diff --git a/CHANGELOG.md b/CHANGELOG.md
index a73bc1b3e..59e554066 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3293 +1,3294 @@
# Changelog Roundcube Webmail
## Unreleased
- Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
- Fix TinyMCE localization installation (#9266)
- Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
- Fix command injection via crafted im_convert_path/im_identify_path on Windows
- Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
+- Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
## Release 1.5.6
- Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download
## Release 1.5.5
- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)
## Release 1.5.4
- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
- Fix so output of log_date_format with microseconds contains time in server time zone, not UTC
- Fix so N property always exists in a vCard export (#8771)
- Fix so rcmail::format_date() works with DateTimeImmutable input (#8867)
- Fix bug where a non-ASCII character in app.js could cause error in javascript engine (#8894)
## Release 1.5.3
- Enigma: Fix initial synchronization of private keys
- Enigma: Fix double quoted-printable encoding of pgp-signed messages with no attachments (#8413)
- Fix various PHP8 warnings (#8392)
- Fix mail headers injection via the subject field on mail compose (#8404)
- Fix bug where small message/rfc822 parts could not be decoded (#8408)
- Fix setting HTML mode on reply/forward of a signed message (#8405)
- Fix handling of RFC2231-encoded attachment names inside of a message/rfc822 part (#8418)
- Fix bug where some mail parts (images) could have not be listed as attachments (#8425)
- Fix bug where attachment icons were stuck at the top of the messages list in Safari (#8433)
- Fix handling of message/rfc822 parts that are small and are multipart structures with a single part (#8458)
- Fix bug where session could time out if DB and PHP timezone were different (#8303)
- Fix bug where DSN flag state wasn't stored with a draft (#8371)
- Fix broken encoding of HTML content encapsulated in a RTF attachment (#8444)
- Fix problem with aria-hidden=true on toolbar menus in the Elastic skin (#8517)
- Fix bug where title tag content was displayed in the body if it contained HTML tags (#8540)
- Fix support for DSN specification without host e.g. pgsql:///dbname (#8558)
## Release 1.5.2
- OAuth: pass 'id_token' to 'oauth_login' plugin hook (#8214)
- OAuth: fix expiration of short-lived oauth tokens (#8147)
- OAuth: fix relative path to assets if /index.php/foo/bar url is used (#8144)
- OAuth: no auto-redirect on imap login failures (#8370)
- OAuth: refresh access token in 'refresh' plugin hook (#8224)
- Fix so folder search parameters are honored by subscriptions_option plugin (#8312)
- Fix password change with Directadmin driver (#8322, #8329)
- Fix so css files in plugins/jqueryui/themes will be minified too (#8337)
- Fix handling of unicode/special characters in custom From input (#8357)
- Fix some PHP8 compatibility issues (#8363)
- Fix chpass-wrapper.py helper compatibility with Python 3 (#8324)
- Fix scrolling and missing Close button in the Select image dialog in Elastic/mobile (#8367)
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
## Release 1.5.1
- Fix importing contacts with no email address (#8227)
- Fix so session's search scope is not used if search is not active (#8199)
- Fix some PHP8 warnings (#8239)
- Fix so dark mode state is retained after closing the browser (#8237)
- Fix bug where new messages were not added to the list on refresh if skip_deleted=true (#8234)
- Fix colors on "Show source" page in dark mode (#8246)
- Fix handling of dark_mode_support:false setting in skins meta.json - also when devel_mode=false (#8249)
- Fix database initialization if db_prefix is a schema prefix (#8221)
- Fix undefined constant error in Installer on Windows (#8258)
- Fix installation/upgrade on MySQL 5.5 - Index column size too large (#8231)
- Fix regression in setting of contact listing name (#8260)
- Fix bug in Larry skin where headers toggle state was reset on full page preview (#8203)
- Fix bug where \u200b characters were added into the recipient input preventing mail delivery (#8269)
- Fix charset conversion errors on PHP < 8 for charsets not supported by mbstring (#8252)
- Fix bug where adding a contact to trusted senders via "Always allow from..." button didn't work (#8264, #8268)
- Fix bug with show_images setting where option 1 and 3 were swapped (#8268)
- Fix PHP fatal error on an undefined constant in contacts import action (#8277)
- Fix fetching headers of multiple message parts at once in rcube_imap_generic::fetchMIMEHeaders() (#8282)
- Fix bug where attachment download could sometimes fail with a CSRF check error (#8283)
- Fix an infinite loop when parsing environment variables with float/integer values (#8293)
- Fix so 'small-dark' logo has more priority than the 'small' logo (#8298)
## Release 1.5.0
- Support displaying RTF content (including encapsulated HTML) from a TNEF attachment
- Disable the default spellchecker option using spell.roundcube.net (#8182)
- Newmail_notifier: Improved the notification sound (#8155)
- Fix size of Mailvelope iframe for PGP-inlined mail, again (#8126)
- Fix handling of group names with @ character in autocomplete and contacts widget (#8098)
- Fix Firefox infinate loading display on mail screen (#8128)
- Fix converting >1MB of HTML content into plain text (#8137)
- Fix bug where expanding a group in the recipient input could corrupt the input content (#7569)
