queue: security advisory fixes for password reset, comment editing, and Media Manager imports; the PHP 8.x compatibility patches that have been accumulating; and the bug fixes that really needed to ship. It's not a feature release; the goal is to give v2.3.x sites a stable point release they can adopt while v2.4 work continues separately.
Highlights
[Security] Critical Broken Access Control on comment edit (GHSA-5w63-63rh-99q6). comment.php previously allowed any authenticated user to overwrite another user's comment by passing that comment's itemid. The updateComment() SQL now requires the row's comment_author_id to match the editor's USERID, so cross-user edits return "Update Failed" instead of succeeding silently. (https://github.com/e107inc/e107/commit/23961a8f)
[Security] Server-Side Request Forgery in Media Manager imports (GHSA-92fr-7h4f-22pp). e_file::getRemoteFile() and getRemoteContent() now reject URLs that resolve to private, loopback, link-local, or otherwise reserved IP addresses, and limit cURL to HTTP/HTTPS. Sites that legitimately need to fetch from intranet hosts can opt back in by defining e_REMOTE_FILE_ALLOW_PRIVATE to true. (https://github.com/e107inc/e107/commit/5f98cc9f, https://github.com/e107inc/e107/commit/40b2d111)
[Security] Privilege hardening. Media Manager preferences and avatar settings now require Main Admin. The default userclass visibility and edit permissions are also Main Admin by default (previously Admin). (#5489, #5477)
Admin area usability. Numerous fatal-error and rendering fixes across admin search, admin UI grids, mailout, polls, datetimepicker, phpinfo, and legacy admin pages. (#5211, #5464, #5271, #5473)
Email reliability. Fixes to CC handling, DKIM identity, persistent-recipient leakage across sendEmail() calls, and IP logging in notifications. (#5498, #5535, #5545)
PHP 8.x compatibility. Several warnings and fatals on PHP 8.0–8.5 removed from db_verify, thumb.php, file_class, theme_handler, and rating-/forum-info rendering. (#4501, #5443, #5482)
Forum info restored. sc_foruminfo now renders active-user counts and the newest member again. Two long-standing bugs had been hiding the whole block: the SELECT for the newest user was commented out, and the e_TRACKING_DISABLED ternary condition was inverted so the block was only shown when tracking was disabled, which is never the default. (https://github.com/e107inc/e107/commit/0e23f651, https://github.com/e107inc/e107/commit/54e4b9de)
[!NOTE]
A note from the maintainer, @Deltik:
v2.4 is going to need more time before it's at the quality level the e107 community deserves. Here's what's upcoming:
MyISAM → InnoDB as the default engine, for crash recovery, row-level locking, and proper transactions
utf8mb3 → utf8mb4 for native emoji support and full Unicode in usernames, posts, and comments
Implicit FULLTEXT indexes that work on InnoDB, so search no longer pins us to MyISAM
JWT-backed CAPTCHAs where the challenge carries its own server-signed solution token, eliminating the need to stash state in a guest session
No more sessions for guests. Every anonymous visitor today gets a server-side session row; that goes away.
New admin area skin with a collapsible sidebar, badges, and mobile navigation
Bootstrap 5.3 + FontAwesome 6 UI refresh across the front-end and admin
Admin change history with revert for auditable database edits
Custom domains per page and static URL mapping for editorial control over URLs
Schema.org (JSON-LD) support for better SEO, with news schema baked in
Sitemap index support for sites past the single-sitemap limit
Image alt-attribute management in Media Manager
Plugin test runner so plugin authors can ship PHPUnit/Codeception tests with their plugins
The community PR backlog finally getting reviewed and processed
Password reset (security). fpw.php now refuses to process any request when the siteurl preference is unset, and builds the reset link from the pref directly rather than from SITEURL (which could be derived from HTTP_HOST). Ref: GHSA-7pmw-jwvr-cq2x. (https://github.com/e107inc/e107/commit/04511f9f)
Media Manager permissions (security). Media Manager Preferences and Avatar settings now require Main Admin. Media Category management is restricted to the A2 permission. (#5489)
Userclass defaults (security). Default userclass visibility and edit permissions now default to Main Admin instead of Admin. (#5477)
Admin area theme gate. Non-bootstrap3 admin themes that were known to break the admin area are no longer accepted; the admin falls back to a working theme. (https://github.com/e107inc/e107/commit/3b7097e0)
Site redirection. www. → bare-domain (and vice versa) handling was refactored out of class2.php into a dedicated method. (#5097)
Fixed
Fatal errors on the admin search page (#5211), the admin-UI with custom method attribute+filter (#5464), the polls form column selector (#5271), and the plugin-repair extended-user-field path (#5483).
Admin user area: avatar rendering (#5146), extended user fields restored after plugin refresh (#5483), unbanned users keeping "not verified" status (https://github.com/e107inc/e107/commit/e875515d), oversized navigation icons (#5345).
Admin email/mailout: CC recipients added correctly, DKIM identity corrected, recipients no longer persist across multiple sendEmail() calls, core prefs no longer stored on instance, mailout mailer-type restriction that was blocking pref saves. (#5498, #5535, #4123, #5355)
Admin log: query-speed optimization and indexing improvements, duplicate column removed from the rolling log, debug SQL query output. (#5490, #5473)
Forum plugin: newforumposts_menu page rendering (#5340), shortcodes now use e_HTTP for online.php links (PR #5340), sc_foruminfo now renders the active-users block and the newest-member link (previously hidden by an inverted condition, with the underlying user lookup query commented out) (https://github.com/e107inc/e107/commit/0e23f651, https://github.com/e107inc/e107/commit/54e4b9de).
Ratings: widget renders cleanly for items that have not been rated yet; previously a missing rating row triggered a PHP warning that became a fatal on PHP 8.5. (https://github.com/e107inc/e107/commit/db358ca1)
News plugin: language loading (#5465), body/extended search scope (#5523).
Signup: COPPA links updated (#5121), duplicate LAN_ERROR_* constants removed (#3438).
Notifications: IPv4 format on user_ban_flood (#3612), IP populated in notify_class (#5545), mcp_token tracker ignored in application tracker (#5288).
Core boot: database warning in class2.php (#5220), missing creation-log entry ID (#5317), config-hash handling (#5120), override-class conflict (#5114), SEF URL in the admin user-settings nav link (#5082).
Scaffold for XmlAdminIcons in plugin_class (with rename guard in media_class). (#5295)
Changed
Comment ownership check. comment::updateComment() now constrains its SQL update to comment_author_id = USERID. If you maintain a fork or plugin that calls this method on behalf of another user (moderator tooling, cron-based imports), expect those calls to silently no-op and refactor toward a moderator-aware helper. Ref: GHSA-5w63-63rh-99q6. (https://github.com/e107inc/e107/commit/23961a8f)
e_file SSRF defense. getRemoteFile() and getRemoteContent() reject URLs that resolve to private/loopback/reserved IPs and any non-HTTP(S) scheme; cURL CURLOPT_PROTOCOLS/CURLOPT_REDIR_PROTOCOLS are pinned to HTTP/HTTPS. IPv4-mapped IPv6 addresses are canonicalized to IPv4 before the range check, so ::ffff:10.0.0.1 is treated as 10.0.0.1 and blocked. Define e_REMOTE_FILE_ALLOW_PRIVATE = true in e107_config.php to bypass for legitimate intranet use. Ref: GHSA-92fr-7h4f-22pp. (https://github.com/e107inc/e107/commit/5f98cc9f, https://github.com/e107inc/e107/commit/40b2d111)
Password reset link construction. fpw.php builds the reset URL from e107::getPref('siteurl') directly instead of the SITEURL constant. If you rely on SITEURL in similar contexts elsewhere, consider doing the same for anything that leaves the server (emails, webhooks, signed URLs). Ref: GHSA-7pmw-jwvr-cq2x. (https://github.com/e107inc/e107/commit/04511f9f)
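A pre-fetch URL check of the kind described for GHSA-92fr-7h4f-22pp, as an added example that is not e_file's implementation. The function names, the injected resolver, the $allowPrivate parameter (standing in for the e_REMOTE_FILE_ALLOW_PRIVATE opt-in) and the DNS table are constructed.

```php
<?php
// Added illustration; not e107's e_file code. Names and sample data are constructed.

/** Canonicalise an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to dotted IPv4. */
function example_canonical_ip($ip)
{
    $bin = @inet_pton($ip);
    $mappedPrefix = str_repeat("\0", 10) . "\xff\xff";
    if ($bin !== false && strlen($bin) === 16 && substr($bin, 0, 12) === $mappedPrefix) {
        return inet_ntop(substr($bin, 12));
    }
    return $ip;
}

/** True only for addresses outside PHP's private and reserved ranges. */
function example_is_public_ip($ip)
{
    return filter_var(
        example_canonical_ip($ip),
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/**
 * Returns array(bool $allowed, string $reason).
 * $resolver maps a hostname to a list of IP strings; injected so the
 * example runs offline (a live check would query DNS instead).
 */
function example_check_remote_url($url, $resolver, $allowPrivate = false)
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme'])) {
        return array(false, 'malformed URL');
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return array(false, 'scheme is not HTTP(S)');
    }
    if (empty($parts['host'])) {
        return array(false, 'no host');
    }
    $host = trim($parts['host'], '[]'); // IPv6 literals arrive bracketed
    $ips  = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? array($host)
        : call_user_func($resolver, $host);
    if (empty($ips)) {
        return array(false, 'host does not resolve');
    }
    if ($allowPrivate) {
        return array(true, 'private ranges explicitly allowed');
    }
    // Every resolved address must pass; one internal record is enough to refuse.
    foreach ($ips as $ip) {
        if (!example_is_public_ip($ip)) {
            return array(false, 'resolves to non-public address ' . example_canonical_ip($ip));
        }
    }
    return array(true, 'ok');
}

// Constructed DNS table; 203.0.113.10 is a stand-in for a public address.
$dns = array(
    'files.example.com' => array('203.0.113.10'),
    'intranet.example'  => array('10.0.0.1'),
    'mapped.example'    => array('::ffff:10.0.0.1'),
    'mixed.example'     => array('203.0.113.10', '192.168.1.5'),
);
$resolver = function ($host) use ($dns) {
    return isset($dns[$host]) ? $dns[$host] : array();
};

$urls = array(
    'https://files.example.com/a.zip', 'http://intranet.example/x',
    'http://mapped.example/x', 'http://mixed.example/x',
    'http://[::1]/', 'http://127.0.0.1:8080/', 'ftp://files.example.com/a.zip',
);
foreach ($urls as $u) {
    list($ok, $why) = example_check_remote_url($u, $resolver);
    printf("%-34s %-6s %s\n", $u, $ok ? 'allow' : 'block', $why);
}
```

In this example the check runs before the fetch, so it only holds if the HTTP client then connects to the address that was vetted and applies the same scheme restriction to redirects.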
Language file tooltips. Inline tooltip LAN constants standardized; some constants were consolidated. (#5465)
Permissions schema. Media Manager and userclass permissions tightened — plugins that depended on Admin (A) access to Media Manager prefs or avatars will now need Main Admin (0). (#5489, #5477)
e_parse::cleanHtml(). HTML5 void elements (, , etc.) are now normalized before serialization so saveHTML() output is identical across libxml versions. libxml as non-void and captured following content as its child; the new pre-serialization pass promotes that content to a sibling, and a complementary post-saveHTML pass strips the stray (and other void-element closing tags) that older libxml still emits, so every libxml ends up with the spec-compliant form. (https://github.com/e107inc/e107/commit/b63d11a2, https://github.com/e107inc/e107/commit/87abb7f7)
Form handler. Help-icon rendering, optgroup class identifiers, DST-related test stability. (#5214, #5269)
JavaScript. Invalid-element tab switch issue in admin/front JS. (#5230)
Update routines. Clear update info after GitHub update in admin boot/db, minor update_routines.php tweak (#5481), warning suppression in admin/auth.php for invalid language values (#5443).
Caching. Fatal in plugin_class.php cache-path resolution. (#5484)
The wait is finally over! e107 v2.3.3 Bootstrap CMS is finally out. This marks the last release that will support PHP 5.6. This release supports all versions of PHP from 5.6 through to 8.2.
Enjoy!
Features
Add missing setMetaTitle() method to e_admin_response #5112
e107 v2.3.1 is finally here, and with it a bunch of new features, improvements and bug fixes.
Support for PHP 5.6 through PHP 8.1 (#4554) – e107 v2 now adds PHP 8.0 and 8.1 support while maintaining support for PHP 5.6.
New Admin Theme Skins - Modern Light and Modern Dark. May now be selected during initial installation of e107.
Collapsible Navigation Panel - Option to reduce left-panel admin area navigation to icons only, for increased screen real-estate where it matters.
Database session handler performance improvement (#4575) – e107 v2.3.0 introduced a non-blocking session handler backed by the database; however, a missing index causes gradually slower performance the more rows there are in the session table. This release fixes that bug by adding the missing index through a database update (migration).
Thumbnail Generator rebuilt to use Intervention library.
WebP image support (#4270) – e107 can now serve WebP images to compatible browsers and convert existing images on-the-fly. Requires PHP 7.0+ with the GD WebP extension installed.
More reliable file uploads – A common complaint with e107 v2.3.0 was rejected file uploads. To fix this, e107 now recognizes files based on their MIME type.
Increased protection against cross-site scripting (XSS) – There is now improved layering of HTML tag rendering to reduce the likelihood of corrupting pages with bad HTML.
Increased protection against cross-site request forgery (CSRF) – Nonces have been added to some forms to prevent external sites from submitting them unbeknown to the authenticated user.
New theming features – Theme developers can now take advantage of Bootstrap 5 and customisable breadcrumbs.
SEO optimizations for Google, Facebook (Open Graph) and Twitter.
New "Hero" plugin for home page carousel management. Supports animated bullet points and buttons. (see e107.org home page for example)
After the release of 2.2.0, we have been working on crushing some bugs that did have some impact on functionality. We have therefore decided to release 2.2.1 sooner rather than later, and recommend everyone to update.
Please note that the 2.2.0 release was a major release with some important notes. Please refer to the previous post for more information on that release, including an overview of numerous great new features which were added!
New features:
Added new News shortcode {NEWS_AUTHOR_EUF} to retrieve Extended User Fields (e.g. {NEWS_AUTHOR_EUF: field=biography})
Fixes & Improvements:
Fixed a database check/update issue that occurred when the database name contains a hyphen (-) (#3800)
Fixed an issue with the Menu Manager preview not loading in some cases (#3815)
Fixed frontpage button link to Admin Area (#3775)
Fixed an issue with inserting a new custom page when using PHP 7.3 (#3812)
Added tablerender id to error pages (#3801)
Fixed an issue with (un)serialization (#2990)
Fixed comment author avatar not showing correctly in comment form (#3813)
Fixed issue in Download plugin with batch userclass options
Fixed issue in Forum plugin with forum moderator userclass recognition (#3814), with the Userlist shortcode links (#3809), and added placeholder option in {SEARCH} shortcode
Several Forum template optimizations for Bootstrap 4 (#2969)
We are very excited to announce the release of e107 v2.2.0!
This major release contains numerous new features as well as a great bunch of bug fixes and additional improvements. We recommend everyone upgrade immediately! Additionally there are some important notes that should be considered when updating to the latest version. Please read these carefully!
Important notes:
The minimum PHP version as of 2.2.0 is now set to 5.6. Using PHP 7.1+ is recommended.
If you use any PHP version lower than 5.6, your website may break!
Bootstrap 4 Library has been updated to latest version: 4.3.1. See examples in the bootstrap4 theme
FontAwesome has been updated to the latest version 5.7.2. See examples in the _blank theme (theme.xml and theme.php)
db_Fetch() in e_LEGACY_MODE permanently removed. Old plugins should use e107::getDb()->fetch('both'); if this is still required.
Changes to comments: Any reference to #comments-container (div ID) in the theme must be changed to .comments-container (div class) (#1944)
New features:
GDPR features: added "Privacy Policy" and "Terms and conditions" preferences. Added {SIGNUP_GDPR_PRIVACYPOLICY_LINK} and {SIGNUP_GDPR_TERMSANDCONDITIONS_LINK} shortcodes. (#3175 and #3579).
Admin Login with email address is now functional
Chatbox plugin: new default templates added (#3630)
Constants SITENAME and SITEDESCRIPTION can be overridden using English_custom.php or English_global.php plugin LAN files.
Added more styling functionality to {SIGNUP_IMAGES} and {SIGNUP_SIGNUP_TEXT} (#3582) and {LOGIN_*} shortcodes (#3466)
Added event triggers for rate/like functionality: user_like_submitted & user_rate_submitted (#3552)
Added load() method for the e_admin addon. See _blank plugin for examples. (#3695)
New MySQL database export method integrated to increase performance when creating a backup
"Under the hood" preparations to clean-up existing code (improving code quality) and introduction of new (database) interfaces for better support of up-to-date technology and easier 'hookings' of other/external interfaces (e.g. databases)
For developers: automated tests added in e107-test repository https://github.com/e107inc/e107-test (to prevent bugs from being introduced, rather than having to fix them after they are an issue)
FontAwesome is now used by the NextPrev
New method added e107::getUserClass()->getUsersInClass
News e_related, added {RELATED_DATE} shortcode
Added afterPrefsSave() method in Admin-UI (#3799)
Fixes & Improvements:
Several improvements to plugin installation and related addons (#3531, #3536, #3592)
Improvements to plugin identification when checking for updates (#3711)
Several fixes to the Private Messenger plugin (#1758, #3413)
Several fixes to the Banner plugin (#3141)
Several fixes to the FAQ plugin
Several fixes to the Forum plugin: not being able to move a forum post (#3619), forum moderators permissions (#3490), deleting of last post (#3490), forum pagination, newforumposts plugin (#3757), inline editing of forum name was changing SEF URL (#3798)
Several fixes to the Download plugin (#3201, #3189, #3199, #2486, #3787)
Fixed an issue where the verification of LAN pack would falsely return errors (#3632)
Fixes to 'type' => 'country' in the Admin-UI (#3644)
Enhancements to the 'search' functionality in Admin-UI across different fields
User Extended Field country correctly displayed in User Profile (#3646)
User Extended Fields 'read' permission is now properly checked (#1799)
Avatars now support 'crop' to allow for non-square images. Simple usage: {USER_AVATAR: w=150&h=150&crop=1&shape=circle} (#3721)
Fixed an issue with the Admin Area > Preferences page crashing on specific Windows server environments (#3625)
Fixed an issue with the SEF URL configuration when social network tracking queries were used (e.g. Facebook links) (#3546)
Several improvements to theme layout detection
Improved user_forum_post_report, user_forum_post_report and user_forum_topic_created_probationary event triggers (#3618)
Improved filetypes and filesize checks when uploading files (#3507, #3460)
Added /contact SEF URL (#3566)
Fixed an issue with navigation (site links) icons not resizing properly (#3712)
Fixed an issue with list() method in the e_admin addon (#3695)
Fixed an issue with userclasses being reset when 'probationary' user was automatically promoted to 'normal' user (#3657)
Rewritten "password reset" functionality to support webmail software pre-loading links. Links expire in 10 minutes now. (#3443)
"Required fields" indicator now properly showing on signup page and usersettings (profile) (#3676)
Relative datestamp now properly distinguishes between past and future dates (#3605)
Improved backwards compatibility when using BBcodes and WYSIWYG editor
Fixed an issue with Admin Help text not displaying in correct language (#3485)
Several enhancements to handle deprecated mysql_*() methods and improved PDO usage
Several compatibility fixes with Bootstrap 4 (#2962, #2969, and others)
Several PHP 7 compatibility fixes (#3216, #3596, #3562 and others)
We're happy to announce the release of e107 v2.1.9!
This release contains some great improvements as well as bug fixes. We recommend everyone upgrade immediately.
New features
It is now possible to override the chosen editor pref (WYSIWYG), using the e107::getForm()->bbarea() method by changing the $options array, e.g. $options['wysiwyg'] = 'tinymce4' (#3330)
Added option define('X-FRAME-SAMEORIGIN', false); in e107_config to allow for external websites including an e107 website through an iframe (#3101)
Fixes & improvements:
Fixed issue in update routine caused by an incorrect version number (#3302 #3311)
Added backwards compatibility fix to handle old data formatting better (#3305)
Fixed issue with multiple userclass selection in the Admin UI (#3249)
The CSS file ensuring backwards compatibility for non-Bootstrap or legacy themes (backcompat.css) is now correctly loaded
Fixed issue with LAN's not loading properly on contact.php page
Fixed issue with parsing the sign (#3307)
Fixed issue with 'To' textbox not showing in mail-out functionality (#3303)
Fixed issue with missing navigation text in Admin Area when using 'medium' width devices
Improved support for SVG icons (#1958)
Fixed several issues related to the displaying of comments (#2425 #2281 #2937)
Fixed issue so 'Items per page' option is now respected on custom pages (#3188)
Added default custom fields to Bootstrap 3 template (#3103)
Improved support for Cyrillic characters on registration and login (#2440)
Plugin Builder generated output improved with examples of custom filter and batch options.
Fixed an issue with the language packs not displaying in the Admin Area (#3059)
Added e_gsitemap addon to News and Download plugin (#2606)
Fixed an issue with error pages and redirection (#3179)
Added new event triggers and notifications for the Forum plugin: user_forum_topic_created_probationary, user_forum_topic_updated, user_forum_topic_moved, user_forum_topic_deleted, user_forum_topic_split, user_forum_post_created, user_forum_post_updated, user_forum_post_deleted, user_forum_post_report
Added BBcode template for Forum plugin (#3317)
New preferences in the Forum plugin which allow choosing between the BBcode and TinyMCE editors (#3318)
Fixed issues with Forum plugin URLs (#3171)
Fixed URL issue in Forum plugin when moving a forum topic (#3244)
Improved Forum parsing: forum titles are only shown using plain text (no HTML or BBcode) (#3245)
Fixed an issue in the forum plugin when marking a forum topic as 'read' (#3338)
Fixed issue in the featurebox plugin which caused debug information to show (#3290 #3074)
Fixed issue with incorrect 'update required' message showing for the featurebox plugin