Skip to content

Release history

Textpattern releases

Flexible, elegant and easy-to-use CMS.

Back to tool Latest release

All releases

2 shown

4.9.1 Security relevant
Security fixes
  • Resolved admin-side XSS vulnerability
  • Resolved access control regression with articles
Notable features
  • (Article)Image thumbnails can output any supported format
Full changelog
  • Maintenance release with security enhancements, general improvements and bug fixes.
  • Security: Resolved access control regression with articles. Many thanks to Federico Frascino.
  • Security: Resolved admin-side XSS vulnerability. Many thanks to Jan Jeffrie Galvez Salloman, aka '0xj4n'.
  • Changed: (Article)Image tags only output dimensions on demand.
  • Changed: <txp:article_image> skips empty images/thumbnails.
  • Changed: Valueless width/height/crop behaviour in (Article)Image tags.
  • Changed: Thumb path now permits virtual/multiple host setups.
  • Changed: Use publisher email and fallback if no/invalid sender is supplied (thanks, @jools-r ).
  • Fixed: Fatal error with UNIXTIME() changes in MariaDB 11.8+.
  • Fixed: Dynamic thumbnail MIME detection (thanks, rezozero/ambroisemaupate).
  • Fixed: PHP 5.6 support (thanks, pinalgirkar).
  • Fixed: Show template content even if theme is deleted (thanks, Mark Goodwin).
  • Fixed: Correct admin theme file scaffold for dynamic thumbnails.
  • Fixed: Reintroduce 'No' indicator if thumbnail is missing in Images list panel (thanks, @rwetzlmayr and @phiw13).
  • Fixed: Duplicate action only available for existing content.
  • Fixed: Assets created with no timestamp use time of creation, not Unix epoch.
  • Fixed: Internal errors with password reset email sending on PHP 8.5.
  • Added: (Article)Image thumbnails can output any supported format.
  • Vendors: jQuery UI 1.14.2.
View release on GitHub
4.9.0 Breaking risk
Breaking changes
  • Minimum PHP version raised to 5.6 (PHP 8.2+ recommended).
  • Minimum MySQL version raised to 5.5 (MySQL 8.0+ recommended).
Security fixes
  • Avoid directory traversal when uploading plugins.
Notable features
  • Support for newer PHP versions: 8.2, 8.3.1+, 8.4, and 8.5.
  • Full article previews directly from the Write panel.
  • Automatic dynamic thumbnail generation (tags and back‑end).
Full changelog
  • Feature release with support for PHP 8.5, MySQL 8.4, new functionality, security enhancements, improvements, and bug fixes.
  • Changed: Minimum system requirements increased to PHP 5.6 (PHP 8.2+ recommended, preferably with ongoing vendor support).
  • Changed: Minimum system requirements increased to MySQL 5.5 (MySQL 8.0+ recommended, preferably with ongoing vendor support).
  • Fixed: Remove 'br' tags from article image markup where >1 image is supplied (thanks, @jools-r).
  • Fixed: Pre+post textfilter callbacks were switched.
  • Fixed: Plugins import Textpack strings correctly.
  • Fixed: Prefs (multi-)select options.
  • Fixed: Improved support for images with EXIF orientation metadata (thanks, @jools-r).
  • Fixed: Avoid directory traversal when uploading plugins (thanks, @bg1).
  • Fixed: Compiled plugins upload on PHP 5.6.
  • Fixed: Windows-generated .zip plugins installable on UNIX/Linux.
  • Fixed: Restored empty 'height' and 'width' attributes behaviour of <txp:image />.
  • Fixed: Self-closing tag output for html5 doctype to silence validator (thanks, @jools-r).
  • Fixed: Ignore search in individual article mode.
  • Fixed: Take RFC 2616 mail headers setting into account for separator.
  • Fixed: Sandboxed article/body/excerpt preview (thanks, @grozdniyandy).
  • Added: Support for PHP 8.2, PHP 8.3.1+, PHP 8.4, and PHP 8.5.
  • Added: Full article previews directly from the Write panel.
  • Added: Filter articles by image.
  • Added: Admin Theme prefs.
  • Added: Automatic, dynamic thumbnail generation (tags and back-end).
  • Added: SVG image support (thanks, osadl and @jools-r).
  • Added: Activity indicator for extended duration file/image upload processes.
  • Added: Multi-edit for changing author language.
  • Added: In-use asset counters to the Users panel.
  • Added: Reload language packs from disk.
  • Added: Shift+Space shortcut for 'Tab' indent in textareas.
  • Added: Input length tooltip when appropriate.
  • Added: PHPMailer for third-party SMTP delivery. See Admin>Preferences>Mail.
  • Added: <txp:date /> tag.
  • Added: <txp:if_article_status /> tag.
  • Added: <txp:if_items_count /> tag.
  • Added: Global 'variable' attribute.
  • Added: Global 'offset' attribute can be set by URL parameters.
  • Added: 'parent' attribute to <txp:category />.
  • Added: 'inline' value to 'format' attribute of <txp:css /> (thanks, @jools-r).
  • Added: 'alias' attribute to <txp:evaluate />.
  • Added: Ability to serve files via 'type' attribute to <txp:file_download />.
  • Added: 'exclude' attribute to <txp:file_download_list /> and <txp:linklist />.
  • Added: Site production status values to 'process' attribute of <txp:hide />.
  • Added: 'level' attribute to <txp:if_category />.
  • Added: 'match', 'separator' attribute capability to <txp:if_yield />.
  • Added: 'exclude', 'month' and 'time' attributes to <txp:images />.
  • Added: 'lang' attribute to <txp:page_url />.
  • Added: 'target' attribute to <txp:popup />.
  • Added: 'filter' attribute to <txp:section_list /> and <txp:if_section />.
  • Added: Plugins can be uploaded from a URL by dragging to upload textarea.