- Fix fatal error/warning on invalid input to user parameter (#8152)
- Fix changing password with dovecot_passwdfile driver (#8145)
- Fix handling of headers that occur multiple times by show_additional_headers plugin (#8157)
- Fix bug where vertical scrollbar in new HTML message bounced back on scroll (#8046)
- Fix displaying inline images with incorrectly declared content-type (#8158)
- Fix so addr-spec with missing closing angle bracket can be parsed (#8164)
- Fix handling of spellcheck connection errors (#8172)
- Fix a couple of PHP8 warnings (#8175, #8176)
- Fix bug where "from my contacts" and "from trusted senders" values were mixed up (#8177)
- Fix password/token length check on OAuth login (#8178)
- Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
- Fix SQL injection via some session variables
- Fix handling of dark_mode_support:false setting in skins meta.json (#8186)
- Fix security issues regarding server name and trusted_host_patterns setting
## Release 1.5-rc
- Upgrade to TinyMCE 5.8.2
- SMTP XCLIENT support (#7893, #6411)
- Add IDN homograph attack (spoofing) detection [CVE-2019-15237] (#6891)
- Add configuration options for subject prefixes (#7929, #4981)
- Support IMAP LITERAL- extension [RFC 7888] (#6878)
- Warn the user about a potential data leak on mail bounce or forward (#7993)
- Make the Empty action available for every non-empty folder, not only Trash (#7948)
- Remove (incorrect) use of Return-Receipt-To header (#8069)
- Submit various simple dialog forms with the Enter key (#7133)
- Add RFC2231 support to rcube_mime_decode (#7390)
- Plugin API: Allow modification of 'error' argument in 'message_send_error' hook (#7914)
- OAuth: add plugin hooks `oauth_login` and `oauth_refresh_token` for oauth events (#8028, #8040)
- Debug_logger: Fix the main plugin functionality and documentation (#8041)
- Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)
- Enigma: Fix invalid expiration dates of PGP keys on a 32bit system (#7531)
- Enigma: Display an information that public and private keys are stored on the server (#7941)
- Enigma: Optional support for passwordless keys (#7265)
- Managesieve: Fix removing nested rules in scripts (#8011)
- Managesieve: Support XOAUTH2, requires Net_Sieve 1.4.5 (#7925)
- Managesieve: Added ability to remove 'redirect' option from UI (#7922)
- New_user_dialog: Use the 'identity_update' hook (#8023)
- Password: Fix broken 'hmail' driver (#7966)
- Password: Set password_minimum_length to 8 by default (#8003)
- Vcard_attachments: Improve handling of multiple contacts (#7027)
- Fix inserting a group from non-default source using the Insert contact(s) dialog (#8095)
- Fix invalid search fields after search scope change (#6919)
- Fix so "Always allow from..." button appears also when allow_images=3 (#7961)
- Fix Elastic's pretty select scroll position in Chrome (#7964)
- Fix bug where invalid non-unicode characters in JSON output could make the UI unresponsive (#7955)
- Fix PHP 8 fatal error when allowing images in an email (#7968)
- Fix so session expiration is more precise and do not depend on the garbage collector (#7576)
- Fix bug where imap_conn_options settings were ignored (#7912)
- Fix bug causing some HTML message content to be not centered in Elastic skin (#7911)
- Fix bug when sending an email and recipient's email address contains a trailing dot (#7899)
- Fix bug where the list page wasn't reset when changing a folder on mail view page (#7932)
- Fix so selecting the same folder to reset search resets also the page number (#7125)
- Fix login page rendering after oauth failure (#7812,#7923)
- Fix bug where assigning users to groups via menu (not drag'n'drop) could fail in Elastic theme (#7973)
- Fix HTML5 parser issue with a messy HTML code from Outlook (#7356)
- Fix handling of multiple link references with the same index in plain text message (#8021)
- Fix various actions on folders with angle brackets in name (#8037)
- Fix inconsistent fowarding actions statuses on drafts (#8039)
- Fix bug where `start` and `reversed` attributes of `ol` tag were ignored (#8059)
- Fix bug where consecutive LDAP searches could return wrong results (#8064)
- Fix bug where plus characters in attachment filename could have been ignored (#8074)
- Fix displaying HTML body with inline images encapsulated using TNEF format (winmail.dat)
- Fix handling of custom sender addresses with names (#8106)
- Fix shift + drag'n'drop menu not working in Elastic skin with Chrome browser (#8107)
## Release 1.5-beta
- Require PHP >= 5.5
- Support PHP 8.0 (#7625)
- Require php-intl
- Remove use of Net_IDNA2 package
- Require GuzzleHttp\Client
- Upgrade to TinyMCE 5.5.1
- Upgrade to jQuery 3.5.1 (#7464)
- Update build tools (#7800, #7804, #7497):
- jsshrink.sh: Replace google-closure-compiler with UglifyJS
- cssshrink.sh: Replace yuicompressor with csso
- require lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css for Less files compilation
- Automatically collected recipients and trusted senders (#6904)
- Added configurable Collected Recipients addressbook source (#4971)
- Added configurable Trusted Senders addressbook source (#5046)
- Added 'contact_exists' hook
- Added separate "trusted senders" options for show_images and mdn_request preferences (#7614)
- Contact form mode: private/business (#7630)
- OAuth/XOauth support (#7425, #6933)
- Cache refactoring (#6312)
- Added special value 'email' to login_username_filter, it changes also logon input type (#7179)
- Allow array in smtp_host config (#7296)
- Support proxy for server-side HTTP requests (#7658)
- By default do not set the User-Agent header (#7731)
- Add possibility to (re-)define field mapping on contacts import from a CSV file (#7045, #6668)
- Move "On request for return receipt" from "Mailbox View" to "Displaying Messages" (#7614)
- Support RFC8438: IMAP STATUS=SIZE - for faster folder size calculation (#7269)
- MySQL: Use utf8mb4 charset and utf8mb4_unicode_ci collation (#6535, #7113)
- Allow NULL in users.preferences column in postgres and sqlite db, the same as for other engines (#7767)
- Support for language codes up to 16 chars long (e.g. es-419) in database schema (#6851)
- Relaxed domain name validation for extended TLDs support (#5588)
- Allow opening application/octet-stream attachments according to filename extension (#6821)
- Added support for INSERT OR REPLACE queries (#6771)
- Allow skins to define which layout options they support (#7235)
- Extract RFC2231 attachment name from message headers (#6729, #6783)
- Add support for SameSite cookie attribute via session_samesite option (req PHP >= 7.3.0) (#6772)
- Change folders sorting so shared/other users namespaces are listed last (#5012)
- Display a warning and do not try to open empty attachments (#7332)
- Return 204 rather than 404 on missing contact photo (#7777)
- Add 'reconnect' plugin to retry IMAP connection (#7844)
- Plugin API: Added 'message' argument to 'message_compose_body' hook
- Plugin API: Added 'preferences' parameter to 'user_create' hook (#7692)
- Elastic: Dark mode (#6709)
- Elastic: Display email size on the list of messages (#7162)
- Elastic: Replace properties sidebar with a dialog on the attachment preview page (#7635)
- Elastic: Minimize forms/colors blink on page load
- Elastic: Improve mail header "detailed mode" (#7224)
- Elastic: Moving single recipients between recipient inputs with drag-n-drop (#5069)
- Elastic: Display a special icon for other users and shared namespace roots (#5012)
- Elastic: Support space-separated email addresses in recipient input (#6529, #6457)
- Elastic: Remember list checkbox selection state (#7148)
- Elastic: Add "Open in new window" in mail compose (#7260)
- Elastic: Make custom less files optional (#7497)
- Elastic: Prevent from opening mail preview in a new window on touch devices using double tap (#7732)
- Templates: Add support for expressions in object attributes (#7237)
- Templates: Add support for nested if conditions (#6818)
- Templates: Make [space][slash] ending of condition objects optional (#6954)
- Mailvelope: Fix size of iframe for PGP-inlined mail (#7348)
- Mailvelope: Add config option to use Main Keyring (#7348, #7157)
- Mailvelope: Add config option to set the size for new keys (#7348)
- Mailvelope: Always ask before discarding email currently being composed (#7348)
- Mailvelope: Fix unnecessary warning to re-add attachments when restoring a draft (#7348)
- Archive: Added options to split archive by year or year+month and folder (#7216)
- Enigma: Support ECC key generation - when using GnuPG >= 2.1.7 (#6853)
- Managesieve: Add support for 'spamtest' extension - RFC3685 (#6950)
- Managesieve: Allow display name with email address in vacation :from field (#6760)
- Managesieve: Improve UX on custom header input (#7207)
- Managesieve: Fix bug where activation of forward/vacation rule could activate a wrong script (#7423)
- Managesieve: Fix bug where forward/vacation rule could end up being duplicated (#7349)
- new_user_identity: Fix missing password for user-specific LDAP operations (#7667)
- Password: Added 'pwned' password strength driver (#7274)
- Password: Added Mail-in-a-Box (miab) driver (#7824)
- Password: Added TinyCP driver (#7510)
- Password: Added httpapi driver to connect to generic HTTP/HTTPS APIs (#7439)
- Password: Added dovecot_passwdfile driver (#5786)
- Password: Removed old 'cpanel' driver, 'cpanel_webmail' driver renamed to 'cpanel' (#7780)
- Fix handling of address groups in email headers by ignoring their names (#7663)
- Fix so message flags are updated on refresh also for multifolder search results (#7774)
- Fix so IMAP ID command is send only after authentication (#7517)
- Fix bug where it wasn't possible to save Spanish (Latin America) locale preference (#7784)
- Fix mail search error on invalid search_mods definition (#7789)
- Fix error when dealing with message/rfc822 attachments using Gmail IMAP (#6854)
- Fix ISO-2022-JP-MS encoding issues (#7091)
- Fix so messages in threads with no root aren't displayed separately (#4999)
- Fix so anchor tags without href attribute are not modified (#7413)
- Fix invalid IMAP SEARCH command in some rare case on messages cache synchronization (#7895)
- Fix so allowing remote resources does not add an entry to browser history (#6620)
## Release 1.4.11
- Display a nice error informing about no PHP8 support
- Elastic: Fix compatibility with Less v3 and v4 (#7813)
- Fix bug with managesieve_domains in Settings > Forwarding form (#7849)
- Fix errors in MSSQL database update scripts (#7853)
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
## Release 1.4.10
- Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655)
- Fix folder list issue whan special folder is a subfolder (#7647)
- Fix Elastic's folder subscription toggle in search result (#7653)
- Fix state of subscription toggle on folders list after changing folder state from the search result (#7653)
- Security: Fix cross-site scripting (XSS) via HTML or Plain text messages with malicious content [CVE-2020-35730]
## Release 1.4.9
- Fix HTML editor in latest Chrome 85.0.4183.102, update to TinyMCE 4.9.11 (#7615)
- Add missing localization for some label/legend elements in userinfo plugin (#7478)
