This is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are advised to upgrade to this release. This release includes another round of XSS fixes, improved Excel export, translation updates, and bug fixes to the SOAP API, installation, plugin system, and email notifications.
This version is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are advised to upgrade to this release. This release includes a security fix for the display of inline attachments, where arbitrary inline attachment rendering could lead to cross-domain scripting or other browser attacks. This version also includes a range of translation updates, regression fixes, and bug fixes, including multiple SOAP API-related bugs and regressions.
Included with this release are a range of bugfixes, translation updates, and general improvements. Highlights include improved installation, a fixed upgrade path from 1.1.x, fixes to the URL and path detection, and updates to the plugin event system. Initial support for browser clickjacking protection has been added (both X-Frame-Options and X-Content-Security-Policy).
It is no longer theoretically possible to log in with a disabled account. A bug in string_sanitize_url() was fixed. Numerous MS SQL bugs were fixed. The Global Profiles list is now sorted. is_writable() in install.php was fixed. A possible redirect to a blank page for new admins was fixed. An incorrect strpos function call was fixed. fixed_in_version was renamed to Fixed_in_version during database