Updates should be seamless for the vast majority of people, otherwise make sure that all plugins are also updated to their most recent version, especially admin-side plugins.


File download


File size 339 kB | Created
File download


File size 297 kB | Created

Changes since 4.0.5

  • Safer use of txp_login cookie + nonce (note: users are logged out after upgrading!)
  • Fixed XSS vulnerability (thanks DSecRG) and input validation in setup script.
  • Fixed XSS vulnerability and parameter value overflow in comments preview (thanks DSecRG)
  • Added missing escape in SQL query (admin side)
  • Fixed local file include vulnerability (publisher only) in textpattern/index.php (thanks DSecRG and Victor)
  • Fixed escape request method as shown on logs tab (thanks Victor)
  • New translations: Croatian, Korean, Português (Brasil), Serbian (Latin + Cyrillic), Turkish and Vietnamese
  • New tags: <txp:if_search_results> and <txp:search_term />.
  • <txp:thumbnail /> allows non-JS links to the full-size image
  • <txp:article_custom /> allows comma-separated lists for category, section and author attributes (thanks Manfre)
  • <txp:linklist /> allows comma-separated list for category attribute
  • <txp:file_download_list /> allows comma-separated list for category attribute
  • <txp:recent_articles /> allows comma-separated lists for category and section attribute
  • <txp:related_articles /> allows comma-separated list for section attribute
  • <txp:search_result_excerpt /> allows a custom breakattribute defaulting to an ellipsis
  • Several tags have been deprecated and will be replaced automatically during the upgrade: <txp:sitename />, <txp:request_uri />, <txp:s />, <txp:c />, <txp:q />, <txp:id />, <txp:pg />
  • Added ‘password reset’ functionality (with confirmation email) on the login screen
  • Update to jQuery 1.2.2 as a default JavaScript library
  • Fixed Textile list incompatibility with PHP 5.2.4 (and higher)
  • Fixed http-auth when using Lighttpd or (mostly) Apache + fastCGI
  • Fixed HTTPS protocol check for ISAPI with IIS
  • Fixed use of article tags on a sticky article page
  • Speed improvements (less SQL queries needed)
  • Pages, sections and styles can no longer be accidentally deleted if they are used on other tabs
  • Corrections in the tag builder
  • Refrain from showing sticky articles from non-frontpage sections in search results
  • Enable separate search section for messy URL mode
  • Plugin developers should note that using add_privs() for admin-side plugins is now required (used to be optional for publisher-only plugins) and the included HISTORY.txt contains other useful information.
  • Many, many minor improvements

Further reading

Forum thread for the announcement.