docs/NEWS

Version 2.6-alpha1 ()
------------------------------------------------------------------------

   * Update bundled avatar plugin: Fix gravatar image fetching, remove
     defunct options for identica and twitter avatars, and clean up
     documentation,

   * PHP 8.4 fix: Remove deprecated constant E_STRICT

   * PHP 8 compatibility fixes for bundled XML/RPC.php

   * Upgrade bundled jQuery to jQuery 3

   * Fix option to set a different theme as fallback option by setting
     Engine: $themename in a themes info.txt

   * Let installer check for the intl extension, needed for the strftime
     compatibility library used for PHP 8.1+

   * Update Parser of textile plugin

   * Update smarty from v4.3.5 to v5.4.3. This new major version has
     breaking changes, worked around as much as possible in the s9y core

   * Fix an often broken element of old themes by not adding the
     integrated search box when 2k11 is used as the default theme

   * Fix specific search terms (like a - at the end) causing an error
     page when using MySQL/MariaDB (thanks to  GuillaumeValadas) 

   * Swap order of entries in the dashboard, so that upcoming
     entries are shown first

   * Set more efficient defaults for (jpg) thumbnail generation

   * Add ability to receive webmentions. They will be displayed as ping-
     or trackbacks

   * Fix admin dashboard link in menu not showing tool tips
     (thanks to HQJaTu Jari Turkia)

   * Fix token cleanup SQL statement in PostgreSQL environments
     (thanks to HQJaTu Jari Turkia)

   * Block access to .inc php files via .htaccess

   * Make serendipity_sendMail() standard compliant by using CRLF
     instead of LF to separate headers.

Version 2.5.0 (February 13th, 2024)
------------------------------------------------------------------------

   * Restore compatibility with PHP 7.4 by setting that version as
     composer platform (downgrades psr/simple-cache dependency)

   * Remove bundled composer.phar (thanks to hboeck)

   * Update composer dependencies (mostly for PHP 8.3 compatibility):
      katzgrau/klogger (1.0.0 => 1.2.2)
      pear/http_request2 (v2.5.1 => v2.6.0)
      pear/net_dns2 (v1.5.3 => v1.5.4)
      psr/log (1.0.0 => 1.1.4)
      smarty/smarty (v4.3.2 => v4.3.5)

   * Fix a PHP notice in User management ("isEditable") (garvinhicking)

   * Fix a bug when the p parameter given was set to 0 (@hannob)

   * Fix an incompatibility with MySQL 5.7 or later (@mariohommel)


Version 2.5-beta1 (September 28th, 2023)
------------------------------------------------------------------------

   * Update Net/DNS2 to v1.5.3
     This dependency was also added to composer. A wrapper was added for
     backwards compatibility with the old include path.

   * Fix Onyx/RSS dependency under PHP >= 8.0

   * Address several warnings when using PHP 8.2

   * Update HTTP_Request2 to current version v2.5.1
     This dependency was also added to composer. A wrapper was added for
     backwards compatibility with the old include path.
     Subsequently, some files form bundled_libs/HTTP were dropped that
     were not part of Request2.

   * Update smarty to current version v4.3.2.
     Also enables a warning suppressor, which should avoid issues with
     old smarty templates when using PHP 8.0 or newer.
  
   * Avoid warning under PHP 8.2 when using an SQLite database

   * Improved and extended russian translation files, thanks to Vadim
     Rakhmatullin

   * [!] Bugfix: Fixes showing wrong values for Usergroup permission
         configuration. All checkboxes where enabled instead of
         only the ones really set, thus saving any usergroup with
         these checkboxes would changer permissions as indicated
         by the checked values. Please ensure after upgrading that
         any possible custom usergroup configurations have the 
         wanted permission settings. If you have never saved
         a permission group setting, you will not be impacted.
         (garvinhicking)

   * Adds new time formats to 2k11 frontend (using %H:%M for date output)

   * Fix: Several uninitialized variable error notices in upgrader,
          category management, maintenance (garvinhicking)

   * Fix: 2k11 fonts now downloaded locally and included with template.

   * Fix: Utilizes missing variables in Smarty admin upgrader
     (garvinhicking)

Version 2.4.0 (November 20th, 2022)
------------------------------------------------------------------------

   * Fix: Avoid bad number of arguments to sprintf and fix logic error
     in spamblock plugin.     

   * Improve w3c compatibility be encode square brackets of comment
     mode links (thanks @hannob)

   * Fix: Previewing comments warning threw a warning on PHP 8, when
          debug mode on (thanks @hannob)

   * Fix: Editor autosave cached was not deleted when saving entry

   * Fix: Editor autosave was not on by default, despite the setting
          being active by default

   * Fix: admin/entries.tpl: fix undefined variable iso2br

   * Fix: The calendar plugin threw a warning about $cond['join'] not
          existing in some setups

   * Fix: Avoid one more situation where responsive image upscaled
          a small thumbnail

   * Bugfix: Entryproperites plugin no longer insert empty records
     for multiple authors (garvinhicking)

   * Improve permalink generation performance and enable more unicode
     replacements (thanks to mbirth!)

Version 2.4-beta1 (September 12th, 2021)
------------------------------------------------------------------------
   * Hide more PHP warnings in production mode, to ease the migration
     to PHP 8
   * Fix: Deleting a user was not possible
   * New images added via the ML will set loading="lazy", improving
     site performance for visitors (only if height and width known)
   * Remove multitude of wysiwyg toolbars
   * PHP 8 compatibility for serendipity core
   * Fix: Using the ML filters in the selection popup after uploading
          no longer removes option to insert image into article
   * Drop never fully integrated laminas-db powered database backend
   * Drop legacy mysql database backend (long ago replaced by mysqli)
   * Update Cache/Lite to 1.8.3 for better PHP 7.4 compat
   * Change backend_image_add hook to always contain same structure
   * Split date and time input in editor into two input fields
   * Improve performance of the media library by caching the file list
   
Version 2.4-alpha2 ()
------------------------------------------------------------------------
   * Adds 'image_id' to event 'backend_image_add' in addData array
   * Move MySQL databases from MyIsam and UTF8 to InnoDB and utf8mb4, 
     enabling full unicode input.
   * added type 'media' to configuration types,
     this shows an input text with the button for the media library,
     unified the CSS between this item and the plugin item,
     hide the preview when no image is selected
   * renamed 'multiDelete' in media selection to 'multicheck'
     as suggested in the comments
   * check for empty file input in media_upload
   * stripped the multilingual tags from the preview iframe
   * totally resorted the language files, added a new 'langsorter.php'
     script which automatically sorts and completes the languages,
     strings which doesn't seem in use are now in the 'orphaned' section
   * Make it possible for plugins to let the core skip the check
     whether trackbacks are already sent, with 
     $serendipity['skip_trackback_check']
   * Add the original image to the response images srcset when
     the original image is small, to avoid upscaling

Version 2.4-alpha1 ()
------------------------------------------------------------------------

   * template/bootstrap4/sidebar.tpl: fix usage of wrong template
     variable which prevented the sidebar from being emitted.

   * templates/2k11/admin/comments.tpl: Stay on the same page after
     approving a comment; truncate comments to the same length (200)
     as given by /include/admin/comments.php

   * Merge s9y and plugin update notifications in dashboard.

   * Fix: Simplify count_plugin_upgrades() in event_spartacus.

   * Fix: Modified sql statement used for htaccess blocking to work in
          MySQL 5.7.
          Thanks to @fasterit!

