WHATSNEW-5.7

------------------------------------------------------------------------------

                  What's new in each version of Interchange
                (in development since the version 5.6 branch)

------------------------------------------------------------------------------

See UPGRADE document for a list of incompatible changes.


Interchange 5.7.7 released on 2011-06-12.

Core
----
* Ensure users were always assigned sessions when using major
  browsers, regardless of any toolbar matches in the User Agent
  string.

* If we are running an or search and not all of the specs have equivelant sql
  specs (WHERE clauses) then don't try to optimize the query as doing so will
  cause records to not be returned that might match other specs.

* Allow customization of "DO ANOTHER" HTML block in the table editor.  The DO
  ANOTHER block contains hard-coded text and return-pages used for radio buttons
  which is always displayed for new entries.  This change allows customized HTML
  to replace it for when you want to use the table editor in your own custom
  admin pages.

* Strip bad characters from affiliate source.  These characters cause problems
  in the usertrack log (and possibly other places) if they are allowed to remain
  in the source.

* Remove newline from errormessages to be able to parse locale of it

* Fix a bug in the [read-cookie] tag which in very specific rare
  circumstances could return the wrong value for a cookie.

* Fix a bug in parsing of TemplateDir directive with multiple directories
  on a single line (RT#318).
  Thanks to Mat Jones for the report.

* Fix for processing GDBM files while using UTF8.

* Add additional UserDB encryption options.

* Add pragma handling for setting the Cache-Control header.

* Enhance TrustProxy to handle multiple chained proxies.

* Multiple bugfixes to payment modules.

* Fixes when sending UTF-8 email.

Tags
----
* Allow sorting of forum entries.

Standard Demo
-------------
* Fix for adding items to cart with options shows expired page message.  Thanks
  to Steve Graham <icdev@mrlock.com>.

* Fix for country selection drop down. 
  Thanks to Paul Jordan <paul@gishnetwork.com>.

* Fix for state selection drop down for Ireland.
  Thanks to Paul Jordan <paul@gishnetwork.com>.

------------------------------------------------------------------------------

Interchange 5.7.6 released on 2010-03-23.

Core
----
* Fix a "HTTP Response Splitting" security exploit.  This is not known
  to be exploitable in the standard demo, but could potentially affect
  other pages in rare circumstances.

* Fix a bug in initialization of Vend::Payment::BusinessOnlinePayment
  supplemental parameters.

* Fix a bug in css.tag to properly output the css when using the
  inline <style> block.

* Allow for bounces from Autoload routines.

* Fix SpecialPages directive for violation.html.

* Give some sort of informative error message if we crap out loading the locale
  db.

Standard Demo
-------------

* Correct comments in catalog.cfg for Limit robot_expire.

* Add comments for Limit ip_session_expire.

Admin UI
--------

* Remove the AdminUser configuration directive.

* Allow ids to be added to form widgets built from mv_metadata.

Contrib
-------

* Update jEdit syntax highlighting mode.

Debian packaging
----------------

* Multiple bug/dependency fixes.

------------------------------------------------------------------------------


Interchange 5.7.5 released on 2010-02-23.


Core
----

* Fix bug when calling some versions of Sys::Syslog.

* Multiple Debian fixes and translation updates.

* SEO-friendlier ActionMaps supported; hyphens are turned resolved into underscores.

Tags
----

* Make the [forum] tag default to NoReparse.

Payment
-------

* Upgraded Vend::Payment::PaypalExpress to v1.0.7 from http://kiwi.zolotek.net.

  * Fix for yet another variation in the way that Paypal handle Canadian province names. 
    So we have 'British Columbia', 'BC', and now 'B.C.' formats.

  * Allow use of the [assign] tag in shipping. 

  * Allow 'use_billing_override' to send billing addresses.

  * Display Long rather than Short PayPal error message to customers.

  Last three changes contributed by Josh Lavin.

* Added CyberSource SOAP toolkit payment module.  Includes payment modules for:
  * Standard credit card
  * Bill Me Later
  * Paypal Express Checkout
  * Electronic check

* Corrected Vend::Payment::BusinessOnlinePayment handling/passing of
  supplemental parameters.

------------------------------------------------------------------------------


Interchange 5.7.4 released 2009-12-09.


Core
----

* Make the default session 'spider' variable reflect $Vend::Robot status,
  which more accurately says whether the request was made by (what
  Interchange considers) a spider, not just any old temporary session.

* Force raw encoding for file uploads (RT #268).

