Merge pull request #12499 from wannesderoy/patch-4
[civicrm-core.git] / release-notes / 4.7.26.md
index 94251627e19bbf28e8e816dc396b36c65a7b48d6..786a2c94d8d10c9b7f92369c594c5ae7092aee9a 100644 (file)
 # CiviCRM 4.7.26
 
-Released November 8, 2017
+Released Nov 1, 2017
 
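Review bot: the new date line `+Released Nov 1, 2017` abbreviates the month, while the line it replaces spelled it out (`November 8, 2017`). Write `Released November 1, 2017` to keep the format this file already used, and confirm that moving the release date a week earlier is intended and not a leftover from drafting.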
-- **[Synopsis](#synopsis)**
-- **[Features](#features)**
-- **[Bugs resolved](#bugs)**
-- **[Miscellany](#misc)**
+- **[Security advisories](#security)**
 - **[Credits](#credits)**
-- **[Feedback](#feedback)**
 
-## <a name="synopsis"></a>Synopsis
+## <a name="security"></a>Security advisories
 
-| *Does this version...?*                                     |         |
-|:----------------------------------------------------------- |:-------:|
-| Fix security vulnerabilities?                               |         |
-| Change the database schema?                                 |         |
-| Alter the API?                                              |         |
-| Require attention to configuration options?                 |         |
-| Fix problems installing or upgrading to a previous version? |         |
-| Introduce features?                                         |         |
-| Fix bugs?                                                   |         |
 
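Review bot: removing the whole Synopsis table (`-| *Does this version...?*` and its rows) leaves these notes without a statement on whether 4.7.26 changes the database schema, alters the API, or needs configuration attention. For a release that now lists only security advisories, consider keeping the table with the "Fix security vulnerabilities?" row filled in and the other rows answered, so an administrator can judge the upgrade impact before reading the individual advisories.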
-## <a name="features"></a>Features
-
-### WordPress Integration
-
-- **[CRM-17633](https://issues.civicrm.org/jira/browse/CRM-17633) WordPress in own directory breaks CiviCRM ([11031](https://github.com/civicrm/civicrm-core/pull/11031) and [105](https://github.com/civicrm/civicrm-wordpress/pull/105))**
-
-- **[CRM-21243](https://issues.civicrm.org/jira/browse/CRM-21243) Logo in WP menu doesn't follow standard ([118](https://github.com/civicrm/civicrm-wordpress/pull/118))**
-
-### Core CiviCRM
-
-- **[CRM-21229](https://issues.civicrm.org/jira/browse/CRM-21229) Manage Group page is slow if you have smart groups ([11033](https://github.com/civicrm/civicrm-core/pull/11033))**
-
-- **[CRM-21201](https://issues.civicrm.org/jira/browse/CRM-21201) Tax recalculated when pay later contribution is completed using Pay Now ([11026](https://github.com/civicrm/civicrm-core/pull/11026))**
-
-- **[CRM-20852](https://issues.civicrm.org/jira/browse/CRM-20852) Show tax term in UI (eg. VAT) ([10640](https://github.com/civicrm/civicrm-core/pull/10640))**
-
-- **[CRM-21234](https://issues.civicrm.org/jira/browse/CRM-21234) Missing subdivisions of Tajikistan ([11041](https://github.com/civicrm/civicrm-core/pull/11041))**
-
-- **[CRM-21114](https://issues.civicrm.org/jira/browse/CRM-21114) file to case doesn't transfer activity assignees ([10912](https://github.com/civicrm/civicrm-core/pull/10912))**
-
-- **[CRM-21195](https://issues.civicrm.org/jira/browse/CRM-21195) Adding the ability to add icons to menu items ([11028](https://github.com/civicrm/civicrm-core/pull/11028), [11025](https://github.com/civicrm/civicrm-core/pull/11025), and [10996](https://github.com/civicrm/civicrm-core/pull/10996))**
-
-- **[CRM-21216](https://issues.civicrm.org/jira/browse/CRM-21216) Replace member_BAO_membershiptype_getMembershipTypesByOrg with API equivalent ([11029](https://github.com/civicrm/civicrm-core/pull/11029) and [11020](https://github.com/civicrm/civicrm-core/pull/11020))**
-
-- **[CRM-21220](https://issues.civicrm.org/jira/browse/CRM-21220) Invoice due date format spacing correction ([11024](https://github.com/civicrm/civicrm-core/pull/11024))**
-
-- **[CRM-21160](https://issues.civicrm.org/jira/browse/CRM-21160) Make event_type_id available in event message templates. ([10977](https://github.com/civicrm/civicrm-core/pull/10977))**
-
-- **[CRM-21199](https://issues.civicrm.org/jira/browse/CRM-21199) Remove dependancy for  'Default invoice payment page' ([11003](https://github.com/civicrm/civicrm-core/pull/11003))**
-
-- **[CRM-21182](https://issues.civicrm.org/jira/browse/CRM-21182) Activity API - fetch case details ([10979](https://github.com/civicrm/civicrm-core/pull/10979))**
-
-- **[CRM-20889](https://issues.civicrm.org/jira/browse/CRM-20889) Toggle check_number field on backoffice form as payment form fields  ([10680](https://github.com/civicrm/civicrm-core/pull/10680))**
-
-- **[CRM-21157](https://issues.civicrm.org/jira/browse/CRM-21157) Convert civicrm_subscription_history.date to timestamp from datetime for new installs ([10954](https://github.com/civicrm/civicrm-core/pull/10954))**
-
-- **[CRM-20630](https://issues.civicrm.org/jira/browse/CRM-20630) Find Activities: search criteria passing with URL parameters ([10957](https://github.com/civicrm/civicrm-core/pull/10957))**
-
-- **[CRM-21038](https://issues.civicrm.org/jira/browse/CRM-21038) Billing and CC fields shown when payment processor not selected. ([10826](https://github.com/civicrm/civicrm-core/pull/10826))**
-
-- **[CRM-21086](https://issues.civicrm.org/jira/browse/CRM-21086) Allow Inline View of Files Instead of Download ([10883](https://github.com/civicrm/civicrm-core/pull/10883))**
-
-- **[CRM-21106](https://issues.civicrm.org/jira/browse/CRM-21106) Move financial type ACL clause for reports into extension ([10904](https://github.com/civicrm/civicrm-core/pull/10904))**
-
-- **[CRM-21168](https://issues.civicrm.org/jira/browse/CRM-21168) WordPress plugin wiki/support links are incorrect ([116](https://github.com/civicrm/civicrm-wordpress/pull/116))**
-
-- **[CRM-21170](https://issues.civicrm.org/jira/browse/CRM-21170) Provide option
-  to filter by contact id & external id
-  ([10966](https://github.com/civicrm/civicrm-core/pull/10966))
-
-### CiviReport
-
-- **[CRM-21236](https://issues.civicrm.org/jira/browse/CRM-21236) Make contact custom fields available in Membership Detail report ([11042](https://github.com/civicrm/civicrm-core/pull/11042))**
-
-- **[CRM-21063](https://issues.civicrm.org/jira/browse/CRM-21063) Survey detail report lacks date options ([10857](https://github.com/civicrm/civicrm-core/pull/10857))**
-
-- **[CRM-21125](https://issues.civicrm.org/jira/browse/CRM-21125) permit class assignment on links in reports ([10922](https://github.com/civicrm/civicrm-core/pull/10922))**
-
-### CiviEvent
-
-- **[CRM-12167](https://issues.civicrm.org/jira/browse/CRM-12167) Add support for admin-only fee / price field value options ([10902](https://github.com/civicrm/civicrm-core/pull/10902))**
-
-### CiviContribute
-
-- **[CRM-21205](https://issues.civicrm.org/jira/browse/CRM-21205) batch list does not display accurate currency ([11008](https://github.com/civicrm/civicrm-core/pull/11008))**
-
-- **[CRM-20276](https://issues.civicrm.org/jira/browse/CRM-20276) When editing a contribution the value in civicrm_financial_item_amount is not updated ([10970](https://github.com/civicrm/civicrm-core/pull/10970))**
-
-### CiviEvent, CiviReport, Internationalisation
-
-- **[CRM-21196](https://issues.civicrm.org/jira/browse/CRM-21196) Event reports localization ([10997](https://github.com/civicrm/civicrm-core/pull/10997))**
-
-### CiviCase
-
-- **[CRM-21113](https://issues.civicrm.org/jira/browse/CRM-21113) find cases: search by case ID and subject ([10911](https://github.com/civicrm/civicrm-core/pull/10911))**
-
-## <a name="bugs"></a>Bugs resolved
-
-### Core CiviCRM
-
-- **[CRM-20636](https://issues.civicrm.org/jira/browse/CRM-20636) Notice fix while updating membership without payment  ([10412](https://github.com/civicrm/civicrm-core/pull/10412))**
-
-- **[CRM-18367](https://issues.civicrm.org/jira/browse/CRM-18367) Fatal error on Contribution logging summary report (possibly remove - see comment) ([10987](https://github.com/civicrm/civicrm-core/pull/10987))**
-
-- **[CRM-21247](https://issues.civicrm.org/jira/browse/CRM-21247) User Record link (in the Actions section of a contact record summary) is broken ([11057](https://github.com/civicrm/civicrm-core/pull/11057))**
-
-- **[CRM-21241](https://issues.civicrm.org/jira/browse/CRM-21241) Spinning logo is too jumpy ([11046](https://github.com/civicrm/civicrm-core/pull/11046))**
-
-- **[CRM-21238](https://issues.civicrm.org/jira/browse/CRM-21238) Fatal error on Drupal /user and /user/% ([11049](https://github.com/civicrm/civicrm-core/pull/11049))**
-
-- **[CRM-21110](https://issues.civicrm.org/jira/browse/CRM-21110) Relationships tab on contact summary runs query twice ([11009](https://github.com/civicrm/civicrm-core/pull/11009))**
-
-- **[CRM-15861](https://issues.civicrm.org/jira/browse/CRM-15861) Offline membership renewal doesn't display priceset choices ([10887](https://github.com/civicrm/civicrm-core/pull/10887))**
-
-- **[CRM-21223](https://issues.civicrm.org/jira/browse/CRM-21223) Number and Money fields are not set to NULL in the database ([11037](https://github.com/civicrm/civicrm-core/pull/11037))**
-
-- **[CRM-21227](https://issues.civicrm.org/jira/browse/CRM-21227) Fix issues in CRM_Core_Page_run test suite following merge of PR #10435 ([11032](https://github.com/civicrm/civicrm-core/pull/11032))**
-
-- **[CRM-21202](https://issues.civicrm.org/jira/browse/CRM-21202) DataTables warning: table id=dupePairs ([11004](https://github.com/civicrm/civicrm-core/pull/11004))**
-
-- **[CRM-21198](https://issues.civicrm.org/jira/browse/CRM-21198) Completing payment for partially paid membership doesn't change membership status ([11006](https://github.com/civicrm/civicrm-core/pull/11006))**
-
-- **[CRM-20653](https://issues.civicrm.org/jira/browse/CRM-20653) CRM_Utils_Request::retrieve() does not support non-truthy defaults ([10435](https://github.com/civicrm/civicrm-core/pull/10435))**
-
-- **[CRM-20226](https://issues.civicrm.org/jira/browse/CRM-20226) Parent Group do not inherit child group contacts ([11011](https://github.com/civicrm/civicrm-core/pull/11011))**
-
-- **[CRM-20999](https://issues.civicrm.org/jira/browse/CRM-20999) Multiple elements share same id `auto_renew` value on live contribution page. ([10834](https://github.com/civicrm/civicrm-core/pull/10834))**
-
-- **[CRM-16836](https://issues.civicrm.org/jira/browse/CRM-16836) Basic Search form group select does not respect ACLs ([11013](https://github.com/civicrm/civicrm-core/pull/11013))**
-
-- **[CRM-21189](https://issues.civicrm.org/jira/browse/CRM-21189) Add permission for Close and reopen Batch ([10983](https://github.com/civicrm/civicrm-core/pull/10983))**
-
-- **[CRM-21134](https://issues.civicrm.org/jira/browse/CRM-21134) e-notice errors when using a processor extension ([10935](https://github.com/civicrm/civicrm-core/pull/10935))**
-
-- **[CRM-21117](https://issues.civicrm.org/jira/browse/CRM-21117) Line item not shown in mails when paying later for membership priceset ([10978](https://github.com/civicrm/civicrm-core/pull/10978))**
-
-- **[CRM-21183](https://issues.civicrm.org/jira/browse/CRM-21183) Updating Partially paid contribution to Completed doesn't update membership ([10981](https://github.com/civicrm/civicrm-core/pull/10981))**
-
-- **[CRM-21178](https://issues.civicrm.org/jira/browse/CRM-21178) Custom fields of type "Link" are no longer clickable ([10985](https://github.com/civicrm/civicrm-core/pull/10985))**
-
-- **[CRM-21169](https://issues.civicrm.org/jira/browse/CRM-21169) Fix broken inline edit for profiles ([10964](https://github.com/civicrm/civicrm-core/pull/10964))**
-
-- **[CRM-20657](https://issues.civicrm.org/jira/browse/CRM-20657) Multiple events purchased from webform lists only single participant details in mail received ([10439](https://github.com/civicrm/civicrm-core/pull/10439))**
-
-- **Fixing type (missing function call) in example for hook_civicrm_alterAngular ([10952](https://github.com/civicrm/civicrm-core/pull/10952))**
-
-- **[NFC] comments clean up in test classes. ([10963](https://github.com/civicrm/civicrm-core/pull/10963))**
-
-- **[CRM-21172](https://issues.civicrm.org/jira/browse/CRM-21172) Fix 'Edit Contact Information' link on contact dashboard ([10969](https://github.com/civicrm/civicrm-core/pull/10969))**
-
-- **[CRM-20892](https://issues.civicrm.org/jira/browse/CRM-20892) Same mailing open in two windows can overwrite data on scheduled mailings ([10953](https://github.com/civicrm/civicrm-core/pull/10953))**
-
-- **templates/CRM/PCP/Form/Campaign.tpl: remove comment (not relevant). ([10959](https://github.com/civicrm/civicrm-core/pull/10959))**
-
-- **Correct spelling. ([10955](https://github.com/civicrm/civicrm-core/pull/10955))**
-
-- **Civilint civicrm_og_sync module ([489](https://github.com/civicrm/civicrm-drupal/pull/489))**
-
-- **Civilint civicrm_user.inc ([490](https://github.com/civicrm/civicrm-drupal/pull/490))**
-
-- **Lint CiviCRM Rules module ([477](https://github.com/civicrm/civicrm-drupal/pull/477))**
-
-- **Remove CiviTest.module.sample as been replaced with the CiviCRM Dev Docs ([492](https://github.com/civicrm/civicrm-drupal/pull/492))**
-
-- **NFC Civilint civicrm_group_roles module ([479](https://github.com/civicrm/civicrm-drupal/pull/479))**
-
-- **Run Civilint against first half of civicrm_handler_field files ([485](https://github.com/civicrm/civicrm-drupal/pull/485))**
-
-- **Civilint views plugins files ([483](https://github.com/civicrm/civicrm-drupal/pull/483))**
-
-- **Lint Civitheme module ([475](https://github.com/civicrm/civicrm-drupal/pull/475))**
-
-- **Civilint civicrm_handler_field_website.inc ([484](https://github.com/civicrm/civicrm-drupal/pull/484))**
-
-- **(NFC) Lint civicrm.config.php.drupal ([474](https://github.com/civicrm/civicrm-drupal/pull/474))**
-
-- **Civilint Some views files and HookTest file ([476](https://github.com/civicrm/civicrm-drupal/pull/476))**
-
-- **NFC Civilint civicrm_member_roles ([480](https://github.com/civicrm/civicrm-drupal/pull/480))**
-
-- **NFC Civilint civicrm_contact_ref module ([481](https://github.com/civicrm/civicrm-drupal/pull/481))**
-
-- **CiviCRM / Drupal Rules: Show all groups ([478](https://github.com/civicrm/civicrm-drupal/pull/478))**
-
-### CiviGrant, CiviReport
-
-- **[CRM-20460](https://issues.civicrm.org/jira/browse/CRM-20460) Grant Report incorrect where clause  ([11036](https://github.com/civicrm/civicrm-core/pull/11036))**
-
-### CiviCRM API, Core CiviCRM, Import
-
-- **[CRM-21109](https://issues.civicrm.org/jira/browse/CRM-21109) Creating contacts is slow, part 2 of 2: Smart group caching ([10943](https://github.com/civicrm/civicrm-core/pull/10943))**
-
-### Backdrop Integration
-
-- **[CRM-21217](https://issues.civicrm.org/jira/browse/CRM-21217) Enable E2E tests for Backdrop CMS ([11021](https://github.com/civicrm/civicrm-core/pull/11021))**
-
-### Dedupe
-
-- **[CRM-20217](https://issues.civicrm.org/jira/browse/CRM-20217) phone based dedupe rule fails to match when importing ([9925](https://github.com/civicrm/civicrm-core/pull/9925))**
-
-### CiviContribute
-
-- **[CRM-21221](https://issues.civicrm.org/jira/browse/CRM-21221) Precedence order logic bug in Contribution.completetransaction  ([11027](https://github.com/civicrm/civicrm-core/pull/11027))**
-
-- **[CRM-20750](https://issues.civicrm.org/jira/browse/CRM-20750) Incorrect financial trxn entries when payment instrument is changed on backoffice Contribution edit form  ([10980](https://github.com/civicrm/civicrm-core/pull/10980) and [10920](https://github.com/civicrm/civicrm-core/pull/10920))**
-
-### CiviMember
-
-- **[CRM-20881](https://issues.civicrm.org/jira/browse/CRM-20881) Backend Membership status set to pending if contribution status label 'Completed' is renamed ([10670](https://github.com/civicrm/civicrm-core/pull/10670))**
-
-### Accounting Integration, CiviContribute
-
-- **[CRM-21187](https://issues.civicrm.org/jira/browse/CRM-21187) Fix: Completing an existing contribution using completetransaction does not respect currency on financial_trxn record ([10982](https://github.com/civicrm/civicrm-core/pull/10982))**
-
-### CiviEvent
-
-- **[CRM-21127](https://issues.civicrm.org/jira/browse/CRM-21127) Event API return request params format is partially outdated ([10984](https://github.com/civicrm/civicrm-core/pull/10984))**
-
-- **[CRM-21133](https://issues.civicrm.org/jira/browse/CRM-21133) Price set error with NULL financial types  ([10947](https://github.com/civicrm/civicrm-core/pull/10947))**
-
-### Import
-
-- **[CRM-16964](https://issues.civicrm.org/jira/browse/CRM-16964) Importing contact custom data doesn't respect the Fill option ([10838](https://github.com/civicrm/civicrm-core/pull/10838))**
-
-### Drupal Integration Modules
-
-- **[CRM-20937](https://issues.civicrm.org/jira/browse/CRM-20937) civicrm engage breaks birth date field ([464](https://github.com/civicrm/civicrm-drupal/pull/464))**
-
-### WordPress Integration
-
-- **[CRM-21166](https://issues.civicrm.org/jira/browse/CRM-21166) WP-CLI commands fail due to whitespace in regex ([115](https://github.com/civicrm/civicrm-wordpress/pull/115))**
-
-## <a name="misc"></a>Miscellany
+- **[CIVI-SA-2017-08](https://civicrm.org/advisory/civi-sa-2017-08-xss-in-html-link-attributes)** XSS in HTML link attributes
+- **[CIVI-SA-2017-09](https://civicrm.org/advisory/civi-sa-2017-09-shell-injection-vulerabilty-in-smarty)** Shell injection vulerabilty in Smarty
+- **[CIVI-SA-2017-10](https://civicrm.org/advisory/civi-sa-2017-10-xss-scripting-in-preimum-product-name)** XSS scripting in preimum product name
+- **[CIVI-SA-2017-11](https://civicrm.org/advisory/civi-sa-2017-11-xss-in-dedupe-rules)** XSS in dedupe rules
+- **[CIVI-SA-2017-12](https://civicrm.org/advisory/civi-sa-2017-12-xss-in-tag-description)** XSS in tag description
+- **[CIVI-SA-2017-13](https://civicrm.org/advisory/civi-sa-2017-13-selectedchild-url-paramater-not-properly-validated-for-civicrm-message)** SelectedChild URL parameter not properly validated
+- **[CIVI-SA-2017-14](https://civicrm.org/advisory/civi-sa-2017-14-xss-in-search-critiera-description)** XSS in Search Critiera Description
+- **[CIVI-SA-2017-15](https://civicrm.org/advisory/civi-sa-2017-15-extension-key-not-properly-validated-when-adding-or-disabling-or)** Extension key not properly validated
+- **[CIVI-SA-2017-16](https://civicrm.org/advisory/civi-sa-2017-16-sql-injection-risk-in-civireports-listing)** SQL injection risk in CiviReports
 
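Review bot: three of the added advisory labels carry spelling errors in the visible link text: "Shell injection vulerabilty in Smarty" (CIVI-SA-2017-09), "XSS scripting in preimum product name" (CIVI-SA-2017-10) and "XSS in Search Critiera Description" (CIVI-SA-2017-14). Correct the labels to "vulnerability", "premium" and "criteria", and drop the redundant "scripting" after "XSS"; capitalisation of the -14 label should also match the sentence case of the other entries. Leave the URL slugs as they are unless the advisory pages themselves are renamed, since the links have to match the published addresses.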
 ## <a name="credits"></a>Credits
 
 This release was developed by the following code authors:
 
-AGH Strategies - Alice Frumin, Andrew Hunt; Australian Greens - Seamus Lee; Blackfly Solutions - Alan Dixon; Chris Burgess; Circle Interactive - Dave Jenkins; CiviCRM - Coleman Watts, Tim Otten; CiviDesk - Sunil Pawar, Yashodha Chaku; CompuCorp - Camilo Rodriguez, Michael Devery, Omar Abu Hussein; Coop SymbioTIC - Mathieu Lutfy; Eli Lisseck; Francesc Bassas i Bullich; Fuzion - Jitendra Purohit; Ginkgo Street Labs - Frank Gómez; JMA Consulting - Monish Deb, Pradeep Nayak; Kacper Warda; Left Join Labs - Sean Madsen; Lighthouse Design and Consulting - Brian Shaughnessy; MJW Consulting - Matthew Wire; Pawel Nowak; Progressive Technology Project - Jamie McClelland; Skvare - Mark Hanna; Tadpole Collective - Kevin Cristiano; Third Sector Design - Michael McAndrew; Wikimedia Foundation - Eileen McNaughton
+Australian Greens - Seamus Lee; Left Join Labs - Sean Madsen
 
 Most authors also reviewed code for this release; in addition, the following
 reviewers contributed their comments:
 
-adzil; AGH Strategies - Alice Frumin, Andrew Hunt; artfulrobot; Artful Robot - Rich Lott; Australian Greens - Seamus Lee; Blackfly Solutions - Alan Dixon; Chris Burgess; Christian Wach; Circle Interactive - Dave Jenkins, Martin Castle; civicrm-builder; CiviCRM - Coleman Watts, Tim Otten; CiviDesk - Nicolas Ganivet, Sunil Pawar, Yashodha Chaku; CompuCorp - Michael Devery, Omar Abu Hussein; Coop SymbioTIC - Mathieu Lutfy, Samuel Vanhove; Dave Greenberg; Eli Lisseck; ericfg; Francesc Bassas i Bullich; Freeform Solutions - Herb van den Dool; Fuzion - Jitendra Purohit; gboudrias; Ginkgo Street Labs - Frank Gómez; JMA Consulting - Joe Murray, Monish Deb, Pradeep Nayak; John Kingsnorth; Joinery - Allen Shaw; Joseph Lacey; jules54; Kacper Warda; Korlon - Stuart Gaston; Left Join Labs - Sean Madsen; Lighthouse Design and Consulting - Brian Shaughnessy; Marc Brazeau; MC3 - Graham Mitchell; Megaphone Technology Consulting - Jon Goldberg; MJW Consulting - Matthew Wire; mmauroy; mohamedziada; Openflows - Eric Goldhagen; otetard; Pawel Nowak; Progressive Technology Project - Jamie McClelland; Semper IT - Karin Gerritsen; Skvare - Mark Hanna; Tadpole Collective - Kevin Cristiano; Third Sector Design - Michael McAndrew; Web Access - Kurund Jalmi; Wikimedia Foundation - Eileen McNaughton; ximapmi
-
-## <a name="feedback"></a>Feedback
-
-These release notes are edited by Alice Frumin and Andrew Hunt.  If you'd like
-to provide feedback on them, please login to https://chat.civicrm.org/civicrm
-and contact `@agh1`.
+CiviCRM - Coleman Watts; JMA Consulting - Monish Deb; Wikimedia Foundation -
+Eileen McNaughton