pkgsrc-WIP-changes archive

php-dotclear: update to 2.16



Module Name:	pkgsrc-wip
Committed By:	Frédéric Fauberteau <frederic%fauberteau.org@localhost>
Pushed By:	frederic
Date:		Fri Apr 3 13:21:02 2020 +0200
Changeset:	912dfdf8625cb5daeaa0c4af99ef0af3527c411d

Modified Files:
	php-dotclear/Makefile
	php-dotclear/distinfo
Removed Files:
	php-dotclear/TODO

Log Message:
php-dotclear: update to 2.16

upstream changes:
-----------------
Dotclear 2.16 - 2020-03-13
===========================================================
* 🐘 PHP 5.6+ is required, PHP 7.4 compliance
* 🛡 Security: all requests from/to Dotclear and DotAddict servers use now HTTPS
* jQuery upgraded to 3.4.1, older version will be removed, jQuery not anymore requested for "Remember me" feature
* New "static" mode for home page
* Media description may now be updated
* Add <i [lang="…"]>…</i> support to Dotclear wiki, syntax: ££text[|lang]££
* Lib: Update Codemirror to 5.52.0
* Lib: Update CKEditor to 4.14.0
* Lib: Clearbricks now supports MySQL 8+
* 🐛 → Various bugs, a11y concerns and typos fixed
* 🌼 → Some locales and cosmetic adjustments

Dotclear 2.15.3 - 2019-11-28
===========================================================
* Fix: Avoid weird side-effect of JS minifier
* Fix: insertion of default type media (non image/audio/video) in XHTML entries
* Fix: Cope with old themes for 'remember me' string defined in JS

Dotclear 2.15.2 - 2019-10-01
===========================================================
* Fix: Ajax saving of files in theme editor when using codemirror
* Fix: Video insertion with CKEditor or LegacyEditor
* Fix: Badge position for dashboard modules counters

Dotclear 2.15.1 - 2019-08-29
===========================================================
* Fix: SQL request for CSP unsafe-inline setting
* Fix: CKEditor configuration for foreign language (unable to save post modifications)

Dotclear 2.15 - 2019-08-13
===========================================================
* 🐘 PHP 5.6+ is required, PHP 7.3 compliance
* Add drag'n'drop sorting system for dashboard blocks
* Backend context is preserved on switching blog (as far as possible, depending on user's grants)
* No more inline javascript, default/install CSP directive modified accordingly
* Add settings (in maintenance plugin) for CSP system
* Set correct lang attribute (useful for browser/editor spelling) for content (post/page) depending on entry setting, and CK editor UI in user language
* Add spellcheck="true" attribute on input/textarea
* Refactoring of notices/messages system on backend
* Add undo/redo buttons to CKEditor toolbar
* Add title/legend reminder on media popup insertion (1st tab)
* Add font loading capabilities for ?pf= system - plugin are now able to load css fonts
* Add WebP image format support to Dotclear (may depend on your server PHP capabilities)
* Add <sub>…</sub> support in Dotclear wiki, syntax : _indice_
* Template system: Allow ?sub for category/categories attributes of tpl:EntryIf, and for url/urls attributes of tpl:CategoryIf
* Responsive tables/lists (posts, pages, users, …)
* Spams preview (administrative board) now shows HTML code rather than interpreted content
* Fix: port used behind reverse proxy (Clearbricks)
* Lib: Update Codemirror to 5.48.0
* Lib: Update CKEditor to 4.12.0
* 🗑 → No more flash players (flv,mp3)
* 🐛 → Various bugs, a11y concerns and typos fixed
* 🌼 → Some locales and cosmetic adjustments

Dotclear 2.14.3 - 2018-09-26
===========================================================
* 🛡 Security: Avoid XML upload in media manager
* Fix: Upgrade modification for media_exclusion default setting
* Fix: cope with PHP.ini setting memory_limit set to -1 (unlimited)

Dotclear 2.14.2 - 2018-09-04
===========================================================
* 🛡 Security: Authenticated cross-site scripting (XSS) was possible due to the .ahtml (or .bhtml, .chtml, …) file extension being allowed in the media manager. Thanks Josiah Pierce for report (CVE-2018-16358)
* 🛡 Security: Unregister phar wrapper in order to avoid PHP Phar extension vulnerability
* Fix: Enter key in some input fields was not redirected to the parent form
* Fix: Unable to save modified theme's files in theme editor, when Codemirror is used
* Fix: Back to the original global_filters() template function (will be rewritten in the next 2.15)

Dotclear 2.14.1 - 2018-08-17
===========================================================
* 🐘 PHP 5.6+ is required - PHP 5.5 is buggy with the 2.14 release
* Fix: install wizard was broken
* Fix: smallest admin font size was set when saving user prefs
* Fix: minifying JS scripts may cause problems with regular expressions
* Fix: empty JS var was set for syntax coloration if disabled

Dotclear 2.14 - 2018-08-13
===========================================================
* 🛡 Security: Fix potential reflective XSS, thanks Zekvan Arslan for report (via Daniel Bishtawi from https://www.netsparker.com/)
* 🐘 PHP 7.2 compliance
* Use specialized fields whenever it's possible (email, …)
* Add definition list capabilities (dl, dt, dd) to wiki (= <term>, : <definition>)
* Add <sup>…</sup> support in wiki, syntax : ^exponant^
* Add syntax property/method to dblayer driver
* Replace some js oriented background fading by CSS3 animation
* Enhance some visual focus indicators
* Enhance key event management in popup (Esc, Enter, …)
* Template filters may now be extended (or modified) by 3rd party plugins (via behaviors)
* PSR-2 code formatting as far as possible (work in progress)
* Add two new ways to order tags (by oldest or newest associated post publication date)
* Update Codemirror to 5.38.0
* Update CKEditor to 4.9.2
* Update jQuery migrate plugin to 1.4.1
* Update jQuery UI (custom) 1.12.1
* Add a dark mode (via user preferences) for administration, CSS refactoring
* Animate some counters on dashboard icons (nb of comments, spam comments and posts)
* 🐛 → Various bugs and typos fixed
* 🌼 → Some locales and cosmetic adjustments

Dotclear 2.13.1 - 2018-01-27
===========================================================
* Fix: Weird behaviour of theme editor when typing any of "t", "r", "u" and "e" characters
* Fix: Unable to save an entry with dcLegacyEditor in XHTML mode, visual pane

Dotclear 2.13 - 2018-01-13
===========================================================
* 🐘 PHP 5.5+ is required
* 🛡 Security: New password management system (including silent migration)
* 🛡 Security: Add Referrer-Policy header in admin pages
* 🛡 Security: Fix potential XSS - thanks Trí Chim Trích for report
* Dotclear news are now displayed in async way by js
* Dotclear core update check is now done by async js - a forced check may still be done on <admin>/update.php page
* Add utf8mb4 driver (MySQL server 5.7.7+)
* Add target="blank" option in simpleMenu
* Update CKEditor from 4.6.2 to 4.7.3
* Update CodeMirror from 5.25.1 to 5.32.1
* Add required attribute for mandatory fields
* Fix: Avoid horizontal scrolling table when longest comment's usernames in list of comments
* Fix: Cope with MySQLi connection via socket
* Fix: Error messages markup and styling
* Fix: Set caret at the end of the inserted thing (img, url, blockquote, …) in Legacy editor if current selection is empty
* Fix: Cope with query part only in SimpleMenu URLs
* 🐛 → Various bugs and typos fixed
* 🌼 → Some locales and cosmetic adjustments

Dotclear 2.12.2 - merged in 2.13
===========================================================
* Fix: lang attribute was missing on entry alone contexts for currywurst and dotty templatesets
* Fix: Add http:// protocol before media.dotaddict.org for csp_admin_img
* Fix: tpl:sysIf blog_lang generated code
* Fix: Duplicate auto-generated URI (entries)
* Fix: Do not use border and background on select to use the system aspect of them in Firefox.
* Fix: For select element, target Safari to cope with font-size select/option problem.
* Fix: Error messages styling

Dotclear 2.12.1 - 2017-08-13
===========================================================
* Fix: 3rd party filters for template tags (std filters are no longer modifiable)
* Fix: Media filename are now used without modification for media title on upload (advanced mode)

Dotclear 2.12 - 2017-07-27
===========================================================
* 🛡 Security: Fix potential XSS
* 🛡 Security: Enforce uniqueness of the recovery key
* 🛡 Security: Switch hash method from sha1 to sha512 (new installation only)
* Two new values for base font size (37.5% and 87.5%)
* Adaptive admin font size is now optional
* Reduce base font size on very small devices
* Refactor some functions to closures
* No CSP directives in safe mode
* Add current blog domain for script and style CSP directives
* Backlinks:
  * Retrieving ping URLs, let trackback first, then pingback, then finally webmention
  * Get source post content to compose webmention excerpt and retrieve title
  * Use source post title as blog name if this one is unknown (Anonymous blog is used if neither title nor blog name are known)
* Datepicker's look refreshed
* Allow 3rd party additional headers (URL handler)
* Dublin core metadata removed
* Using theme\<theme_name> namespace for _public.php and _prepend.php, in order to simplify theme copy and hack
* Temporary password will have to be changed at first login (after resetting password)
* Add ukrainian language
* French help updated for theme editor
* Add an option to disable Dotclear updates check (super-admin only)
* Fix: Blogs’ admin (ie not super-admin) got back their blogs’ list but only super-admin may do actions
* Fix: Post/page edition layout on different screen sizes
* Fix: x-frame-options URL in admin
* Fix: Cope with several copies of a same smiley in content
* Fix: Allow 3rd party filters for template tags
* Fix: Use getURLFor instead of old getBase function for breadcrumb
* Fix: Give mysql/mysqli driver choice for DC 1.2 import
* Clearbricks lib update from 0.9 to 1.0
* jQuery lib update from 2.2.0 to 2.2.4 (last release of jQuery 2.n branch)
* CKEditor lib update from 4.6.1 to 4.6.2
* CodeMirror lib update from 5.15.3 to 5.25.1
* 🐛 → Various bugs and typos fixed
* 🌼 → Some locales and cosmetic adjustments
* 📣 Warning: Next major release (2.13) will require PHP 5.5+

Dotclear 2.11.2 - 2016-12-29
===========================================================
* Fix: Ensure compatibility with old version of PHP (5.3, 5.4)
* Fix: New path of CSP report for maintenance deletion task
* Fix: Broken entry preview
* Fix: Avoid outgoing link on images in media manager
* 🌼 → Do not include empty div as it disrupts CSS flexbox system

Dotclear 2.11.1 - 2016-12-28
===========================================================
* Fix: admin menu not visible and some plugin admin not accessible with PHP < 5.5

Dotclear 2.11 - 2016-12-28
===========================================================
* 🐘 PHP 5.3+ is required
* 🛡 Security : Prevents XSS injection in media title, thanks smarterbitbybit for report
* Cope with locale for sorting order if possible (work in progress)
* Rich-text-editor (xhtml) may be disabled for Blog/Category description, widget's textareas, …
* Add direct access to module's settings from plugins management page (depends on _define.php of modules)
* Menus (except favorites) are now lexically sorted (except "new post" item)
* Add Entry date as sort order in comments list
* Switch admin CSS to Sass/Compass (work in progress)
* Add 'l' and 'm' accesskey for editor toolbars, respectively for 'insert link' and 'select media' buttons
* Add new categories attribute to EntryIf template tag
* Remove Dublin-core metadata from <head> in template-sets
* ToolMan (js) no longer used, thanks Tim Taylor for all these years together!
* Soft redesign of administration pages using responsive font-size and OS system fonts (IE 10+)
* Add a user preference to hide additional/secondary information
* Add actions on blog list, new sort order: blog status
* Update CKEditor to 4.6.1
* Open trackbacks with behaviors and add basic Webmention support
* Add First Publication mechanism and an option to auto-ping when fired
* Berlin theme is now based on Dotty template-set
* Move advanced and plugins blog’s prefs in two separate foldable sections
* Add legend and title insertion option for image insertion in entry
* Some notices and messages may be hidden
* Add urls attribute to CategoryIf template tag
* CSP: Move admin CSP admin/csp_report.txt to DC_VAR/csp/csp_report.json
* CSP: Violations are now stored only once in report if repeated
* a11y: Remove empty link (href=#) from admin
* Fix: Proxies may use standard HTTP(S) ports and SSL may now run through a proxy
* Fix: Prevents precondition failed during activated theme update
* 🐛 → Various bugs and typos fixed
* 🌼 → A lot of locales and cosmetic adjustments
* 🚽 → Housecleaning of no more used scripts, images, resources, IE 9- :-)

Dotclear 2.10.4 - 2016-11-02
===========================================================
* PostgreSQL < 9.1 fix

Dotclear 2.10.3 - 2016-11-01
===========================================================
* Security: Fix CVE-2016-7903: Password Reset Address Spoof — Thanks Hongkun Zeng for report
* Security: Fix CVE-2016-7902: Media Manager, unrestricted File Upload — Thanks Hongkun Zeng for report
* CSP: Cope with external sources used in editor's iframe to preview public external content
* Fix: Cope with post.post_position field during flat import
* Fix: Prevents precondition failed during currently activated theme update
* Fix: Remove unnecessary header (cope by dotclear) in page plugin
* Fix: Let some proxies playing with standard http and https ports
* Fix: Let SSL runs through a proxy, it may be ok, sometimes
* 🐛 → Various bugs and typos fixed

Dotclear 2.10.2 - 2016-08-17
===========================================================
* Update fails with PostgreSQL db support → fixed

Dotclear 2.10.1 - 2016-08-15
===========================================================
* CSP (Content-Security-Policies) :
  * Fix default directive for new installation
  * Cope with media public URL for media manager
  * Cope with blog public URL for post/page preview
* Codemirror lib is now packed as the other Javascript lib are

Dotclear 2.10 - 2016-08-13
===========================================================
* Security: Prevents .htaccess upload, thanks wiswat
* Security: Prevents download of a zip media folder outside root media folder, thanks wiswat
* Security: Prevents sort of SSRF/XSPA vulnerability in feed import, thanks wiswat
* Security: Prevents reflected XSS in media manager, thanks Chen Ruiqi
* Security: Fix some vulnerabilities in blogroll plugin, thanks Onur Yılmaz - Netsparker (https://www.netsparker.com)
* Fix mix-content preview
* Pure CSS3 sticky footer for admin pages (aka « footer de merde »)
* Add missing breadcrumb styles for blowup theme
* Currently logged super-admin may now change its id without losing access at next login
* The favorites icons may now be hidden from dashboard in user preferences
* Number of posts/pages/comments are now displayed at top of lists, including quick filters depending on their status
* Search widget has now a placeholder option (HTML5 only)
* Add Apache 2.4+ directives in .htaccess
* New favorites media folders (displayed at the top of recent folder list) in media manager
* New pure HTML5 template set named dotty cloned from currywurst templateset
* Codemirror lib updated (2.35.0 → 5.15.2) and moved to core:
  * 40+ Codemirror themes are available — set in user preferences
  * Fullscreen mode has been added (F11 switching key)
  * 3rd party plugins may now load and run it with dcPage::jsLoadCodeMirror() and dcPage::jsRunCodeMirror(), see themeEditor plugin for example
* New mark button for legacy editor (HTML5 only)
* New with_category attribute for tpl:Entries
* Add a /var directory:
  * Set with DC_VAR constant in inc/config.php
  * Admin URL of a var file should be retrieved with dcPage::getVF()
  * Public URL of a var file should be retrieved with dcBlog::getVF()
  * 3rd party plugins should create their own folder inside /var (aka DC_VAR) to keep it correctly organized
* Emails and web site have been added to the comments filters' list
* Some columns for posts and pages lists are now optional — set in user preferences
* Add Post URL sample in blog parameters
* CKEditor lib update (4.5.8 → 4.6.0)
* Wiki syntax: new ") <text>" mark to generate aside blocks
* CSP (Content Security Policies) have been implemented on admin pages:
  * settings may be adjusted in system settings / about:config → system (see csp_admin… values)
  * violation reports will be stored in admin/csp_report.txt (PHP 5.4+ only)
  * new behaviour adminPageHTTPHeaderCSP may be used by 3rd party to adjust CSP directives
* New behaviour adminPageHTTPheaders
* New "Go Top" button displayed for long admin pages
* 🐛 → Various bugs and typos fixed
* 🌼 → Some locales and cosmetic adjustments

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=912dfdf8625cb5daeaa0c4af99ef0af3527c411d

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 php-dotclear/Makefile | 2 +-
 php-dotclear/TODO     | 2 --
 php-dotclear/distinfo | 8 ++++----
 3 files changed, 5 insertions(+), 7 deletions(-)

diffs:
diff --git a/php-dotclear/Makefile b/php-dotclear/Makefile
index 4d915d5979..e3b2f1aa30 100644
--- a/php-dotclear/Makefile
+++ b/php-dotclear/Makefile
@@ -1,6 +1,6 @@
 # $NetBSD$
 
-DISTNAME=	dotclear-2.9.1
+DISTNAME=	dotclear-2.16
 PKGNAME=	${PHP_PKG_PREFIX}-${DISTNAME}
 CATEGORIES=	www
 MASTER_SITES=	https://download.dotclear.org/latest/ \
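Review bot: The MASTER_SITES context line still points at https://download.dotclear.org/latest/, and with DISTNAME now pinned to dotclear-2.16 that directory will only serve the distfile for as long as 2.16 is upstream's current release. The line ends in a continuation, so the remaining entries are not visible in this hunk; if none of them is a versioned or archive location, please add one so the package stays fetchable against the recorded checksums after the next upstream release. The log message also states that PHP 5.6+ is required, and nothing in this hunk shows the package's accepted PHP versions being checked against that.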
diff --git a/php-dotclear/TODO b/php-dotclear/TODO
deleted file mode 100644
index 66d495b5e4..0000000000
--- a/php-dotclear/TODO
+++ /dev/null
@@ -1,2 +0,0 @@
-Please investigate and try to address the following security vulnerabilites:
- CVE-2018-5689, CVE-2018-5690, CVE-2018-16358
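Review bot: Deleting this TODO is only backed by the log message for CVE-2018-16358, which the quoted changelog names under Dotclear 2.14.2; CVE-2018-5689 and CVE-2018-5690 from the second removed line do not appear by identifier anywhere in it. Please say in the commit message which upstream release fixes those two (the 2.13 entry mentions an XSS fix without an identifier), or keep a TODO entry for them until that is confirmed.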
diff --git a/php-dotclear/distinfo b/php-dotclear/distinfo
index d09aada696..82ad12018e 100644
--- a/php-dotclear/distinfo
+++ b/php-dotclear/distinfo
@@ -1,9 +1,9 @@
 $NetBSD$
 
-SHA1 (dotclear-2.9.1.tar.gz) = 8fd53e04a8fb8d482047224dcf78eca485c3b69e
-RMD160 (dotclear-2.9.1.tar.gz) = f427e5d164c6cf3b743758e461a5972ada71621b
-SHA512 (dotclear-2.9.1.tar.gz) = 09630bf45a51ab986cbdb83aceb74b1c48c4406d5fcad7f8c49dff60cdbe55d96ad6f041cacb7e2df4dc7e83f3dac77f722774c720792145782a2b68a576d9d4
-Size (dotclear-2.9.1.tar.gz) = 2664581 bytes
+SHA1 (dotclear-2.16.tar.gz) = cabff2922b11dd2f486148cce5716b075874a39f
+RMD160 (dotclear-2.16.tar.gz) = 86c6c701b71a7823f49688e8283ec4010a651946
+SHA512 (dotclear-2.16.tar.gz) = 604e28c20a59d381c243fe89e41872f2a94a32aa7af95a954e95bef6a935b65e88f7731182a4f510db96142665468c61061022b055bfd65fd7e6e209acc6fbf8
+Size (dotclear-2.16.tar.gz) = 3759792 bytes
 SHA1 (patch-admin_install_index.php) = 7abbb34e307f2eb17a243feaca7d1cdee5948afa
 SHA1 (patch-admin_install_wizard.php) = dedc2135305ea8dd6e7282ee0957ca43917abf17
 SHA1 (patch-inc_config.php.in) = cd5b8f5693089c3c319c4755f7b86f7e80970bd1
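Review bot: The three SHA1 (patch-...) context lines at the end of this hunk are unchanged, and the diffstat lists only Makefile, TODO and distinfo, so the local patches written against 2.9.1 are carried over to 2.16 as they are. Two of them touch the installer (admin/install/index.php and admin/install/wizard.php), and the log message records an install wizard fix in 2.14.1, so those files have changed upstream in between. Please confirm that all three still apply to the 2.16 sources without fuzz or rejects, and regenerate the patches and their checksums if they do not.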