* Overhaul syslog support and offer much faster Sys::Syslog mechanism.

* Move parsing of CGI input to Vend::Dispatch::open_cat (#268).

* Fix bug related to [tag pragma name value] semantics being different
  than [pragma name value].

* Increased performance when using mv_max_matches with searches:

  * Make mv_max_matches stop all further searching once the limit is
    hit, rather than loading the entire result set into memory and
    then truncating it.

  * Add pragma max_matches, which takes precedence over user-supplied
    mv_max_matches unless the user-supplied argument is more restrictive.

* Provide a default implementation of mime_name for compatibility with
  older versions of Encode.pm.

* Recognize LWP::UserAgent as a robot.

SystemTag
---------

* Avoid encoding binary data in [deliver].

Debian packaging
----------------

* Eliminated commands with absolute paths in maintainer scripts.

* Added Spanish translation of Debconf templates.

Admin UI
--------

* Multiple cleanups and minor performance enhancements.


------------------------------------------------------------------------------


Interchange 5.7.3 released 2009-11-05.


Core
----

* Fix empty charset= lines when no $Vend::StatusLine was previously set.

* Allow POST with Content-type of application/json.

* Remove empty mv_arg from more-list links.

* Cleanup some POD documentation.

* Fix crash with TolerateGet and upload forms (#325).
 
* Show discount error message that was missing. Fixed by Jeff Boes.

* Die on errors in global configuration of crontab.

* Stop display of invalid user-provided session ID. Should not be XSS
  exploitable, since displayed in text/plain context, but don't show anyway
  in case any browser does improper content-type handling.

* Avoid XSS exploit in CGI input error. Reported by Justin Otten.

* Add BounceRobotSessionURL directive to 301 redirect robots which
  provide an explicit mv_session_id to the canonical page URL without
  the explicit mv_session_id. This prevents search engine urls from
  being indexed with an explicit session_id.

Tags
----

* Remove reference to deprecated Spreadsheet::WriteExcel::Big module in
  backup-database tag.

* Allow passing of "id" to the [display] tag. It will be output in the form
  element and a label element will be created to match, if appropriate.

  Example 1:

  [display id=category options=|
  =--select--,
  1=Junior High School,
  2=High School,
  3=College,
  4=Graduate School,
  | value="[evalue category]" type=select name=category]

  Output (bring your own <label for=category>):
  <select name="category" id="category">
      <option value="" SELECTED>--select--
      <option value="1">Junior High School
      <option value="2">High School
      <option value="3">College
      <option value="4">Graduate School
  </select>

  Example 2 (label elements provided):

  [display name=publish_email value="[evalue publish_email]" type=radio
  passed="0=No,1=Yes" blank_default=1 id=publish_email]

  Output:
  <input type="radio" name="publish_email" value="0" id="publish_email0">
       &nbsp;<label for="publish_email0">No</label>
  <input type="radio" name="publish_email" value="1" id="publish_email1" checked>
       &nbsp;<label for="publish_email1">Yes</label>

Standard Demo
-------------

* Correct bounces to nonexistent error pages.

* Fixed bug that causes options to not show up on the checkout receipt, or the
  order report, or the mail reciept for most or all items.

* Fix problem that prevented unsubscribing from all mailing lists.

Debian packaging
----------------

* Keep virtual host name supplied by user.

* Move CSS & image files from /var/www/interchange-5 to
  /usr/share/interchange-ui.

* Use virtual host instead of system hostname as server name for demo catalog
  if FullUrl is enabled.

* Updated translations of Debconf templates.


------------------------------------------------------------------------------


Interchange 5.7.2 released 2009-09-17.


Core
----

* Close remote disclosure security vulnerability, and added new configuration
  option AllowRemoteSearch to selectively re-enable remote searches on "safe"
  tables. Defaults to products, variants and options.

  Please see UPGRADE for important information on upgrading your
  catalogs to prevent any problems.

* Fix validate_charset to return mime charset names only.

* Enable catalog usertags within dispatch routines.

* Add SpecialSub order_missing (#221).

* Make TAX_CATEGORY_FIELD work as intended, where a colon-separated table and
  field will work as well as a simple field in the same table as the item.

* Add environment variable MINIVEND_DISABLE_UTF8 which allows us to
  skip the Encode module entirely.

  Since "no encoding" does not remove the tie from regexes to Encode,
  but only disables it, you can't use that method. You have to literally
  not include Encode in the module namespace. This environment variable
  prevents require/import of the module if it is set true.