   * Switch new installations with MySQL >= 5.6.4 or MariaDB >= 10.0.5
     to the InooDB stoprage engine and utf8mb4 charset. This enables
     proper unicode support plus fulltext indexes, something older
     mysql databases were not capable of

   * Plugin nl2br: Include figure and figcaption tags (2.21.3)
     Thanks to @stephanbrunker!

   * Plugin spamblock: Add timeout protection against spambots (1.89).
     Thanks to @stephanbrunker!

   * #657: functions.config.inc.php:
     eventhooks backend_login and backend_fail in function
     serendipity_login and serendipity_authenticate_author
     now only called with external=true (secondary login)

   * Fix: added eventhook multilingual_strip_langs in
     categories and permalinks for tagged translation
     Thanks to @stephanbrunker!

   * Change language names to native languages.
     Thanks to @stephanbrunker!

   * #650: Multiple fixes and enhancements, mainly to language settings.
     Thanks to @stephanbrunker!

     * admin/personal.inc.php: removed setting of $_SESSION:
       serendipity_lang (already set in serendipity_config.inc.php
       for all scenarios)
     * admin/plugins.inc.php: fix some lookups from $_GET to
       $serendipity['GET']
     * compat.inc.php: function detectLanguage returns now NULL if
       the detection failed, also doesn't change $serendipity['autolang']
       anymore which remains 'en' as general fallback.
     * functions.config.inc.php:
       * major rework of the functions serendipity_getSessionLanguage
         and serendipity_getPostAuthSessionLanguage. Those two functions
         should now process the user input via GET and POST, store it
         into SESSION and COOKIE, and if no such input is given,
         fallback to browser language negotiation and default language.
         More details in the comments to that functions.
         $serendipity['detected_lang'] is the language found from user
         input or browser negotiation.
       * function serendipity_load_configuration sets the language
         back to 'autolang' (which is 'en') if the language loaded does
         not exist. Also sets the value $serendipity['default_lang']
         to the default language of the blog.
       * removed the Cookie 'userDefLang' which is no longer needed
     * functions.entries.php:
       * function serendipity_printArchives() hooks now
         into hook_event::'frontend_fetchentries' to get multilingual
         data, also doesn't show months and years with zero entries.
       * function fetchEntryCategories, fetchEntryData and
         fetchCategories strips now data of multilingual tags
     * functions.routing.inc.php: fix some lookups from $_GET to
       $serendipity['GET']
     * plugin_api.inc.php: added function find_plugin_id which returns
       an array of the ids of the installed instances of the given plugin
       this is used for checking the configuration of that plugin in other
       plugins
     * created a new event hook 'multilingual_strip_langs' to strip
       tagged translation of elements outside the sidebar (mostly
       categories in entry display).

   * Add plugin update notifications to the plugin update button and
     to the dashboard.

Version 2.3.5 (April 25th, 2020)
------------------------------------------------------------------------

   * Fix: CSS: Restrict block display of summary to trackbacks. (#703)

   * Fix: Don't strip HTML from comments body in serendipity_plugin_comments
          before serendipity_event_unstrip_tags can convert the HTML tags
          (being called via frontend_display hook). (#702)

   * Fix: [CKE] Don't remove <details> and <summary> elements from
          WYSIWYG editor.

   * Fix: Don't delete extend properties from the entryproperties
          plugin when publishing from dashboard (or sending
          delayed trackbacks). (#695)

   * Fix: SQL error in serendipity_plugin_history present since we
          "don't allow requesting an archive page that doesn't exist"
          (2.3.3). (#694)

   * Fix: Entry title in backend list of entries was double escaped.

   * Fix: Don't drop upgraded_version from local plugin cache.

   * Fix: Regular expression in functions_routing.inc.php

   * Fix: Truncate extension of media items to 5 chars (which ist the
          max length of the corresponding database field). (#609)
          Thanks to @mmitch!

Version 2.3.4 (March 25th, 2020)
------------------------------------------------------------------------

   * Security: Fix RCE on Windows.
     Thanks to Junyu Zhang <rgdz.eye@gmail.com>!

   * Fix: ML: Fixed filename generation when renaming and added
          some error messages on rename failures.

   * Display source of plugins (Spartacus, bundled or locally installed).

Version 2.3.3 (March 22nd, 2020)
------------------------------------------------------------------------

   * #651: When using checkboxes to insert multiple media files, if only
     one asset has been selected, do not use the gallery mode,
     but instead single-asset view. Also improves to click the title
     of an asset to select its checkbox, and hides the 'Insert all'
     button when no assets are selected. (garvinhicking)

   * Use the video tag for videos in the Medialibrary, also when
     inserting such a video into an entry

   * media_choose.tpl: Fixes bad usage of
     {serendipity_hookPlugin eventData=...} to {serendipity_hookPlugin eventData=}
     and allow plugins to skip HTML block insertion to use their own
     markup

   * Updates mailer event plugin to support force sending mails on
     published blog entries and ability to prepend a mail body.
     Also fixes missing "keep strip tags" configuration option

   * Fix serendipity_killPath().
     Thanks to @surrim!

   * Don't allow requesting an archive page that doesn't exist.
     Thanks to @lotharsm!

   * Fix: Set action to empty in functions_routing.php when serving JS;
     otherwise the default page has been generated at every call.

   * Fix: Add valid HTTP referrer when trying to delete a
          trackback from the frontend.

   * Fix: Wordwrap at word boundaries only in bundled plugin
          serendipity_plugin_comments.

   * Fix: Force empty limit to "" in serendipity_fetchEntries().

   * Fix: Escape version string in update notifier to avoid XSS.

   * Fix: Prevent renaming a ML object into an existing file,
          resulting in deletion of both from disk and database.

   * Fix: Items in Medialibrary that are not images now get
          the correct link

   * Fix: Remember where you stored images last (#652)

   * Fix: [bbcode] Get roman numerals working in bbcode plugin.
          Thanks to Fabien Chabreuil!

   * Fix: Force positive limits for number of entries shown on
          title page and in RSS feed. s9y doesn't work with 0 or
          negative numbers, so force our default (15) in this case,
          (#646)

Version 2.3.2 (October 16th, 2019)
------------------------------------------------------------------------

   * Fix: Auto-generated mails submitted to qmail as MTA will get
          mangled if encoded to quoted-printable due to qmail
          changing "\r\n" linebreaks to "\r\r\n". Submit just "\n"
          as linebreaks; other MTAs should cope with that.

   * fix: Rotating an image did not rotate all responsive thumbnails

   * fix: The wysiwyg editor stripped the figcaption element used
          for image captions

   * Only populate $serendipity['GET'], $serendipity['POST'] and
     $serendipity['COOKIE'] with references to $_GET['serendipity'],
     $_POST['serendipity'], $_COOKIE['serendipity'] if they are
     transmitted as an array. Else, an empty array is used.
     Prevents PHP warnings (Issue 642) thanks to @hannob

   * Escape category images to avoid backend XSS.
     Thanks to @hannob!

   * Only allows .txt and .log files for spamblock logging.
     Thanks to Gary O'Leary-Steele (CVE TBD)

   * Fixes not properly displaying plugin save errors (validation)

   * Fix autologin when using MySQL (thanks @Eike Rathke,
     https://github.com/s9y/Serendipity/pull/632)

Version 2.3.1 (August 21st, 2019)
------------------------------------------------------------------------

   * Enhance i18n of ML multimove.

   * Fix ML multidelete.

   * Change footer_info and prev/next links for archive pages for
     "stable archives" sort order.

