• Previous versions of Vanilla contained an XSS security hole in the ajax/updatecheck.php file.

• mark
• Sanyi

• Vanilla 1.1.6 could not be installed with MySql < 4.1.
• Vanilla installer now fully support SSL servers.

All fixed issues

• dinoboff
• mumpitz
• Pifman
• x00

• Vanilla 1.1.6 can now set cookies with the secure or httponly option.
• Vanilla 1.1.6 can encrypt the UserID saved in cookie for the “remember me”.

Thanks to Reed Loden for the bug reports and patches for these two issues.

• Diverse CSS fixes.
• Fixed a CSRF check optimisation.
• Fixed incompatibility of sql query with MySql “ONLY_FULL_GROUP_BY” mode.
• Authenticator and UserManager do not use php session directly (leave it to PeopleSession).
• UserManager could not send email on registration and change of role with php 4.1.x and 4.2.x.
• Remove duplicate BASE_URL in registration email link (patch from Reed Loden).
• Add SSL support to the installer.

• Added delegation: PostRemoveCategory.
• Vanilla 1.1.6+ Allows other tables than LUM_User to bypass the table prefix.
• Added default utf8 charset to vanilla table (on installation).
• Replace first “comment delete” option by the “Delete discussion” one.
• Improve configuration file parser (they won’t require to end with “>?”).
• Added a file_get_contents for php 4.1.x and 4.2.x.
• Made jQuery compatible with Prototype (use $() for Prototype and jQuery() for jQuery).
• Added a new discussion option to move discussions. A user needs a “Move any discussion” permission or to own the discussion to have access to this feature.

• dinoboff
• edavis
• hst
• izaak
• Mark O'Sullivan
• Reed Loden
• [-Stash-]
• sirlancelot
• SubJunk
• Wallphone

• Fixed a minor bug on login page.
• Fixed a php4 incompatibility bug with the integrity checker.
• Removed integrity check on the installation page (the md5 signature doesn’t seem be portable yet).

• Fixed XSS vulnerability in member's Personal Information form. Thanks to James Bercegay from Gulftech Security Research.
• Fixed XSS vulnerability on registration form, thanks to James Bercegay for this one as well.
• Now regenerating the remember-me cookie when a user changing password.
• Fixed CSRF vulnerability in ajax/UpdateCheck.php.
• Fixed CSRF vulnerability with the sign-out page. Thanks to ggaudrea.
• Strengthened users' password storage. Thanks to squirrel for reporting the issue and helping fixing it.

• Fixed a bug that kept some calls to RemoveTab from working properly.
• Fixed various bugs in the installer when using a custom database prefix.
• Better validation of a new discussion’s category.
• Fixed paging bug in search result links to multi-page discussions.
• Fixed wrong encoding on the “Terms of Service” page.
• Fixed CSS font naming (added quote around font names and default generic font).
• Inserted missing success message on password change.
• Inserted missing closing DIV tag on people sign-in page.
• Corrected edit discussion form title.
• Fixed People delegation bug.
• Replaced hard-coded table and field names with configuration settings in various server-side Ajax files.
• Fixed typo in Head::AddStyleSheet().
• Fixed various comparison and assignment typos (== instead of = ).
• Better support for UTF-8 in search.
• Fixed typo in AddDaysToTimeStamp().
• Added support for ssl hosted images and icons on profiles.
• Encoded the return url in the sign-in link.
• Restricted duplicate user name validation when saving profile.
• Fixed some IE6 CSS bugs.
• Fixed bug preventing the use of numeric database prefix.

• Installer displays warning when using a blank database password.
• Added various delegates.
• Added Discussion::DiscussionPrefix().
• DiscussionManager::GetDiscussionList() can now pull discussions from multiple categories at once.
• Simplified build for deployment (see http://lussumo.com/docs/doku.php?id=vanilla:installingfromsvn).
• Added JS and CSS source file to package.
• Added Session::GetCsrfValidationKey() to retrieve the CSRF validation key.
• Added PHPdocumentor-like comments to SqlBuilder
• Added new option to SqlBuilder::AddWhere() for mix of OR and AND operators.
• Added integrity checker (for debugging purpose).
• Edited CHMOD instructions.
• Added jQuery.js (version 1.2.6) in previous of future use in Vanilla 1.2
• Added persistent object factory references.

• DCLXVI
• Dinoboff
• edavis
• gerry22
• ggaudrea
• James Bercegay
• Pogo
• Mark O'Sullivan
• mattucf
• Minisweeper
• miquel
• MySchizoBuddy
• np
• pbear
• Pere
• sirlancelot
• SirNot
• squirrel
• Stoli Vanil
• timfire
• WallPhone
• Wanderer