  It also adds a Global UTF8 directive that would normally not be, but could
  be, set by the user. This disables UTF8 with "no encoding", which should avoid
  some of the Perl UTF8 insanity but still won't avoid a potential "require" or
  "dofile" on a simple regex.

* Change Vend::CharSet away from the quasi-object style of programming
  (i.e. Module->routine()), since this module is only used internally.
  This will improve performance if/when a large number of CGI parameters
  are passed.

* Pass data to be encoded by Vend::CharSet by reference. While the
  Encode module inexplicably won't operate on references, at least we
  can avoid slinging hundred-megabyte files by value for what ends up
  being a no-op. Should you have to decode the data, it will still be
  slow but it will be limited to that eventuality, not every uploaded
  file.

* Vend::Interpolate::taxable_amount: Remove unnecessary calls to item_subtotal
  and thus the database. Thanks to Josh Braegger <jbraegger@backcountry.com>.

* Unit tests: Test various values access methods. Fix some [query] test
  corner cases.

* Add new child-process tag and core support routines. This tag runs
  ITL code in a forked child process. Useful for offloading processes
  that take a relatively long time to complete.

* link programs:
  * Make HTML just a tad more modern.
  * Make message configurable in config.h.in.
  * Alter compile_link.PL to allow error message to be built from a file.
    Uses four lines, concatenating remainder of file into one big line 4.
    Tested with 70K file with many double-quotes, newlines, and carriage
    returns.
  * Add status option to make compile_link.PL to make error status
    configurable.
  * Add status option to make compile_link.PL to make error content type
    configurable.

* Fix rare bug that caused requests to / URL with a query string to fail, e.g.:

  http://hostname/?somevar=1

  Interchange in that case looked for a page called "/?somevar=1".

  Thanks to David Christensen <david@endpoint.com> for the fix.

* Correct .access functionality directly in pages/

  .access worked in subdirectories like pages/abc/, but didn't work directly
  under pages/.

* BounceReferrals changes:

  * Fix bug that kept query strings from being passed through due to use of
  nonexistent %$CGI::Values instead of %CGI::Values.

  * Remove mv_pc and mv_source to prevent redirection loops.

  * Don't generate a "process" URL for root URL; use DirectoryIndex instead,
    if available.

* Make [email] process cc and bcc options for plain text emails (#250).

* Allow catalogs to be set to have Perl always global by default.

      AllowGlobal        catname
      PerlAlwaysGlobal   catname

    This is a global directive (i.e. interchange.cfg).

    [perl global=0] will still be honored, i.e. that will be interpreted
    by Safe.

  * Allow catalogs to turn off "strict" in global mode by default:

      PerlNoStrict       catname

    This is a global directive (i.e. interchange.cfg).

  This is intended as an easy way to allow catalogs to work all right
  with Vend::Charset. Sad, but can't think of any better way short of
  maintaining our own version of the UTF8 modules. It is really sad,
  because the Perl powers that be have totally abandoned Opcode and
  Safe.

  NOT RECOMMENDED FOR USE BY NON-SOPHISTICATED INTERCHANGE USERS.

* Correct issue with hi-bit characters in search strings.

  This corrects the "Wide character in subroutine entry" error that
  occurs when hi-bit characters are used in a search. The failure was
  caused by Digest::MD5's reluctance to process characters > 0xFF, so we
  just convert any search options to UTF8 before calculating the MD5.

* Add support for SHA1 encrypted userdb passwords.

  * Add new "promote" feature. When active, and passwords
    of any of the other algorithms are present, on next
    login the user's password will be promoted to the
    target hashing algorithm. This way, password strength
    can be increased organically.

  Use of SHA1 passwords can be specified in the same manner
  as currently MD5 can be:

  UserDB  ui  sha1  1

  To utilize the promotion feature, you add a similar line
  for the UserDB definition:

  UserDB  ui  promote 1

  Promote implies that strength is increased, but in reality
  promotion will move in any direction desired. The requested
  hashing algorithm is the target, and whatever the form of the
  passwords in the database, they will be converted to the target.

  E.g., if neither sha1 nor md5 is specified, and the database
  currently has md5 passwords, if promote is added, it will have
  the effect of promoting to crypt(), the target hashing algorithm
  (which happens to be the default).

  If promote is not used, the change is fully backward compatible.
  Whatever method is specified will be used, and if the database
  has passwords of a different algorithm, authentication will fail.

  You should not specify more than 1 hashing type. If you specify
  both md5 and sha1, you'll be subject to the whims of hash
  ordering from keys().

