1 files changed, 445 insertions, 0 deletions

diff --git a/CHANGES.txt b/CHANGES.txt
index af126c3d3..f6974a3ae 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,3 +1,448 @@
+Version 1.8.18
+(January 11, 2014 from https://github.com/Elgg/Elgg/tree/1.8)
+  Contributing Developers:
+   * Juho Jaakkola
+   * Steve Clay
+
+  Bugfixes:
+   * Fixes notify_user() broken in 1.8.17
+
+
+Version 1.8.17
+(January 1, 2014 from https://github.com/Elgg/Elgg/tree/1.8)
+  Contributing Developers:
+   * Brett Profitt
+   * Cash Costello
+   * Ed Lyons
+   * Evan Winslow
+   * Jeroen Dalsem
+   * Jerome Bakker
+   * Juho Jaakkola
+   * Matt Beckett
+   * Paweł Sroka
+   * Sem
+   * Steve Clay
+
+  Security Fixes:
+   * Specially-crafted request could return the contents of sensitive files.
+   * Reflected XSS attack was possible against 1.8 systems.
+   * The cryptographic key used for various purposes may have been generated with weak entropy, particularly on Windows.
+
+  Bugfixes:
+   * URLs with non-ASCII usernames again work
+   * Floated images are now properly cleared in content areas
+   * The activity page title now matches the document title
+   * Search again supports multiple comments on the same entity
+   * Blog archive sidebar now reverse chronological
+   * URLs with matching parens can now be auto-linked
+   * Log browser links for users now work
+   * Disabling over 50 objects should no longer result in an infinite loop
+   * Radio/checkbox inputs no longer have border radius (for IE10)
+   * User picker: the Only Friends checkbox again works
+   * Group bookmarklet no longer shown to non-members
+   * Widget reordering fixed when moving across columns
+   * Refuse to deactivate plugins needed as dependencies
+
+  Enhancements:
+   * Group member listings are ordered by name
+   * The system_log table can now store IPv6 addresses
+   * Web services auth_gettoken() now accepts email address
+   * List functions: no need to specify pagination for unlimited queries
+   * Htmlawed was upgraded to 1.1.16
+
+
+Version 1.8.16
+(June 25, 2013 from https://github.com/Elgg/Elgg/tree/1.8)
+  Contributing Developers:
+   * Brett Profitt
+   * Cash Costello
+   * Jeff Tilson
+   * Jerome Bakker
+   * Paweł Sroka
+   * Steve Clay
+
+  Security Fixes:
+   * Fixed avatar removal bug (thanks to Jerome Bakker for the first report of this)
+
+  Bugfixes:
+   * Fixed infinite loop when deleting/disabling an entity with > 50 annotations
+   * Fixed deleting log tables in log rotate plugin
+   * Added full text index for groups if missing
+   * Added workaround for IE8 and jumping user avatar
+   * Fixed pagination for members pages
+   * Fixed several internal cache issues
+   * Plus many more bug fixes
+
+
+Version 1.8.15
+(April 23, 2013 from https://github.com/Elgg/Elgg/tree/1.8)
+  Contributing Developers:
+   * Cash Costello
+   * Ismayil Khayredinov
+   * Jeff Tilson
+   * Juho Jaakkola
+   * Matt Beckett
+   * Paweł Sroka
+   * Sem
+   * Steve Clay
+   * Tom Voorneveld
+
+  Bugfixes:
+   * Not displaying http:// on profiles when website isn't set
+   * Fixed pagination display issue for small screens
+   * Not hiding subpages of top level pages that have been deleted
+   * Stop corrupting JavaScript views with elgg deprecation messages
+   * Fixed out of memory error due to query cache
+   * Fixed bug preventing users authorizing Twitter account access
+   * Fixed friends access level for editing pages
+   * Fixed uploading files within the embed dialog
+
+  Enhancements:
+   * Added browser caching of language JS files
+   * Adding nofollow on user posted URLs for spam deterrence (thanks to Hellekin)
+   * Auto-registering views for simplecache when their URL is requested
+   * Display helpful message for those who have site URL configuration issues
+   * Can revert to a previous revision with pages plugin
+   * Site owners can turn off posting wire messages to Twitter