- Fix importing birthday dates from Gmail vCards (BDAY:YYYYMMDD)
- Fix restoring Cc/Bcc fields from local storage (#7554)
- Fix jstz.min.js installation, bump version to 1.0.7
- Fix link to closure compiler in bin/jsshrink.sh script (#7567)
- Fix incorrect PDO::lastInsertId() use in sqlsrv driver (#7564)
- Fix bug where some parts of a message could have been missing in a reply/forward body (#7568)
- Fix empty space on mail printouts in Chrome (#7604)
- Fix empty output from HTML5 parser when content contains XML tag (#7624)
- Fix scroll jump on key press in plain text mode of the HTML editor (#7622)
- Fix so autocompletion list does not hide on scroll inside it (#7592)
## Release 1.4.8
- Fix support for an error as a string in message_before_send hook (#7475)
- Elastic: Fix redundant scrollbar in plain text editor on mail reply (#7500)
- Elastic: Fix deleted and replied+forwarded icons on messages list (#7503)
- Managesieve: Fix too-small input field in Elastic when using custom headers (#7498)
- Managesieve: Allow angle brackets in out-of-office message body (#7518)
- Fix bug in conversion of email addresses to mailto links in plain text messages (#7526)
- Fix format=flowed formatting on plain text part derived from the HTML content (#7504)
- Fix incorrect rewriting of internal links in HTML content (#7512)
- Fix handling links without defined protocol (#7454)
- Fix paging of search results on IMAP servers with no SORT capability (#7462)
- Fix detecting special folders on servers with both SPECIAL-USE and LIST-STATUS (#7525)
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious math content
- Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507)
## Release 1.4.7
- Fix bug where subfolders of special folders could have been duplicated on folder list
- Increase maximum size of contact jobtitle and department fields to 128 characters
- Fix missing newline after the logged line when writing to stdout (#7418)
- Elastic: Fix context menu (paste) on the recipient input (#7431)
- Fix problem with forwarding inline images attached to messages with no HTML part (#7414)
- Fix problem with handling attached images with same name when using database_attachments/redundant_attachments (#7455)
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace [CVE-2020-15562]
## Release 1.4.6
- Installer: Fix regression in SMTP test section (#7417)
## Release 1.4.5
- Fix bug in extracting required plugins from composer.json that led to spurious error in log (#7364)
- Fix so the database setup description is compatible with MySQL 8 (#7340)
- Markasjunk: Fix regression in jsevent driver (#7361)
- Fix missing flag indication on collapsed thread in Larry and Elastic (#7366)
- Fix default keyservers (use keys.openpgp.org), add note about CORS (#7373, #7367)
- Password: Fix issue with Modoboa driver (#7372)
- Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)
- Mailvelope: Fix Encrypt button hidden in Elastic (#7353)
- Fix PHP warning: count(): Parameter must be an array or an object... in ID command handler (#7392)
- Fix error when user-configured skin does not exist anymore (#7271)
- Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
- Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
- Security: Fix a couple of XSS issues in Installer (#7406)
- Security: Fix XSS issue in template object 'username' (#7406)
- Security: Better fix for CVE-2020-12641
- Security: Fix cross-site scripting (XSS) via malicious XML attachment
## Release 1.4.4
- Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
- Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
- Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
- Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
- Elastic: Fix color of a folder with recent messages (#7281)
- Elastic: Restrict logo size in print view (#7275)
- Fix invalid Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261)
- Fix missing contact display name in QR Code data (#7257)
- Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
- Fix regression in testing database schema on MSSQL (#7227)
- Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
- Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
- Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
- Fix handling keyservers configured with protocol prefix (#7295)
- Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
- Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
- Fix so imap error message is displayed to the user on folder create/update (#7245)
- Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
- Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
- Fix characters encoding in group rename input after group creation/rename (#7330)
- Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
- Make install-jsdeps.sh script working without the 'file' program installed (#7325)
- Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
- Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
- Security: Fix XSS issue in handling of CDATA in HTML messages [CVE-2020-12625]
- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings [CVE-2020-12641]
- Security: Fix local file inclusion (and code execution) via crafted 'plugins' option [CVE-2020-12640]
- Security: Fix CSRF bypass that could be used to log out an authenticated user [CVE-2020-12626] (#7302)
## Release 1.4.3
- Enigma: Fix so key list selection is reset when opening key creation form (#7154)
- Enigma: Fix so using list checkbox selection does not load the key preview frame
- Enigma: Fix generation of key pairs for identities with IDN domains (#7181)
- Enigma: Display IDN domains of key users and identities in UTF8