  Also note that, before promoting to a stronger hash, you should
  ensure your database's password field is long enough to hold the
  new, longer datum.

  Original work from Steven Jenkins <steven@endpoint.com> for
  framework of promotion code.

* Add global timeout feature for payment gateways.

  The different payment gateways all tend to implement their own timeout features
  with varying degrees of success. In particular, LWP-based clients do not appear
  to have any capability of passing a timeout by the developer whenever it uses
  the https protocol. Thus, the use of LWP's timeout feature is illusory and
  forces any activity to a 180s timeout.

  The new feature completely separates out the gateway activity with a fork,
  giving it reliable control over the duration of the gateway request. It also
  eliminates the need for each gateway module to implement its own timeout,
  either because the developer chose not to, didn't consider it, or because the
  developer discovered it was hopeless to do so using LWP.

  The feature is invoked using the "global_timeout" option in the payment route,
  or as an opt passed to [charge]. global_timeout should be any positive integer,
  which will define the number of seconds until the timeout is triggered. If this
  new option is not used, the effect is a no-op, with behavior identical to that
  prior to the feature. No changes in config means completely backward
  compatible.

  Additionally, a new "global_timeout_msg" option is available so that the
  message produced if the alarm fires can be customized within the payment route.

  E.g.:

      Route   payflowpro    id                 "__PAYFLOWPRO_ID__"
      Route   payflowpro    secret             "__PAYFLOWPRO_SECRET__"
      Route   payflowpro    partner            "__PAYFLOWPRO_PARTNER__"
      Route   payflowpro    vendor             "__PAYFLOWPRO_VENDOR__"
      Route   payflowpro    host               "__PAYFLOWPRO_SERVER__"
      Route   payflowpro    transaction        A
      Route   payflowpro    global_timeout     20
      Route   payflowpro    global_timeout_msg "We're sorry ... [etc.]"

* Add DowncaseVarname config. Given a space- or comma-delimited list of CGI
  params, Interchange will accept those params in any case from the query
  string and force them to lower case. Developed primarily to address affliates
  creating URLs with "mv_pc" but using inconsistent case in the URL, and thus
  Interchange missing it.

* Add new SessionCookieSecure boolean catalog directive. When enabled, makes
  session cookie set in https usable only in https.

* Add new SourcePriority catalog directive.

  SourcePriority <source_list>

  <source_list> is a prioritized list of cgi variables to get the source
  (affiliate) name from.  Can also include the following:

  mv_pc - has the current special casing of mv_pc, (ie RESET is special as
  are values that contain only digits).

  cookie-foo check the cookie with the foo label.

  session - stop here if session already exists, do not check any further
  variables.

  session-foo - stop here if foo session variable is set.

  Default: SourcePriority mv_pc mv_source

  Examples:

  Check the MV_SOURCE cookie for an affiliate name as well as the other defaults:
  SourcePriority mv_pc mv_source cookie-MV_SOURCE

  ...as above, but you don't want your affiliates using mv_pc:
  SourcePriority mv_source cookie-MV_SOURCE

  Check the cgi variable affid instead:
  SourcePriority affid

  Say you send affiliate traffic to other sites, and you don't want
  those sites to get credit for sales if a customer follows a banner from
  them back to your site:
  SourcePriority session mv_pc mv_source

  If you want affiliates who use the specialsource cgi variable instead of
  mv_source to get special treatment and can override customers who
  already have sessions:
  SourcePriority specialsource session mv_pc mv_source

  If you want to allow affiliates to get credit if there is a
  session but only if no other affiliate is already set:
  SourcePriority session-source mv_pc mv_source

* Add directive SourceCookie, support for persistent affiliate tracking.

  Setting SourceCookie defines the relevant attributes of a cookie to be
  maintained in conjunction with the usual session-only parameter
  $Session->{source}. Its usage eliminates the duration of the user's session as
  the limiting factor for applying credit to a referral.

  SourceCookie and SourcePriority would be expected to typically work in tandem,
  and thus the same cookie defined in both contexts. However, there is no such
  requirement to do so. Defining SourceCookie by itself merely makes the cookie
  available any time the core source routines set or manipulate
  $Session->{source}. That cookie may, or may not, be leveraged as an element in
  SourcePriority, which itself may look to a cookie not maintained by
  SourceCookie.

