From Habari Project
Welcome to Habari Version 0.7!
This latest release of Habari contains major improvements and feature changes. You should read the Upgrading page before you upgrade.
- A bug in the filtering of <a> tags in comments could have allowed an XSS exploit. Fixed in r4912
- The commenter's name field was not properly stripped of all HTML. When combined with the above issue this could have resulted in an XSS exploit. Fixed in r4193
- <img> tags in comments were poorly sanitized, allowing a potential XSS exploit. Fixed in r4914 and r4915
- A bug in the URL filtering could have allowed an XSS exploit. See r4991, r5006 and r5011.
Bugs and Enhancements
Also, almost every aspect of Habari has had improvements and bug fixes: DB support, AtomPub, ACL, FormUI, the installer, the admin (which is now served as HTML5), and internationalization. See the list of issues closed since 0.6.
- Improved the installer #891.
- Fixed an ACL bug so that users can be restricted to editing just their own profiles #1012.
- Improve database schema updating on SQLite #966.
- Stop authors overwriting changes made by other authors in multi-user sites #253.
- Bug fixes and improvements to the Habari media silo #960, #971, #990, #1110, #1111
- Allow retrieval of posts ordered by post info values #1035.
- Using AtomPub, support creating draft posts #1042 and editing tags #1130.
- Allow other software to use
- Work around bad changes introduced to PDO in PHP 5.2.12 and PHP 5.3.1 #1116, #1338.
- Plugin developers no longer need to use the Update::add() function to check if the plugin has been updated (though it will still work). Instead, the guid can be included in the plugin's XML #1208.
- We've added more unit tests (though there's still a long way to go).
- The manual has been improved.
- Numerous performance tweaks.
- The version of the Blueprint CSS framework that ships with Habari was upgraded from 0.7 to 1.0, which may cause minor display differences for themes which utilize it.
- Several updates to the WordPress importer were added to reduce the number of "garbage" items being imported from newer releases of WordPress. The importer now excludes menu items, auto-saved drafts, and revisions.
- Themes no longer need to manually specify the Atom, APP, and RSD tags in their head HTML; they are included in the theme->header() output by default.
Some things that Habari users should be aware of:
- Plugins now use an XML configuration file, which improves performance. See Creating a Plugin for details. Warning: this change may break your site. When upgrading from 0.6, you should deactivate all your plugins and upgrade them to versions that are compatible with 0.7. See the specific upgrade instructions for details on how to ensure your plugins are compatible.
- The format for theme XML configuration files has changed and themes should no longer declare a THEME_CLASS. Warning: this change may prevent you from activating themes. See the upgrade instructions and Creating a Custom Theme for details.
- Theme comment forms must now use Habari's built-in form builder, FormUI. This makes it easier for plugins to work with comment submission, the most important benefit of which is allowing better spam prevention. Warning: this change may break your theme. See the specific upgrade instructions for details on how to use the FormUI comment form in your theme.
- Tag management has drastically changed internally, and in most cases tag code in themes and plugins will need to be updated. Warning: changes to how tags are implemented are likely to break your theme or plugins. See the specific upgrade instructions.
- Added a system to allow you to add output from plugins without editing theme files. Themes can define Areas to which users can add Blocks provided by plugins. This is similar to what other systems might call widgets.
There are also some changes that will be of interest to developers:
- Introduced the Taxonomy system, and ported the internal tag system to use it. See this post to the -dev mailing list if your theme or plugin retrieves tags.
- The post publish page now supports FormUI validators, so plugins can validate input when creating and editing posts.
- Retrieving and ordering posts via post info is now supported.
- We've upgraded to jQuery 1.4.2 (from 1.2.6!).
- Themes and plugins can now react to the activation and deactivation of themes.
- Options::get() now only accepts two parameters: a name or an array of names, and the default value to return if the option does not exist. If you were previously passing in multiple arguments as options you'll need to update your call. More details are in the commit message of r4390 and updated examples can be found in the
More than 1400 bug fixes and improvements have been made since the last release, but as with any piece of software, issues and enhancement requests remain. For full details see Habari's change management system.
These release notes were compiled by the Habari Community.
On behalf of the community, we give our warmest thanks to the developers and contributors who made this Habari release possible.