Contao

TYPOlight has been a well-known CMS for years, and even after it re-branded users still kept up with it and currently hold it in high respect.

Contao uses an intuitive graphical user interface that successfully blends Ajax and Web 2.0 technologies for optimal usability and performance.

This successful mesh of technologies makes working with Contao an easy task, while also still providing the in-depth access most developers yearn from high-grade CMS products.

If WordPress is known for blogging, Drupal for complex websites and phpBB for forums, then Contao is most known for its higher degree of complexity that recommends it for large scale projects, portals and Intranets.

This means working with Contao can sometime be a little bit tricky and is recommended only for developers with a greater knowledge of PHP, regardless of the presence of a nice and fast UI in the Contao backend.

But that doesn't mean Contao is useless or hard to work with. It means you got to accept and learn to use the right tool for the right job.

What is new in this release:

• Fixed:
• Several directory separator issues.
• Handle bundle images in Image::get().
• Check if a custom folder is protected in the file picker.
• Do not make textareas required if they are replaced with an RTE.
• Correctly show the error messages in the login module.
• Map the referer in the old Session class.
• Store new record IDs in the persistent session bag.
• Correctly reload the page in the install tool.
• Correctly show the color picker images.
• Consolidate the custom sections markup.
• Correctly execute the symlinks command in the automator.
• Correctly handle an empty _locale attribute.
• Correctly switch between the page and file picker in the hyperlink element.

What is new in version 4.0.2:

• Fixed:
• Several directory separator issues.
• Handle bundle images in Image::get().
• Check if a custom folder is protected in the file picker.
• Do not make textareas required if they are replaced with an RTE.
• Correctly show the error messages in the login module.
• Map the referer in the old Session class.
• Store new record IDs in the persistent session bag.
• Correctly reload the page in the install tool.
• Correctly show the color picker images.
• Consolidate the custom sections markup.
• Correctly execute the symlinks command in the automator.
• Correctly handle an empty _locale attribute.
• Correctly switch between the page and file picker in the hyperlink element.

What is new in version 4.0.0:

• Fixed:
• Several directory separator issues.
• Handle bundle images in Image::get().
• Check if a custom folder is protected in the file picker.
• Do not make textareas required if they are replaced with an RTE.
• Correctly show the error messages in the login module.
• Map the referer in the old Session class.
• Store new record IDs in the persistent session bag.
• Correctly reload the page in the install tool.
• Correctly show the color picker images.
• Consolidate the custom sections markup.
• Correctly execute the symlinks command in the automator.
• Correctly handle an empty _locale attribute.
• Correctly switch between the page and file picker in the hyperlink element.

What is new in version 3.4.5 / 3.5.0-RC1 / 4.0.0-beta1:

• Fixed:
• A directory traversal vulnerability.

What is new in version 3.4.4:

• Fixed:
• A directory traversal vulnerability.

What is new in version 3.4.0:

• Fixed:
• Consider image size IDs when overriding the default image size.
• Do not require to set a media query in the image sizes.
• Fixed a potential directory traversal vulnerability.
• Fixed a severe XSS vulnerability. In this context, the insert tag flags base64_encode and base64_decode have been removed.
• Also use simple tokens for the newsletter subscription modules.
• Only show the root page languages in the meta wizard.
• Correctly create the initial version in the personal data module.
• Check if a DB driver has been configured in Config::isComplete().
• Correctly mark deleted versions in Versions::addToTemplate().
• Replace insert tags of RTE fields in the back end preview.
• Handle nested insert tags in strip_insert_tags().
• Correctly store the model in Dbafs::addResource().
• Send the request token when toggling the visibility of an element.
• Always apply the IE security fix in the Environment class.
• Replace leafo/lessphp with oyejorge/less.php.
• Show the correct root icon in the page/file picker.
• Add an empty option to the image size select menu.
• Nest wrapper elements in the back end preview.
• Correctly handle archives being part of multiple RSS feeds.
• Correctly handle 0 in utf8_convert_encoding().
• Send a 301 redirect to forward to the language root page.
• Handle SVG images in the default back end uploader.
• Added:
• Added the CSS units vw, vh, vmin and vmax.

