CHANGELOG Roundcube Webmail =========================== - Archive: Add Thunderbird compatible Month option (#5623) - Return "401 Unauthorized" status when login fails (#5663) - Support both comma and semicolon as recipient separator, drop recipients_separator option (#5092) - Plugin API: Added 'show_bytes' hook (#5001) - subscriptions_option: show \\Noselect folders greyed out (#5621) - Add option to not indent quoted text on top-posting reply (#5105) - Removed global $CONFIG variable - Password: Automatic virtualmin domain setting, removed password_virtualmin_format option (#5759) - Support AUTHENTICATE LOGIN for IMAP connections (#5563) - Support LDAP GSSAPI authentication (#5703) - Allow contacts without an email address (#5079) - Localized timezone selector (#4983) - Use 7bit encoding for ISO-2022-* charsets in sent mail (#5640) - Fix various issues when downloading files with names containing non-ascii chars, use RFC 2231 (#5772) - Password: Fix compatibility with PHP 7+ in cpanel_webmail driver (#5820) - Fix decoding non-ascii attachment names from TNEF attachments (#5646, #5799) - Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure rcube_utils::random_bytes() result has always requested length (#5788) - Fix bug where HTML messages with @media styles could moddify style of page body (#5811) - Fix style issue on selected and unfocused message that is part of a thread (#5798) - Fix bug where a.button style from managesieve plugin could impact other elements (#5800) - Fix position of selected icon for (Mailvelope) Encrypt button - Fix fatal error when using DMY- or MDY-based date format in PostgreSQL (#5808) RELEASE 1.3.0 ------------- - Update to TinyMCE 4.5.7 - Fix bug where invalid recipients could be silently discarded (#5739) - Fix conflict with _gid cookie of Google Analytics (#5748) - Print error from CLI scripts when system/exec function is disabled (#5744) - Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747) - Fix bug where it wasn't possible to scroll folders list in Edge (#5750) - Fix folders list sorting on Windows - if php-intl is available (#5732) - Fix addressbook searching by gender (#5757) - Fix prevention from using % and * characters in folder name (#5762) - Fix POST parameter reflection in default_charset selector (#5768) - Enigma: Fix compatibility with assets_dir - Managesieve: Skip redundant LISTSCRIPTS command - Fix SQL syntax error on MariaDB 10.2 (#5774) - Fix bug where zipdownload ignored files with the same name (#5777) - Fix bug where it wasn't possible to set timezone to auto-detected value (#5782) RELEASE 1.3-rc -------------- - "Flattened" the larry theme: fresher look by removing shadows and gradients - Support logging to php://stdout (#5721) - Add support for DelSp=Yes in format=flowed messages (#5702) - Update to jQuery 3.2.1 - Update to TinyMCE 4.5.6 - Plugin API: Call message_part_structure hook for sub-parts of multipart/alternative message (#5678) - Enigma: Always use detached signatures (#5624) - Enigma: Fix handling of messages with nested PGP encrypted parts (#5634) - Minimize unwanted message loading in preview frame on drag (#5616) - Fix failing database schema check in all engines except mysql (#5730) - Fix autocomplete popup closing with click outside the input, don't handle Tab key as Enter (#5606) - Fix jsdeps.json synchronization on update, warn about missing requirements of install-jsdeps.sh (#5598) - Fix missing thread expand icon on search result in widescreen mode (#5613) - Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580) - Fix bug where external content in src attribute of input/video tags was not secured (#5583) - Fix PHP error on update of a contact with multiple email addresses when using PHP 7.1 (#5587) - Fix bug where mail content frame couldn't be reset in some corner cases (#5608) - Fix bug where some classic skin images were not displayed in IE/Edge (#5614) - Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628) - Fix regression where groups with email address were resolved to its members' addresses - Fix update of group name in the contacts list header on group rename (#5648) - Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630) - Fix bug where it was too easy accidentally move a folder when using the subscription checkbox (#5655) - Managesieve: Fix parser issue with empty lines between comments (#5657) - Managesieve: Fix possible defect in handling \r\n in scripts (#5685) - Fix/rephrase "unsaved changes" warning when cancelling a draft (#5610) - Fix XSS issue in handling of a style tag inside of an svg element [CVE-2017-6820] - Fix bug where settings/upload.inc could not be used by plugins (#5694) - Fix regression in LDAP fuzzy search where it always used prefix search instead (#5713) - Fix bug where namespace prefix could not be truncated on folders list if show_real_foldernames=true (#5695) - Fix undesired effects when postgres database uses different timezone than PHP host (#5708) - Installer: Fix DB schema initialization on MS SQL Server - Fix bug where base_dn setting was ignored inside group_filters (#5720) - Password: Fix security issue in virtualmin and sasl drivers [CVE-2017-8114] RELEASE 1.3-beta ---------------- - Nicely handle contact deletion on contact edit (#5522) - vcard_attachments: Add possibility to attach contact vCard to composed message (#4997) - Preserve message internal/received date on import in mbox format (#5559) - Zipdownload: Fix date format in mbox "From line" - Possibility to display QR code for contacts data (#5030) - Added identicon plugin - Widescreen layout aka three column view (#5093) - Unify automatic marking as \Seen in preview pane, full-page and extwin views (#5071) - Disable double-click on the list when preview pane is on (#5199) - Support hostname and hostname:port in force_https option (#5511) - Support ALLOW-FROM in x_frame_options (#5122) - Allow to omit a subject when sending an email (#5068) - Warn about too many disclosed recipients in composed email [max_disclosed_recipients] (#5132) - identity_select: Support Received header (#5085) - Plugin API: Added get_compose_responses hook (#5457) - Display error when trying to upload more files than specified in max_file_uploads (#5483) - Add missing sql upgrade file for 'ip' column resize in session table (#5465) - Do not show inline images of unsupported mimetype (#5463) - Password: Added replacement variables support in password_pop_host (#5539) - Password: Don't store passwords in temp files when using dovecotpw (#5531) - Password: Added LDAP PPolicy driver (#5364) - Password: Added cpanel_webmail driver (#5549) - Password: Added possibility to nicely redirect from other plugins on password expiration (#5468) - Implement separate action to mark all messages in a folder as \Seen (#5006) - Implement marking as \Seen in all folders or in a folder and its subfolders (#5076) - Archive: Don't reload messages list when it's not needed (#5225) - Archive: Add option to automatically mark archived messages as \Seen (#5142) - Improve randomness of password salts and random hashes (#5266) - Password/cPanel: Add support for hash authentication and reseller accounts (#5252) - Support host-specific imap_conn_options/smtp_conn_options/managesieve_conn_options (#5136) - Center and scale images in attachment preview frame (#5421) - Added max_message_size option enforced when attaching files to a composed message (#4993) - Added Search button in quick search menus (#5312) - Implement "one click" attachment/messages/photo upload (#5024) - Squirrelmail_usercopy: Add option to define character set of data files - Removed useless 'created' column from 'session' table (#5389) - Dropped legacy browsers support (#5167) - Removed legacy_browser plugin - Removed hacks for IE < 10 - Update to jQuery 3.1.1 and jQuery-UI 1.12.0 - compile .min.js files with ECMASCRIPT5 option - Require PHP >= 5.4 - Add possibility to preview and download attachments in mail compose (#5053) - Add possibility to rename attachments in mail compose (#4996) - Remove backward compatibility "layer" of bc.php (#4902) - Support WEBP images in mail messages (#5362) - Support MathML in HTML message preview (#5182) - Rename Addressbook to Contacts (#5233) - Remove PHP mail() support, smtp_server is required now (#5340) - Display full message subject in onmouseover on truncated subject in mail view (#5346) - Enigma: Support GnuPG 2.1 (#5313) - Enigma: Support key generation for multiple identities (#5383) - Enigma: Import keys from key-server(s) (#5286) - Enigma: Search missing public keys