  SourceCookie supports the following attributes:

  * name (required)
  * expire (any format supported for [set-cookie])
  * domain
  * path
  * secure
  * autoreset

  autoreset is a boolean that, when true, will cause each request from the client
  to reset the cookie in the response, effectively refreshing the expiration time
  relative to the current time. Uses, for example, might include a desire to
  ensure that the source cookie last "forever" (autoreset + sufficiently long
  expire period) or for more obscure uses such as "Affiliate should last [value
  of expire] from the last request".

  Attributes may be positional in order of (name expire domain path secure), but
  it is recommended that they be expressed as key=value pairs for clarity.

  Example using both SourcePriority and SourceCookie together in catalog.cfg:

  SourcePriority mv_pc mv_source cookie-MV_SOURCE
  SourceCookie name=MV_SOURCE expire="180 days"

* Add reload of AutoModifier based on a prepended ! (exclamation point).
  Example:

     AutoModifier    !download  pricing:price_group

  The download attribute will be recomputed for the current sku when
  the cart is recalculated.

* Add ability to merge user logins with merged_user field. When the
  user logs in, their username is changed to the value of the ID in
  that field. No default, so not operational in standard demo catalog.
  Enabled with:

        UserDB  default   merged_user  merge_to

  That would look in the database field "merge_to" for a user name
  to change to.

* Force re-configure on compile_link --force.

* table_editor/flex_select: Add ability to link "edit record" to custom
  page with custom parameter. Also can now change "edit record to
  something else like "view user".

* Fix table editor bug found by Jeff Boes <jeff@endpoint.com> which
  prevented custom widget type from working.

* Add shorthand to allow beginning/ending year with date widget name
  (i.e. yearbegin1934, yearend0000 where 0000 means current year).

* Add ability to configure the number of levels and hash length for
  the directory structure of file-based sessions. Instead of a fixed
  value of 2 and 1 for levels and length, respectively, make two
  configuration parameters named SessionHashLevels and SessionHashLength

  Default is 2 and 1, respectively, matching the current values.

  This solves the problem of session IDs passed from CGI::Session or other
  modules that use a quasi-sequential session ID. You end up placing all
  sessions in the S/2 directory for a long time, followed by the S/3 directory,
  etc. A setting of:

    SessionHashLength   4
    SessionHashLevels   1

  would break sessions up into separate directories instead of putting all
  sessions in a huge directory.

* Encoding and fallback for reading/writing files while in UTF-8 mode.

* New adjust_time() function allows time adjustment based on secs, mins, hours,
  days, weeks, months and years.  Also can string multiple adjustments together
  and compensate for daylight savings time changes over the adjustment period.

* _set_acl() in UserDB.pm now uses adjust_time() instead of time_to_seconds().

* Fix MaxQuantityField to allow a null, blank, or non-numerical entry in the
  field to represent that no maximum quantity should be enforced for that
  product.

* Minor updates to default robot detection configuration.

* Fix omission of media type in <link> output of [css].
  Patch by Thomas J.M. Burton <tom@globalfocusdm.com>.

* Allow synonym evalue for value in [if] checks.

* Add Vend::Safe abstraction to fix problems with UTF-8 inside Safe.

* Fix crash that occurred with an empty AutoModifier.

* Allow Interchange daemon to start with no Catalog declarations.

* Unbuffer output as soon as possible to make regular & error messages stay
  in sequence during startup.

* Abort daemon startup when required module is missing and clean up error output.

* Update broken getppid() detection for Perl 5.10.0.

* Do not specify a default charset if none is passed via MV_HTTP_CHARSET.
  Thanks to Raymond Cheng <rayonnet@hotmail.com> for pointing out the regression
  caused by this.

* Always log route_order errors regardless of errors_to setting.

* compile_link was confusing the -s socketfile option with the new -S status
  because Getopt::Long ignores option case by default. This fixes the problem
  by passing the no_ignore_case config parameter to Getopt::Long.

* If the flypage SpecialSub returned a non-existent SKU then a blank flypage
  would be displayed (with no data).  This is now fixed so that there is no
  difference to what happens without a SpecialSub.

* New areapage SpecialSub that allows you to change the page name passed to the
  [area] family of tags and functions before the tag processes the page name.

* Various UTF-8 support fixes.

* Add NoBlankLines option to and clean up error HTML in Interchange::Link.

* Fix XSS exploit in account creation username check error display (RT #306).
  Thanks to Carl Bailey for reporting the problem.

* Clean up UserDB error output by excluding Perl file & line output.

* Fix PreFork mode daemon restart problem. Now child processes are properly
  killed off.