+   * Search results are sorted by relevance
+
+  Dropped Plugins:
+   * Twitter widget due to changes in Twitter API and terms of service
+   * OAuth API plugin due to conflicts with the Twitter API plugin
+
+
+Version 1.8.14
+(March 12, 2013 from https://github.com/Elgg/Elgg/tree/1.8)
+  Contributing Developers:
+   * Aday Talavera
+   * Brett Profitt
+   * Cash Costello
+   * Ed Lyons
+   * German Bortoli
+   * Hellekin Wolf
+   * iionly
+   * Jerome Bakker
+   * Luciano Lima
+   * Matt Beckett
+   * Paweł Sroka
+   * Sem
+   * Steve Clay
+
+  Security Fixes:
+   * Fixed a XSS vulnerability when accepting URLs on user profiles
+   * Fixed bug that exposed subject lines of messages in inbox
+   * Added requirement for CSRF token for login
+
+  Bugfixes:
+   * Strip html tags from tag input
+   * Fixed several display issues for IE7
+   * Fixed several issues with blog drafts
+   * Fixed repeated token timeout errors
+   * Fixed JavaScript localization for non-English languages
+
+  Enhancements:
+   * Web services fall back to json if the viewtype is invalid
+
+
+Version 1.8.13
+(January 29, 2013 from https://github.com/Elgg/Elgg/tree/1.8)
+  Contributing Developers:
+   * Cash Costello
+   * Juho Jaakkola
+   * Kevin Jardine
+   * Krzysztof Różalski
+   * Steve Clay
+
+  Security Fixes:
+   * Added validation of Twitter usernames in Twitter widget
+
+  Bugfixes:
+   * CLI usages with walled garden fixed
+   * Upgrading from < 1.8 to 1.8 fixed
+   * Default widgets fixed
+   * Quotes in object titles no longer result in "qout" in URLs
+   * List of my groups is ordered now
+   * Language string river:comment:object:default is defined now
+   * Added language string for comments: generic_comment:on
+
+  Enhancements:
+   * Added confirm dialog for resetting profile fields (adds language string profile:resetdefault:confirm)
+
+
+Version 1.8.12
+(January 4th, 2013 from https://github.com/Elgg/Elgg/tree/1.8)
+  Contributing Developers:
+   * Brett Profitt
+   * Cash Costello
+   * Jerome Bakker
+   * Matt Beckett
+   * Paweł Sroka
+   * Sem
+   * Steve Clay
+
+  Bugfixes:
+   * Added an AJAX workaround for the rewrite test.
+   * Code cleanup to prevent some notices and warnings.
+   * Removed "original_order" in menu item anchor tags.
+   * Site menu's selected item correctly persists through content pages.
+   * Static caches rewritten and improved to prevent stale data being returned.
+   * Installation: Invalid characters in admin username are handled correctly.
+   * Messages: Fixed inbox link in email notifications.
+   * The Wire: Fixed objects not displaying correctly when upgrading from 1.7.
+
+  Enhancements:
+   * Performance improvements and improved caching in entity loading.
+   * Added upgrade locking to prevent concurrent upgrade attempts.
+   * Replaced xml_to_object() and autop() with GPL / MIT-compatible code.
+   * Error messages (register_error()) only fade after being clicked.
+   * Groups: Added a sidebar entry to display membership status and a link to
+     group notification settings.
+   * Groups: Added pending membership and invitation requests to the sidebar.
+   * Groups: Better redirection for invisible and closed groups.
+   * Search: User profile fields are searched.
+   * Pages: Subpages can be reassigned to new parent pages.
+   * Twitter: Login with twitter supports persistent login and correctly forwards
+     after login.
+
+
+Version 1.8.11
+(December 5th, 2012 from https://github.com/Elgg/Elgg/tree/1.8)
+
+  Bugfix:
+   * Fixed fatal error in group creation form
+
+
+Version 1.8.10
+(December 4th, 2012 from https://github.com/Elgg/Elgg/tree/1.8)
+
+  Contributing Developers:
+   * Krzysztof Różalski
+   * Lars Hærvig
+   * Paweł Sroka
+   * RiverVanRain
+   * Sem
+   * Steve Clay
+
+  Security Enhancements:
+   * Cached metadata respects access restrictions to fix problems with profile
+     field display.
