Textpattern CMS 4.0.6 released

After quite a while and lots of work from many, many people it’s finally here. We have fixed no fewer than six security issues. Because half of those can be used from the public side, updating is strongly recommended.

Updates should be seamless for the vast majority of people. If yours is not, make sure that all plugins are also updated to their most recent version, especially admin-side plugins.


File download

Zip format. File size 339 kB.

Gzip format. File size 297 kB.

Changes since 4.0.5

  • Safer use of txp_login cookie + nonce (note: users are logged out after upgrading!)
  • Fixed XSS vulnerability (thanks DSecRG) and input validation in setup script.
  • Fixed XSS vulnerability and parameter value overflow in comments preview (thanks DSecRG)
  • Added missing escape in SQL query (admin side)
  • Fixed local file include vulnerability (publisher only) in textpattern/index.php (thanks DSecRG and Victor)
  • Fixed missing escaping of the request method as shown on the logs tab (thanks Victor)
  • New translations: Croatian, Korean, Português (Brasil), Serbian (Latin + Cyrillic), Turkish and Vietnamese
  • New tags: <txp:if_search_results> and <txp:search_term />.
  • <txp:thumbnail /> allows non-JS links to the full-size image
  • <txp:article_custom /> allows comma-separated lists for category, section and author attributes (thanks Manfre)
  • <txp:linklist /> allows comma-separated list for category attribute
  • <txp:file_download_list /> allows comma-separated list for category attribute
  • <txp:recent_articles /> allows comma-separated lists for category and section attributes
  • <txp:related_articles /> allows comma-separated list for section attribute
  • <txp:search_result_excerpt /> allows a custom break attribute defaulting to an ellipsis
  • Several tags have been deprecated and will be replaced automatically during the upgrade: <txp:sitename />, <txp:request_uri />, <txp:s />, <txp:c />, <txp:q />, <txp:id />, <txp:pg />
  • Added ‘password reset’ functionality (with confirmation email) on the login screen
  • Update to jQuery 1.2.2 as a default JavaScript library
  • Fixed Textile list incompatibility with PHP 5.2.4 (and higher)
  • Fixed http-auth when using Lighttpd or (mostly) Apache + fastCGI
  • Fixed HTTPS protocol check for ISAPI with IIS
  • Fixed use of article tags on a sticky article page
  • Speed improvements (fewer SQL queries needed)
  • Pages, sections and styles can no longer be accidentally deleted if they are used on other tabs
  • Corrections in the tag builder
  • Refrain from showing sticky articles from non-frontpage sections in search results
  • Enable separate search section for messy URL mode
  • Plugin developers should note that using add_privs() for admin-side plugins is now required (used to be optional for publisher-only plugins) and the included HISTORY.txt contains other useful information.
  • Many, many minor improvements

Further reading

Forum thread for the announcement.


  1. Stellar! Ultra sound project management.

  2. I’m new to TXP, how does TXP 4.0.6 compare to Wordpress 2.3.2?

    Thanks in advance for any help.

  3. Duncan: for that kind of question it is better you visit the forum: forum.textpattern.io

  4. Ohh people, you rock…

  5. This update doesn’t seem to be as big as was the previous one, but nice job anyway! Thank you.

  6. thank you!!

    just upgrade, all ok!

  7. always great stuff from txp, thank you

  8. Thanks…

  9. I have been visiting this site for a long time, so I decided to show you my appreciation by making a comment.

    Jim Mirkalami

  10. This is great. A big thanks and congrats to the TXP DEV team!

    Forgive me if this is the wrong place for it, but is anyone having troubles when posting from MarsEdit to Textpattern 4.0.6 with Textile formatting being ignored?

  11. Thanks for the great work..

  12. Everything works fine — you’ve done a great job, as always!

  13. Wordless…
    Just a wonderful product, now a little bit better. Keep the good work going!

  14. wonderful work..thx michael

Commenting has expired for this article.