  • Added: Plugin compilation directly from the Plugins panel.
  • Added: Plugin export to .zip.
  • Added: Compiled plugins can be uploaded via Browse... feature.
  • Added: Compatible plugin upgrades directly from the Plugins panel.
  • Added: Create and install new plugins directly from the Plugins panel.
  • Added: Plugin multi-edit option: revert to last installed code content.
  • Added: All plugin metadata exposed in the Plugin Edit panel.
  • Added: Latest text translations. Thank you to all our translators.
  • Added: Punjabi, Slovenian and Urdu (Pakistani dialect) language support.
  • Added: Trailing slash URL preference.
  • Added: File download header preference.
  • Added: Option to define a Content Security Policy header for the Textpattern admin-side via config.php.
  • Added: Support for aggregate window functions in compatible MySQL versions.
  • Added: metaWeblog.newMediaObject for image upload over the MovableType API (thanks, @Melonking906).
  • Changed: Pending articles may be displayed on the site.
  • Changed: Theme page maximum size increased from 64KB to 16MB.
  • Changed: Allow content dates prior to 01-01-1970, and beyond 03:14:07 UTC on 19 Jan 2038. Refer to Epochalypse/Year 2038 problem for info. Adjustments for non-Gregorian (AD) dates are performed.
  • Changed: Display/edit 'modified' date on Files panel.
  • Changed: Refactored article Save panel (thanks @jools-r, @phiw13, and @cara-tm).
  • Changed: File Edit panel has the ability to rename and delete files, and change the download counter value (thanks, adi).
  • Changed: Image Edit panel has the ability to delete images.
  • Changed: Image Edit panel includes published date/time, which can be altered.
  • Changed: Pre-flight check visibility toggle.
  • Changed: In-use languages can not be deleted.
  • Changed: Deprecate <txp:search_result_count />. Use `<txp:items_count /> instead.
  • Changed: Section-aware default search.
  • Changed: Image tags can take HTML attributes.
  • Changed: Enhancements to 'br' tag HTML5 compliance (thanks, @jools-r).
  • Changed: Enhancements to SVG handling relating to non-px dimensions (thanks, @jools-r).
  • Changed: Enhancements to 'extension' and 'size' attributes of <txp:images />.
  • Changed: Enhancements to RPC functionality (thanks, @Melonking906).
  • Changed: Admin-theme checksums computed independently. Unused admin themes can be deleted and will no longer trigger Diagnostics alert.
  • Changed: Multi-site scaffold optimisations.
  • Changed: Wildcards in file/image/link category queries.
  • Changed: <txp:header /> tag requires 'form' privilege.
  • Changed: Articles may use external URLs directly.
  • Changed: Some language keys renamed to avoid invalid name clashes.
  • Changed: Do not generate empty syndication feeds for feedless sections.
  • Changed: Removed 'noopener' from target="_blank" links (now default behaviour in all supported browsers) (thanks, @phiw13).
  • Changed: Removed 'aria-label' attributes where 'title' already exists.
  • Changed: Checksums use Tiger-192,3 instead of MD5. Fewer potential clashes.
  • Changed: Allow PHP scripting options off by default, and Diagnostics warning.
  • Changed: Plugins of all types trigger verify step (with improved security).
  • Changed: Extend character set that can be used in tag/attribute names.
  • Changed: Less collision-prone custom fields name processing.
  • Changed: Category & section description field sizes increased to 1023 characters.
  • Changed: Introduce primary keys for all database tables, replacing some old indexes.
  • Developer: Permitted concurrent logins. See Advanced Prefs.
  • Developer: Removed duplicate pluggable_ui callback for article_ui›categories (thanks, @jools-r).
  • Developer: Added pophelp support in plugin 'lang' directory.
  • Developer: Articles (list) panel callbacks:
    articles>fields and articles>from to manipulate the query
    articles>controls to affect the button area
    articles_ui>list.row (pluggable_ui) for adding table data
    articles>steps for plugins to register custom panel-level functionality.
  • Developer: Add pre+post article_submit callbacks on article post/save.
  • Developer: Add getAtts($tag) method for fetching tag attributes.
  • Developer: Reintroduce extend_col_1 markup area on Write panel.
  • Developer: Add lifecycle>loaded callback for plugins run from cache.
  • Developer: Introduce UI class library for building interface components.
  • Developer: Tag registration is now mandatory.
  • Developer: Some of the lesser-used tags are loaded on demand from their class
    to save memory. Plugins must call them via processTags() function.
  • Developer: Add safe_exists() function to database layer.
  • Developer: Move $thisversion and $txp_is_dev to constants.php.
  • Developer: 'Visitor logs' panel is now bound to the new 'lore' event name
    (was: 'log') to prevent conflicts with privacy filters.
  • Developer: File upload callbacks (file_uploaded and files_uploaded pre+post).
  • Developer: Activation emails can be skipped via hidden notify="skip" field.
  • Developer: Can add &checksums=1 on Diagnostics panel URL to verify checksums.
  • Vendors: Textile 4.1.4. (thanks, @gocom).
  • Vendors: DOMPurify 3.3.1.
  • Vendors: jQuery 3.7.1.
  • Vendors: jQuery UI 1.14.1.
  • Vendors: PHPMailer 6.12.0.
  • Vendors: PrismJS 1.30.0.
  • Vendors: UglifyJS 3.19.3.
View release on GitHub

Beta — feedback welcome: [email protected]