   * Fix pagination in core for "stable archives" sort order and fix
     prev/next links for pagination in timeline and bulletproof themes
     when "stable archives" are active.

   * Add Spartacus links ("more info") to plugin lists.

   * Fix/Change: Wording of plugin display ("version") and PHP/smarty
                 variable names.

   * Spartacus: Fix caching of plugin lists in getCachedPlugins().

Version 2.3.0 (August 10th, 2019)
------------------------------------------------------------------------

    * Fix: Don't show "Array" under Update notification if autoupdate
           plugin is not installed

    * Fix PHP 7.4 issue in PEAR HTTP_Request2

Version 2.3-rc1 (August 3rd, 2019)
------------------------------------------------------------------------

    * spamblock: Minor code change for PHP 7.4 compatibility (thanks
                 @hannob!)

    * Fix: Make $entry available for templates.

    * bulletproof theme: Fix preview iframe.

Version 2.3-beta1 (April 26th 2019)
------------------------------------------------------------------------
    * Activate stablearchive option by default for new blogs

    * Fix: Smarty reference and PHP7.2 compatibility issue in timeline theme.

    * Fix: PHP7.2 compatibility issue in clean-blog theme.

    * Security: Fix XSS in Editor Preview by interpreted EXIF tags
                (thanks @hannob!)

    * Security: Fix XSS in Media Library by interpreted EXIF tags
                (thanks @hannob!)

    * Allow to receive multiple trackbacks and pingbacks
      (thanks @mitch!)

    * Fallback for $lang variable when configuration failed to load,
      which evades some unuseful error messages (thanks @HQJaTu!)

    * Improve nl2br p mode to works with tags like <strike>
      (thanks @stephanbrunker)

    * Minimal PHP version is now PHP 7.0

    * Update voku/simple-cache to 4.0.1, fixes opcache warning on
      hosted environments (thanks @voku and @hannob)

    * Fix bug in nl2br's p mode that ate pre elements (thanks
      @stephanbrunker!)

    * Add internal cache invalidation when comment is added

    * Move cache into functions.inc.php, resulting in this API:
        * serendipity_setupCache() (used internally)
        * serendipity_cleanCache()
        * serendipity_cacheItem($key, $item, $ttl = 3600)
        * serendipity_getCacheItem($key)

    * Drop deprecated serendipity_purgeEntry function

    * Default settings: Disable entryproperties cache, enable internal
                        cache

    * Update Smarty to 3.1.33

    * Use voku/simple-cache for internal cache as bundled lib, which
      will allow to cache with memcached and redis instead of just
      on the filesystem

    * Set responsiveimages as default plugin

    * Add rewrite to absolute url for srcsets to the feed
      generation

    * Fix bug with not properly adding trailing "/" when managing
      directories, so that saving different permissions would not
      be properly applied

    * Re-add missing plugin API event hook backend_media_rename
      from prior pmigration in Serendipity 2.2 (#509)

    * Re-add missing ACL adjustments after renaming a directory
       (#509)

    * Fix typo that switched read permissions with write permissions
      when editing a category ACL

    * Fix mispositioned button in media db directory list.

    * Use figure/figcaption markup for media db images w/ captions.

    * Add localization to maintenance mode, add German translation.

Version 2.2.1-alpha1 (September 20th, 2018)
------------------------------------------------------------------------

    * PHP 7.2 support: New autologin token approach, various code
      changes

    * Add function to add multiple images to an enty at once,
      creating a gallery

    * Add maintenance mode, allowing access to the blog only for
      currently logged in user. This is meant to be activated when
      upgrading the blog.

    * [Security] Improved password hashing by moving to bcrypt

    * Fix bug that could lead to noindex being activated by accident

    * Update Smarty to 3.1.32

    * Update bootstrap 4 design to new bootstrap version

    * Add option to disable google fonts in several designs

    * Make it easier to drag plugins to other columns

    * Improve and fix the p-mode of the nl2br plugin (Stephan Brunker)

    * Support SVGs in Media Library

    * Support automatic generation of responsive image thumbnails, and
      using them when inserting images to entries

    * Rework messy code updating the database and entries when
      renaming or moving items in the media library

    * Improve internal cache to work with more plugins, by reacting
      to more variables changing the output

    * Add backend_view_entry hook, that is executed for every entry
      in the backend entry list

    * Updated entryproperties plugin to support a custom property for
      multiple ownership of an article

    * Emit and detect rel=trackback element to find trackback
      url, to have a reliable alternative to RDF used so far

    * Merge and rename the two configuration variables to limit
      displayed entries in the dashboard (#493):

      $serendipity['dashboardLimit'] and
      $serendipity['dashboardDraftLimit'] are now merged into
      $serendipity['dashboardEntriesLimit'] - please change your
      serendipity_config_local.inc.php accordingly if you used
      the former variables.

      The dashboard will now show as many future entries as
      configured in "dashboardEntriesLimit"; if there are less
      future entries, it will display drafts until
      "dashboardEntriesLimit" is reached.

    * Add a "delete" button to the backend entry form (#491, #494)

    * Change Spartacus default mirror to github (#489)

Version 2.1.6 (August 9th, 2019)
------------------------------------------------------------------------
   * Prevent error in upgrader when $sqlfiles is NULL.

   * Fix preview iframe in bulletproof, thx pixel32

Version 2.1.5 (May 1st, 2019)
------------------------------------------------------------------------
    * Security: Fix XSS in Editor Preview by interpreted EXIF tags
                (thanks to @hannob!)

    * Security: Fix XSS in Media Library by interpreted EXIF tags
                (thanks to @hannob!)

    * Fix mispositioned button in media db directory list.

    * Change default for comment subscription to full text.

    * Display errors if comment coulnd't be deleted.

    * Make it easier to drag plugins to other column.

    * Add fallback for broken JS in configuration screens.

Version 2.1.4 (September 20th, 2018)
------------------------------------------------------------------------

    * Security: Fix XSS for pagination, when multi-category selection
      is used. Thanks to Brian Carpenter (geeknik) and Hanno Boeck!

    * Minor code fixes (proper PHP escaping for 'orderkey' SQL statement

    * Skeleton, Timeline and Clean Blog templates: Add theme option to
      disable google webfonts

    * Link to https s9y.org pages

Version 2.1.3 (August 16th, 2018)
------------------------------------------------------------------------

    * Security: Make sure that the admins configuration for RSS
      and blog entry limit is parsed as integer for SQL queries.
      Thanks to @oreamnos and Hanno Boeck for reporting!

    * Security: Prevent XSS possibility in "edit entries" panel.
      Thanks to @oreamnos and Hanno Boeck for reporting!

    * Security: Disallow sending comment notifications and mails to more than one
      mail address. This could be used to approving opt-ins of requests
      that did not belong to the same email that was approved.
      Thanks to Hanno Boeck for reporting!

    * Security: Remove exit.php open redirect, when not using the trackexits-
      plugin configured with Serendipity exit tracking.
      Thanks to Julio Cesar (from infosec.com.br) and Hanno Boeck for reporting!

    * Fix SQL compatibility for creating of table "serendipity_groupconfig"

    * Added new "legal" plugin property bag attribute to indicate
      impact for the GDPR / DSGVO, used in conjunction with the
      serendipity_event_gdpr_dsgvo plugin

    * Disabled subToMe service by default to prevent issues with GDPR

Version 2.1.2 (March 25, 2018)
------------------------------------------------------------------------

    * Exclude defunct netmirror spartacus repository

    * Adapt .htacess default rules to exclude rewriting documentation
      (Issue #521)

    * Fix a regression in Net/DNSBL regarding
      serendipity_event_spamblock_rbl and
      serendipity_event_spamblock_surbl by adding Net/DNS2 1.4.3 as a
      bundled library to core and patching Net/DNSBL (#497)

    * Fixed broken Akismet API calls (#507)

    * Fixed comment preview for logged-in users (#503)

    * Fixed message display after comment editing/deleting (#526)

    * Don't show empty plugin groups in list (#496) and fix broken
      plugin display in Firefox.

