[[WikkaReleaseNotes | Wikka Changelog]]
----
===== [[WhatsNew | Wikka 1.1.6.3]] Release Notes =====
''Released on May 7, 2007''

>>===This is an archive page===
For the **{{color c="red" text="latest release"}}** news please refer to [[WhatsNew | this page]].
==See also:==
~-**[[WhatsNew1163 | What's new in 1.1.6.3?]]**
~-[[ThirdPartyInfo | Third-party bundled software]]
~-[[http://wush.net/trac/wikka/roadmap | Wikka development roadmap]]
>>::c::

==Security patches==
~-Sanitized UserSettings to prevent JS injection. Ticket:363 (thanks to Sakaru)
~-Secured ##""LoadRecentComments()""## and ##""LoadRecentlyCommented()""##. Ticket:383
~-Dropped the use of ##""GetEnv()""## to retrieve the Wikka configuration because of potential security issues on shared servers. It is still possible to load a configuration file stored outside the installation directory (and outside the webroot, for increased security) by editing wikka.php, uncommenting the definition of WAKKA_CONFIG, and defining it as the path to your configuration file. Ticket:98
~-Fixed a bug that allowed information on revisions to private pages (page name, edit note and revision datetime) to show up in the RecentChanges feed. Ticket:305
~-Replaced every occurrence of ##$_REQUEST## with ##$_GET## or ##$_POST##, so that each handler reads user input only from the source it expects instead of from the merged GET/POST/cookie array. Ticket:312
~-Patched a native PHP vulnerability (HTML Entity Encoder Heap Overflow Vulnerability) affecting virtually //any// web application running on PHP<5.2. The security fix was also applied to the bundled GeSHi version 1.0.7.18. Ticket:427

==Bug fixes==
~-Fixed a bug producing invalid XHTML in referrer handlers. Ticket:469
~-Added the missing trailing slash that could result in an invalid ##base_url## during installation. Ticket:438
~-Fixed a bug in Onyx that could prevent correct feed parsing when using PHP<4.3.0. Ticket:420
~-Further minor fixes. Ticket:466, Ticket:437

----
CategoryEN
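The WAKKA_CONFIG change (Ticket:98) is easier to follow with a loader in front of you. The block below is an added example, not Wikka's own wikka.php: the entry script names the configuration file with a constant instead of asking ##getenv()## for the path, and checks the file before including it. The constant name comes from the release notes; the ##load_wikka_config()## function, the sample path, the webroot check and the assumption that the config file defines ##$wakkaConfig## are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not Wikka's wikka.php). Uncomment and adjust the define in
// the real entry script; a file outside the published tree can never be
// served as a static download even if PHP handling is misconfigured.
// define('WAKKA_CONFIG', '/srv/wikka-private/wikka.config.php');  // hypothetical path

/**
 * Include the configuration file at $path and return the $wakkaConfig array
 * it is assumed to define. Rejects unreadable files and files inside $webroot.
 */
function load_wikka_config(string $path, string $webroot): array
{
    $real = realpath($path);
    if ($real === false || !is_file($real) || !is_readable($real)) {
        throw new RuntimeException('Configuration file missing or unreadable');
    }
    $root = realpath($webroot);
    if ($root !== false
        && strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
        throw new RuntimeException('Configuration file must not live inside the webroot');
    }
    // Included inside the function, so the file's variables stay local.
    $wakkaConfig = array();
    include $real;
    if (!is_array($wakkaConfig) || $wakkaConfig === array()) {
        throw new RuntimeException('Configuration file did not define $wakkaConfig');
    }
    return $wakkaConfig;
}

// ---- demo with constructed files, not a real installation ----
$base    = sys_get_temp_dir() . '/wikka-cfg-demo-' . getmypid();
$webroot = $base . '/htdocs';   // what the web server would publish
$private = $base . '/private';  // outside the webroot
mkdir($webroot, 0700, true);
mkdir($private, 0700, true);
$sample = "<?php\n\$wakkaConfig = array('wakka_name' => 'DemoWiki',"
        . " 'base_url' => 'http://localhost/wikka/');\n";
file_put_contents($private . '/wikka.config.php', $sample);
file_put_contents($webroot . '/wikka.config.php', $sample);

// Accepted: the copy outside the webroot.
$cfg = load_wikka_config($private . '/wikka.config.php', $webroot);
echo 'loaded: ', $cfg['wakka_name'], "\n";

// Rejected: the same file placed inside the webroot.
try {
    load_wikka_config($webroot . '/wikka.config.php', $webroot);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Remove the constructed files.
unlink($private . '/wikka.config.php');
unlink($webroot . '/wikka.config.php');
rmdir($private);
rmdir($webroot);
rmdir($base);
```

The exception messages deliberately do not echo the resolved path, so a misconfiguration does not reveal the private directory to the browser.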
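The ##$_REQUEST## replacement (Ticket:312) is worth seeing side by side. ##$_REQUEST## is the merge of ##$_GET##, ##$_POST## and ##$_COOKIE## in the order given by PHP's ##variables_order## (default ##EGPCS##, later sources overwriting earlier ones), so a handler reading it cannot tell a form submission from a crafted link or a planted cookie. The block below is an added example, not Wikka code: the ##merge_request()## helper reproduces that merge, and the two ##delete_page_*## handlers and the sample requests are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not Wikka code. Shows why reading $_REQUEST is weaker than
// reading $_GET or $_POST explicitly.

/** Build $_REQUEST the way PHP does for a given variables_order string. */
function merge_request(array $get, array $post, array $cookie, string $order = 'EGPCS'): array
{
    $sources = array('G' => $get, 'P' => $post, 'C' => $cookie);
    $merged = array();
    foreach (str_split($order) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_merge($merged, $sources[$letter]);  // later source wins
        }
    }
    return $merged;
}

/** Before: a destructive action keyed off the merged $_REQUEST array. */
function delete_page_vulnerable(array $request): string
{
    if (isset($request['page'], $request['confirm']) && $request['confirm'] === 'yes') {
        return 'deleted ' . $request['page'];
    }
    return 'no action';
}

/** After: the action requires a POST and reads only from the POST body. */
function delete_page_hardened(string $method, array $post): string
{
    if ($method !== 'POST') {
        return 'no action';   // a link, <img src> or redirect cannot trigger this
    }
    if (isset($post['page'], $post['confirm']) && $post['confirm'] === 'yes') {
        return 'deleted ' . $post['page'];
    }
    return 'no action';
}

// Constructed request 1: a GET from a crafted link, empty POST body.
$get    = array('page' => 'HomePage', 'confirm' => 'yes');
$post   = array();
$cookie = array();
$request = merge_request($get, $post, $cookie);
echo 'crafted link, vulnerable: ', delete_page_vulnerable($request), "\n";
echo 'crafted link, hardened:   ', delete_page_hardened('GET', $post), "\n";

// Constructed request 2: a genuine POST for SandBox, but a cookie named
// "page" was planted earlier. With EGPCS the cookie overwrites the POST value.
$post   = array('page' => 'SandBox', 'confirm' => 'yes');
$cookie = array('page' => 'HomePage');
$request = merge_request(array(), $post, $cookie);
echo 'planted cookie, vulnerable: ', delete_page_vulnerable($request), "\n";
echo 'planted cookie, hardened:   ', delete_page_hardened('POST', $post), "\n";
```

On PHP 5.3 and later the separate ##request_order## setting (##GP## in the shipped php.ini) decides what goes into ##$_REQUEST##, which keeps cookies out but still leaves GET and POST indistinguishable; reading the specific superglobal, as the patch does, removes the ambiguity regardless of ini settings.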