+   * Group RSS feeds are restricted to valid entities
+
+  Enhancements:
+   * UX: Added a list of Administrators in the admin area
+   * UX: Limiting message board activity stream entries to excerpts
+   * Performance: Prefetching river entries
+   * Performance: Plugin entities are cached
+
+  Bugfixes:
+   * Removed superfluous commas in JS files to fix IE compatibility.
+   * API: Fixed Twitter API.
+   * Performance: Outputting valid ETags and expires headers.
+
+
+Version 1.8.9
+(November 11, 2012 from https://github.com/Elgg/Elgg/tree/1.8)
+
+ Contributing Developers:
+  * Brett Profitt
+  * Cash Costello
+  * Evan Winslow
+  * Jeroen Dalsem
+  * Jerome Bakker
+  * Matt Beckett
+  * Paweł Sroka
+  * Sem
+  * Steve Clay
+
+ Security Enhancements:
+  * Sample CLI installer cannot break site
+  * Removed XSS vulnerabilities in titles and user profiles
+
+ Enhancements:
+  * UX: A group's owner can transfer ownership to another member
+  * UX: Search queries persist in the search box
+  * Several (X)HTML validation improvements
+  * Improved performance via more aggressive entity and metadata caching
+  * BC: 1.7 group profile URLs forward correctly
+
+ Bugfixes:
+  * UX: Titles containing HTML tokens are never mangled
+  * UX: Empty user profile values saved properly
+  * UX: Blog creator always mentioned in activity stream (not user who published it)
+  * UI: Fixed ordering of registered menu items in some cases
+  * UI: Embed dialog does not break file inputs
+  * UI: Datepicker now respects language
+  * UI: More reliable display of access input in widgets
+  * UI: Group edit form is sticky
+  * UI: Site categories are sticky in forms
+  * API: Language fallback works in Javascript
+  * API: Fallback to default viewtype if invalid one given
+  * API: Notices reported for missing language keys
+  * Memcache now safe to use; never bypasses access control
+  * BC: upgrade shows comments consistently in activity stream
+
+
+Version 1.8.8
+(July 11, 2012 from https://github.com/Elgg/Elgg/tree/1.8)
+
+ Contributing Developers:
+  * Cash Costello
+  * Miguel Rodriguez
+  * Sem
+
+ Enhancements:
+  * Added a delete button on river items for admins
+
+ Bugfixes:
+  * Fixed the significant bug with htmlawed plugin that caused duplicate tags
+
+
+Version 1.8.7
+(July 10, 2012 from https://github.com/Elgg/Elgg/tree/1.8)
+
+ Contributing Developers:
+  * Cash Costello
+  * Evan Winslow
+  * Ismayil Khayredinov
+  * Jeroen Dalsem
+  * Jerome Bakker
+  * Matt Beckett
+  * Miguel Rodriguez
+  * Paweł Sroka
+  * Sem
+  * Steve Clay
+
+ Enhancements:
+  * Better support for search engine friendly URLs
+  * Upgraded htmlawed (XSS filtering)
+  * Internationalization support for TinyMCE
+  * Public access not available for walled gardens
+  * Better forwarding and messages when they cannot view content because logged out
+
+ Bugfixes:
+  * Fatal errors due to type hints downgraded to warnings
+  * Group discussion reply notifications work again
+  * Sending user to inbox when deleting a message
+  * Fixed location profile information when it is an array
+  * Over 30 other bug fixes.
+
+
+Version 1.8.6
+(June 18, 2012 from https://github.com/Elgg/Elgg/tree/1.8)
+
+ Contributing Developers:
+  * Cash Costello
+  * Evan Winslow
+  * Ismayil Khayredinov
+  * Jeff Tilson
+  * Jerome Bakker
+  * Paweł Sroka
+  * Sem
+  * Steve Clay
+
+ Enhancements:
+  * New ajax spinner
+  * Detecting docx, xlsx, and pptx files in file plugin
+  * Showing ajax spinner when uploading file with embed plugin
+
+ Bugfixes:
+  * Fixed some language caching issues.
+  * Users can add sub-pages to another user's page in a group.