    * Add template path as first entry to template_dirs (#524)

Version 2.1.1 (April 9th, 2017)
------------------------------------------------------------------------

    * Fixed a regression issue where configuration variables could not
      properly be stored when they were set to false.

Version 2.1.0 (April 8th, 2017)
------------------------------------------------------------------------

    * Some more PHP7 error catching

    * Fix missing token when updating plugin

    * Fix missing variable name in regular expression match, Issue #442

Version 2.1-rc1 (January 26th, 2017)
------------------------------------------------------------------------

    * Fix issue #437 - Remove the hardcoded media filter only_filename
      input field and re-allow the $order_fields['i.name'].

    * Issue #430, fix proper name of new feedShowMail configuration var
      in rss.php for showing mail addresses

    * [Security] Enhance CSRF-Tokens for toggling/moderating comments

    * Allow to set a default category for authors (personal preferences)

    * Changed how the hidden password element is displayed to prevent
      browsers from autofilling it into the entryproperties plugin

    * [Security] Enhanced media upload check to also check redirects
      for local files, thanks to Xu Yue (again!)

    * [Security] Prevent XSS in adding category and directory names,
      thanks to Edric Teo @smarterbitbybit.

    * [Security] For multi-deletion of entries, secure the HTTP referrer
      output to prevent XSS (Issue #435)

    * [Security] Reject %0D/%0A in exit tracking and other places
      (Issue #434)

    * [Security] Redirection of comment.php now checks the referrer
      and only allows the blog's host (thanks to Lee Sheldon Victor)

    * [Security] Fix missing integer casting for inserting new categories
      (thanks to cdxy)

    * Disabled Selenium test files unless enabled

Version 2.1-beta2 (September 26th, 2016)
------------------------------------------------------------------------
    * Improved backend accessibility by hiding iconfont icons for
      screenreaders (using aria-hidden).

    * Replaced the JS-based equal height solution in the backend with
      a modern CSS-only solution based on Flexbox for browsers that
      support it. (Browsers that do not support Flexbox or that only
      support outdated versions of Flexbox get the old JS solution as
      a fallback.)

    * [Security] Prevent moving files by using their directory name.
      [Security] Possible SQL injection for entry category assignment
      [Security] Possible SQL injection for removing&adding a plugin

      All issues require a valid backend login.
      Thanks to Hendrik Buchwald for finding this via their
      RIPS source code analyzer (www.ripstech.com)

    * [Security] Add new configuration option to enable fetching
      local files for the media uploader. By default this is now
      disabled to prevent Server Side Request Forgery (SSRF).
      Thanks to Xu Yue for pointing this out!

    * Added new API wrapper serendipity_request_url() to request URLs.
      Currently uses HTTP_Request2, might change to curl or others in
      the future, but irrelevant to plugins using this function.

    * Removed outdated themes blue, carl_contest, kubrick and wp. They
      live on Spartacus now.

    * Added new theme "Skeleton".  Skeleton is a responsive, mobile first
      HTML5/CSS3 theme built on the Skeleton framework.

    * Fix comaptibility bug preventing Internet Explorer (+Edge) to
      clear the entry editor cache when saving an entry

    * Remove backend js from preview_iframe.tpls, makeing entry previews
      faster, more accurate and more reliable

    * Introduce new plugin api function
      $plugin->getFile($filename, $key = 'serendipityPath'). Other
      than parseTemplate($filename) it will not parse the found file
      via smarty, and it allows directories inside $filename. Intended
      use is finding files like images via the fallback chain, giving
      themes the chance to serve custom versions instead.

    * Give theme authors the option to force using a template file from
      the frontend, {getFile file=... frontend=true}

    * Fix entry preview by making sure it always uses the correct
      template files to generate preview, replacing internal magic
      with direct parameters

    * Rewrite and simplification of the file fallback chain in
      serendipity_getTemplateFile. Removes templates/default/ from
      from the chain, as it was replaced by templates/2k11/

Version 2.1-beta1 (June 8th, 2016)
------------------------------------------------------------------------

    * Added new theme "Timeline".  Timeline is a fully responsive,
      mobile first HTML5/CSS3 theme built on the Bootstrap
      framework.

    * Add new config variable $serendipity['cors'] to allow to set
      Access-Control-Allow-Origin: * headers for sensible places
      (RSS feeds), to i.e. allow JavaScript's XMLHTTPRequest to read
      those feeds.

    * Introduce a section with modern recommended themes in the
      themes backend menu. Themes can be included there by setting
      Recommended: Yes in their info.txt

    * Merge sidebar and event upgrade pages in one single page
      button

    * Add colorpicker as possible plugin option item type, set
      type to 'color' to use it

    * Comments made via the backend on own articles don't trigger
      the comment notification (thanks to xoxys)

    * Fix missing perm checks for "standard user" in MediaLibrary

    * Fix show Dashboard entries by authors entries

    * Fix show Dashboard comments by authors entries (#385)

    * Use CDATA encoded body for ATOM feed

    * Fix: Ajax upload to ML now also works for non-images

    * Added new theme "Clean-Blog".  Clean Blog is a fully responsive,
      mobile first HTML5/CSS3 theme built on the Bootstrap
      framework.

    * Fixed checkbox entryproperties re-sets (#376)

    * Fixed media item delete handler (#371)

    * Rewrote Routing code for index.php to be outsourced into
      include/functions_routing

    * Removed broken feature for viewing blog entries by multiple
      authors, dropped code from core and plugin_authors.

    * Optimize scaleImage returns

    * Fixed media item rename handler (#370)

    * Fixed and enhanced multiple media redirects and path / name
      related issues, as well as some better umlaut conversions

    * Allow strict media directory selection by toggle filter

    * Allow a better auto char conversion to media upload item names

    * Added Start / End pagination to MediaLibrary and entries list

    * Added new bulk image move ability to MediaLibrary. This fixes
      several issues with rename AND remove and allows to automatically
      check and set MediaLibrary item entry paths on MOVE.
      Staticpages from v.4.52 are modified to support this too.
      Now supports Quickblog (imageselectorplus) entry path repairs.

    * Fix MediaLibrary objects not pass through into entryproperties
      CustomFields

    * Fix fatal error atom 1.0 issue; References #362

    * Fix eraseEntryEditorCache script in preview_iframe updertHooks
      IFRAME

    * Fix the Serendipity template and file fallback chaining to work
      more precise

    * Disable CKEDITOR Source protection for Smarty and WP-Smarty like
      markup, since now being usable w/o setting ACF OFF

    * Set Serendipity var use_autosave in backend only

    * Fix entries.inc fetching iframe event returning 1, when true and
      added a new language constant change message for multilanguage
      entry changes, instead of the wrongly used save message

    * Fix importers to use the new mysqli API extension with PHP 5+

    * WIP: Added an internal cache to speedup s9y's site generation. Can
      be activated by setting use_internal_cache to true in
      serendipity_config.inc.php. Test feedback needed.

