Releases: jbroadway/elefant

2.0.10

10 Nov 15:33
@lux lux
  • "Images: Before/After" option was added to Dynamic Objects, powered by BeerSlider
  • Added Model::delete() method to build delete statements using Model::query() chains
  • Added webfeeds cover image to blog RSS output
  • Consistency fix for +() characters in HMAC auth, since some clients encode differently
  • Updated tests for PHPUnit 8
  • Updated URLify plugin
  • Record error to console if a visible notice isn't present for a form validation error
  • Added subresource integrity parameters to Page::add_script() and Page::add_style() to set integrity and crossorigin attributes
  • Removed references to Aviary editor and Persona auth
  • Added JSON Feed support to the blog
  • Added Media RSS support to the blog
  • Added SameSite support for CSRF protection for PHP 7.3+ users
  • Added Form::failed() convenience method
  • Only load lib/vendor/autoload.php if it exists
  • Deny all requests to /lib/*
  • Switched file manager endpoints to passing file parameter explicitly instead of inferring from the path

2.0.9

07 Apr 21:17
@lux lux

Security update

Updated the Apache .htaccess settings and Nginx example configuration to more securely handle files uploaded through the file manager.

Note: Nginx users should copy the following new lines into their server{} block in their Nginx configuration and restart Nginx to apply the update:

location ~ ^/files/.*\.(?!(gif|jpe?g|png|mp4|pdf))$ {
	add_header Content-disposition "attachment";
}

It was also discovered that file extension limits weren't being verified when renaming files, which has been fixed too.
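
A check of which request paths the Nginx `location` pattern in the note above selects, as an added Python example that is not part of the Elefant release notes. As written, the `$` follows the lookahead directly, so the pattern only matches paths ending in a literal dot; `VARIANT_PATTERN` and the sample paths are assumptions constructed for this check.

```python
import re

# Pattern copied verbatim from the release note's location block.
# Nginx evaluates it with PCRE; Python's re agrees for this construct.
NOTE_PATTERN = re.compile(r"^/files/.*\.(?!(gif|jpe?g|png|mp4|pdf))$")

# Assumed variant (not from the release note): the end anchor sits inside
# the lookahead, and the extension is consumed before the final $.
VARIANT_PATTERN = re.compile(
    r"^/files/.*\.(?!(gif|jpe?g|png|mp4|pdf)$)[^./]*$"
)

# Constructed sample request paths.
SAMPLE_PATHS = [
    "/files/photo.jpg",
    "/files/docs/report.pdf",
    "/files/page.html",
    "/files/drawing.svg",
    "/files/archive.tar.gz",
    "/files/trailing.",
    "/files/photo.jpg.html",
    "/other/page.html",
]


def forced_download(pattern, paths=SAMPLE_PATHS):
    """Return the paths the location block would apply to, i.e. those
    that would be served with Content-disposition: attachment."""
    return [p for p in paths if pattern.search(p)]


if __name__ == "__main__":
    for name, pattern in (("note", NOTE_PATTERN), ("variant", VARIANT_PATTERN)):
        print(name)
        for path in SAMPLE_PATHS:
            verdict = "attachment" if pattern.search(path) else "inline"
            print(f"  {path:28} {verdict}")
```

Running the same sample paths through `curl -I` against a staging server and checking for the `Content-disposition` header confirms what the deployed configuration actually does.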

Search improvements

We've made some big improvements to the search bar for Web Pages, Blog Posts, and Accounts. This also affects Model::where_search(), improving other instances of it as well.

You can now use "quoted text" in searches to search for literal phrases that include spaces.

You can also use -word to omit words from your search. Combined, these improvements give users a lot more flexibility in how they can query their data.

Other improvements

  • Password recovery page can be overridden with a custom handler.
  • Added a new |absolutize template filter (usage: {url|absolutize}) to ensure URLs are absolute.
  • Added conf/envmap.php to map alternate environment variables to Elefant's own.

Bug fixes

  • Fixed an issue deleting files.
  • Fixed empty searches in Model::where_search().
  • Fixed consistency of HMAC to prefer + instead of %20.
  • Fixed potential error in blog post parsing.

2.0.8

09 Dec 16:49

Improvements:

  • I18n filters now accept DateTime objects in addition to date strings
  • Added Form::generate_csrf_token() for custom use cases
  • Minimal grid supports every column size increment of 5%
  • Image::resize() defaults to auto-detecting the correct format
  • Access control on WYSIWYG editor plugins so the editor can still be used by non-admins
  • Updated Google OAuth2 login support and added Google auth credentials to user settings form
  • Added admin/util/select-buttons helper to convert select boxes to button groups
  • Let users set jquery_source = Off to disable jQuery completely on the front-end
  • Force jQuery source to be local if admin
  • Admin toolbar and admin area usability improvements
  • Added admin/modal template for admin pages in frames
  • Upgraded URLify to version 1.1.2-stable
  • Upgraded Analog to version 1.0.11-stable

Bug fixes:

  • Fixed error marking file manager app upgraded
  • Fixed exception in admin toolbar template
  • Removed PHP 5.3 from travis-ci config, fixed PHPUnit issues on travis-ci
  • Fixed issue with dollar signs in some database passwords
  • Fixed warning on templates not always quoting array keys

2.0.7

11 Sep 13:38

Security updates:

  • Fixed remote execution in file manager (#287)
  • Fixed remote execution in stylesheet editor (#286)

Improvements:

  • Added "Now" button next to date field in blog posts

Bug fixes:

  • Fixed open graph image dimension tags

2.0.6

05 Sep 17:51

Improvements:

  • Added emoji support to page titles and descriptions, block titles, and blog post titles
  • Added one-click Bitly link generator to file manager
  • Revamped Elefant backend UI with larger inputs, buttons, and spacing for improved usability
  • Updated minimal-grid.css to accommodate wider screen widths
  • Added og:image:width and og:image:height Open Graph tags to blog posts
  • Added I18n::short_date_year_time filter for short dates including years + times

Bug fixes:

  • Fixed timecodes in embedded YouTube videos
  • Fixed upload validation error in filemanager/util/browser

2.0.5

27 Aug 15:37
  • Additional CSRF protection on uploads and other forms
  • Fixed pager on user chooser widget for sites with thousands of users
  • Added first/last page buttons to user chooser and dynamic objects widgets

2.0.4

22 Aug 16:50

Security updates:

  • Fixed URL decoding happening after validation on some file uploads
  • Increased restrictions in .htaccess files
  • Added .phtml, .pht, .php3, .php4, and .phar to restricted uploads
  • Limit profile photo uploads to .jpg and .png
  • Verify .csv and .vcf user imports

Improvements:

  • Added responsive embed code for YouTube videos
  • Added superscript button to WYSIWYG editor
  • Added social/cookienotice helper for cookie law compliance
  • Added .e-col-15 to minimal-grid.css
  • Added $.recenter_modal() to modal.js and auto-resize on window resize
  • Close modal dialogs by clicking away
  • User ID from API tokens is now available via user\Auth\HMAC::$user_id
  • Added --no-symbols option to ./elefant generate-password
  • Allow $page->add_style() with ?v= appended to stylesheet links for cache busting
  • Added month limit to blog archives sidebar
  • Re-enabled caching on blog archives sidebar

Bug fixes:

  • Fixed thumbnail preview in blog edit form
  • Fixed potentially skewed profile photos in accounts
  • Fixed validation errors in RSS output
  • Admins should be able to preview scheduled posts
  • Fixed admin toolbar not correctly fetching list of apps
  • Fixed use of undefined constant in admin toolbar
  • Strip script and style tags from open graph post descriptions

2.0.3

25 Jan 11:16

Changes:

  • Added 'Twitter: Tweet This' option to Dynamic Objects menu to display tweetable quotes in posts and pages.
  • Improved HMAC validation by making data lowercase to avoid urlencoding differences in other programming languages.
  • Added client-side validation to filetype validation rule.
  • Added Facebook Pixel tracking support.
  • Upgraded MediaElement video player to version 4.2.7
  • Added new fcallback input validation rule to validate file uploads with a callback (e.g., to validate file contents)
  • Added 'Video GIF (MP4)' option to Dynamic Objects for mp4 videos as gifs (autoplays, loops, muted, and no player controls)

Fixes:

  • Fixed an error cancelling forms.
  • Fixed image size ratio differences in blog sidebar thumbnails.

2.0.2

16 Oct 17:16

Changes:

2.0.1

24 May 15:09

Bug fixes:

  • Additional type check on $ext in ExtendedModel
  • Namespace fix in HMAC authenticator