What is new in version 3.3.4:

• Fixed:
• Restore permission to delete root pages for admin users.
• Pass the file IDs instead of their UUIDs to the file picker.
• Correctly handle double quotes in comments.
• Ignore hidden files when building the internal cache.
• Correctly pass the insert ID of the undo record.
• Update the vendor libraries (fixes various issues).

What is new in version 3.3.2:

• This bugfix release fixes issues with adding multiple rich text editor instances, with including style sheets in debug mode and with creating extensions using the extension creator.
• It also improves the Compass integration.

What is new in version 3.3.0:

• Fixed:
• Correctly show the comments in the "comments" element.
• Correctly store the file selection in "edit multiple" mode.
• Improve the UUID validation to prevent false positives.
• Correctly sort by date in the listing module.
• The back link in the "single article" view.
• Never cache insert tags if the output is not used on the website.
• Strip forbidden HTML tags in the markdown content element.
• Prevent parallel execution of the new command line scripts.

What is new in version 3.2.10:

• Fixes issues with file names containing special characters and improves the file synchronization and the handling of binary fields during theme import.
• The following plugins have been updates: Swipe, ACE, Datepicker, MooTools.

What is new in version 3.2.8:

• Fixed:
• Added the "href" values for active breadcrumb menus to the template.
• The file/page tree widget did not work properly in "edit multiple" mode.
• Preserve the referer ID when clicking the "switch to edit" button.
• Encode e-mail addresses in the "explanation" form field.
• Use a placeholder image if no thumbnail can be created.
• Pass additional arguments to the "replaceInsertTags" hook.

What is new in version 3.2.5:

• Fixed:
• Correctly load the parent pages in the navigation modules.
• Correctly encode URLs with GET parameters in the syndication links.
• Do not pass POST data to the deserialize() function, so it is not vulnerable to PHP object injection.
• Allow any character in passwords, especially the less-than symbol.
• Purge the image cache if a file is being renamed.

What is new in version 3.2.4:

• Fixed:
• The Russian translation of the TinyMCE "typolinks" plugins.
• Do not create multiple stylect layers upon Ajax changes.
• Some DCAs were missing the "rem" unit.
• Correctly trim the SQL statements in the Database class.
• Some broken back end icons.
• Show a hint in the news archive menu if there are no items.
• Prevent the back end tool tips from exceeding the screen width.

What is new in version 3.2.2:

• Fixed:
• Correctly support insert tags nested in shortened "iflng" tags.
• Do not require a foreign key to define a relation in the DCA.
• Use UUIDs as parent IDs in Dbafs::addResource().
• Correctly set the default language.
• Correctly update the order fields in the database updater.
• Do not override the "href" property in addImageToTemplate().
• Correctly handle URLs if page aliases are disabled.

What is new in version 3.2.0:

• Applied some minor fixes to the database installer.
• Slightly increased the contrast in the back end.
• Skip empty locale strings when building the language cache.
• Do not load a page from cache if a user is (potentially) logged in.
• Correctly link to FAQs using the "faq" insert tag.
• Correctly handle "toggle visibility" and drag and drop requests via Ajax.
• Correctly handle slashes and empty strings in the TinyMCE link tab.

What is new in version 3.1.5:

• Fixed:
• Correctly handle shorthand byte values.
• Correctly sort by date in the listing module.
• Correctly handle the autologin key if a member is duplicated.
• Correctly export pages as PDF.
• Also update the sitemap if a news/event feed is updated.

What is new in version 3.1.3:

• Dropped the database query cache.
• Do not redirect to protected pages after logout.
• Consider the additional arguments in Frontend::jumpToOrReload().
• Prevent article aliases from using reserved names.
• Correctly update the RSS feeds if a news item or event changes.
• Correctly link to news and calendar feeds via insert tag.

