drupal 6.11

The eleventh maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes a security vulnerability. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-005 - Drupal core - Cross site scripting

In addition to this security vulnerability, the following bugs have been fixed since the 6.10 release:

• #376408 follow up by pwolanin: search_nodeapi() lacked break in switch; resulted in issue in logic not code flow
• #197864 by vito_swat, alpritt, Murz, catch: Use hook_term_path() in forum module instead of hook_link_alter(); simplfies code, improves performance and compatibility.
• #314314 by bastos, Dave Reid, mr.baileys, Pasqualle: fix invalid XHTML markup in update.php output
• #372914 by chx, pwolanin, webchick: Menu link title localization was broken when a non-t callback was used
• #395086 by Freso: call trim() before truncate_utf8() in comment module for better quality truncation.
• #404244 by cwgordon7: minor code style fix in openid_help().
• #357031 by hinfox, dereine, aaronbauman: trigger_nodeapi() passed a4 twice and did not pass a3 to the action when the action type was other then node
• #141965 by jeffschuler: taxonomy_term_path() and its phpdoc block was separated by one blank line, thus disconnecting it for the API docs parser
• #408962 by brianV: improve phpdoc documentation for menu_tree_collect_node_links() and menu_tree_check_access().
• #290561 by mustafau, AlexisWilke: aggregator_save_category() should ask for the last insert ID in 'aggregator_category', not 'aggregator' when saving.
• #292565 by lyricnz, Damien Tournoud, Jody Lynn, kleinmp, John Morahan, akalsey: Make forms work on 404 and 403 pages. Remove any fake destination set by drupal_not_found() or drupal_access_denied() so that we can properly redirect from those pages.
• #325810 by darren.ferguson, miglius: in tableheader.js $('td'+ location.hash).offset() does not alway return an object, which breaks all JavaScript on the page, so check for the return value before using it.
• #297972 by wilson98, scor, Steven Jones, yched, heyrocker: make the batch API compatible with drupal_execute(), so things like creating a CCK type or adding fields to it (by submitting forms programatically) are possible in update functions
• #365996 by sammys: the correct full name for the timestamp field in postgresql is timestamp without time zone; improve compatibility with PostgreSQL / schema module
• #279233 by Aren Cambre, jbomb: Message printed when email is not being possible to send was informal and had a grammar problem.
• - Patch #316515 by jmburnz, momendo: fixed position of OpenID logo.
• - Patch #372414 by JohnAlbin: don't output empty div when no comment exist.
• - Patch #228477 by anuradha: corrected Sinhala language.
• - Patch #286374 by jhodgdon: fixed documentation of file_save_upload() validators.
• #382096 by Arancaytar: clean up #maxlength use in the installer; remove arbitrary 45 character limits, put reasonable limits in place where it makes sense
• #330084 by c960657: Remove unnecessary duplication of the From header value in Reply-to; standards indicate setting the From header should be sufficient
• #385602 by Damien Tournoud, desbeers: log messages were not remembered on node preview
• #437120 by mfb: avoid double escaping of taxonomy term names in feed links and channel titles
• #437930 by soxofaan: remove unnecessary tabindex attribute from login form; makes altering harder
• #160226 by kymmx, karschsp, Dave Reid, Berdir: statistics module was matching on prefixes of node paths instead of the node paths themselves (and possible subtabs)
• #401304 by Darren Oh: make conditional in statistics_link() more explicit to catch node related invocations
• #363262 follow up by Dave Reid: fix phpdoc comments on update functions to properly mark update functions added after 6.0 was released
• #317775 by Starminder, pwolanin: do not store the menu router table serialized in cache, since it cases more performance problems then it solves
• #282852 by Arancaytar, will_in_wi: remove negative margin on .node in Garland, so nodes do no overlap the messages area on the page
• #227228 by ilmaestro, gpk, ball.in.th, catch, andypost: use per-table cache_flush variables to avoid not flushing all but the first table when multiple tables are cleared
• #445600 by Rob Loach: allow for as few as 1 required word in submission of a node of a content type if the admin wants to set so
• #343415 by Damien Tournoud: the form cache is not automatically cleared on submit if the page cache is activated
• Rolling back #343415 given disputes around its change in Drupal 7.
• #229660 by Dave Reid: use theme('username', ...) to display usernames on the user contact page
• #447700 by dww: Earl Miles is not update.module maintainer anymore
• #431148 by pwolanin, dww: Make it easier to visually distinguish security updates on Updates report
• #396224 by pwolanin: Further harden template file name discovery
• #220592 by dww and pwolanin: Always use the database for caching in update module, so that drupal.org project data persists. Improves both local and drupal.org site performance.