×

Warning

No id set in fabrik plugin declaration

Fabrik 2.0rc5 has now been released and is available in the downloads section

This is a security release. We strongly advise all users to upgrade to this version.

Many thanks to Masood at Joomlapex.com and Rochen hosting for pointing out this vunerablity.

For those of you interested in the details, we were taking the controller name from the URL using JRequest::getVar('controller'). getVar() does not remove "../" from the querystring variable so hackers were able to gain access to files out side of the root directory. This is was fixed by using JRequest::getCmd('controller') instead.

In addition, since 2.0rc4 the follow changes have been added:

Elements

  • fixed: fileupload element in none repeating joined group was not working correctly
  • fixed: cascading drop down in repeat group watching element outside of repeat group - selected options were incorrect and update not triggered when watched element changed

Tables

  • Adding sql_big_selects option to tables
  • added: 'earlier in year' and 'later in year' prefilter conditions - does mySQL dayofyear() comparision on date elements
  • general filter improvements
  • 'clearordering=1' in querystring now removes ordering from table
  • fixed: calculations with split's on elements in joined tables were producing incorrect queries and not returning calculations
  • changed: csv export now triggered in steps via ajax call -should allow for exporting larger files without running out of memory
  • added: csv table export, option to define how many records are parsed per ajax call

Forms

  • fixed: encrypted values were not available in email form plugin
  • Several changes to PayPal form plugin.
  • added: apply button option to forms

Groups

  • added a group randomise elements option
  • You can use place holders {table___element} in group labels
  • Randomize groups in form option

General

  • updated parseMessageForPlaceholder - now allows {var||default} syntax - allows you to state a default string to match on if var not matched
  • Email cloak plugin no longer run on table and form views

Joomla content plug-in

  • Use to hide the table title
  • Should now allow you to render form/detailed view in form intro text

{rokcomments}