What is new in version 3.1.0:

• Fixed:
• Set the image dimensions if an image is added in TinyMCE.
• Pass the host and language to subpages when generating the menu.
• Improve the timeout calculation of the command scheduler to better support minutely jobs.
• Do not used cached scan() results in the Files class.
• Do not throw an exception during RSS feed generation if a news archive or calendar is linked to an invalid target page.
• Fix the tabindexes if there are multiple wizards on the same apge.
• Also support textareas when autofocusing input fields.
• Add a page to the XML sitemap even if it is not indexed internally.
• Correctly auto-create the page aliases.
• Limit the width of the table names in the version overview.

What is new in version 3.0.2:

• Modules and Hybrids included via content element were shown even if the content element was invisible or not published.
• Do not try to limit the template selection to a particular theme but show all available themes instead.
• Correctly build the comments subscription confirmation URL.
• Update the database if a file is being uploaded in the front end.
• Do not send a 404 header if an enclosure is requested and cannot be find by a module; there might be another module which can.

What is new in version 3.0.0:

• Updated:
• Updated all vendor scripts and assets to their latest version.
• Updated jQuery UI to version 1.9.1.
• Updated jQuery to version 1.8.2.
• Fixed:
• Handle existing folders during a theme import.
• Show an error message instead of an exception if a template cannot be imported in the install tool.
• Readded the "active" class to the custom navigation module.
• Always convert file IDs to paths when exporting themes.
• Mark active forward pages with "forward" instead of "active".
• Remove HTML tags when overriding the page title.
• Correctly route pages if the language is not added to the URL and there are multiple results or folder URL aliases.
• Do not cache pages if the request contains a token.
• Make the original element passed to a Hybrid object available.
• Show an error message instead of throwing an Exception if the file system and the database are out of sync.
• Removed the deprecated workarounds for storing .xml files in the root directory. Since the autogenerated .xml files now reside in the share/ subfolder, .xml files in the root directory will not be touched by Automator::purgeXmlFiles().
• Make sure the install tool and - after the version 3 update - the back end remain accessible if the Contao 3 files are just added to an existing Contao 2 installation (which is not recommended).
• Prevent deleting referenced content elements using "edit multiple".
• Removed some left-over ENT_COMPAT constants.
• The too simple folder hash algorithm caused issues with the file synchronization and was replaced with a more sophisticated one.
• Updated mediaelement.js to version 2.9.5 917).
• If folder URLs are enabled in the back end settings, generate folder URL aliases in the site structure.
• Readded the default value for textareas to the form generator.
• Readded the option to limit the file tree to a certain path.
• Improved:
• Added a hint that selected files can be dragged to re-order them.

What is new in version 2.11.5:

• Fixed:
• Crop theme preview images so they are not being distorted.
• The IDNA convert class did (again) not run under PHP 5.2.
• Fixed an issue with getImage() not working correctly when the $target parameter was set.
• Correctly check the permissions to manage undo steps.
• Fixed the issue with new pages being inserted into first-level pages having the wrong default page type.
• Limit the "inputUnit" fields in the style sheet generator to 20 characters so they are stored correctly in the database.
• Update the style sheets when changing the theme, in case the global style sheet variables have changed.

What is new in version 2.11.4:

• Fixed a critical privilege escalation vulnerability which allowed regular users to make themselves administrators.
• Support insert tags as external redirect target.
• Updated the CSS3PIE plugin to version 1.0.0.
• Re-applied the "autofocus the first field" patch.
• The pagination menu fix was missing in the listing, search and RSS reader modules.
• Added the "required" attribute to the captcha input field.
• Correctly tell Google Analytics to anonymize the visitor's IP.
• Correctly align stylect menus in Safari and Opera.

What is new in version 2.11.3:

• Fixed:
• Always check all modules when looking for runonce.php files.
• Correctly insert the date picker in the DOM tree.
• Open popup windows so they are not blocked.
• Replaced is_a() with instanceof in the simplepie plugin.
• Use round() instead of ceil() when resizing images.
• Correctly handle empty FAQ categories in the front end modules.