* Make sure catalog TemplateDir and ErrorFile directives are safe when
  NoAbsolute is set.

* Fix problems with applying Interchange filters to UTF-8 content (RT #258).

Payment
-------

* Add PaypalExpress payment module from Lyn St George <info@zolotek.net>.

* Remove long-defunct BoA (Bank of America) payment module. Bank of America
  is a reseller for CyberSource so its module applies:
  http://www.bankofamerica.com/small_business/merchant_card_processing/index.cfm?template=internet_e_commerce

* Remove long-defunct CyberCash payment module.

* Deprecate Signio payment module, which uses an API that current Payflow
  Pro owner PayPal says they will no longer support after September 1, 2009.

* Add new PayflowPro payment module, which replaces Signio. Based on code by
  Tom Tucker.

* Allow extra parameters to be passed to Business::OnlinePayment.
  Changes by Bill Carr <bill@bottlenose-wine.com>.

* [pay-cert] tag now uses the new adjust_time() function instead of the older
  time_to_seconds().

* Remove CVV2 (Card Security Code) from default credit card encrypted block
  template so that it will not even be stored in encrypted form. This makes
  the default behavior compliant with section 3.2.2 of PCI-DSS 1.2:

  https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

  It is of course still possible to manually supply a template that stores
  the card security code in violation of PCI-DSS requirements, so developers
  should review any custom credit card encryption templates to make sure that
  the CVV2 is not included, and purge it from any historical data.

* Send correct level 2 card data with AuthorizeNet module. This improves the
  discount rate for a lot of card types.

* Linkpoint: Add CVV capability, and partial pay_cert payments

* Add SagePay and GoogleCheckout modules from Lyn St George.

* Add Worldpay module from Andy Smith of tvcables.co.uk.

* Remove bloat that duplicates %z functionality in Vend::Util::logtime().

UserTag
-------

* [run-profile] now accepts ref attribute to check an arbitrary hash.

* Add empty attribute for [convert-date] to display a custom string
  instead of the current date when no proper date is passed.

* [component], [convert-date] and [css] now use the new adjust_time() function
  instead of the older time_to_seconds().

* [convert-date] has a new compensate_dst attribute that when set to 1 will
  compensate the adjusted time for daylight savings time changes.

* Fix bug in [convert-date] that skewed the time by one hour if the starting
  date was during daylight savings time and an adjustment was made.

* Fix regression in [convert-date] that caused it to display Sunday for every
  day of the week if a raw date was passed and the adjust attribute was not.
  Thanks to Marty Tennison <marty@dripdepot.com> for reporting the bug.

* Add maps of country names and updated international shipping services needed
  by USPS in [usps-query]. Thanks to Josh Lavin and Mat Jones.

SystemTag
---------

* The error is now not anymore automatically appended to the output of [error]
  when MV_ERROR_STD_LABEL has a value.

* [time] now uses adjust_time() instead of the older time_to_seconds().  There
  is also a new compensate_dst attribute that when set to 1 will compensate the
  adjusted time for daylight savings time changes.

Filter
------

* Make code/Filter/text2html.filter output valid code.
  Using double <br>'s instead of opening tag <p>.

* Strip all remaining HTML tags (not just b/i/u tags) in html2text filter.

* Require module Digest::SHA1 in the sha1 filter to raise error sooner if
  it's missing.

* Add strip_html filter.

Checks
------

* Allow custom error messages for email_only check.

* ISBN check can be advised to accept ISBN-10 or ISBN-13 numbers only.

Jobs
----

* Add job group name to error message on missing catalog.

Admin UI
--------

* Check/uncheck all facility for customers/items (#18).

* Allow file removal with uploadhelper widget (#180).

* Fix default shipmode on entry page due to incomplete [either] clause.

* Fix some broken HTML.

* Recognize Opera as DHTML browser. Thanks to Don Hathaway & Steve Graham.

* Add framekiller for clickjacking defense in template. Probably we are
  unlikely to have problems in the standard template, but you never know.

* Avoid problem of side-effect read-only variable table in file navigator.

* New user_merge specialsub is run from the [user-merge] tag when two users are
  merged.

* Keep ui_new_item present in the form (#31).

Standard demo
-------------

* Correct bug in ncheck_category GlobalSub.

* Recognize Opera as DHTML browser. Thanks to Don Hathaway & Steve Graham.

* Require forum users to be logged in, to prevent spam.

* Prevent an incomprehensible error when following an order link that was
  created on an mv_tmp_session page or other non-connecting session.