on a key-server in mail compose (#5286) - Enigma: Delete user keys when using deluser.sh script - Enigma: Fix redundant list-secret-keys/list-public-keys calls on signing/encryption - Enigma: Implement PGP encryption and signing in one go (#5302) - Enigma: Display signature verification status for encrypted+signed messages (#5302) - Display different attachment icon on encrypted messages - Display different confirmation text when moving messages to Trash (#5220) - Indicate that a collapsed thread has flagged children (#5013) - Implemented message/rfc822 attachment preview - Update to jsTimezoneDetect 1.0.6 - Managesieve: Add (optional) RAW script editor (#5414) - Managesieve: Add option to automatically set vacation :from address (#5428) - Managesieve: Support 'string' test from variables extension [RFC 5229] (#5248) - Managesieve: Support 'duplicate' extension [RFC 7352] - Managesieve: Unhide advanced rule controls if there are inputs with errors - Managesieve: Display warning message when filter form contains errors - Control search engine crawlers via X-Robots-Tag header instead of and robots.txt (#5098) - Fixed redundancy in sql caching system and compatibility with Galera Cluster (#5439) - Removed redundant 'created' column from cache and cache_shared tables - Removed use of redundant data records - Added missing primary keys (dictionary, cache, cache_shared tables) - Fix so templating system does not mess with external (e.g. email) content (#5499) - Fix redundant keep-alive/refresh after session error on compose page (#5500) - Managesieve: Fix handling of scripts with nested rules (#5540) - Fix variable substitution in ldap host for some use-cases, e.g. new_user_identity (#5544) - Enigma: Fix PHP fatal error when decrypting a message with invalid signature (#5555) - Fix adding images to new identity signatures - Fix rsync error handling in installto.sh script (#5562) - Fix some advanced search issues with multiple addressbooks (#5572) - Fix so group/addressbook selection is retained on page refresh RELEASE 1.2.3 ------------- - Searching in both contacts and groups when LDAP addressbook with group_filters option is used - Fix vulnerability in handling of mail()'s 5th argument - Fix To: header encoding in mail sent with mail() method (#5475) - Fix flickering of header topline in min-mode (#5426) - Fix bug where folders list would scroll to top when clicking on subscription checkbox (#5447) - Fix decoding of GB2312/GBK text when iconv is not installed (#5448) - Fix regression where creation of default folders wasn't functioning without prefix (#5460) - Enigma: Fix bug where last records on keys list were hidden (#5461) - Enigma: Fix key search with keyword containing non-ascii characters (#5459) - Fix bug where deleting folders with subfolders could fail in some cases (#5466) - Fix bug where IMAP password could be exposed via error message (#5472) - Fix bug where it wasn't possible to store more that 2MB objects in memcache/apc, Added memcache_max_allowed_packet and apc_max_allowed_packet settings (#5452) - Fix "Illegal string offset" warning in rcube::log_bug() on PHP 7.1 (#5508) - Fix storing "empty" values in rcube_cache/rcube_cache_shared (#5519) - Fix missing content check when image resize fails on attachment thumbnail generation (#5485) - Fix displaying attached images with wrong Content-Type specified (#5527) RELEASE 1.2.2 ------------- - Enigma: Add possibility to configure gpg-agent binary location (enigma_pgp_agent) - Enigma: Fix signature verification with some IMAP servers, e.g. Gmail, DBMail (#5371) - Enigma: Make recipient key searches case-insensitive (#5434) - Fix regression in resizing JPEG images with Imagick (#5376) - Managesieve: Fix parsing of vacation date-time with non-default date_format (#5372) - Use SymLinksIfOwnerMatch in .htaccess instead of FollowSymLinks disabled on some hosts for security reasons (#5370) - Wash position:fixed style in HTML mail for better security (#5264) - Fix bug where memcache_debug didn't work for session operations - Fix bug where Message-ID domain part was tied to username instead of current identity (#5385) - Fix bug where blocked.gif couldn't be attached to reply/forward with insecure content - Fix E_DEPRECATED warning when using Auth_SASL::factory() (#5401) - Fix