- Enigma: Fix bug where "Send unencrypted" button didn't work in Elastic skin (#7205)
- Managesieve: Fix bug where it wasn't possible to save flag actions (#7188)
- Markasjunk: Fix bug where marking as spam/ham didn't work on moving messages with drag-and-drop (#7137)
- Password: Make chpass-wrapper.py Python 3 compatible (#7135)
- Elastic: Fix disappearing sidebar in mail compose after clicking Mail button
- Elastic: Fix incorrect aria-disabled attribute on Mail taskmenu button in mail compose
- Elastic: Fix bug where it was possible to switch editor mode when 'htmleditor' was in 'dont_override' (#7143)
- Elastic: Fix text selection in recipient inputs (#7129)
- Elastic: Fix missing Close button in "more recipients" dialog
- Elastic: Fix non-working folder subscription checkbox for newly added folders (#7174)
- Fix regression where "Open in new window" action didn't work (#7155)
- Fix PHP Warning: array_filter() expects parameter 1 to be array, null given in subscriptions_option plugin (#7165)
- Fix unexpected error message when mail refresh involves folder auto-unsubscribe (#6923)
- Fix recipient duplicates in print-view when the recipient list has been expanded (#7169)
- Fix bug where files in skins/ directory were listed on skins list (#7180)
- Fix bug where message parts with no Content-Disposition header and no name were not listed on attachments list (#7117)
- Fix display issues with mail subject that contains line-breaks (#7191)
- Fix invalid Content-Transfer-Encoding on multipart messages - Mail_Mime fix (#7170)
- Fix regression where using an absolute path to SQLite database file on Windows didn't work (#7196)
- Fix using unix:///path/to/socket.file in memcached driver (#7210)
## Release 1.4.2
- Add support for PHPUnit 6 and 7 (#6870)
- Plugin API: Make actionbefore, before, actionafter and after events working with plugin actions (#7106)
- Managesieve: Replace "Filter disabled" with "Filter enabled" (#7028)
- Managesieve: Fix so modifier type select wasn't hidden after hiding modifier select on header change
- Managesieve: Fix filter selection after removing a first filter (#7079)
- Markasjunk: Fix marking more than one message as spam/ham with email_learn driver (#7121)
- Password: Fix kpasswd and smb drivers' double-escaping bug (#7092)
- Enigma: Add script to import keys from filesystem to the db storage (for multihost)
- Installer: Fix DB Write test on SQLite database ("database is locked" error) (#7064)
- Installer: Fix so SQLite DSN with a relative path to the database file works in Installer
- Elastic: Fix contrast of warning toasts (#7058)
- Elastic: Simple search in pretty selects (#7072)
- Elastic: Fix hidden list widget on mobile/tablet when selecting folder while search menu is open (#7120)
- Fix so type attribute on script tags is not used on HTML5 pages (#6975)
- Fix unread count after purge on a folder that is not currently selected (#7051)
- Fix bug where Enter key didn't work on messages list in "List" layout (#7052)
- Fix bug where deleting a saved search in addressbook caused display issue on sources/groups list (#7061)
- Fix bug where a new saved search added after removing all searches wasn't added to the list (#7061)
- Fix bug where a new contact group added after removing all groups from addressbook wasn't added to the list
- Fix bug where Ctype extension wasn't required in Installer and INSTALL file (#7049)
- Fix so install-jsdeps.sh removes Bootstrap's sourceMappingURL (#7035)
- Fix so use of Ctrl+A does not scroll the list (#7020)
- Fix/remove useless keyup event handler on username input in logon form (#6970)
- Fix bug where cancelling switching from HTML to plain text didn't set the flag properly (#7077)
- Fix bug where HTML reply could add an empty line with extra indentation above the original message (#7088)
- Fix matching multiple X-Forwarded-For addresses with 'proxy_whitelist' (#7107)
- Fix so displayed maximum attachment size depends also on 'max_message_size' (#7105)
- Fix bug where 'skins_allowed' option didn't enforce user skin preference (#7080)
- Fix so contact's organization field accepts up to 128 characters (it was 50)
- Fix bug where listing tables in PostgreSQL database with db_prefix didn't work (#7093)
- Fix bug where 'text' attribute on body tag was ignored when displaying HTML message (#7109)
- Fix bug where next message wasn't displayed after delete in List mode (#7096)
- Fix so number of contacts in a group is not limited to 200 when redirecting to mail composer from Contacts (#6972)
- Fix malformed characters in HTML message with charset meta tag not in head (#7116)
## Release 1.4.1
- Elastic: Change HTML editor widget to improve form flow (#6992)
- Elastic: Fix position of mobile floating action button (#7038)
- Managesieve: Fix locked UI after opening filter frame (#7007)
- Fix PHP warning: "array_merge(): Expected parameter 2 to be an array, null given in sendmail.inc (#7003)
- Fix bug where cache keys could exceed length limit specified in db schema (#7004)
- Fix invalid Signature button state after escaping Mailvelope mode (#7015)
- Fix so 401 error is returned only on failed logon requests (#7010)
- Fix db_prefix handling in queries with `TRUNCATE TABLE ` and `UNIQUE ` (#7013)
- Fix so update.sh script warns about changed defaults (#7011)
- Fix tables listing routine when DSN contained a database with unsupported suffix (#7034)
- Fix so Elastic is also a default in jqueryui plugin (#7039)
- Fix bug where the Installer would not warn about required schema upgrade (#7042)
## Release 1.4.0
- Elastic: Resizable columns (#6929)