    * Added <IfModule mod_rewrite.c> checks to .htaccess for URL
      rewriting

    * Add support for cronjob plugin to spartacus, to notify blog owner
      about possible updates (via e-mail)

    * Added link to preview spartacus themes on blog.s9y.org

    * Added two configuration variables that can be set in
      serendipity_config_local.inc.php to influence the dashboard entry
      limit:

      - $serendipity['dashboardLimit']: How many future entries to fetch
        (default: 5)
      - $serendipity['dashboardDraftLimit']: How many entries in total
        shall be displayed in the dashboard section (default: 5)
      - $serendipity['dashboardCommentsLimit']: How many comments
        (default: 5)

      (Draft entries will only be fetched if there are less future
      entries than the total entry limit)

    * Fix: the syndication plugin links subtome correctly to the atom
      feed when he is activated with the rss feed

    * Issue #238: When creating/renaming media directories, replace
      special characters with the same i18n rules like Permalinks are
      created, renaming umlauts etc.

    * Add "update all"-button to plugin update page

    * Issue #234: Granular options to force backend popups for certain
      areas

    * Introduce serendipity['ajax'] to detect incoming ajax requests
      and react accordingly in core and plugins

    * Issue #248: Add $serendipity['forceBase64']=true option (can be
      set in serendipity_config_local.inc.php) to make Serendipity
      *not* use 8bit Imap functions for sending mail, for MTAs that
      behave erradically otherwise.

    * Issue #257: Make sure to check entered admin-user password

    * Issue #264: Drop $authorid for permissions based on images
      instead of directories, it was not used anymore

    * Some small enhancements to the error reporting


Version 2.0.3 (January 4th, 2016)
------------------------------------------------------------------------

    * Fix XSS in backend comment editing form for logged-in authors,
      thanks to Onur Yilmaz and Robert Abela from Netsparker.com

    * Fix some backend entry form related event messages


Version 2.0.2 (July 24th, 2015)
------------------------------------------------------------------------

    * Fix security issues reported by Tim Coen of Curesec.com:

      - Forbid uploading files with PHP contents and possible
        PHP execution by authenticated users (critical if
        you have possible untrustworthy authors)
      - Add proper escaping for comment approval tokens to prevent
        SQL injection (authenticated authors only)
      - Add proper escaping of comment's author names in the
        comment reply form to prevent XSS (2k11 template, javascript
        based)

    * Minor layout fixes for media DB media filters

    * Backported some Importer db bugfixes

    * CKEDITOR bugfix releases to 4.4.8 - please read the changelog.
      Includes widget, lineutils, fakeobjects Plugins and S9y added
      cheatsheet and procurator Plugins.
      Changed config.autoParagraph set to false, to prevent wrapping
      p tags around extraAllowedContent tags.

    * Smarty bugfix upgrades to 3.1.27 - please read the changelog.
      Compilation time was vastly improved.
      New Features in NEW_FEATURES.txt.

    * It is now possible to switch to a theme's admin theme if it has
      been selected as a frontend theme first

    * Syndication Plugin Issue #285:
        - Add "none" as possible value for the xml-icon in the
          syndication plugin, to enable plain links
        - Reset subtome full icon path to support
          serendipity_getTemplateFile()
        - Link creation fixes for Bulletproof coloured style (eg blue)

    * Fix auto include of a User theme /admin/user.css backend file.

        PLEASE NOTE:

        2.0.1 brought in an automated include of a themes "user.css"
        file. If you don't want to use such file any more (and you have
        one), you will have to delete or rename it by hand!

        Also please note, that user stylesheet selectors like

            .selector {
                background-image: url(img/example.jpg);
            }

        now need to use the {TEMPLATE_PATH} like

            .selector {
                background-image: url({TEMPLATE_PATH}img/example.jpg);
            }

        Content of a user.css will always be put LAST into the combined
        CSS, this means it will override any possible plugin output.
        If a user.css file does not exist in your own template directory,
        but inside the default 2k11 template directory, this will always
        be used (this behaviour is called "default fallback chain").

    * Use https URLs for Atom feed, if called through HTTPS (hboeck)

    * Restore the "Show toolbar within media selector popup?" option,
      it was ignored before.

    * Fix Issue #321, negative offset for LIMIT SQL statements when
      using stable archive sorting and plugins like history.

    * Templatechooser will not apply theme in backend admin.

    * Use "secure" flag for (session) cookies sent over SSL, thanks to
      dayton967

    * Make preview_iframe.tpl template files load the proper frontend
      CSS file, including cache-busting version string when changing
      themes

    * Implement patch to properly initiate templates_c on installation
      for shared installs (thanks to fugue88)

    * Allow templatechooser plugin to read a custom "blacklist.txt"
      within its directory, that can blacklist certain themes from
      being selected.

    * Allow serendipity_setCookie() function to set custom expiry.

    * Adapt .htaccess profile of "mod_rewrite for 1&1 and problematic
      servers" to not include the "Options -MultiViews" option, since
      this is often blocked

    * Fix initializing smarty framework in the preview/saving iframe,
      so that a template's config.inc.php is always loaded.

    * Show debugging .tpl file information with relative directory only

    * fix wrong upgrade removal of dead files with 2.0.1 update


Version 2.0.1 (March 12th, 2015)
------------------------------------------------------------------------

    * Fix missing escaping (possible XSS) of category names in the
      Backend Entry Admin, which would allow editors that create a
      forged category name to attack other editors in the backend
      (privileged access to the backend required). Thanks a lot to Edric
      Teo for reporting this issue.

    * Improved detection for possible upgrade/plugin/PHP errors. A
      warning will be emitted on the dashboard, when the Serendipity
      JavaScript library could not be loaded.

    * syndication fix: use absolute urls for subtome

    * Issue 306: localStorage may be deactivated by setting a config
      option or using security-related extensions at least in some
      browsers, which might (at least in FF) break backend JS
      functionality. Added extra tests to 2k11 backend JS.

      If you use localStorage, please test if it is actually available
      by testing if localStorage !== null in JS.

    * Issue 280: Allow every theme to utilize a "user.css" file that
      gets loaded on top of the frontend (or backend, if in admin/
      subdirectory) theme. This file can be used for customized CSS of
      a blog-admin which carries over to future Serendipity updates

    * Issue 299: Do not display dashboard for users with no permission
      to perform actions in the backend (frontend-users)

    * Make "rewriteURL" smarty modifier available to do a
      {$CONST.PATH_ARCHIVE|rewriteURL} within a smarty template file.

    * Add a generic odd/even for backend dashboard widgets to align
      properly. Future dashboard widgets need to get the new extra
      class dashboard widget on the section element they create.

    * Fix event emoticate plugin to reflect proper call usage of
      serendipity_getTemplateFile(), if a theme uses custom emoticons.
      UPDATE your themes emoticons.inc.php file, if have. See example
      file in plugin dir.

    * Change 2k11 config.inc.php to reflect proper
      serendipity_getTemplateFile() when frontend files shall be
      referenced within the backend.

    * Fixed missing file message for deleted media items

    * Fixed entry editor JS not emitting a 'No tags' msg in taxonomy
      quick view. Improved serendipity.tagsList exit if freetag plugin
      is not installed.

    * Minor backend UI fixes (taxonomy quick view in entry editor,
     'Done' msg emitted by Bayes plugin)

    * Clearer language constants for entries in dashboard, labelled
      "In progress"


Version 2.0 (January 23rd, 2015)
------------------------------------------------------------------------

    * Smarty fix for purging compiled files

    * Fix wrong search page ordering when stable archive was active

    * Prevent entryproperties from saving/displaying a browser-side
      stored password that was actually not set.

