| XOOPS 2.7.1-RC1 Released for Testing |
by Mamba on 2026/7/8 14:52:57![]() XOOPS 2.7.1-RC1 Released for Testing First release candidate for XOOPS 2.7.1. The 2.7.1 line is now feature-complete; from here only blocker fixes are expected before the final release. Please test upgrades and report anything unexpected. DOWNLOAD: https://github.com/XOOPS/XoopsCore27/releases What's Changed Security hardening • Tightened SQL identifier and ORDER BY handling across Criteria, kernel/block, and the system admin pages. • Required a security token on the upgrade apply-patch path; SQL dumps now live outside the web root and the download is gated. • Protector now inspects queryF() in its database-layer wrapper; the ModuleAdmin index menu output is escaped; module language files are loaded by basename only. • Added CAPTCHA and a persistent per-IP rate limit to the tell-a-friend form. • The upgrade wizard login now requires administrator-group membership. Dependency refresh • xoops/xmf updated to v1.3.1-RC1 (write paths migrated from queryF() to exec()). • Bundled xoops/helpers ^1.0, xoops/smartyextensions ^1.3 (adds QR support), tecnickcom/tcpdf ^6.10. • composer update sweep: php-debugbar 3.8.0, Smarty 4.5.7, symfony/var-dumper and symfony/yaml 7.4.14, webmozart/assert 2.4.1. What's Changed in 2.7.1 Beta • fix: preserve TinyMCE 7 language locale casing by @masskrdjn in #72 • docs(changelog): regenerate CHANGELOG.md by @github-actions[bot] in #70 • chore(sonar): scope S115/S3011 out of test sources by @mambax7 in #74 • test(editor): isolate the TinyMCE7 language test by @mambax7 in #75 • fix(system): hydrate module fields when cloning a block (#73) by @mambax7 in #77 • fix(editor): map XOOPS locale to TinyMCE 7 pack code (#76) by @mambax7 in #78 • chore(deps): bump SonarSource/sonarqube-scan-action from 8.0.0 to 8.1.0 by @dependabot[bot] in #79 • chore(deps): bump codecov/codecov-action from 6.0.0 to 6.0.1 by @dependabot[bot] in #80 • improve(core): consolidate theme-config normalisation across runtime readers by @mambax7 in #81 • 2.7.1 updates by @mambax7 in #82 • chore(deps): bump postcss from 8.5.8 to 8.5.15 in /htdocs/themes/xtailwind2 by @dependabot[bot] in #83 • fix(theme/default): keep inline rich text baseline aligned by @mambax7 in #84 • chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 by @dependabot[bot] in #85 • chore(deps): bump postcss from 8.5.8 to 8.5.15 in /htdocs/themes/xtailwind by @dependabot[bot] in #86 • feat(form): add XoopsFormTabTray tabbed widget + themed renderers by @mambax7 in #87 • refactor(form): introduce XoopsFormContainerInterface for container contract by @mambax7 in #90 • refactor(form): adopt XoopsFormContainerInterface in XoopsForm + foreach-by-ref container iteration by @mambax7 in #91 • Security/hardening pass by @mambax7 in #92 • chore(deps): bump codecov/codecov-action from 6.0.1 to 7.0.0 by @dependabot[bot] in #93 • chore(deps): bump SonarSource/sonarqube-scan-action from 8.1.0 to 8.2.0 by @dependabot[bot] in #94 • chore(deps): bump shivammathur/setup-php from 2.37.1 to 2.37.2 by @dependabot[bot] in #95 • Upgrade tool: Smarty 4→5 readiness gate, 2.7.0→2.7.1 step, and hardening by @mambax7 in #96 • add SmartyExtensions by @mambax7 in #97 • ci(codecov): make patch coverage informational by @mambax7 in #99 • Fix/profile search active filter by @mambax7 in #98 • dark-mode for xbootstrap5/xswatch5/xtailwind2 + register smartyextensions by @mambax7 in #100 • Chore/security tooling by @mambax7 in #101 • chore(phpstan): mark gitignored vendor excludePaths as optional by @mambax7 in #103 • chore(coderabbit): align test review instruction with PHPUnit ^11.2 by @mambax7 in #104 • Security: medium-tier hardening pass (pass 2) by @mambax7 in #102 • Security: medium/low defence-in-depth hardening (pass 3) by @mambax7 in #105 New Contributors • @masskrdjn made their first contribution in #72 Thank you!!!! |