- Elastic: Fix position and style of auto-complete dropdown on small screens (#6951)
- Elastic: Fix initial focus on recipients input in mail compose screen
- Elastic: Fix inserting responses at cursor position (#6971)
- Elastic: Fix unread filter icon and search state on folder change (#6978)
- Elastic: Fix regression where Encrypt button wasn't displayed in mail compose toolbar (#6982)
- Elastic: Fix regression where recipient input didn't update internal input state (#6988)
- Enigma: Fix bug where signing option was set to disabled after saving a draft in Elastic skin (#6515)
- Redis: Improve error handling and phpredis 5.X support (#6888)
- Archive: Fix bug where next email was not displayed after Archive button use (#6965)
- Archive: Fix missing Archive icon in folder selector popup in Elastic
- Fix bug where cache keys were not case-sensitive on MySQL/MSSQL (#6942)
- Fix so an error is logged when encryption fails (#6948)
- Fix bug where inline images could have been ignored if Content-Id header contained redundant spaces (#6980)
- Fix and document skin_logo setup (#6981)
## Release 1.4-rc2
- Update to jQuery 3.4.1
- Clarified 'address_book_type' option behavior (#6680)
- Added cookie mismatch detection, display an error message informing the user to clear cookies
- Renamed 'log_session' option to 'session_debug'
- Removed 'delete_always' option (#6782)
- Don't log full session identifiers in userlogins log (#6625)
- Support $HasAttachment/$HasNoAttachment keywords (#6201)
- Support PECL memcached extension as a session and cache storage driver (experimental)
- Switch to IDNA2008 variant (#6806)
- installto.sh: Add possibility to run the update even on the up-to-date installation (#6533)
- Plugin API: Add 'render_folder_selector' hook
- Added 'keyservers' option to define list of HKP servers for Enigma/Mailvelope (#6326)
- Added flag to disable server certificate validation via Mysql DSN argument (#6848)
- Select all records on the current list page with CTRL + A (#6813)
- Use Left/Right Arrow keys to faster move over threaded messages list (#6399)
- Changes in `display_next` setting (#6795):
- Move it to Preferences > User Interface > Main Options
- Make it apply to Contacts interface too
- Make it apply only if deleting/moving a previewed message/contact
- Redis: Support connection to unix socket
- Put charset meta specification before a title tag, add page title automatically (#6811)
- Elastic: Various internal refactorings
- Elastic: Add Prev/Next buttons on message page toolbar (#6648)
- Elastic: Close search options on Enter key press in quick-search input (#6660)
- Elastic: Changed some icons (#6852)
- Elastic: Changed read/unread icons (#6636)
- Elastic: Changed "Move to..." icon (#6637)
- Elastic: Add hide/show for advanced preferences (#6632)
- Elastic: Add default icon on Settings/Preferences lists for external plugins (#6814)
- Elastic: Add indicator for popover menu items that open a submenu (#6868)
- Elastic: Move compose attachments/options to the right side (#6839)
- Elastic: Add border/background to attachments list widget (#6842)
- Elastic: Add "Show unread messages" button to the search bar (#6587)
- Elastic: Fix bug where toolbar disappears on attachment menu use in Chrome (#6677)
- Elastic: Fix folders list scrolling on touch devices (#6706)
- Elastic: Fix non-working pretty selects in Chrome browser (#6705)
- Elastic: Fix issue with absolute positioned mail content (#6739)
- Elastic: Fix bug where some menu actions could cause a browser popup warning
- Elastic: Fix handling mailto: URL parameters in contact menu (#6751)
- Elastic: Fix keyboard navigation in some menus, e.g. the contact menu
- Elastic: Fix visual issue with long buttons in .boxwarning (#6797)
- Elastic: Fix handling new-line in text pasted to a recipient input
- Elastic: Fix so search is not reset when returning from the message preview page (#6847)
- Larry: Fix regression where menu actions didn't work with keyboard (#6740)
- ACL: Display user/group names (from ldap) instead of acl identifier
- Password: Added ldap_exop driver (#4992)
- Password: Added support for SSHA512 password algorithm (#6805)
- Managesieve: Fix bug where global includes were requested for vacation (#6716)
- Managesieve: Use RFC-compliant line endings, CRLF instead of LF (#6686)
- Managesieve: Fix so "Create filter" option does not show up when Filters menu is disabled (#6723)
- Enigma: For verified signatures, display the user id associated with the sender address (#5958)
- Enigma: Fix bug where revoked users/keys were not greyed out in key info
- Enigma: Fix error message when trying to encrypt with a revoked key (#6607)
- Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638)
- Enigma: Fix bug where signature verification could have been skipped for some message structures (#6838)
- Fix language selection for spellchecker in html mode (#6915)
- Fix css styles leak from replied/forwarded message to the rest of the composed text (#6831)
- Fix invalid path to "add contact" icon when using assets_path setting
- Fix invalid path to blocked.gif when using assets_path setting (#6752)
- Fix so advanced search dialog is not automatically displayed on searchonly addressbooks (#6679)
- Fix so an error is logged when more than one attachment plugin has been enabled, initialize the first one (#6735)
- Fix bug where flag change could have been passed to a preview frame when not expected
- Fix bug in HTML parser that could cause missing text fragments when there was no head/body tag (#6713)
- Fix bug where HTML messages with a xml:namespace tag were not rendered (#6697)