    * Stronger check for existing logger interface to prevent errors
      when it is not actively used.

    * Fix entryproperties being removed when publishing an article
      from the dashboard and by specific plugins (freetag, trackback)
      that modify entry data.

    * Fix deleting comments when user is not an admin, but the entry
      belongs to him. Thanks to berberic.

    * Patch PEAR.php to use "static" isError declaration to prevent
      PHP error messages

    * Change order of IF-statements in entries.tpl to check for
      comment_moderate/comment_added, to properly emit the message
      whether a comment is being moderated.

    * Fix searching for entries in the admin panel with database
      types other than "mysql"

    * Change entry editor's category assignment to toggle between
      a hierarchical and a plain list (good for many categories)

    * Fix date formatting in entry editor to not use ISO year
      but the calendar year

    * Fix autoupdate version read and transmit


Version 2.0-rc2 (December 23rd, 2014)
------------------------------------------------------------------------

    * Fixes escaping of comments in the new backend pane to prevent
      XSS. Thanks to Steffen R�emann for reporting!

    * Fix wrong parameter count in serendipity_entity_decode


Version 2.0-rc1 (includes beta4/5/6) (December 19th, 2014)
------------------------------------------------------------------------

    * entryproperties plugin will now automatically disable nl2br
      markup, when the WYSIWYG editor is used to create en entry

    * PHP Requirement now is at: PHP 5.3+

    * Fix for syndication subtome onclick handler

    * Fix problematic preview stylesheet reference

    * Optimized clearing smarty template files on upgrading

    * Properly reset the "disable markup" feature of entryproperties
      plugin when none selected

    * PHP 5.4+ fix to properly call htmlspecialchars() / htmlentities() /
      html_entity_decode() with a charset option, that has been
      set to to default to UTF-8 and will yield empty strings when
      being used in NON-UTF-8 environments. Now we utilize a
      serendipity_specialchars() wrapper call.

    * Added SQLite3 OO database layer for PHP 5.4+

    * New personal preference to choose CKEditor toolbar presets.
      Presets can be overwritte through a
      templates/xxx/admin/ckeditor_custom_config.js if needed.
      See htmlarea/ckeditor_s9y_config.js for details.

    * Proof of concept templates "default-php" and "default-xml" have
      been moved to Siber...Spartacus. They would need adapting to
      Serendipity 2.0 (simple methods like getConfigDir() et al),
      but since those Template APIs have virtually zero usage scenario,
      they remain experimental.

    * Added new PAT_JS mod_rewrite rule to .htaccess files

    * Removed experimental support for PHP/SMARTY IN-MEMORY caching
      added in 2.0-beta3, since this could not work.

    * Smarty 3.1.21 upgrade (see changelog)

    * Fix ImageMagick new sizing issues while forcing image geometry
      exactly to given sizes with imageselectorplus

    * Fix issue #220 with pdf directory moving rename() error

    * Fix bug in entry listing, which showed wrong categories for
      entries (Issue #201)

    * Improve RegExp for Feed-URL matching, thanks to fugue88

    * Proper SQLite PDO filenames in shared installations (Issue #214)

    * ImageMagick now can get parameters to generate thumbnails,
      see serendipity_config.inc.php for example values

    * Allow to enable/disable the new autosave feature in personal
      preferences (Issue #213)

    * Re-added installer test for writable serendipity base directory


Version 2.0-beta3 (July 25th, 2014)
------------------------------------------------------------------------

    * Move admin/media_showitem.tpl to theme's directory in 2k11. With
      an adaptation in serendipity_admin_image_selector.php, this now is
      a "true" frontend template which uses the styles of the frontend
      theme. Theme authors might want to adapt it to their themes.

    * Moved general syndication plugin option into the core

    * Smarty 3.1.19 upgrade (see changelog)

    * Fixed thumbnail recreation, Issue #134

    * Merged external JS libraries into a central "plugins.js" of the 2k11
      backend template, can be updated through
      templates/2k11/admin/js/gruntipity.php helper script.

    * Adapted database table structure change for statistics, shoutbox,
      karma and spamblock plugin (for new field definition of "ip" field)
      Thanks to rohdef!

    * Added new option "enabledBackendPopups" that allow to specify
      if inline modal dialogs or popups are used in the backend for
      e.g. the category selectory and media library

    * added experimental support for PHP/SMARTY IN MEMORY caching
      Enabled by default, if classes found loaded.
      Disable with
        $serendipity['disable_apc'] = true;
      and
        $serendipity['disable_memcache'] = true;

    * Support added in serendipity_db_schema_import for sqlite
      autoincrement

    * Remove Google Reader button from syndication plugin options

    * Add subToMe-button to syndication plugin and change its defaults

    * Use Browsercache to save cache and restore entries

    * Improved installer to forbid using database table prefixes with
      special characters

    * Themes using Engines are now able to use the parent's
      configuration

    * Prevent "new" plugin api to install double instances of plugins
      that are not stackable (issue #45)

    * Back button in plugin-config

    * Adapted serendipity_editor.js to provide more global (though
      deprecated) API access methods for plugins like amazonchooser
      and linktrimmer, to perform insertion. Also fixed the
      insertion of text when the ID of the element is not prefixed

    * Move sort by name to simple filter in ML, replace file extension

    * Remember selected media library folder

    * Show upload-success or error with the ajax image uploader

    * Fix preview entry exception (issue #119)

    * Add serendipity.toggle_collapsible as a reusable JS function
      for the core backend and backend sections emitted by plugins as
      an easy way to provide show/hide functionality. (yellowled)

    * Fixed media insert target bug (issued by #143, #145, #121)

    * Fixed publish drafted-entries via dashboard (issue #160)

    * All frontend themes that rely on the bundled Core jQuery library
      are currently using the jquery.noConflict-mode for compatibility
      to older plugins.
      This mode is now considered deprecated and will be removed in
      future releases. A new variable:
        $serendipity['capabilities']['jquery-noconflict'] = false;
      in your theme's config.inc.php file can now turn of that
      noConflict-mode.

    * Due to distinction of backend and frontend themes, each theme
      that provides a custom jquery.js now only does so for the
      frontend. The backend now listens to a:

        $serendipity['capabilities']['jquery_backend'] = false;

      variable, and the file needs to be jquery_backend.js that
      a backend theme would reference to.

    * Changed 2k11's config.inc.php file to provide a more stable
      call of event hooks so that other themes can also hook
      their own events.

    * Changed JS for category filtering and its reset button to be a
      reusable function, which is now also used in the list of
      installable plugins.

    * Fixed wrong local documentation URL in plugin configuration

    * Added new "backend_dashboard" event-hook for plugins to use
      within dashboard.

    * Backend and Frontend themes can now be set independently from
      each other. New backend themes now need to set:

        Backend: Yes

      in their info.txt file. If you adapt a custom admin theme,
      ensure that it is compatible to the new "2k11" backend to
      ensure proper future usage within Serendipity. The bulletproof
      backend will now no longer be recognized as a backend theme
      option, but can be selected as a new frontend theme, while
      using 2k11 (=default) in the backend.

    * Include klogger, call it as $serendipity['logger']->debug/error.
      The log-level can be set in the general configuration and is
      disabled by default.

    * Fixed missing s9ymdb ID

    * Add HTTP_Request2 and dependencies as bundled libraries and
      update PEAR library to version 1.9.4

    * Implemented AJAX uploadResize option to allow resizing an image
      before upload (onli)

    * Improved file/directory removal code to (hopefully) fail more
      gracefully

    * Change "default" admin backend template fallback chain so that
      old admin themes can theoretically be shown with the "old"
      admin interface. This however in many themes breaks the
      Serendipity workflow. In other words, currently old custom backend
      themes are deprecated. We are still working on how to deal
      with this and if we can add some sort of compatibility or port.

