Version 1.1.5 of the Vanilla forum was released yesterday. This release is dedicated to fixing vulnerabilities and bugs in the engine (after the previous post, many readers were interested in the issue of security), along with some minor improvements. Here is the complete list of changes:
Security
Fixed XSS vulnerability in the forms on the user profile page.
Fixed XSS vulnerability in the registration form.
The cookie is now regenerated.
Fixed CSRF vulnerability in ajax/UpdateCheck.php.
Fixed CSRF vulnerability on exit page.
More secure storage of user passwords.
Errors
Fixed a bug that did not allow the correct handling of some RemoveTab calls.
Fixed various bugs in the installer that appeared when using custom database prefixes.
Improved verification of the section for the newly created topic.
Fixed a bug in search result links to multipage topics.
Fixed TOS page encoding.
Fixed font declaration in CSS (added quotes and default font).
Added message about successful password change.
Added missing closing DIV on the login page.
Theme editing form has been fixed.
Fixed bug with assigning user permissions.
The names of the DB tables and fields are now taken from configuration variables in many server-side Ajax files.
Fixed typos in Head::AddStyleSheet().
Fixed various typos in comparison and assignment operators (== instead of =).
Improved UTF-8 support in the search engine.
Fixed a typo in AddDaysToTimeStamp().
Added support for SSL-hosted images and profile icons.
The return address is now encoded in the login link.
Usernames are now checked for duplicates when saving a profile.
Fixed some CSS bugs in IE6.
Fixed a bug that prevents the use of numeric database prefixes.
Features
The installer displays a warning when using an empty DB password.
Added various powers.
Added Discussion::DiscussionPrefix().
DiscussionManager::GetDiscussionList() can now collect topics from several sections into one.
Simplified build for deployment (see lussumo.com/docs/doku.php?id=vanilla:installingfromsvn).
Added source JS and CSS.
Added Session::GetCsrfValidationKey() to get a CSRF key.
Added PHPDocumentor-like comments to SqlBuilder.
Added a new option to SqlBuilder::AddWhere() for combining the OR and AND operators.
Added integrity checker (for debugging).
Chmod instructions fixed.
Added jQuery.js (version 1.2.6) in advance, for later use in Vanilla 1.2.