What is new in version 2.11.2:

• The bugfix release fixes two security vulnerabilities from which one can be considered serious.
• Fixed:
• Fixed an issue with the CSS3PIE url being incorrectly rewritten.
• Fixed a security vulnerability in the file manager which allowed back end users to download files from the tl_files directory even if they were not mounted in their profile.
• Fixed a potential XSS vulnerability in the undo module. The issue is not considered critical, because it requires the script tag to be in the list of allowed HTML tags, which is not the case by default.
• The IDNA convert class did not run under PHP 5.2.

What is new in version 2.11 RC 2:

• New methods in the File/Folder class
• New hooks
• Privacy settings

What is new in version 2.10.4:

• The bugfix release fixes a few minor issues, including resolving the script name when using the "fpm-fcgi" interface, triggering the command scheduler in the Internet Explorer 7 and 8 and purging the template cache after creating a new template.
• Also, the theme importer has been adjusted so deleted themes can be restored after an import.

What is new in version 2.10.3:

• The bugfix release fixes a few minor issues, including the site structure order for non-admin users, the creation of cache files on Windows serven and the handling of the postLogin and postLogout hooks in the user model.

What is new in version 2.10.2:

• The bugfix release fixes a potential XSS vulnerability and is therefore highly recommended.

What is new in version 2.10.1:

• The maintenance release provides stability fixes for the version 2.10 branch and updates TinyMCE to version 3.4.4 (which fixes a few IE9 issues).

What is new in version 2.10.0:

• Updated:
• TinyMCE to version 3.4.3.2.
• SwiftMailer to version 4.1.1.
• Changed:
• Replaced the runonce.php routine with a more practical one.
• Added:
• A "getUserNavigation" hook to modify the back end navigation.
• A more accessible accordion template.
• Fixed:
• The values of TinyMCE fields were not saved.
• The new color transparency settings led to incorrect format definitions.
• Do not allow to link internally to pages running under a different domain.
• The request token check broke FancyUpload.
• Support global style sheet variables in RGBA colors.
• Make the syntax highlighter initialization script XHTML compatible.
• Use GET requests to toggle the visibility of an element.
• Do not remove the cron.txt file when purging system/HTML.
• Updated the templates cache if a file is edited in the templates editor.
• Empty news lists did not show the "currently no items" note.
• Reapplied the id attributes for checkbox and radio button containers.
• Do not generate inactive layout sections.
• Do not show empty comment replies in the front end.
• Parse insert tags in comment replies.
• Do not cache a page if there is a login error.
• The lost password module did not use the dynamic widget class.
• Sort global CSS variables by key length.
• Verify the channel when subscribing to or unsubscribing from a newsletter.
• The Safe Mode Hack could not be set up with the install tool.
• Hide the internally used Punycode format from the user.
• Fixed a few minor issues.

What is new in version 2.10 RC 1:

• Several bugs have been fixed and all plugins have been updated.

What is new in version 2.9.5:

• Updated: updated TCPDF to version 5.9.061.
• Added: IE9 compatibility.
• Added: added the Swedish editArea translation.
• Fixed: the code editor did not show up in the file manager.
• Fixed: the RSS reader did not parse HTML code correctly.
• Fixed: not all option callbacks worked correctly in override multiple mode.
• Fixed: the textarea widget did not support the readonly attribute.
• Fixed: the personal data modules did not handle checkbox fields.
• Fixed some minor issues.

What is new in version 2.9.4:

• This maintenance release improves the CSS 3 support of the style sheet importer, adds two new hooks and fixes several smaller bugs.

What is new in version 2.9.3:

• Fixed: custom templates were not always shown in "override all" mode.
• Fixed: prevent the X_FORWARDED_FOR header against XSS attacks.
• Fixed: preserve the selector fields in the personal data module.
• Fixed: skip mounted folders in the file manager if they do not exist.
• Fixed: the quick navigation modules failed to work when aliases were disabled.
• Fixed some minor issues.