    * Fix bundled jquery's source mapping, upgraded to 1.11.1

    * Fixed missing media name in resize GET URL

    * Fix MediaDB overlay display

    * Re-Added possibility to change filename/target directory for
      media uploads

    * Update CKEditor to 4.4

    * Fixed some missing internationalization instances

    * Minor CSS improvements for upgrader, plugin sequencing widget

    * RSS importer accepts pubDate in addition to pubdate element.

    * Upgrader in Dashboard can be disabled, returns error message when
      URL not accessible

    * Added a category filtering ability for the entry editor

    * Better check when removing old/dead files to prevent error
      messages

    * WYSIWYG editor respects image floats

    * Support html5 multiple file upload

    * Modernizr, magnificPopup updates

    * Improvements to equal heights js, button labels

    * No longer truncate long entry titles

    * Improve non-WYSIWYG editor tag insertion, url insertion

    * Improve less DOM firing on certain javascript tasks

    * Introduce js_backend event hook


Version 2.0-beta1 and followup -beta2 (April 14th, 2014)
------------------------------------------------------------------------

    * Upgrade Smarty libs to 3.1.18

    * Automatic upgrade removal of old Smarty2 files (2.0-alpha2)
      function uses SPL

    * Implemented patch https://github.com/s9y/Serendipity/pull/15

    * When switching Themes, both the backend and the frontend
      will remember the timestamp of the last theme change,
      to make sure that the browser will not cache a mismatching CSS.

    * Fix theme change issues with global template vars in core
      (1559472ca3) see 'temporary added empty $template_config_groups'
      in 1.7-rc2 (eb77dc369a)

    * Use Smarty for backend display output

    * "Themes" are now what has previously been mixed as "Design",
      "Theme", "Template" or "Layouts".

    * WYSIWYG-Spawn-API reworked (2k11/admin/wysiwyg_init.tpl)

    * All Javascript-functions like SetCookie now reside in a
      serendipity-object, simulating a namespace.
        SetCookie(...)
      became
        serendipity.SetCookie(...)

    * Renamed JS-Function:
        toggleCategorySelector became toggle_category_selector

    * The advanced js option (eyecandy) got removed, as such a thing
      like advanced js doesn't exist anymore

    * dashboard_plugin has an equivalent in the core, replacing the
      frontpage

    * Constants like S9Y_FRAMEWORK_COMPAT are no longer set
      (include_once is used instead)

    * New additional option to render smarty-functions:
      serendipity_smarty_show($template, $data)

    * A number of functions now returns their result instead of echoing
      them (TODO: a bunch of image- and
      trackback-functions still use echo for messages"):
        serendipity_plugin_config
        serendipity_printEntryForm
        serendipity_printEntries
        function serendipity_showMedia
        serendipity_showPropertyForm
        showMediaLibrary
        serendipity_guessInput
        memSnap
        serendipity_displayTopUrlList
        serendipity_displayTopExits
        serendipity_displayTopReferrers
        serendipity_printConfigTemplate
        show_plugins

    * Functions removed from the core:
        serendipity_printConfigJS

    * Functions added to the core:
        serendipity_generateImageSelectorParams

    * All internal plugins got extracted from plugin_internal.inc.php
      and moved to plugins/.
      They are renamed to work there (upgrader task provides migration):
        serendipity_calendar_plugin    became serendipity_plugin_calendar
        serendipity_quicksearch_plugin became serendipity_plugin_quicksearch
        serendipity_archives_plugin    became serendipity_plugin_archives
        serendipity_categories_plugin  became serendipity_plugin_categories
        serendipity_syndication_plugin became serendipity_plugin_syndication
        serendipity_superuser_plugin   became serendipity_plugin_superuser
        serendipity_plug_plugin        became serendipity_plugin_plug

    * Add plugin hook "js", generating a virtual serendipity.js

    * Admin JS is now bundled in serendipity_editor.js.tpl and
      rendered using smarty in the theme config

    * Admin JS got rewritten using jQuery where applicable

    * serendipity_define.js.php removed

    * Removed support for layout.php

    * The whole PHP-Code now almost never echoes integrated HTML, but
      uses smarty template (TODO: Remove the almost)
      The necessary smarty-templates reside in 2k11/admin/
      Every theme can generate its own backend if it integrates those
      templates under admin/ itself

    * 2k11 is set as the new default backend, replacing bulletproof.
      default remains the fallback so far.

    * A number of functions had some arguments removed:
        * function serendipity_displayImageList:
            From
                function serendipity_displayImageList($page = 0, $lineBreak = NULL, $manage = false, $url = NULL, $show_upload = false, $limit_path = NULL, $smarty_display = true)
            to
                function serendipity_displayImageList($page = 0, $lineBreak = NULL, $manage = false, $url = NULL, $show_upload = false, $limit_path = NULL)
        * function serendipity_showMedia
            From
                function serendipity_showMedia(&$file, &$paths, $url = '', $manage = false, $lineBreak = 3, $enclose = true, $smarty_vars = array(), $smarty_display = true)
            to
                function serendipity_showMedia(&$file, &$paths, $url = '', $manage = false, $lineBreak = 3, $enclose = true, $smarty_vars = array())
        * generate_plugins
            From
                static function generate_plugins($side, $tag = '', $negate = false, $class = null, $id = null, $tpl = 'sidebar.tpl')
            to
                static function generate_plugins($side, $negate = false, $class = null, $id = null, $tpl = 'sidebar.tpl')

    * serendipity_showMedia now no longer returns the used template and
      echoes the generated HTML, but only returns the generated HTML

    * Themes now have their own configuration page,
      ?serendipity[adminModule]=templates&serendipity[adminAction]=editConfiguration

    * jQuery in the backend no longer runs in noConflict-mode. Use
      $(...) instead of jQuery(...)

    * The entryproperty-plugin will now always delete its cache on
      uninstall, not only if the cache is activated then

    * serendipity_is_iframe now really only checks for iframe and
      doesn't also echo it

    * Added option simpleFilters (meant to indicate to show less
      filters and poweruser-options)

    * serendipity_admin_image_selector.php no longer used by 2k11,
      instead the media library (with admin/media_choose.tpl,
      admin/media_upload.tpl, media_pane.tpl, media_items.tpl)
      can generat the imageselector on its own. The editor calls
      serendipity_admin.php?serendipity[adminModule]=media instead,
      with serendipity[textarea] indicating the target, and
      serendipity[showMediaToolbar] activating the imageSelector modus

    * New required PHP-Version: 5.3 or higher (checked in the installer)


Version 1.7.8 (February 9th, 2014)
------------------------------------------------------------------------

    * Fixed POST for db entry insert, caused by 1.7.6 security feature


Version 1.7.7 (February 6th, 2014)
------------------------------------------------------------------------

    * Fixed PHP parse error in templatechooser plugin. Blame garvin. :(


Version 1.7.6 (February 6th, 2014)
------------------------------------------------------------------------

    * Fixed backend security issues, thanks to Stefan Schurtz:

        - XSS of users realname in "Manage users" section
          (Backend, requires login)
        - XSS when creating an entry with bad id/timestamp values
          (Backend, requires login)
        - SQL-Injection for plugin installation parameter
          (Backend, requires admin login)

    * Templatechooser plugin uses "default" template as fallback,
      not "bulletproof".


