Topic: LuxCal 5.3.3 - MySQL and SQLite - released 24 December 2024
In this new LuxCal version 5.3.3 you will find some interesting new features and improvements. Furthermore, a number of technical issues have been addressed and a few bugs have been fixed.
>>>> FOR THIS VERSION THE MINIMUM PHP VERSION REQUIRED IS 7 <<<<
And again John from Denmark, the best beta-tester of the universe, spent a considerable amount of time beta testing this new version and helped to make the LuxCal Web Calendar a better product. Thank you John!
Hereafter you will find a full summary of all changes since the previous LuxCal version 5.3.2.
New features / improvements
• In the Event Edit/Add window, in the notification section, an icon has been added right next to the list with recipients. When this icon is clicked a list opens from which recipients can be selected. This list contains 1) the recipients lists from the reciplists folder, 2) the registered recipients and 3) all recipients specified in the file +recipients.txt. The latter file can for instance contain frequently used recipients who are not registered. It is still possible to also type recipients manually in the "To" field.
• The previous info text editor has been upgraded to a general text editor, which can be used to edit the info-text in the right side bar, the file with public (not registered) recipients and the recipients list files, which can be added to the recipients in their entirety.
• In notification recipients list files, text starting with a #-character on a line is treated as a comment and is discarded.
• A new "display" (display4) has been added, which shows the events in a very compact list with each event on one single line. For details see www.luxsoft.eu - Demos - Displays.
• When a public user (not logged in) visits the calendar or one of the displays for the first time, the calendar / display user interface language will be the same as the browser language. If no browser language is found or if it is not a valid calendar language, the default language specified on the settings page will be taken.
• A setting has been added to the Settings page to enable the logging of all notification messages sent by email, Telegram and SMS. The message log can be viewed on a new page "Notification Message Log", which is available to users with admin or manager rights, via an option in the ☰ menu.
• For the MySQL version of the calendar, independent of the MySQL database in use, the Search function is now always case-insensitive. For the SQLite version it was already always case-insensitive.
• When entering event times on mobile devices the decimal keypad will be forced, which makes entering times easier. To separate hours from minutes the . (period) or , (comma) on the decimal keypad can be used.
• The HTML <sub> and <sup> tags are now allowed in the event title and description fields, so that chemical and mathematical formulas can be used.
• In the configuration section of display0, 1 and 2 the PDF button can now also be enabled for logged in users only.
• In email and telegram notification messages the label in front of the date and time field is now just "Date" when no event times have been specified.
Technical issues
• In the catMenu function the $selected variable was set twice.
• The use of the addslashes and htmlspecialchars functions to "escape" quotes in the pop text of the "pop" and "popM" functions is overkill and could possibly create problems for some browsers. Both functions have been replaced by a new "unQuote" function, which only replaces single and double quotes by their respective HTML entities. HTML tags are left intact.
• The JPCERT/CC in Japan reported an SQL injection vulnerability (ID: JVN#91510849) in the retrieve function, caused by the fact that an optional external filter, including its values, was directly embedded in the SQL statement. In all scripts that call the retrieve function the values are now separated from the filter and passed via a prepared statement with placeholders.
• The JPCERT/CC in Japan reported a path traversal vulnerability (IDs JVN#89939615 and JVN#01069027, describing the same problem), caused by the dloader script. The validation part of the dloader.php script has been redesigned to solve this vulnerability.
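The kind of validation that closes a path traversal hole in a file download script, shown as an added example (this is not LuxCal's dloader.php; the download directory, file names and function name are hypothetical):

```php
<?php
// Added example, not LuxCal code. A download script must only serve files
// that really live below one fixed directory, judged by what the file
// system resolves, not by the string the client sent.

const DOWNLOAD_DIR = __DIR__ . '/files';   // hypothetical base directory

// Returns the absolute path to serve, or null when the request is refused.
function resolveDownload(string $requested): ?string {
    // 1. Accept only a plain file name: no NUL bytes, no path separators,
    //    no hidden files, and nothing that basename() would change.
    if ($requested === ''
        || strpbrk($requested, "\0/\\") !== false
        || $requested[0] === '.'
        || $requested !== basename($requested)) {
        return null;
    }
    // 2. Resolve both sides and require the target to sit inside the base
    //    directory. realpath() follows symlinks, so a link that points
    //    outside the directory is rejected as well.
    $base = realpath(DOWNLOAD_DIR);
    $real = realpath(DOWNLOAD_DIR . '/' . $requested);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Demo against a constructed download directory.
@mkdir(DOWNLOAD_DIR);
file_put_contents(DOWNLOAD_DIR . '/agenda.pdf', 'demo');
var_dump(resolveDownload('agenda.pdf') !== null);   // bool(true)
var_dump(resolveDownload('../config.php'));         // NULL: not a bare file name
var_dump(resolveDownload("agenda.pdf\0.txt"));      // NULL: NUL byte rejected
```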
• The JPCERT/CC in Japan reported an SQL injection vulnerability (ID JVN#26024080), caused by the script that produces the PDF file with events. Solved by using a prepared SQL statement.
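The pattern behind both SQL injection fixes above (filter values separated from the filter and bound as placeholders), as an added example rather than LuxCal's own retrieve function; table, column and function names are hypothetical, and the same PDO code runs against MySQL and SQLite:

```php
<?php
// Added example, not LuxCal code. Shows why embedding a caller-supplied
// filter in the SQL text is injectable, and the prepared-statement shape
// that replaces it. Names are hypothetical.

// Vulnerable shape: the whole filter string becomes part of the SQL.
function retrieveUnsafe(PDO $db, string $filter): array {
    $sql = "SELECT id, title FROM events WHERE $filter";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: callers pass column => value pairs. Column names are
// checked against a fixed allow-list (they cannot be parameters), and
// every value travels as a bound placeholder, never as SQL text.
const FILTER_COLUMNS = ['cat_id', 'user_id', 'venue'];

function retrieveSafe(PDO $db, array $filter): array {
    $where  = [];
    $params = [];
    foreach ($filter as $col => $val) {
        if (!in_array($col, FILTER_COLUMNS, true)) {
            throw new InvalidArgumentException("unknown filter column: $col");
        }
        $where[]          = "$col = :$col";
        $params[":$col"]  = $val;
    }
    $sql = 'SELECT id, title FROM events';
    if ($where) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on a constructed in-memory SQLite table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, cat_id INTEGER, title TEXT)');
$db->exec("INSERT INTO events (cat_id, title) VALUES (1, 'Public event'), (2, 'Private event')");

$hostile = 'cat_id = 1 OR 1=1';   // constructed hostile filter value
echo count(retrieveUnsafe($db, $hostile)), " rows with embedded filter\n";        // 2: both rows leak
echo count(retrieveSafe($db, ['cat_id' => $hostile])), " rows with placeholder\n"; // 0: value compared literally
```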
• On the Search page the wild cards _ and & have been replaced by the more common ? and *.
• In the fields title, venue, description and the extra fields, the "'" character is now replaced by &apos; (HTML5) instead of &#039; (HTML401).
• For the function htmlspecialchars the flag ENT_HTML5 has been added to the flag ENT_QUOTES, so that single quotes are converted to &apos; (HTML5) rather than &#039; (HTML401).
• Stray <td>-tag removed in the top bar of the Event Edit/Add window.
• In the event functions and day marking functions newE, editE, newM and editM the mode and state parameters were not used and have been removed.
• The name and value of the repeat box OK button were not used and have been removed.
• The Set Repetition box is now properly centered.
• The Dutch and Polish language files have been updated.
• In the Day Marking window the option "rolling" has been removed from the repeat section. Rolling is not relevant for day markings.
• In the colgroup of the left column, the <col> tag had a redundant </col> tag, which has been removed. The HTML <col> tag has no closing tag.
• Detection of "all day" and "no time" simplified.
• In the IDtoDD and ITtoDT functions, a date or a time starting with '9' is converted to an empty date or time. This simplifies the calling scripts, which no longer need to test for '9' before calling these functions.
• Rather than composing the event time on the spot, the calling scripts now use the makeTime function.
• Incrementing the hit counter is now better protected by a file lock. Previously, at random moments, the counter file could occasionally be deleted.
• If the php.ini setting allow_url_fopen is disabled, then the function file_get_contents cannot be used to communicate with Telegram. Web hosts sometimes disable this setting to avoid Remote File Inclusion (RFI) attacks and unauthorized access. Therefore, if the php.ini setting allow_url_fopen is disabled, the calendar switches to the cURL library for the communication with Telegram.
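The transport switch described above, as an added example (not LuxCal's notification code): the stream-wrapper path is used when allow_url_fopen is on, otherwise cURL. The bot token and chat id are placeholders; the endpoint form is the public Telegram Bot API.

```php
<?php
// Added example, not LuxCal code. Chooses the HTTP transport from the
// allow_url_fopen setting so Telegram notifications keep working on hosts
// that disable URL-aware fopen wrappers.

// POST $fields to $url; returns the response body or null on failure.
function httpPost(string $url, array $fields): ?string {
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        // Stream wrapper path: only usable while allow_url_fopen is enabled.
        $ctx = stream_context_create(['http' => [
            'method'  => 'POST',
            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
            'content' => http_build_query($fields),
            'timeout' => 10,
        ]]);
        $body = @file_get_contents($url, false, $ctx);
        return $body === false ? null : $body;
    }
    if (!function_exists('curl_init')) {
        return null;   // neither transport available; the caller should log this
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,   // keep certificate verification on
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// Telegram Bot API: https://api.telegram.org/bot<token>/sendMessage
function sendTelegram(string $token, string $chatId, string $text): ?string {
    $url = "https://api.telegram.org/bot$token/sendMessage";
    return httpPost($url, ['chat_id' => $chatId, 'text' => $text]);
}

// Usage with placeholder credentials (replace before running).
// $reply = sendTelegram('<BOT_TOKEN>', '<CHAT_ID>', 'LuxCal: event changed');
```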
• The TrueType font files, used when printing the birthday calendar, have been updated. They caused PHP 'deprecation' warning messages when running the calendar with PHP 8.2.
Bug fixes
• When on the admin's Category page the IDs are not identical to the sequence numbers, and one single category has been selected in the Options Panel, then when adding a new event the default category in the Add Event window was not the category selected in the Options Panel. Solved.
• In the array $evtArr the event end date was not converted to ISO format. For multi-day events this resulted in a garbled end date in the "full" date / time of notification messages.
• The conditions that determine the value of the variables $ald and $ntm were not enclosed in brackets; therefore, on the Search page and in the displays, "all day" was shown for events with no time (blank).
• In LuxCal V5.3.1 a bug was introduced which made events that need approval, but are not yet approved, visible to other users. Events that need approval should only be visible to other users after approval by a user with manager rights.