
phpList 3.5.5 Release Candidate ready for testing


Hi everyone,

A release candidate for phpList 3.5.5 is now available for testing.

This release includes additional security enhancements to avoid abuse from an authenticated user.

Changes have been made to address the following issues:

  1. Cross Site Scripting Vulnerability on “Send a campaign” page: The “Send a web page” URL value has now been encoded and the emails set to receive the notifications are verified. You can check the following GitHub issues for details – 1, 2
  2. Cross Site Scripting Vulnerability on “Manage administrators” – the email address of an admin has now been sanitized
  3. Cross Site Scripting Vulnerability on “Bounce rules” – unnecessary JS action has now been removed
  4. Cross Site Scripting Vulnerability on “Name of the organisation” option of “Settings” page – the use of tags has now been restricted and JS disallowed
  5. Cross Site Scripting Vulnerability on “Import subscribers” via SVG upload – tags in CSV import headers have now been ignored

Thanks to @Songohan22 for reporting the issues.

Other changes to look for

  • Avoided warnings about $pageroot when phpList is installed in the web root, and improved the warning message to include the values that don’t match – thanks to @duncanc, see the pull request
  • Removed redundant code following changes included in phpList 3.5.4 – thanks to @duncanc, see the pull request
  • Added SameSite to the browsetrail cookie to handle warnings in Firefox. The SameSite attribute of the Set-Cookie HTTP response header lets you declare whether your cookie should be restricted to a first-party or same-site context. More information is in the Mantis issue; thanks to @duncanc for raising this

If you have experienced issues with previous installations please install this update and see if those issues are resolved.

Download the Release Candidate here (see also ‘Upgrading’).



Upgrade from releases older than phpList 3.3.7-RC1 following the usual upgrade process

Use the Automatic Updater if you are running phpList 3.3.7 or later.

Use your phpList as normal, and report any new problems that you find.

Activating the REST API

If you haven’t checked the REST API yet, you can see the dedicated chapter in the manual to help you get started with it: API and Integrations

Reporting issues

Report any issues you find with phpList3 to the phpList Bugtracker, selecting “3.5.5-RC1” as the Product Version.

Use the usual bug fixing process if you know how to fix it.

Report any issues you find with phpList 4 core or REST API to the corresponding repo on GitHub.

Please read the contribution guide on how to contribute and how to run the unit tests and style checks locally.

Happy testing!
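
The pattern behind item 1 of the security fixes above (encoding the “Send a web page” URL on output and verifying the notification addresses), sketched in PHP as an added example. This is not phpList's code and not part of the original post; the function names, the `sendurl` field name and the sample values are assumptions constructed for illustration.

```php
<?php
// Added illustration: hypothetical helpers, not phpList's implementation.

// Encode a value for an HTML attribute or text node.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only absolute http(s) URLs for the "Send a web page" field.
function isHttpUrl(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// Split a comma-separated notification list into valid and rejected entries.
function checkNotifyEmails(string $list): array
{
    $valid = $rejected = [];
    $entries = array_filter(array_map('trim', explode(',', $list)), 'strlen');
    foreach ($entries as $entry) {
        if (filter_var($entry, FILTER_VALIDATE_EMAIL) !== false) {
            $valid[] = $entry;
        } else {
            $rejected[] = $entry;
        }
    }
    return ['valid' => $valid, 'rejected' => $rejected];
}

// Constructed sample input from an authenticated user.
$sendUrl = 'https://example.com/news"><script>alert(1)</script>';
$notify  = 'admin@example.com, <b>x</b>';

// Before the fix pattern: raw interpolation lets the value close the attribute.
$unsafe = '<input name="sendurl" value="' . $sendUrl . '">';

// After: validation narrows the input, but encoding at output is what
// keeps the markup intact, so it is applied whatever validation decides.
$safe   = '<input name="sendurl" value="' . h(isHttpUrl($sendUrl) ? $sendUrl : '') . '">';
$emails = checkNotifyEmails($notify);

echo $unsafe, PHP_EOL, $safe, PHP_EOL;
echo 'Notify: ', h(implode(', ', $emails['valid'])), PHP_EOL;
echo 'Rejected: ', h(implode(', ', $emails['rejected'])), PHP_EOL;
```

Rejected addresses are encoded before being echoed back too, since an error message that reflects the raw input would reopen the same hole.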