Navigate CMS Update: 2.9.5
26 Mar '22
The Navigate CMS team has just released a software update that includes a collection of security fixes, bug fixes and library upgrades. The most important vulnerability was reported by the security researcher Roberto Cruz. Thank you very much for your help!
Full changelog:
+ nvweb list: support returning webuser vote value as a percentage "vote%"
+ nvweb list: return a product or element score as a percentage "score%"
* nvweb list: urlencode extra paginator url parameters
* nvweb list: fixed products retrieval query
+ nvweb list: added attribute "return" settable to "array" to retrieve the nvlist results as an array (useful in theme/plugin development)
+ nvweb nvlist_conditional by="product" offer="$url_parameter_name" (allows finding products by the offer flag depending on a user filter request)
+ nvweb nvlist conditional by="brand" image="true|false" (useful to display a placeholder image when a brand has no logo defined)
+ nvweb conditional: added by="request" value="x" to add content only when a url parameter is present
* nvweb cart: replaced some <p> elements with <div> elements that have a class name
+ properties: new attribute "class" to be added into links when requesting properties of type "link"
* nvweb_prepare_link function now ignores URLs using "mailto:" and "javascript:" descriptors
* nvweb metatags: set a default title for "not_found" template
+ nvweb menu: added attribute to modify the submenu indicator when rendered as a select component
* files: removed unused code
+ structure: enabled cache for the tree hierarchy and renamed some internal functions
* debugger: rewritten "time elapsed" functions to avoid depending on a plugin
* comments: in the navigate "in reply to" field, the date of the parent comment must be before that of the comment being edited
+ websites: added option to define a whitelist of hosts that the website can connect to using cURL
+ added library "jycr753/ip-utils" via composer https://github.com/jycr753/ip-utils
+ added library "jalle19/php-whitelist-check" via composer https://github.com/Jalle19/php-whitelist-check
* core: in core_http_request require url to be a real http(s) request to prevent security issues
* files: small interface fixes
- files: remove adobe flash folder type option
* files: fix media browser pagination
* items, products, properties, blocks, structure: fixed code to prevent sql injection vulnerabilities (thanks github user @Paper-Submission-2021)
+ media browser: define a set of priority objects that will appear before any other (e.g. used when creating a new folder)
+ core_curl_post: added new parameter "referrer"
* nvweb breadcrumbs: allow passing separator=""
* nvweb breadcrumbs: added optional parameter "wrapper" which can be "li" or "div"
* nvweb_object_enabled: identify the HTML infinity symbol as a valid date
* user.class: remove deprecated code in quicksearch function
* nvweb list comments: apply passed list filters instead of using the current page info
+ nvweb webuser: added new parameter sign_up="true" in mode "customer_account" to show a registration form next to the login form
* files: improve focal point interface and provide more accurate results
+ nvweb conditional now accepts the "not" attribute to negate any result
+ nvweb webuser: added styles and javascript for new sign_up interaction in mode "customer_account"
+ nvweb votes: added mode "percentage" (score from 0 to 100 with 2 decimals, based on score from 0 to 10)
+ products: added column "Brand" in navigate list (and enabled it for sorting)
+ nvweb conditional by="cart" value="empty"
+ nvweb product mode="add_to_cart" quantity_tag_id="input_id_where_to_find_the_quantity" (if different than 1)
+ nvweb menu: exclude="123,45" (IDs of the structure objects to exclude)
+ nvweb menu: active_class="menu_option_active" (class name for the current active object in the page)
+ nvweb menu: mode="select" select_tag_id="abc" (ID for the <select> tag) auto_jump="false" (do not auto redirect when selecting an option from a select menu)
+ nvlist_conditional by="position" positions="1,3,5" (declare specific numeric positions for the condition to be satisfied, first object is 1)
+ nvweb list: added filters for "brand", "brands", "price" and "offer"; example: [{'price':{'gte':'$price-min'}},{'brands':{'in':'$brands'}},{'offer': 'true'}]
* nvweb list: reorganize code (phase 1)
+ nvweb blocks: new parameter "icon_classes" (to add classes to every icon shown in a list of links block type)
* themes: prevent reflected XSS attack when requesting theme_info
* navigate_download: prevent arbitrary file read vulnerability
* nvweb list: reorganize code (phase 2)
You can view all source code changes in our GitHub repository.
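The changelog entries on the cURL host whitelist and on core_http_request requiring a real http(s) URL describe an outbound-request guard. The sketch below is an added example of that kind of check, not code from Navigate CMS; the function names, the allowlist format (a leading "." for subdomains) and the sample URLs are assumptions.

```php
<?php
// Added illustration; names and allowlist are hypothetical, not Navigate CMS code.
// True only for an absolute http(s) URL whose host is on $allowedHosts;
// an entry starting with "." matches subdomains of that suffix.
function outbound_url_allowed(string $url, array $allowedHosts): bool
{
    $parts = parse_url(trim($url));
    if (!is_array($parts) || empty($parts['scheme']) || empty($parts['host'])) {
        return false; // malformed, relative, or host-less (e.g. file:///...)
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // ftp://, gopher://, dict:// and similar
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // userinfo can make the real host ambiguous between parsers
    }
    $host = rtrim(strtolower($parts['host']), '.');
    foreach ($allowedHosts as $entry) {
        $entry = strtolower(trim($entry));
        if ($host === $entry) return true;
        if ($entry !== '' && $entry[0] === '.' && substr($host, -strlen($entry)) === $entry) return true;
    }
    return false;
}

// Validate first, then restrict cURL itself: redirects are not followed, so the
// request cannot move to a host or protocol that was never checked.
function fetch_allowed(string $url, array $allowedHosts)
{
    if (!outbound_url_allowed($url, $allowedHosts)) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    ]);
    return curl_exec($ch);
}

// Constructed sample input: the first two are allowed, the rest are denied.
$allow = ['api.example.com', '.cdn.example.com'];
foreach (['https://api.example.com/feed', 'http://img.cdn.example.com/a.png',
          'file:///etc/hostname', 'ftp://api.example.com/x',
          'https://api.example.com.other.test/', '//api.example.com/x'] as $u) {
    printf("%-40s %s\n", $u, outbound_url_allowed($u, $allow) ? 'allow' : 'deny');
}
```

A hostname allowlist does not by itself cover an allowed name that resolves to an internal address; checking the resolved IP is a separate step.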
To auto update your Navigate CMS instance, sign in as an Administrator and access the Configuration > Update function. You may also download the update package from SourceForge and apply it manually.