Textpattern

Productivity & Wikis

A flexible, elegant, fast and easy-to-use PHP-based content management system

PHP Latest 4.9.1 · 3mo ago

Features

  • PHP‑based web CMS for building websites
  • Supports multi‑site installations via .tar.gz/.tar.xz archives
  • Provides detailed system requirements and upgrade guides

Recent releases

4.9.1 Security relevant
Security fixes
  • Resolved admin-side XSS vulnerability
  • Resolved access control regression with articles
Notable features
  • (Article)Image thumbnails can output any supported format
Full changelog
  • Maintenance release with security enhancements, general improvements and bug fixes.
  • Security: Resolved access control regression with articles. Many thanks to Federico Frascino.
  • Security: Resolved admin-side XSS vulnerability. Many thanks to Jan Jeffrie Galvez Salloman, aka '0xj4n'.
  • Changed: (Article)Image tags only output dimensions on demand.
  • Changed: <txp:article_image> skips empty images/thumbnails.
  • Changed: Valueless width/height/crop behaviour in (Article)Image tags.
  • Changed: Thumb path now permits virtual/multiple host setups.
  • Changed: Use publisher email and fallback if no/invalid sender is supplied (thanks, @jools-r).
  • Fixed: Fatal error with UNIXTIME() changes in MariaDB 11.8+.
  • Fixed: Dynamic thumbnail MIME detection (thanks, rezozero/ambroisemaupate).
  • Fixed: PHP 5.6 support (thanks, pinalgirkar).
  • Fixed: Show template content even if theme is deleted (thanks, Mark Goodwin).
  • Fixed: Correct admin theme file scaffold for dynamic thumbnails.
  • Fixed: Reintroduce 'No' indicator if thumbnail is missing in Images list panel (thanks, @rwetzlmayr and @phiw13).
  • Fixed: Duplicate action only available for existing content.
  • Fixed: Assets created with no timestamp use time of creation, not Unix epoch.
  • Fixed: Internal errors with password reset email sending on PHP 8.5.
  • Added: (Article)Image thumbnails can output any supported format.
  • Vendors: jQuery UI 1.14.2.
4.9.0 Breaking risk
Breaking changes
  • Minimum PHP version raised to 5.6 (PHP 8.2+ recommended).
  • Minimum MySQL version raised to 5.5 (MySQL 8.0+ recommended).
Security fixes
  • Avoid directory traversal when uploading plugins.
Notable features
  • Support for newer PHP versions: 8.2, 8.3.1+, 8.4, and 8.5.
  • Full article previews directly from the Write panel.
  • Automatic dynamic thumbnail generation (tags and back‑end).
Full changelog
  • Feature release with support for PHP 8.5, MySQL 8.4, new functionality, security enhancements, improvements, and bug fixes.
  • Changed: Minimum system requirements increased to PHP 5.6 (PHP 8.2+ recommended, preferably with ongoing vendor support).
  • Changed: Minimum system requirements increased to MySQL 5.5 (MySQL 8.0+ recommended, preferably with ongoing vendor support).
  • Fixed: Remove 'br' tags from article image markup where >1 image is supplied (thanks, @jools-r).
  • Fixed: Pre+post textfilter callbacks were switched.
  • Fixed: Plugins import Textpack strings correctly.
  • Fixed: Prefs (multi-)select options.
  • Fixed: Improved support for images with EXIF orientation metadata (thanks, @jools-r).
  • Fixed: Avoid directory traversal when uploading plugins (thanks, @bg1).
  • Fixed: Compiled plugins upload on PHP 5.6.
  • Fixed: Windows-generated .zip plugins installable on UNIX/Linux.
  • Fixed: Restored empty 'height' and 'width' attributes behaviour of <txp:image />.
  • Fixed: Self-closing tag output for html5 doctype to silence validator (thanks, @jools-r).
  • Fixed: Ignore search in individual article mode.
  • Fixed: Take RFC 2616 mail headers setting into account for separator.
  • Fixed: Sandboxed article/body/excerpt preview (thanks, @grozdniyandy).
  • Added: Support for PHP 8.2, PHP 8.3.1+, PHP 8.4, and PHP 8.5.
  • Added: Full article previews directly from the Write panel.
  • Added: Filter articles by image.
  • Added: Admin Theme prefs.
  • Added: Automatic, dynamic thumbnail generation (tags and back-end).
  • Added: SVG image support (thanks, osadl and @jools-r).
  • Added: Activity indicator for extended duration file/image upload processes.
  • Added: Multi-edit for changing author language.
  • Added: In-use asset counters to the Users panel.
  • Added: Reload language packs from disk.
  • Added: Shift+Space shortcut for 'Tab' indent in textareas.
  • Added: Input length tooltip when appropriate.
  • Added: PHPMailer for third-party SMTP delivery. See Admin>Preferences>Mail.
  • Added: <txp:date /> tag.
  • Added: <txp:if_article_status /> tag.
  • Added: <txp:if_items_count /> tag.
  • Added: Global 'variable' attribute.
  • Added: Global 'offset' attribute can be set by URL parameters.
  • Added: 'parent' attribute to <txp:category />.
  • Added: 'inline' value to 'format' attribute of <txp:css /> (thanks, @jools-r).
  • Added: 'alias' attribute to <txp:evaluate />.
  • Added: Ability to serve files via 'type' attribute to <txp:file_download />.
  • Added: 'exclude' attribute to <txp:file_download_list /> and <txp:linklist />.
  • Added: Site production status values to 'process' attribute of <txp:hide />.
  • Added: 'level' attribute to <txp:if_category />.
  • Added: 'match', 'separator' attribute capability to <txp:if_yield />.
  • Added: 'exclude', 'month' and 'time' attributes to <txp:images />.
  • Added: 'lang' attribute to <txp:page_url />.
  • Added: 'target' attribute to <txp:popup />.
  • Added: 'filter' attribute to <txp:section_list /> and <txp:if_section />.