* Correct update of saved company value for shipping address (#125).

* Display company name in shipping & billing addresses.
  Thanks to Steve Graham <icdev@mrlock.com>.

* Correct min/max length for username entry to ship_addresses.html (#114).

* Refurbish standard/pages/quantity.html (#204).

* Add German locale translations (#40).

* Fix wrong URLs in language selection (#265).

* Have tab-delimited files sort by primary key so it's easier to diff and
  see real changes. Affects access, locale, mv_metadata, survey, and variable.

* Standardize encoding of sample locale table data to UTF-8.

* Remove spurious SQLite database configuration file and corrected others.

* Remove rarely used mass_setting admininstration page.

* Add company name to shipping and billing addresses and filter output
  with evalue.

Other
-----

* Added jEdit mode files for Interchange to eg/jedit. Thanks to Justin Otten.

* Added runtime dump-memory global UserTag and ActionMap for very low-level
  troubleshooting beyond what the structure files can offer.


------------------------------------------------------------------------------


Interchange 5.7.1 released 2008-11-13.


Core
----

* Perl 5.8.5 or newer is now required.

* Fixed regression in Vend::Table::DBI::set_slice for the following usage
  pattern (RT #200):

  $Db{table}->set_slice('', %parms));

* Quell bogus warnings from Encode::Alias (#224). Thanks to Andy
  <ic@tvcables.co.uk> and Rene Hertell <icdevgroup@hertell.com>.

* Added Nunavut to the list of valid Canadian provinces (#231). Thanks to
  Mathew Jones for the report.

* Fix vulnerability where a string passed in the mv_order_item CGI variable is
  displayed verbatim without any input sanitation if there is a valid sku in
  mv_sku. Thanks to Mat from Bibliopolis for discovering and reporting the
  vulnerability.

* Refined error message for missing actions.

* Vend::Interpolate::interpolate_html returns undef on undefined input text.
  This allows to determine whether $Tag->include fails or just produces an
  empty string.

* Fixed deficiency in Levies, where multiple handling modes separated by null
  would not work as in the old subtotal calculation model.

* Correct cookie-clearing function in UserDB.

* Extend MaxQuantityField config directive to support fields prefixed with
  '=' or '?'.

  By default, there's no behavior change and specification of
  'MaxQuantityField f1 f2' sets max quantity to f1 + f2.

  With f1 =f2, max quantity is unconditionally set to f2.

  With f1 ?f2, max quantity is set to f2 only if f2 > 0.

  By Cameron B. Prince <cameron@princeinternet.com>.

* Allow SQL EXPLAIN and SHOW along with SELECT, for queries.
  Thanks to Frederic Steinfels.

* Allow explicit manual table exports even when NoExportExternal is enabled,
  using the force option to &Vend::Data::export_database.

* Fixed database typing problem for HIDE_FIELD. Reported by Sonny Cook.

* Support "secure cookies", which are sent only over SSL connections.
  From a patch by Frederic Steinfels <fst@highdefinition.ch>.

* Allow XML posts by e.g. Google Checkout, which broke in Interchange 5.6.0
  (RT #219). By Andy <ic@tvcables.co.uk>.

* Currently the only order cleanup available, i.e., functions to run after all
  data in the session has been used for order functions, is the bottom of the
  receipt page, if you happen to know that is the place to do it.

  Provide the new OrderCleanup catalog directive which takes a routine name
  and is an authoritative place to perform such actions, in the same vein as
  AutoLoad and AutoEnd. Implementation possibilites include profiles to be
  run at the end or a SpecialSub.

* Fixed problem with new-style shipping configuration reading a mixed-case
  option.

* Corrected logic flaw that applied UTF-8 handling in some cases where it
  shouldn't have. Fixed by David Christensen <david@endpoint.com>.

Search
------

* mv_force_coordinate (fc) added to force coordinated search. Normally,
  when the number of search field does not match the number of search
  strings (specs), coordinated mode is automatically turned off. With
  'fc', number of search specs is adjusted to match the number of search
  fields, either by filling the array with last-set mv_searchspec, or by
  trimming excess values. Useful when you want to search for one string in
  multiple fields in coordinated mode.

* Removed trailing whitespace from text file headers.

* Under rare circumstances the missing search can fall through in a block
  below, which caused an internal server error in the following code line:

	$obj->{matches} = scalar @{$obj->{mv_results}};

  This is now mitigated by an empty mv_results array and results in a search
  error as one would expect.