+  * Over 30 other bug fixes.
+
+
+Version 1.8.5
+(May 17, 2012 from https://github.com/Elgg/Elgg/tree/1.8)
+ 
+ Contributing Developers:
+  * Brett Profitt
+  * Evan Winslow
+  * Sem
+  * Steve Clay
+  * Jeroen Dalsem
+  * Jerome Bakker
+
+ Security Enhancements:
+  * Fixed possible XSS vulnerability if using a crafted URL.
+  * Fixed exploit to bypass new user validation if using a crafted form.
+  * Fixed incorrect caching of access lists that could allow plugins
+    to show private entities to non-admin and non-owning users. (Non-exploitable)
+
+ Bugfixes:
+  * Twitter API: New users are forwarded to the correct page after creating 
+                 an account with Twitter.
+  * Files: PDF files are downloaded as "inline" to display in the browser.
+  * Fixed possible duplication errors when writing metadata with multiple values.
+  * Fixed possible upgrade issue if using a plugin uses the system_log hooks.
+  * Fixed problems when enabling more than 50 metadata or annotations.
+
+ API:
+  * River entries' timestamps use elgg_view_friendly_time() and can be 
+     overridden with the friendly time output view.
+
+
+Version 1.8.4
+(April 24, 2012 from https://github.com/Elgg/Elgg/tree/1.8)
+
+ Contributing Developers:
+   * Adayth Talavera
+   * Brett Profitt
+   * Cash Costello
+   * Evan Winslow
+   * Ismayil Khayredinov
+   * Janek Lasocki-Biczysko
+   * Jerome Baker
+   * Sem
+   * Steve Clay
+   * Webgalli
+
+ Security Enhancements:
+  * Fixed an issue in the web services auth.get_token endpoint that
+    would give valid auth tokens to invalid credentials. Thanks to
+    Christian for reporting this!
+  * Fixed an that could show which plugins are loaded on a site.
+
+ Enhancements:
+  * UI: All bundled plugins' list pages display a no content message if there is nothing to list.
+  * UI: Site default access is limited to core access levels.
+  * UI: Showing a system message to the admin if plugins are disabled with the "disabled"
+    magic file.
+  * UI: Added transparent backgrounds for files and pages icons.
+  * External (Site) Pages: If in Wall Garden mode, Site Pages use the Walled Garden
+    theme when logged out.
+  * UI: Database errors only show the query to admin users.
+  * UI: Cannot set the data path to a relative path in installation or site settings.
+  * UI: Cleaned up notifications for bundled plugins.
+  * UI: Hiding crop button if no avatar is uploaded.
+  * UI: Bundled plugins are displayed with a gold border in the plugin admin area.
+  * UI: Can see all the categories a plugin belongs to.
+  * Web Services: Multiple tokens allowed for users.
+  * API: More efficient entity loading.
+  * API: Added IP address to system log.
+  * API: Languages are cached.
+  * API: ElggBatch supports disabling offsets for callbacks that delete entities.
+  * API: Cleaned up the boot process.
+  * API: Fixed situation in which the cache isn't properly cleared if a file can't be unlinked.
+
+ Bugfixes:
+  * UI: Tags display in the case they were saved.
+  * UI: Friendly titles keep -s.
+  * UI: Removed pagination in friends widget.
+  * UI: Profile settings actions correctly displays error messages as errors.
+  * UI: Tag search works for tags with spaces.
+  * UI: Fixed river display for friending that happens during registration.
+  * Groups: Link for managing join requests is restored in the sidebar.
+  * Walled Garden: Cron and web services endpoints are exposed as public sites.
+  * The Wire: UTF usernames are correctly linked with @ syntax.
+  * The Wire: No longer selecting the "Mine" tab for users who aren't you.
+  * Blogs: Notifications restored.
+  * Message Board: Fixed delete.
+  * Groups: Forwarding to correct page if trying to access closed group.
+  * API: entities loaded via elgg_get_entities_from_relationship() have the correct time_created.
+  * API: Deleting entities recursively works when code is logged out.
+  * API: Fixed multiple uses of deprecated functions.
+
+
 Version 1.8.3
 (January 12, 2012 from https://github.com/Elgg/Elgg/tree/1.8)