  • Added: Plugins can be uploaded from a URL by dragging to upload textarea.
  • Added: Plugin compilation directly from the Plugins panel.
  • Added: Plugin export to .zip.
  • Added: Compiled plugins can be uploaded via Browse... feature.
  • Added: Compatible plugin upgrades directly from the Plugins panel.
  • Added: Create and install new plugins directly from the Plugins panel.
  • Added: Plugin multi-edit option: revert to last installed code content.
  • Added: All plugin metadata exposed in the Plugin Edit panel.
  • Added: Latest text translations. Thank you to all our translators.
  • Added: Punjabi, Slovenian and Urdu (Pakistani dialect) language support.
  • Added: Trailing slash URL preference.
  • Added: File download header preference.
  • Added: Option to define a Content Security Policy header for the Textpattern admin-side via config.php.
  • Added: Support for aggregate window functions in compatible MySQL versions.
  • Added: metaWeblog.newMediaObject for image upload over the MovableType API (thanks, @Melonking906).
  • Changed: Pending articles may be displayed on the site.
  • Changed: Theme page maximum size increased from 64KB to 16MB.
  • Changed: Allow content dates prior to 01-01-1970, and beyond 03:14:07 UTC on 19 Jan 2038. Refer to Epochalypse/Year 2038 problem for info. Adjustments for non-Gregorian (AD) dates are performed.
  • Changed: Display/edit 'modified' date on Files panel.
  • Changed: Refactored article Save panel (thanks @jools-r, @phiw13, and @cara-tm).
  • Changed: File Edit panel has the ability to rename and delete files, and change the download counter value (thanks, adi).
  • Changed: Image Edit panel has the ability to delete images.
  • Changed: Image Edit panel includes published date/time, which can be altered.
  • Changed: Pre-flight check visibility toggle.
  • Changed: In-use languages can not be deleted.
  • Changed: Deprecate <txp:search_result_count />. Use <txp:items_count /> instead.
  • Changed: Section-aware default search.
  • Changed: Image tags can take HTML attributes.
  • Changed: Enhancements to 'br' tag HTML5 compliance (thanks, @jools-r).
  • Changed: Enhancements to SVG handling relating to non-px dimensions (thanks, @jools-r).
  • Changed: Enhancements to 'extension' and 'size' attributes of <txp:images />.
  • Changed: Enhancements to RPC functionality (thanks, @Melonking906).
  • Changed: Admin-theme checksums computed independently. Unused admin themes can be deleted and will no longer trigger Diagnostics alert.
  • Changed: Multi-site scaffold optimisations.
  • Changed: Wildcards in file/image/link category queries.
  • Changed: <txp:header /> tag requires 'form' privilege.
  • Changed: Articles may use external URLs directly.
  • Changed: Some language keys renamed to avoid invalid name clashes.
  • Changed: Do not generate empty syndication feeds for feedless sections.
  • Changed: Removed 'noopener' from target="_blank" links (now default behaviour in all supported browsers) (thanks, @phiw13).
  • Changed: Removed 'aria-label' attributes where 'title' already exists.
  • Changed: Checksums use Tiger-192,3 instead of MD5. Fewer potential clashes.
  • Changed: Allow PHP scripting options off by default, and Diagnostics warning.
  • Changed: Plugins of all types trigger verify step (with improved security).
  • Changed: Extend character set that can be used in tag/attribute names.
  • Changed: Less collision-prone custom fields name processing.
  • Changed: Category & section description field sizes increased to 1023 characters.
  • Changed: Introduce primary keys for all database tables, replacing some old indexes.
  • Developer: Permitted concurrent logins. See Advanced Prefs.
  • Developer: Removed duplicate pluggable_ui callback for article_ui>categories (thanks, @jools-r).
  • Developer: Added pophelp support in plugin 'lang' directory.
  • Developer: Articles (list) panel callbacks:
    articles>fields and articles>from to manipulate the query
    articles>controls to affect the button area
    articles_ui>list.row (pluggable_ui) for adding table data
    articles>steps for plugins to register custom panel-level functionality.
  • Developer: Add pre+post article_submit callbacks on article post/save.
  • Developer: Add getAtts($tag) method for fetching tag attributes.
  • Developer: Reintroduce extend_col_1 markup area on Write panel.
  • Developer: Add lifecycle>loaded callback for plugins run from cache.
  • Developer: Introduce UI class library for building interface components.
  • Developer: Tag registration is now mandatory.
  • Developer: Some of the lesser-used tags are loaded on demand from their class
    to save memory. Plugins must call them via processTags() function.
  • Developer: Add safe_exists() function to database layer.
  • Developer: Move $thisversion and $txp_is_dev to constants.php.
  • Developer: 'Visitor logs' panel is now bound to the new 'lore' event name
    (was: 'log') to prevent conflicts with privacy filters.
  • Developer: File upload callbacks (file_uploaded and files_uploaded pre+post).
  • Developer: Activation emails can be skipped via hidden notify="skip" field.
  • Developer: Can add &checksums=1 on Diagnostics panel URL to verify checksums.
  • Vendors: Textile 4.1.4 (thanks, @gocom).
  • Vendors: DOMPurify 3.3.1.
  • Vendors: jQuery 3.7.1.
  • Vendors: jQuery UI 1.14.1.
  • Vendors: PHPMailer 6.12.0.
  • Vendors: PrismJS 1.30.0.
  • Vendors: UglifyJS 3.19.3.

About

Stars
867
Forks
109
Languages
PHP JavaScript CSS