bug where names of downloaded files could be malformed when derived from the message subject (#5404) - Fix so "All" messages selection is resetted on search reset (#5413) - Fix bug where folder creation could fail if personal namespace contained more than one entry (#5403) - Fix error causing empty INBOX listing in Firefox when using an URL with user:password specified (#5400) - Fix PHP warning when handling shared namespace with empty prefix (#5420) - Fix so folders list is scrolled to the selected folder on page load (#5424) - Fix so when moving to Trash we make sure the folder exists (#5192) - Fix displaying size of attachments with zero size - Fix so "Action disabled" error uses more appropriate 404 code (#5440) RELEASE 1.2.1 ------------- - Update TinyMCE to version 4.3.13 (#5309) - Fix bug where errors could have been not logged when per_user_logging=true - Fix bug where message list columns could be in wrong order after column drag-n-drop and list sorting - Fix so minified publickey.js (with cache-buster) is used when available (#5254) - Fix (replace) application/x-tar file extension test as it might not exist in nginx config (#5253) - Fix PHP warning when password_hosts is set, but is not an array (#5260) - Fix redundant keep-alive requests when session_lifetime is greater than ~20000 (#5273) - Fix so subfolders of INBOX can be set as Archive (#5274) - Fix bug where multi-folder search could choose a wrong folder in "this and subfolders" scope (#5282) - Fix bug where multi-folder search didn't work for unsubscribed INBOX (#5259) - Fix bug where "no body" alert could be displayed when sending mailvelope email - Enigma: Fix keys import from inside of an encrypted message (#5285) - Enigma: Fix malformed signed messages with force_7bit=true (#5292) - Enigma: Add possibility to configure gpg binary location (enigma_pgp_binary) - Enigma: Add possibility to export private keys (#5321) - Fix searching by email address in contacts with multiple addresses (#5291) - Fix handling of --delete argument in moduserprefs.sh script (#5296) - Workaround PHP issue by calling closelog() on script shutdown when using log_driver=syslog (#5289) - Fix so upgrade script makes sure program/lib directory does not contain old libraries (#5287) - Fix subscription checkbox state on error in folder subscribe/unsubscribe action (#5243) - Fix bug where microsecond format in logged date didn't work in some cases - Fix conflict in new_user_dialog and password_force_new_user settings (#5275) - Don't create multipart/alternative messages with empty text/plain part (#5283) - Use contact_search_name format in popup on results in compose contacts search - Fix handling of 'mailto' and 'error' arguments in message_before_send hook (#5347) - Fix missing localization of HTML editor when assets_dir != INSTALL_PATH - Fix handling of blockquote tags with mixed case on html2text conversion (#5363) - Fix javascript errors in IE on page with iframe that points to another domain RELEASE 1.2.0 ------------- - Enigma: Added enigma_debug option - Fix message list multi-select/deselect issue (#5219) - Fix bug where getting HTML editor content could steal focus from other form controls (#5223) - Fix bug where contact search menu fields where always unchecked in Larry skin - Fix autoloading of 'html' class - Fix bug where Encrypt button appears when switching editor to HTML (#5235) - Fix XSS issue in href attribute on area tag (#5240) RELEASE 1.2-rc -------------- - Managesieve: Refactored script parser to be 100x faster - Enigma: added option to force users to use signing/encryption - Enigma: Added option to attach public keys to sent mail (#5152) - Enigma: Handle messages with text before an encrypted block (#5149) - Enigma: Handle encrypted/signed content inside message/rfc822 attachments - Enigma: Fix missing html/plain switch on multipart/signed messages (#4963) - Enigma: Disable format=flowed for signed plain text messages (#4960) - Enigma: Fix handling of encrypted + signed messages (#4950) - Enigma: Fix invalid boundary use in signed messages structure - Enable use of TLSv1.1 and TLSv1.2 for IMAP (#4955) - Save copy of original .htaccess file when using installto.sh script (#4947) - Fix regression where some message attachments could be