Version 1.7.5 (January 18th, 2014)
------------------------------------------------------------------------

    * Fixed textile PHP 5.2 (namespace) compat issue

    * Added default value to spamblocks required_fields option [name,
      comment]


Version 1.7.4 (January 11th, 2014)
------------------------------------------------------------------------

    * Fixed emoticate plugin icon link to check for textile class

    * Upgrade textile plugin libs - lib3 extends to PHP >= 5.3.
      Please check for new options!

    * Fixed spamblocks Captcha imagecreate() with PHP > 5.3 versions

    * Smarty 3.1.16 bugfix release - please read bundled-libs/Smarty/change_log.txt
      about changes to versions 3.1.16 and 3.1.15.
      Please also see special bundled-libs/Smarty/3.1.16_RELEASE_NOTES.txt

    * Removed blogg.de filter from spamblock plugin, adapted htaccess
      IP block algorithm for race conditions. .htaccess can now contain
      multiple Deny From ranges to prevent parsing problems (DLange)

    * Fixed IP columns in spamblocklog, spamblock_htaccess, karmalog, visitors
      and shoutbox to varchar(45) for IPv6 - including tunneled IPv4 (39+6)

    * Fixed possible double includement of plugin_internal.inc.php

    * Fix possible temporary caching errors failing $eventData[0]['properties']

    * Basic support for static blocks (includeentry plugin) in 2k11.

    * Added "backend_footer" event hook

    * Exclude "frontpage extensions" directories "_vti_cnf" on windows servers
      in Media Library

    * Fixed pagination when searching terms with fetchlimit < 4

    * Fixed deprecated /e modifier with PHP >= 5.5 in nl2br plugin restore method


Version 1.7.3 (August 28th, 2013)
------------------------------------------------------------------------

    * Trackback to https:// style URLs will use proper port 443 instead
      of 80.

    * Disabled htmlarea spellchecker module, http://osvdb.org/87395
      Thanks for Henri Salo for pointing this out. CVE-2013-5670


Version 1.7.2 (July 26th, 2013)
------------------------------------------------------------------------

    * Fix a syntax error in the "mysql" deprecation code, thanks
      to Ian


Version 1.7.1 (July 26th, 2013)
------------------------------------------------------------------------

    * Added new event hooks "backend_plugins_install", "backend_plugins_update"
      and "backend_templates_install".

    * Serendipity will switch to mysqli if PHP >= 5.5 is used (mysql
      is deprecated)

    * Smarty upgrade to 3.1.14 (read changeLog and the README for API changes since Smarty 2)

    * Upgrader will now remove/delete the browsercompatibility plugin

    * Fixed Media Library exclude path to not show/proceed ckeditor/kcfinders .thumbs dir

    * Fixed bulletproof->colorset GET mismatch with categorytemplates plugin
      config.inc.php [Line 29]

    * German translation for stable archives added (YL)

    * Fixed curl result bug in spartacus plugin

    * Create new migration task for propagate defaultBaseURL when
      currently empty (onli)

    * Fixed statistics sidebar querys ( & for PostgreSQL ) [242520b]
      and added some missing html end tags

    * Added missing current group name when editing usergroups


Version 1.7 (May 11th, 2013)
------------------------------------------------------------------------

    * rc4: Get ready for CKEDITOR-wysiwyg Plugin mode

    * rc4: Fixed fetching javascript object (for nugget textareas) in non-wysiwyg-mode

    * rc4: Change .htaccess blocking mechanism by spamblock plugin to not fetch
      too many datarows, thanks to DLange from the forums. (The .htaccess
      feature is still considered experimental, use at your own risk ;))

    * rc4: Fixed entryproperties backend 'cache now' link

    * rc3 + rc4: Media database: Escape more Cookie values to prevent storing
      possible XSS (http://board.s9y.org/viewtopic.php?f=3&t=19142).
      Escape hotlinked media filename. Escape importer host name error
      Thanks to GreenSun from the forums for bringing this to attention,
      originally reported by Dshellnoi Unix

    * rc2: Alter entries.tpl to add the line:
      {assign var="entry" value=$entry scope="parent"}
      for proper propagation of $entry to sub-templates.

    * rc2: Alter error reporting to only fail when 'debug' mode is enabled,
      so that "normal" blog installations will not fail on specific
      E_STRICT warnings that are not important.

    * rc2: temporary added empty $template_config_groups into templates with config,
      to avoid display troubles for template changes, if previous template had these set.
      Please check your template.

    * rc2: reflect POST submitted changes in Bulletproof template configs re-set situations

    * various PHP 5 compatibility fixes in core and plugins

    * Allow entryproperties plugin to define defaults for custom fields

    * Onyx, Net_URL classes: Remove PHP4 style constructor due to
      PHP5 error "Constructor already defined"

    * Improved RSS sidebarplugin to support Atom

    * Bundled simplepie

    * For Blogs running on a non-UTF-8 language, set a Smarty constant
      to indicate the actually used charset.

    * Added to use MyISAM handler for s9y tables (we do not use InnoDB
      features, but rely on MyISAM fulltext)

    * fixed defaultBaseURL did not show up installer. Thanks to onli.
      Follow up from c292bad

    * fixed draft & future entries preview link in backend

    * Improved karmarating plugin to be able to use AJAX calls
      (gregman)

    * Allow Smarty to fetch .tpl files from all directories so that
      s9y plugin can use the fetch() call for their .tpl files no
      matter which (symlinked) directory the plugin resides in.
      The Smarty security policy to us only serves as a restriction
      within .tpl files to not allow arbitrary PHP modifier/function calls.
      If in the future Smarty supports enforcing trustedDir checks on
      {include} calls separately to smarty->fetch() calls, we'll also
      add that to .tpl files.
      (garvinhicking)

    * Patch by Markus Br�kner: Properly handle files that have no
      extension in media database

    * Made Spartacus recognize github.com mirror (garvinhicking)

    * Add "Summary" output to title of summary archive pages, patch by
      hboeck

    * Set the smarty object by instance (ophian)
      It is often needed to access the Smarty object from anywhere in your code, e.g. in plugins
      We now ensure that there is only one instance of the object available.
      To obtain an instance of this class: $serendipity['smarty'] = Serendipity_Smarty::getInstance();
      The first time this is called a new instance will be created. Thereafter, the same instance is handed back.
      To overwrite use $serendipity['smarty'] = new Serendipity_Smarty; to create a new instance.

    * Set a global Serendipity errorToExceptionHandler (ophian)
      changed some old smarty trigger_errors to PHPs native function

    * Updated spamblock plugin (ophian)
      changed wordfilter to function and Commenters moderation check verify_once
      to get checked via wordfilter to reject known spam comments before

    * Changed backend comment (error) messages  (ophian)
      as now captured and styleable messages
      (newly added .serendipity_backend_msg_notice css class)

    * Updated nl2br plugin (ophian)
      added isolation tag using nl to br
      this also adds some NoBR buttons to backend entry forms

    * Smarty3 support (ophian)
      with this upgrade Serendipity / Smarty will at least need a webserver running the PHP 5.2 series.
      As of August 2011, all PHP users should note, that the PHP 5.2 series is NOT supported anymore by the PHP developers.
      All users are strongly encouraged to upgrade to PHP 5.3.8 and up. Please refer to your ISP about this.

    * Added new serendipity['defaultBaseURL'] variable that makes sure
      that the baseURL is not overriden when configuring serendipity
      with a possibly autodetected currentl URL. Patch by Manko10.


(Older NEWS see file NEWS_OLD)