What is new in version 2.9.2:

• Updated TCPDF to version 5.9.023
• Updated MooTools Core to version 1.2.5
• Updated TinyMCE to version 3.3.9.2
• Updated mediaboxAdvanced to version 1.2.5
• Added: allow external images in HTML newsletters
• Added: added insert tags for acronyms and abbreviations
• Added: add class "sibling" to pages on the same level in the navigation menu
• Fixed: do not allow insert tags in comments
• Fixed: check for custom layout sections during the theme import
• Fixed: only send the comments notification once
• Fixed: skipping the first item of a news list did not work correctly
• Fixed: allow column width 0 in page layouts
• Fixed: consider the protocol when loading scripts from the Google CDN
• Fixed: textareas in the back end were cut off in Opera
• Fixed: the task history could not be collapsed
• Fixed: the link insert tags showed the page title instead of the page name
• Fixed: do not show empty fieldset legends in the form generator
• Fixed: preserve curly brackets when replacing simple tokens
• Fixed: the style sheet importer did not support some CSS3 selectors
• Fixed: textual date insert tags were not replaced when loaded from cache
• Fixed: the image insert tag did not output the image dimensions
• Fixed: clear the $_GET array after rendering the event list module
• Fixed: do not aggregate style sheets with a @font-face selector
• Fixed: news insert tags did not handle entities correctly
• Fixed: do not show the FTP and database passwords in the install tool
• Fixed: minor fixes for the TimePeriod widget
• Fixed: update the CSS files after an old version of a record has been restored
• Fixed: custom page templates were not shown in "override all" mode
• Fixed: incorrect event sorting
• Fixed: do not execute hooks in the extension manager
• Fixed: check for existing files when renaming files in the file manager
• Fixed: check redirect pages for circular references
• Fixed: fixed a few minor spelling issues
• Fixed some minor issues

What is new in version 2.9.1:

• Updated TinyMCE to version 3.3.8.
• Improved the theme exporter to skip back end templates.
• Improved the theme importer to check for existing custom templates.
• Added: added a Safari patch for the EditArea plugin.
• Added: added a Swedish translation to the TinyMCE typolinks plugin.
• Added: added a warning to the login screen if cookies are not allowed.
• Fixed: the listing module always showed the primary key column.
• Fixed: empty article teaser drop-down menu when only a root page was mounted.
• Fixed: the hyperlink element did not handle mailto-links correctly.
• Fixed: the table sort script did not handle tag replacements correctly.
• Fixed: the version 2.9 database update failed when upgrading from version 2.6.
• Fixed: the maximum front end image width was not calculated correctly.
• Fixed: custom image gallery templates threw an exception the back end.
• Fixed: fixed an XSS vulnerability in the front end.
• Fixed: the feed generator did not always use the correct publication date.
• Fixed: fixed two style sheet importer issues.
• Fixed: the front end preview links did not work with URL rewriting enabled.
• Fixed: not all browser languages were checked when looking for a website root.
• Fixed: the front end cache only worked with rewritten URLs.
• Fixed: recursive duplication of a page created an empty record.
• Fixed: the comments form was not displayed if an element was protected.
• Fixed: change the link title when nodes are expanded or collapsed.
• Fixed: do not add pages with robots="noindex" to the XML sitemap.
• Fixed some minor issues.