missing on edit/forward (#4939) - Fix regression in displaying contents of message/rfc822 parts (#4937) - Fix handling of message/rfc822 attachments on replies and forwards (#4938) - Fix PDF support detection in Firefox > 19 (#4941) - Fix path traversal vulnerability in setting a skin [CVE-2015-8770] (#4945) - Fix so drag-n-drop of text (e.g. recipient addresses) on compose page actually works (#4944) - Fix .htaccess rewrite rules to not block .well-known URIs (#4943) - Fix mail view scaling on iOS (#4915) - Fix PHP7 warning "session_start(): Session callback expects true/false return value" (#4948) - Fix XSS issue in SVG images handling [CVE-2015-8864, CVE-2016-4068] (#4949) - Fix missing language name in "Add to Dictionary" request in HTML mode (#4951) - Fix (again) security issue in DBMail driver of password plugin [CVE-2015-2181] (#4958) - Fix bug where Archive/Junk buttons were not active after page jump with select=all mode (#4961) - Fix bug in long recipients list parsing for cases where recipient name contained @-char (#4964) - Plugin API: Added addressbook_export hook - Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9 (#4966) - Hide DSN option in Preferences when smtp_server is not used (#4967) - Fix handling of body parameter in mail compose request - Protect download urls against CSRF using unique request tokens [CVE-2016-4069] (#4957) - newmail_notifier: Refactor desktop notifications - Fix so contactlist_fields option can be set via config file - Fix so SPECIAL-USE assignments are forced only until user sets special folders (#4782) - Fix performance in reverting order of THREAD result - Fix converting mail addresses with @www. into mailto links (#5197) RELEASE 1.2-beta ---------------- - Update TinyMCE to version 4.2 - Added support for Redis session handler - Removed some deprecated methods: https://github.com/roundcube/roundcubemail/commit/454b0b1c - Remove backward compatibility "layer" of bc.php (#4902) - Add possibility to define date format in write operations for ldap attributes (#3956) - Display attachment size in compose (#1329) - Added possibility to drag-n-drop attachments from mail preview to compose window - Implemented mail messages searching with predefined date interval - PGP encryption support via Mailvelope integration - PGP encryption support via Enigma plugin - PHP7 compatibility fixes (#4836) - Security: Added brute-force attack prevention via login rate limit (#4922) - Security: Added options to validate username/password on logon (#4884) - Security: Improve randomness of security tokens (#4899) - Security: Use random security tokens instead of hashes based on encryption key (#4829) - Security: Improved encrypt/decrypt methods with option to choose the cipher_method (#4492) - Make optional adding of standard signature separator - sig_separator (#3276) - Optimize folder_size() on Cyrus IMAP by using special folder annotation (#4894) - Make optional hidding of folders with name starting with a dot - imap_skip_hidden_folders (#4870) - Add option to enable HTML editor always, except when replying to plain text messages (#4352) - Emoticons: Added option to switch on/off emoticons in compose editor (#2076) - Emoticons: Added option to switch on/off emoticons in plain text messages - Emoticons: All emoticons-related functionality is handled by the plugin now - Installer: Add button to save generated config file in system temp directory (#3553) - Remove common subject prefixes Re:, Re[x]:, Re-x: on reply (#4882) - Added GSSAPI/Kerberos authentication plugin - krb_authentication - Password: Allow temporarily disabling the plugin functionality with a notice - Require Mbstring and OpenSSL extensions (#5166) - Add --config and --type options to moduserprefs.sh script (#4651) - Implemented memcache_debug and apc_debug options - Installer: Remove system() function use (#4695) - Password plugin: Added 'kpasswd' driver by Peter Allgeyer - Add initdb.sh to create database from initial.sql script with prefix support (#4722) - Plugin API: Added disabled_plugins an disabled_buttons options in html_editor hook - Plugin API: Added html2text hook - Plugin API: Added message_part_body hook - Plugin API: Added message_ready hook - Plugin API: Add special onload() method to execute plugin actions