phpList 3.5.5 Release Candidate ready for testing

Hi everyone,

A release candidate for phpList 3.5.5 is now available for testing.

This release includes additional security enhancements that prevent abuse by an authenticated user.

Changes have been made to address the following issues:

  1. Cross Site Scripting Vulnerability on “Send a campaign” page: The “Send a web page” URL value has now been encoded and the emails set to receive the notifications are verified. You can check the following GitHub issues for details – 1, 2
  2. Cross Site Scripting Vulnerability on “Manage administrators” – the email address of an admin has now been sanitized
  3. Cross Site Scripting Vulnerability on “Bounce rules” – unnecessary JS action has now been removed
  4. Cross Site Scripting Vulnerability on “Name of the organisation” option of “Settings” page – the use of tags has now been restricted and JS disallowed
  5. Cross Site Scripting Vulnerability on “Import subscribers” via SVG upload – tags in CSV import headers have now been ignored
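
The first item describes two separate mitigations: output-encoding the “Send a web page” URL where it is rendered back into the form, and verifying the notification addresses. As an added illustration (not phpList’s own code; the function names and the form field name are assumptions), this is what those two steps look like in PHP:

```php
<?php
// Added example, not phpList code. Function and field names are assumed.

/**
 * Render the "Send a web page" URL into an <input value="..."> attribute.
 * An unencoded value containing a double quote can close the attribute and
 * inject further markup; htmlspecialchars() with ENT_QUOTES encodes both
 * quote kinds, so the value can only ever be attribute text. The browser
 * decodes the entities again when the form is submitted.
 */
function render_webpage_url_field(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="sendurl" value="' . $safe . '">';
}

/**
 * Keep only syntactically valid addresses from the comma-separated
 * notification list before it is stored or echoed back to the admin.
 * Anything that is not a plain email address (including markup) is dropped.
 */
function verified_notification_emails(string $raw): array
{
    $keep = [];
    foreach (array_map('trim', explode(',', $raw)) as $addr) {
        if ($addr !== '' && filter_var($addr, FILTER_VALIDATE_EMAIL) !== false) {
            $keep[] = $addr;
        }
    }
    return $keep;
}

// Constructed inputs: a URL that tries to close the value attribute, and a
// notification list with a non-address entry mixed in.
echo render_webpage_url_field('https://example.org/news?x="><b>bold</b>'), PHP_EOL;
print_r(verified_notification_emails(
    'admin@example.org, not an address <b>x</b>, ops@example.org'
));
```

Note that `htmlspecialchars()` is the right tool only because the value lands in an HTML attribute; a value placed inside a `<script>` block or a URL query would need a different encoder.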

Thanks to @Songohan22 for reporting the issues.

Other changes to look for

  • Avoided warnings about $pageroot when phplist is installed in the web root, and improved warning message to include values that don’t match – thanks to @duncanc, see the pull request
  • Removed redundant code following changes included in phpList 3.5.4 – thanks to @duncanc, see the pull request
  • Added SameSite to the browsetrail cookie to handle warnings in Firefox – The SameSite attribute of the Set-Cookie HTTP response header allows you to declare if your cookie should be restricted to a first-party or same-site context – more information in the mantis issue, thanks to @duncanc for raising this

If you have experienced issues with previous installations please install this update and see if those issues are resolved.

Download the Release Candidate here (see also ‘Upgrading’).

Guidelines

Upgrading

Upgrade from releases older than phpList 3.3.7-RC1 following the usual upgrade process.

Use the Automatic Updater if you are running phpList 3.3.7 or later.

Use your phpList as normal, and report any new problems that you find.

Activating the REST API

If you haven’t checked the REST API yet, you can see the dedicated chapter in the manual to help you get started with it: API and Integrations

Reporting issues

Report any issues you find with phpList3 to the phpList Bugtracker, selecting “3.5.5-RC1” as the Product Version.

Use the usual bug fixing process if you know how to fix it.

Report any issues you find with phpList 4 core or REST API to the corresponding repo on GitHub.

Please read the contribution guide on how to contribute and how to run the unit tests and style checks locally.

Happy testing!