What is new in version 2.9.1 RC1:

• Updated the Extension Repository to version 2
• Changed the theme file extension to "cto" (#1986)
• Moved the comments template menu to the module settings
• Modified the behavior of the specialchars() function (#1860)
• Modified the theme importer to check for missing fields and layout sections
• Improved the BBCode parser to always look for a closing tags (#1943)
• Improved the FileTree widget to reload via Ajax after using the popup file manager (#1980)
• Improved the Safe Mode Hack to only establish an FTP connection for write operations (#1957)
• Improved the iflng insert tag to support nested tags (#1515)
• Replaced uniqid('', true) with uniqid(mt_rand(), true)
• Removed Google Analytics support (still available through moo_analytics.tpl) (#2006)
• Added: added a TextStore widget to store plain text passwords
• Added: automatically increase the comments headline level (#1794)
• Added: added support for the different image resize modes to TinyMCE (#1712)
• Added: moved the global UTF8_LOOKUP_TABLE to a separate file (#1965)
• Added: added SSL/TLS support to the e-mail class (#1773)
• Added: added an additional confirmation to the "send newsletter" button (#1929)
• Added: added an option to skip featured news in the news list (#1378)
• Added: the group membership updater is now available for all checkbox fields (#1946)
• Added: throw a 404 error if URL rewriting is active and the URL contains the index.php fragment (#1844)
• Added: added an option to set the back end theme and FancyUpload on user level (#1726)
• Added: added an option to extend the mime types array of the File class (#1352)
• Added: use the code editor (EditArea) for all HTML and code fields (#1477)
• Added: add the file modification time to CSS and JavaScript files in the page header (#1830)
• Added: added FTP-SSL support to the FTP class (Safe Mode Hack) (#1968)
• Added: optionally display all news archive items if no period has been selected (#1393)
• Added: allow a dynamic primary key in the listing module (#1932)
• Added: limit the maximum number of records if a user chooses the "show all records" option (#1256)
• Added: allow to resume an interrupted newsletter sending process by defining the start cycle (#1481)
• Added: optionally load the MooTools scripts from a content delivery network
• Added: findInSet now supports option_callbacks in addition to static options (#1914)
• Added: load subpalettes from drop-down menus (#1156)
• Added: added a "parseArticles" hook to modify news items (#1632)
• Fixed: recoverable error in the registration module (#1926)
• Fixed: the event list did not show a "read more" link when redirecting to an article (#1944)
• Fixed: the textarea widget did not ignore the maxlength attribute (#1960)
• Fixed: replaced "uk" with "gb" in the countries list (#1803)
• Fixed: limit imported theme files to system/tmp, templates and the files directory (#1977)
• Fixed: check the table names during a theme import to prevent data injections (#1978)
• Fixed: the theme importer did not strip special characters from the file name (#1974)
• Fixed: the Encryption class did not handle empty strings (#2004)
• Fixed: the file manager showed a toggle button even if there were no valid files (#1993)
• Fixed: group modules by theme in the corresponding content element (#1992)
• Fixed: the templates target folder drop-down menu only showed the first level (#1953)
• Fixed: do not show unrelated templates in the template group menu (#1994)
• Fixed: adjusted the module links in the back end to the new theme URLs (#1972)
• Fixed: the image alt attribute could not be empty (#2009)
• Fixed: do not link a news headline if the item does not contain text (#1987)
• Fixed: error_403 and error_404 pages did not automatically generate an article (#2005)
• Fixed: do not check palettes in "override all" mode (#1982)
• Fixed: changed the theme icon order according to the system defaults (#2025)
• Fixed: corrected a few spelling mistakes and translation issues (#2032)
• Fixed: subpalettes were not inserted correctly when loaded via Ajax (#2039)
• Fixed: the DC_File driver did not support multi-text fields (#2045)
• Fixed: do not remove line breaks from mails sent with the form generator (#1959)
• Fixed: mandatory checkboxes and radio buttons were not handled correctly (#1921)
• Fixed: do not set access rights for every new page but inherit them from the parent page (#2042)
• Fixed: convert special characters in the output of the user insert tag (#1890)
• Fixed: the "generateFrontendUrl" hook was not applied to the search index (#1879)
• Fixed a few minor issues

What is new in version 2.7.5:

• Fixed issue with newsletter subscriptions not being activated
• Fixed issue with events spanning multiple months not displaying correctly
• Optimized function trimsplit() to handle large amounts of data

Requirements:

• PHP 5 or higher