before startup (session and GUI initialization) - Implemented UI element to jump to specified page of the messages list (#1677) - Fix searching of contacts to allow remote images for known senders (#4886) - Fix bug where clicking date column with 'arrival' sorting would switch to sorting by 'date' (#4690) - Fix bug where message content could overlap attachments list in Larry skin (#4876) - Fix so microseconds macro (u) in log_date_format works (#4855) - Fix so unrecognized TNEF attachments are displayed on the list of attachments (#5138) - Fix so database_attachments::cleanup() does not remove attachments from other sessions (#4907) - Fix responses list update issue after response name change (#4917) - Fix bug where message preview was unintentionally reset on check-recent action (#4921) - Fix bug where HTML messages with invalid/excessive css styles couldn't be displayed (#4905) - Fix redundant blank lines when using HTML and top posting (#4927) - Fix redundant blank lines on start of text after html to text conversion (#4928) - Fix HTML sanitizer to skip in output (#4932) - Fix invalid LDAP query in ACL user autocompletion (#4934) RELEASE 1.1.3 ------------- - Fix closing of nested menus (#4854) - Fix so E_DEPRECATED errors from PEAR libs are ignored by error_reporting change (#4770) - Fix compatibility with PHP 5.3 in rcube_ldap class (#4842) - Get rid of Mail_mimeDecode package dependency (#4836) - Fix "Importing..." message does not hide on error (#4840) - Fix Compose action in addressbook for results from multiple addressbooks (#4834) - Fix bug where some messages in multi-folder search couldn't be viewed/printed/downloaded (#4843) - Fix unintentional messages list page change on page switch in compose addressbook (#4844) - Fix race-condition in saving user preferences and loading plugin config (#4845) - Fix so plain text signature field uses monospace font (#4848) - Fix so links with href == content aren't added to links list on html to text conversion (#4847) - Fix handling of non-break spaces in html to text conversion (#4849) - Fix self-reply detection issues (#4852) - Fix multi-folder search result sorting by arrival date (#4858) - Fix so *-request@ addresses in Sender: header are also ignored on reply-all (#4860) - Update to TinyMCE 4.1.10 (#5164) - Fix draft removal after a message is sent and storing sent message is disabled (#4869) - Fix so imap folder attribute comparisons are case-insensitive (#4868) - Fix bug where new messages weren't added to the list in search mode - Fix wrong positioning of message list header on page scroll in Webkit browsers (#4646) - Fix some javascript errors in rare situations (#4853) - Fix error when using back button after sending an email (#4628) - Fix removing signature when switching to identity with an empty sig in HTML mode (#4872) - Disable links list generation on html-to-text conversion of identities or composed message (#4850) - Fix "washing" of style elements wrapped into many lines - Fix so input field (e.g. search box) does not loose focus on list load (#4862) - Fix so css of one html part does not apply to other text parts on message display (#4887) - Fix XSS issue in drag-n-drop file uploads [CVE-2015-8105] (#4900) - Fix handling of plus character in mailto: links (#4891) - Fix so adding CC/BCC recipients from the sidebar unhides compose form fields in Classic skin (#4874) - Fix so gc.sh script removes also expired sessions from sql database (#4893) - Fix support for Mozilla-based browsers, e.g. Pale Moon (#4895) - Fix various issues with Turkish (and similar) locales (#4896) - Fix so In-Reply-To header is set also for MDN receipts (#4897) - Fix missing HTTP_X_FORWARDED_FOR address in generated Received header - Fix issue where Content-Length of some attachments could be set to wrong value causing browser errors (#4877) RELEASE 1.1.2 ------------- - Add new plugin hook 'identity_create_after' providing the ID of the inserted identity (#4807) - Add option to place signature at bottom of the quoted text even in top-posting mode [sig_below] - Fix handling of %-encoded entities in mailto: URLs (#4799) - Fix zipped messages downloads after selecting all messages in a folder (#4797) - Fix vpopmaild driver of password plugin - Fix PHP warning: Non-static