Fixed a directory traversal vulnerability discovered by Arnaud Buchoux. See CVE-2015-0269 for more information.
Consider the error reporting level in the install tool (see #7593).
Handle variables and functions when importing style sheets (see #7448).
Fix an infinite recursion problem in the FilesModel class (see #7588).
Fix the position of the input field hints (see #7561).
Do not apply the GDlib maximum dimensions to SVG images (see #7435).
Do not show the diff icon if a record has been deleted (see #7429).
Remove a left-over headline from the ce_text.xhtml template (see #7502).
Preserve comments when exporting CSS files (see #7482).
Fix the LESS import path in the Combiner (see #7533).
Hide the width and height attributes if there is a sizes attribute (see #7500).
Remove the hardcoded figcaption width (see #7549).
Only load the model in the file/page picker if the class exists (see #7490).
Romanize style sheet names (see #7526).
Add the username to the "account has been locked" log entry (see #7551).
Consider the suhosin.memory_limit when raising the PHP limits (see #7035).
Added two missing exclude flags in the tl_page data container (see #7522).
Send an UTF-8 charset header in the die_nicely() function (see #7519).
Correctly validate dates in the Widget class (see #7498).
Back port the fixes from #7475 and #7473.
Send the same cache headers for cached and uncached pages (see #7455).
Fix the current() expects parameter 1 to be array issue (see #6739).
Correctly replace the *_teaser insert tags (see #7488).
Adjust the last and previous login labels (see #7426).
Unset the postUnsafeRaw cache in Input::setPost() (see #7481).
Consider image size IDs when overriding the default image size (see #7470).
Do not require to set a media query in the image sizes.
Fixed a potential directory traversal vulnerability.
Fixed a severe XSS vulnerability. In this context, the insert tag flags
base64_encode and base64_decode have been removed.
Also use simple tokens for the newsletter subscription modules (see #7446).
Only show the root page languages in the meta wizard (see #7112).
Correctly create the initial version in the personal data module (see #7415).
Check if a DB driver has been configured in Config::isComplete() (see #7412).
Correctly mark deleted versions in Versions::addToTemplate() (see #7442).
Replace insert tags of RTE fields in the back end preview (see #7428).
Handle nested insert tags in strip_insert_tags().
Correctly store the model in Dbafs::addResource() (see #7440).
Send the request token when toggling the visibility of an element (see #7406).
Always apply the IE security fix in the Environment class (see #7453).
Added the CSS units vw, vh, vmin and vmax (see #7417).
Replace leafo/lessphp with oyejorge/less.php (see 7012).
Show the correct root icon in the page/file picker (see #7409).
Add an empty option to the image size select menu (see #7436).
Nest wrapper elements in the back end preview (see #7434).
Correctly handle archives being part of multiple RSS feeds (see #7398).
Correctly handle 0 in utf8_convert_encoding() (see #7403).
Send a 301 redirect to forward to the language root page (see #7420).
Handle SVG images in the default back end uploader.
Pass the parent ID of a page to the navigation template (see #7391).
Support the "min", "max" and "step" attributes on number fields (see #7363).
Show the database query duration in debug mode (see #7323).
Added the "executeResize" hook (see #7404).
Handle disabled modules in the module loader.
Support responsive images and the <picture> element (see #7296).
Added the "compareThemeFiles", "extractThemeFiles" and "exportTheme" hooks.
Use the image meta data in Controller::addEnclosuresToTemplate() (see #6746).
Add the dir="rtl" attribute if the page language is RTL (see #7171).
Export .sql files in the theme folder and allow to reimport them (see #7048).
Do not mark pages as active if there are query parameters (see #7189).
Use addImageToTemplate() in the ContentHyperlink class (see #7296).
Removed the H2 sub-headlines in the back end (see #7248).
Only create one DcaExtractor instance per table (see #7324).
Add a CSS class indicating the number of columns in a gallery (see #7138).
Allow to switch between the page and file picker in TinyMCE (see #6974).
Show a message if logging in is required to comment (see #7031).
Added the "sendNewsletter" hook (see #7222).
Make the pagination template more flexible (see #7174).
Limit the selectable file types depending on the element type (see #7003).
Prevent timing attacks when verifying passwords (see #7115, #5853).
Hide the "start" and "stop" fields if an element is not published (see #7148).
Support the backlink configuration setting in the parent view (see #7083).
Added a regex to check for nonnegative natural numbers (see #4392). This also includes the "minval" and "maxval" flags to specify a miminum or maximum value.
Optionally hide files without matching meta data in downloads (see #6874).
Preserve the original CSS ID and classes in the alias elements (see #6638).
Do not directly query the INFORMATION_SCHEMA database (see #7302).
Added the "doNoTrim" flag to the Widget class (see #4287).
Support simple tokens in registration and lost password mails (see #7101).
Consider the options array in Model::countBy() (see #7033).
Support SVG and SVGZ images (see #7108, #5908).
Move the mime types array to a configuration file (see #6843).
Added the sort flag to the eval section of the DCA (see #4072).
Added the "onundo_callback" (see #7258).
Consider the values of referenced fields in the back end search (see #4376).
Add an option to export style sheets (see #7049).
Added widget-* CSS classes to front end form fields (see #7041).
Make the loading order of the style sheets configurable (see #6937).
Remove the rel="author support (see #7291).
Added $item['isTrail'] to the navigation menu templates (see #7096).
Handle data- and ng- attributes in Widget::addAttributes() (see #7095).
Add the class "tableless" to the member_ templates (see #7207).
Added the |async flag to $GLOBALS['TL_JAVASCRIPT'] (see #7172).
Added the "link_name" insert tag (see #7218).
Simplify the "member_grouped" template (see #7015).
Make the front controller classes overwritable.