Security update

4.7--1.6
========

IMPORTANT : this release fixes two cross-site scripting (XSS) vulnerabilities
in nodereference.module :
- when a nodereference field is displayed using the 'plain' formatter
- when a nodereference field is edited using the 'autocomplete text field' widget
(only when _not_ using the 'advanced options - Views.module' for the field)

All sites using CCK / nodereference.module should consider upgrading to this release
as soon as possible.

Please see DRUPAL-SA-2007-019 for more information.

Features
--------

General
- #154827 Let modules know the 'dummy' node form built on the 'manage fields' tab
is requested by CCK admin UI (problem with userreviewmodule).
- #153101 Provide better explanation on the 'default value - php code' expected format.
- #151347 Refactor content_field('load') to make it more legible.

Field / widget modules
- #152892 Optionwidgets : Better help text for 'single on/off checkbox' widget label.
- #65133 / #152016 Nodereference : Added 'full node' and 'teaser' formatters.
- #126926 Nodereference : Skip node_load in 'title'-based formatters.

Bugfix
------

General
- #155416 Limit non standard CSS (transparency) to the field overview page.
- #149832 Use 'plain' format for views argument handler ($op = 'title').

5--1.6
======

IMPORTANT : this release fixes two cross-site scripting (XSS) vulnerabilities
in nodereference.module :
- when a nodereference field is displayed using the 'plain' formatter
- when a nodereference field is edited using the 'autocomplete text field' widget
(only when _not_ using the 'advanced options - Views.module' for the field)

All sites using CCK / nodereference.module should consider upgrading to this release
as soon as possible.

Please see DRUPAL-SA-2007-019 for more information.

Features
--------

General
- #154827 Let modules know the 'dummy' node form built on the 'manage fields' tab
is requested by CCK admin UI (problem with userreviewmodule).
- #153101 Provide better explanation on the 'default value - php code' expected format.
- #151347 Refactor content_field('load') to make it more legible.
- #136697 Make field form_alter easier, if fieldgroups are used.

Field / widget modules
- #152892 Optionwidgets : Better help text for 'single on/off checkbox' widget label.
- #65133 / #152016 Nodereference : Added 'full node' and 'teaser' formatters.
- #126926 Nodereference : Skip node_load in 'title'-based formatters.

Bugfix
------

General
- #162603 Fix 4.7 -> 5.0 upgrade path (create cache_content table before any update is run).

The seventh maintenance and security release of the 4.7.x series. Only fixes for a security vulnerability and other bugs have been committed. New features are only being added to the forthcoming 6.0 release.

This release fixes a security vulnerability. Sites are urged to upgrade immediately. For more details, please see the security announcement:

• SA-2007-018: XSS Drupal 4.7.x, 5.x

In addition to this security vulnerability, the several bugs have been fixed since the 4.7.6 release:

• #32833 by fgm: Fixed documentation error.
• #114103 by adixon: New profile fields added to registration form show above Account Information.
• #117917 by webchick: Improved documentation for cookie domain.
• #68690 by mindless: New attachments not shown in node preview.
• #121876 by Darren Oh: drupal_to_js() converts empty arrays to objects.
• #133865 by Alexis: Incorrect use of form_set_error in user_login_validate().
• #130215: backport of #60664, 'Comment: duplicate ...' in watchdog, even when editing a comment.

The second maintenance and security release of the 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming 6.0 release.

This release fixes two security vulnerabilities. Sites are urged to upgrade immediately. For more details, please see the security announcements:

• SA-2007-017: Drupal 5.x CSRF (revisions revert/delete, menu disable, comment delete)
• SA-2007-018: XSS Drupal 4.7.x, 5.x

In addition to these security vulnerabilities, the following bugs have been fixed since the 5.1 release:

• #113286 by maynich: Added missing t().
• #113290 by maynich: Added missing t().
• #104175: Fix disappearing fieldset title in firefox.
• #115213 by dorpy: Fix E_ALL problem.
• #111537 by jpetso: Add #weight to content type editing screen buttons.
• #107346 by asaddi: Postgres consitency fix.
• #107051 by webchick: Avoid showing duplicates in 'Who's online' block.

This release fixes a potential security vulnerability, though it is practically impossible to exploit. All sites using LoginToboggan should consider upgrading, but this should not be considered an urgent task. Please see DRUPAL-SA-2007-016 for more information.

In addition, this release includes the following bug fixes:

• FIXED: removed unneccessary textfield length for email confirmation
• FIXED: proper destination handling when a login attempt fails.

This release fixes a potential security vulnerability, though it is practically impossible to exploit. All sites using LoginToboggan should consider upgrading, but this should not be considered an urgent task. Please see DRUPAL-SA-2007-016 for more information.

In addition, this release includes the following changes: