glFusion v1.1.3 is primarily a security and bug fix release, with a few minor feature enhancements thrown in.

This release does make database modifications, so you must run the Installation / Upgrade routine after you have loaded the files to your server.

There are three security updates included with this release to address the following issues:

SQL Injection Issue which could allow an attacker to compromise (gain access) to any user's password hash. This was a very serious vulnerability which could allow your admin user account to become compromised.

User Masquerading which would allow anyone to log in as any user if they knew the password hash of the user. By setting the appropriate cookie on their own browser, you could bypass the user name / password screen and log in directly. Combined with the SQL Injection issue above, this would allow an attacker to easily log in as any user.

Cross Site Scripting (XSS) Issue which could allow an attacker to use a glFusion site in cross site scripting attacks.

All of these issues have been fixed in glFusion v1.1.3 and some additional checks have been included to help prevent future issues like these.

Caching of the template files generally provides a significant performance boost, but we have found in some environments it can actually have a negative impact on performance. Specifically, on sites where the disk access is slower, caching of the templates will slow down the site and add to the server load. A good is example is Windows based servers that use network shares to store the web directories.

You now have the ability to control whether or not the templates are cached. In the Online Configuration system, under Themes, is the new option Enable Template Caching. We recommend you do your own tests, disable caching and see how it affects the performance of your site.

glFusion uses several small template files to assemble each web page. It can be difficult to understand which template to modify to affect a change to the look and feel of your site. While not a new feature, glFusion has always supported having comments in the template files that are stripped before sending to the browser. These comments are surrounded by {# …comment here #}. The new feature in v1.1.3 is the ability to convert these internal template comments into HTML comments. This means any {# #} will be translated into <!– –> so you can see them when viewing the source of your rendered web page.

We have also added a special template variable called templatelocation which is replaced the physical location and name of the current template file. We have added the following comment to every .thtml template (in private/plugins as well as public_html/):

  {# begin {templatelocation} #}
  
  {# end {templatelocation} #}

If you enable Template Comments, when you view the source of your page, you'll see something like this for each template used to build the page:

<!--  begin /usr/home/www/private/plugins/polls/templates/pollanswer.thtml  -->
  <li><input type="radio" name="aid[0]" value="6" />&nbsp;Other</li>
<!--  end /usr/home/www/private/plugins/polls/templates/pollanswer.thtml  -->

You can now easily see what template is being used, the content it produces, and where it ends.

glFusion has always had the ability to show or hide most of the Story Information information like author, views, mail story, etc. The ability to hide or show the story date / time was never included. We've solved this oversight by adding the option to show or hide the story date / time.

glFusion v1.1.1 added a new feature to consolidate all CSS and JavaScript output into a single reference point for the browser. This significantly improved the page load times. Now that this feature has been well exercised, we've also discovered it can add some extra CPU load to the server. We've redesigned how the CSS and JavaScript is spooled so we now have the best of both worlds, improved page load times and no additional server load.

We moved the Current Password field to the top of the entry form. Since a user must enter their current password to change their existing password, it makes sense to have it listed before the new password fields.

We've also added a Password Strength meter to give feedback to the user on how secure their password really is.

• What's New block did not honor the URL rewrite setting for stories (Mark)
• Increased size of Forum category title text (Eric)
• Not all StaticPage options are cloned (mark)
• The theme API themename_themeJS() has been renamed to theme_themeJS() and no longer relies (or uses) the themename. (mark)
• Removed PDF option references and consistency fixes in story templates (Eric)
• Fixed issue where 1 or 111 would show up in templates (Mark)
• Updated getID3() to latest production release (Mark)
• Static page bullets not working in IE and proper nesting of typography icons (Eric)
• Search box text is hard coded in header.thtml (Eric)
• Forum code block max width breaks fixed width layouts (Eric)
• After mailing users, screen refreshes to admin/moderation.php not admin/index.php (Eric)
• Language & Layout inconsistencies (Eric)
• Improved error detection when sending emails (Mark)
• Tweaked plugin upload to not crash when hitting certain permission errors (Mark)
• “Edit a Comment' is hard coded in the source (mark)
• Sending trackbacks to WordPress sites fail (mark)
• Uploading large plugins could error with max_execution_time exceeded (mark)
• The template library does not properly handle double dashes (–) in the item id when creating the instance cache HTML comment (mark)
• Hide “Comments (0)” indication when there are 0 comments (Eric)
• Default text size for textarea (Eric)
• Menu graphic <li> background does not display in IE6 (Eric)
• “No boxes” should read “No Blocks” in Account Settings (Eric)
• Clean up loginform.thtml (Eric)
• Copy icon broken in site tailor (Eric)
• Default topic was not selected on new stories (mark)
• htmlLawed has been upgraded to v1.1.7.2 (mark)
• Deleting a plugins files (without uninstalling the plugin) causes glFusion to crash (mark)
• Postcards do not display properly in mail client (mark)
• CUSTOM_templateSetVars() does not work for story templates (mark)
• Icon for additional profile API broken (mark)
• Added default mooDrawer and mooMorph example widgets (Eric)

Calendar Plugin

• Implemented getheadercss() - allows admin to have custom style.css (Mark)
• Cannot edit minutes field in Event Start Date after 1.1.2 upgrade (mark)

CAPTCHA Plugin

• If using the 'general' option to enable CAPTCHA in a static page, there is no template variable to pass (mark)

FileMgmt Plugin

• If uploads are not moderated, the extension mapping rename is not performed. (mark)

Forum Plugin

• Added ability to have custom style.css in theme/plugins/forum/ (Mark)
• Removed duplicate configuration data from config.php (Mark)

Media Gallery Plugin

• Added $_MG_CONF['play_mp4_flv'] option to play MP4 video in Flash Video Player (Mark)
• Added ability to have custom style.css in theme/plugins/mediagallery/ (Mark)
• Fixed gallery_remote issue where parent/child relationship was not properly set (Mark)
• Fixed some cosmetic issues with Coppermine import (Mark)
• Search results do not honor the gallery view thumbnail size. (mark)

Polls Plugin

• Added ability to have custom style.css in theme/plugins/polls/ (Mark)

Site Tailor

• Canceling edit of menu item returns to menu listing instead of element list (mark)
• When trying to edit a menu's elements, it crashes with editTree() error. (mark)

v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.1
v1.0.0