method PEAR::setErrorHandling() should not be called statically (#4798) - Fix tables listing routine on mysql and postgres so it skips system or other database tables and views (#4796) - Fix message list header in classic skin on window resize in Internet Explorer (#4732) - Fix so text/calendar parts are listed as attachments even if not marked as such (#4795) - Fix lack of signature separator for plain text signatures in html mode (#4802) - Fix font artifact in Google Chrome on Windows (#4803) - Fix bug where forced extwin page reload could exit from the extwin mode (#4801) - Fix bug where some unrelated attachments in multipart/related message were not listed (#4805) - Fix mouseup event handling when dragging a list record (#4808) - Fix bug where preview_pane setting wasn't always saved into user preferences (#4809) - Fix bug where messages count was not updated after message move/delete with skip_deleted=false (#4814) - Fix security issue in contact photo handling (#4817) - Fix possible memcache/apc cache data consistency issues (#4820) - Fix bug where imap_conn_options were ignored in IMAP connection test (#4822) - Fix bug where some files could have "executable" extension when stored in temp folder (#4815) - Fix attached file path unsetting in database_attachments plugin (#4823) - Fix issues when using moduserprefs.sh without --user argument (#4825) - Fix potential info disclosure issue by protecting directory access (#4816) - Fix blank image in html_signature when saving identity changes (#4833) - Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#4827) - Fix XSS vulnerability in _mbox argument handling (#4837) RELEASE 1.1.1 ------------- - ACL: Allow other plugins to adjust the list of permissions and groups to edit - Add possibility to print contact information (of a single contact) - Add possibility to configure max_allowed_packet value for all database engines (#4772) - Improved handling of storage errors after message is sent - Update to TinyMCE 4.1.9 - Unified request* event arguments handling, added support for _unlock and _action parameters - Security: Generate random hash for the per-user local storage prefix (#4768) - Fix refreshing of drafts list when sending a message which was saved in meantime (#4745) - Fix saving/sending emoticon images when assets_dir is set - Fix PHP fatal error when visiting Vacation interface and there's no sieve script yet (#4778) - Fix setting max packet size for DB caches and check packet size also in shared cache - Fix needless security warning on BMP attachments display (#4771) - Fix handling of some improper constructs in format=flowed text as per the RFC3676[4.5] (#4773) - Fix performance of rcube_db_mysql::get_variable() - Fix missing or not up-to-date CATEGORIES entry in vCard export (#4766) - Fix fatal errors on systems without mbstring extension or mb_regex_encoding() function (#4769) - Fix cursor position on reply below the quote in HTML mode (#4759) - Fix so "over quota" errors are displayed also in message compose page - Fix duplicate entries suppression in autocomplete result (#4776) - Fix "Non-static method PEAR::isError() should not be called statically" errors (#4770) - Fix parsing invalid HTML messages with BOM after (#4777) - Fix duplicate entry on timezones list in rcube_config::timezone_name_from_abbr() (#4779) - Fix so localized folder name is displayed in multi-folder search result (#4750) - Fix javascript error after creating a folder which is a subfolder of another one (#4781) - Fix bug where subject of sent/saved message was removed if mbstring wasn't installed (#4780) - Fix missing vcard_attachment icon on messages list (#4783) - Fix storing signatures with big images in MySQL database (#4785) - Fix Opera browser detection in javascript (#4786) - Fix so search filter, scope and fields are reset on folder change - Fix rows count when messages search fails (#4760) - Fix bug where spellchecking in HTML editor do not work after switching editor type more than once (#4789) - Fix bug where TinyMCE area height was too small on slow network connection (#4788) - Fix backtick character handling in sql queries (#4790) - Fix redirect URL for attachments loaded in an iframe when behind a proxy (#4724) - Fix menu container references to point to the actual