* Refining searches with properties in Swish search:

    sf=distribution
    se=lenny

    se=postgresql

  This also reverts the workaround for #111.

UserTag
-------

* srcliteral attribute added to [button] tag. Setting srcliteral avoids
  the image existence check for the src attribute.

* [run-profile] removes automatically generated profiles only.

* scratch attribute added to [capture-page] to store the resulting page in a
  scratch variable, supplied by Phil Smith.

* lines attribute added to [nitems] to show the number of lines in the shopping
  cart instead of the sum of the items (#225).

* Made [capture-page] aware of mapped output (#197, #226).

* Added name and id to list of [image] pass-through attributes.

* We are vulnerable to cross-site scripting problems any time there is a
  <input value="[value foo]"> call. You can get around this, of course,
  with <input value="[value name=foo keep=1 filter=encode_entities]">
  instead. That is a bit of a mess, though, so I added an alias for that
  called "evalue".

  You call it with [evalue address1], which is identical to
  [value keep=1 filter="encode_entities" name=address1].

* Make backup-database tag work even when NoExportExternal is enabled.

* Add [set-cookie secure=1] option for SSL-only cookies.

OrderCheck
----------

* Added ISBN-13 support to isbn order check and relocated it to code/OrderCheck.

Filters
-------

* Fixed regression in html2text filter to re-allow paragraph attributes such as
  <p align="center">.

Widgets
-------

* Prevent cross-site scripting problem in the country-select widget. Found and
  fixed by Josh Lavin of Perusion.

* Allow passing custom JavaScript to country_select.widget by adding country_js
  and state_js options. It will rewrite "this.form" with the correct form name
  at runtime. By Josh Lavin. Useful e.g. for calling check_tax like this:

  state_js="check_tax(this.form)"

Admin UI
--------

* Prevent whitespace leaking into CREDIT_CARDS_ACCEPTED variable (#209).

* Sort customer orders by order date, descending (was arbitrary).
  (By Rene Hertell, RT #203.)

* Someone removed email_copy field from userdb table, which meant that
  email was not sent to customers by default on status updates. Changed
  to default to yes if email_copy field not present in user table.

* Added tracking_number field to order status if field exists in orderline,
  and handle it in update_order_status tag.

Payment
-------

* If the tmp/wget directory (or more properly "$Vend::Cfg->{ScratchDir}/wget")
  directory did not exist, use_wget mode failed. Changed code to make
  directory if non-existent, and give better error if by some strange chance
  a file existed there.

* Authorize.net fixes by Josh Lavin of Perusion:

  Allow mv_transaction_id to be sent when mv_order_number has not yet been
  created (the case with all newer catalogs, as they use tid.counter).

  Allow Business Checking type of 'CCD' (defaults to WEB if not set or sent).

Standard demo
-------------

* Added SQLite support.

* Disabled product comment to prevent spam showing up on default installations.

* Provide reasonable defaults for shipping mode and country at checkout to avoid
  "not enough information" errors.

* Increased default length of orderline.order_number to 24.

* Modified include/checkout forms to use evalue. There are undoubtedly many
  other places it should be put in. But until this is evaluated properly I
  don't want to do it all over the place. You can do so with this one liner,
  at least pretty reliably:

     perl -pi -e 's{value="\[(value\s+[-\w]+\])}{value="[e$1}g'

  I think we have gotten rid of all VALUE= uppercase kind of things,
  but if not we should now.

Packaging
---------

* Numerous Debian packaging and localization updates.

* Modernize RPM packaging:

  Bundled version of HTML::Entities has been removed, so don't look for it.

  Update syntax used for chown and find.

  Install all man pages to section 8, so the man page for Interchange's
  crontab script doesn't conflict with the system crontab program, and since
  Interchange's "binaries" aren't typically in PATH anyway.

  Stop using deprecated RPM PreReq tag.

  Explicitly require Safe::Hole and Set::Crontab, which the RPM dependency
  checker misses.

  Force use of /usr/lib, not /usr/lib64, on x86_64. We're not installing
  binaries (except the cgi-bin which is in /var/www anyway) and many things
  depend on the /usr/lib location.

  Require Perl 5.8.8 or newer for build and installation to be compatible
  with system threaded Perl.

  Use interchange-* helper scripts directly from SPECS/ in source tarball,
  instead of copying. Enables use of rpmbuild -ta directly on tarball.

  Don't check for IniConf.pm anymore as it's part of dist/lib now.


------------------------------------------------------------------------------


Interchange 5.7.0 never formally released.


(end)