- Fix TinyMCE download location (#6694)
- Fix so "Open in new window" consistently displays "external window" interface (#6659)
- Fix bug where next row wasn't selected after deleting a collapsed thread (#6655)
- Fix bug where external content (e.g. mail body) was passed to templates parsing code (#6640)
- Fix bug where attachment preview didn't work with x_frame_options=deny (#6688)
- Fix so bin/install-jsdeps.sh returns error code on error (#6704)
- Fix bug where bmp images couldn't be displayed on some systems (#6728)
- Fix bug in parsing vCard data using PHP 7.3 due to an invalid regexp (#6744)
- Fix bug where bold/strong text was converted to upper-case on html-to-text conversion (6758)
- Fix bug in rcube_utils::parse_hosts() where %t, %d, %z could return only tld (#6746)
- Fix bug where Next/Prev button in mail view didn't work with multi-folder search result (#6793)
- Fix bug where selection of columns on messages list wasn't working
- Fix bug in converting multi-page Tiff images to Jpeg (#6824)
- Fix bug where handling multiple messages from multi-folder search result could not work (#6845)
- Fix bug where unread count wasn't updated after moving multi-folder result (#6846)
- Fix wrong messages order after returning to a multi-folder search result (#6836)
- Fix some PHP 7.4 compat. issues (#6884, #6866)
- Fix bug where it was possible to bypass the position:fixed CSS check in received messages (#6898)
- Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899)
- Fix bug where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (#6897)
- Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (#6896)
## Release 1.4-rc1
- Changed 'password_charset' default to 'UTF-8' (#6522)
- Add skins_allowed option (#6483)
- SMTP GSSAPI support via krb_authentication plugin (#6417)
- Avoid Referer leaking by using Referrer-Policy:same-origin header (#6385)
- Removed 'referer_check' option (#6440)
- Use constant prefix for temp file names, don't remove temp files from other apps (#6511)
- Ignore 'Sender' header on Reply-All action (#6506)
- deluser.sh: Add option to delete users who have not logged in for more than X days (#6340)
- HTML5 Upload Progress - as a replacement for the old server-side solution (#6177)
- Update to TinyMCE 4.8.2
- Update to jQuery-MiniColors 2.3.4
- Prevent from using deprecated timezone names from jsTimezoneDetect
- Force session.gc_probability=1 when using custom session handlers (#6560)
- Support simple field labels (e.g. LetterHub examples) in csv imports (#6541)
- Add cache busters also to images used by templates (#6610)
- Plugin API: Added 'raise_error' hook (#6199)
- Plugin API: Added 'common_headers' hook (#6385)
- Plugin API: Added 'ldap_connected' hook
- Enigma: Update to OpenPGPjs 4.2.1 - fixes user name encoding issues in key generation (#6524)
- Enigma: Fixed multi-host synchronization of private and deleted keys and pubring.kbx file
- Managesieve: Added support for 'editheader' extension - RFC5293 (#5954)
- Managesieve: Fix bug where custom header or variable could be lost on form submission (#6594)
- Markasjunk: Integrate markasjunk2 features into markasjunk - marking as non-junk + learning engine (#6504)
- Password: Added 'modoboa' driver (#6361)
- Password: Fix bug where password_dovecotpw_with_method setting could be ignored (#6436)
- Password: Fix bug where new users could skip forced password change (#6434)
- Password: Allow drivers to override default password comparisons (eg new is not same as current) (#6473)
- Password: Allow drivers to override default strength checks (eg allow for 'not the same as last x passwords') (#246)
- Password: Allow drivers to define password strength rules displayed to the user
- Password: Allow separate password saving and strength drivers for use of strength checking services (#5040)
- Password: Add zxcvbn driver for checking password strength (#6479)
- Password: Disallow control characters in passwords
- Password: Add support for Plesk >= 17.8 (#6526)
- Elastic: Improved datepicker displayed always in parent window
- Elastic: On touch devices display attachment icons on messages list (#6296)
- Elastic: Make menu button inactive if all subactions are inactive (#6444)
- Elastic: On mobile/tablet jump to the list on folder selection (#6415)
- Elastic: Various improvements on mail compose screen (#6413)
- Elastic: Support new-line char as a separator for pasted recipients (#6460)
- Elastic: Improved UX of search dialogs (#6416)
- Elastic: Fix unwanted thread expanding when selecting a collapsed thread in non-mobile mode (#6445)
- Elastic: Fix too small height of mailvelope mail preview frame (#6600)
- Elastic: Add "status bar" for mobile in mail composer
- Elastic: Add selection options on contacts list (#6595)
- Elastic: Fix unintentional layout preference overwrite (#6613)
- Elastic: Fix bug where Enigma options in mail compose could sometimes be ignored (#6515)
- Log errors caused by low pcre.backtrack_limit when sending a mail message (#6433)
- Fix regression where drafts were not deleted after sending the message (#6756)
- Fix so max_message_size limit is checked also when forwarding messages as attachments (#6580)
- Fix so performance stats are logged to the main console log also when per_user_logging=true
- Fix malformed message saved into Sent folder when using big attachments and low memory limit (#6498)
- Fix incorrect IMAP SASL GSSAPI negotiation (#6308)
- Fix so unicode in local part of the email address is also supported in recipient inputs (#6490)
- Fix bug where autocomplete list could be displayed out of screen (#6469)
- Fix style/navigation on error page depending on authentication state (#6362)
- Fix so invalid smtp_helo_host is never used, fallback to localhost (#6408)
- Fix custom logo size in Elastic (#6424)
- Fix listing the same attachment multiple times on forwarded messages
- Fix bug where a message/rfc822 part without a filename wasn't listed on the attachments list (#6494)
- Fix inconsistent offset for various time zones - always display Standard Time offset (#6531)
- Fix dummy Message-Id when resuming a draft without Message-Id header (#6548)
- Fix handling of empty entries in vCard import (#6564)
- Fix bug in parsing some IMAP command responses that include unsolicited replies (#6577)
- Fix PHP 7.2 compatibility in debug_logger plugin (#6586)
- Fix so ANY record is not used for email domain validation, use A, MX, CNAME, AAAA instead (#6581)
- Fix so mime_content_type check in Installer uses files that should always be available (i.e. from program/resources) (#6599)
- Fix missing CSRF token on a link to download too-big message part (#6621)
- Fix bug when aborting dragging with ESC key didn't stop the move action (#6623)
## Release 1.4-beta
- Added new skin with mobile support - the Elastic
- Support Redis cache
- Email Resent (Bounce) feature (#4985)
- Improved Mailvelope integration
- Added private key listing and generating to identity settings
- Enable encrypt & sign option if Mailvelope supports it
- Allow contacts without an email address (#5079)
- Support SMTPUTF8 and relax email address validation to support unicode in local part (#5120)
- Support for IMAP folders that cannot contain both folders and messages (#5057)
- Update to jQuery-3.3.1
- Update to jQuery-minicolors 2.2.6
- Update to TinyMCE 4.7.13
- Remove sample PHP configuration from .htaccess and .user.ini files (#5850)
- Extend skin_logo setting to allow per skin logos (#6272)
- Use Masterminds/HTML5 parser for better HTML5 support (#5761)
- Add More actions button in Contacts toolbar with Copy/Move actions (#6081)
- Display an error when clicking disabled link to register protocol handler (#6079)
- Add option trusted_host_patterns (#6009, #5752)
- Support additional connect parameters in PostgreSQL database wrapper
- Use UI dialogs instead of confirm() and alert() where possible
- Display value of the SMTP message size limit in the error message (#6032)
- Show message flagged status in message view (#5080)
- Skip redundant INSERT query on successful logon when using PHP7
- Replace display_version with display_product_version (#5904)
- Extend disabled_actions config so it accepts also button names (#5903)
- Handle remote stylesheets the same as remote images, ask the user to allow them (#5994)
- Add Message-ID to the sendmail log (#5871)
- Add option to hide folders in share/other-user namespace or outside of the personal namespace root (#5073)
- Archive: Fix archiving by sender address on cyrus-imap
- Archive: Style Archive folder also on folder selector and folder manager lists
- Archive: Add Thunderbird compatible Month option (#5623)
- Archive: Create archive folder automatically if it's configured, but does not exist (#6076)
- Enigma: Add button to send mail unencrypted if no key was found (#5913)
- Enigma: Add options to set PGP cipher/digest algorithms (#5645)
- Enigma: Multi-host support
- Managesieve: Add ability to disable filter sets and other actions (#5496, #5898)
- Managesieve: Add option managesieve_forward to enable settings dialog for simple forwarding (#6021)
- Managesieve: Support filter action with custom IMAP flags (#6011)
- Managesieve: Support 'mime' extension tests - RFC5703 (#5832)
- Managesieve: Support GSSAPI authentication with krb_authentication plugin (#5779)
- Managesieve: Support enabling the plugin for specified hosts only (#6292)
- Password: Support host variables in password_db_dsn option (#5955)
- Password: Automatic virtualmin domain setting, removed password_virtualmin_format option (#5759)
- Password: Added password_username_format option (#5766)
- subscriptions_option: show \\Noselect folders greyed out (#5621)
- zipdownload: Added option to define size limit for multiple messages download (#5696)
- vcard_attachments: Add possibility to send contact vCard from Contacts toolbar (#6080)
- Changed defaults for smtp_user (%u), smtp_pass (%p) and smtp_port (587)
- Composer: Fix certificate validation errors by using packagist only (#5148)
- Add --get and --extract arguments and CACHEDIR env-variable support to install-jsdeps.sh (#5882)
- Support _filter and _scope as GET arguments for opening mail UI (#5825)
- Various improvements for templating engine and skin behaviours
- Support conditional include
- Support for 'link' objects
- Support including files with path relative to templates directory
- Use
FirefoxFirefox";
$washer = new rcube_washtml;
$washed = $washer->wash($html);
$this->assertRegExp('|href="http://test\.com"|', $washed, "Link href with newlines (#1488940)");
$this->assertRegExp('|href="http://domain\.com"|', $washed, "Link href with no protocol (#7454)");
}
/**
* Test XSS in area's href (#5240)
*/
function test_href_area()
{
$html = '
'
. 'Internet Explorer
'
. ''
. '
'
. 'Internet Explorer
'
. '';
$washer = new rcube_washtml;
$washed = $washer->wash($html);
$this->assertNotRegExp('/data:text/', $washed, "data:text/html in area href");
$this->assertNotRegExp('/vbscript:/', $washed, "vbscript: in area href");
$this->assertNotRegExp('/javascript:/', $washed, "javascript: in area href");
}
/**
* Test removing of object tag, but keeping innocent children
*/
function test_object()
{
$html = "