Totara Release Notes

Security Releases for Totara 2.2.38, 2.4.31, 2.5.28, 2.6.21 and 2.7.4 released 23rd June 2015

 
? ?
Security Releases for Totara 2.2.38, 2.4.31, 2.5.28, 2.6.21 and 2.7.4 released 23rd June 2015
door ? ? - Monday, 22 June 2015, 23:11 PM
 

Totara 2.2.38, 2.4.31, 2.5.28, 2.6.21 and 2.7.4 are all security releases because they include security fixes. We strongly recommend upgrading to these versions. These versions also contain various bug fixes and improvements.

 

Hugh Davenport at Catalyst NZ, Pavel Tsakalidis at Kineo UK, Rickard Skiold at xtractor, Russell England at Vision NV, and Tom Black at Kineo UK all have contributions in these releases - further details in the changelogs:

 

 

Release 2.7.4 (23rd June 2015):
==================================================

Security issues:

    TL-6566        Improved XSS prevention checks when serving untrusted files in IE
    TL-6576        Ensured Audience description is sanitised before display

                   Thanks to Hugh Davenport at Catalyst NZ for reporting and providing a fix
                   for this issue.

    TL-6613        Improved validation of local URLs
    TL-6614        Added a warning when a site is not using HTTPS and secure cookies.
    TL-6617        Added username enumeration warnings to the Security Overview report if self-registration is active or protectusernames is disabled.


Improvements:

    TL-5130        Added suspended user rule to dynamic Audiences

                   It is now possible to include or exclude users from a dynamic audience
                   based on whether or not they are suspended

    TL-6133        Improved performance of the main menu resulting in fewer database queries and file includes on each page view
    TL-6255        Added setting to allow users with inactive enrolments to be shown on course completion reports

                   Normally the course completion and activity completion reports within a
                   course do not show completion information for learners who do not have
                   existing active enrolments, but who may have completed activities in the
                   past when enrolled. Disabling this option on both reports will display all
                   completion data in these reports including for those learners with
                   suspended, expired or removed enrolments.

    TL-6303        Improved PDF export of Appraisals when question content results in a page break.
    TL-6329        Added "Use fixed expiry date" recertification option in Certifications

                   This adds a third option for how the expiry dates on certifications are
                   calculated. Details are provided in the help popups in the 'Certification'
                   tab when editing a certification. This patch also slightly changes the
                   behaviour of 'Use certification expiry date' - if a user's assignment (on
                   the 'Assignments' tab) has a completion due date then this date will be
                   used to calculate the expiry date the first time that the user certifies,
                   rather than just using the date that the user completed the certification.
                   The certification import tool has also been updated to support these
                   changes.

    TL-6358        Added config option to control the display of Hierarchy framework, type and item shortcodes

                   Previously whether Hierarchy shortcodes were displayed was defined in code.
                   This patch adds a new config setting under Advanced Features. If you had
                   previously made a customisation to the code (by setting constant
                   HIERARCHY_DISPLAY_SHORTNAMES in totara/hierarchy/lib.php to true) to enable
                   the display of Hierarchy shortcodes, you will need to re-enable the display
                   of shortcodes using the new configuation setting.

    TL-6452        Improved the performance of the course completion scheduled task
    TL-6523        Allowed users to navigate away from long-running report exports in Reportbuilder

                   Attempting to export a large report and then navigate away to any other
                   page while the export was still processing would result in an error: "Timed
                   out while waiting for session lock. Wait for your current requests to
                   finish and try again later." and then the system could then become unusable
                   for that user. Now the user can navigate away from the export safely (which
                   would cancel the export), or continue navigating the site in a different
                   browser window/tab (while waiting for the export window to complete).

    TL-6544        Changed certification Status strings in certification reports to better reflect the actual statuses

                   "Assigned" was changed to "Not certified"
                   "Completed" was changed to "Certified"
                   "Expired" and "In progress" were unchanged.

    TL-6558        Improved scalability of query in course completion

                   This was causing a database error on some platforms due to an oversized IN
                   query with large data sets.

    TL-6582        Fixed inconsistencies in site manager appearance-related capabilities

                   Previously the appearance related permission for a site manager was not
                   consistent comparing a new install and a permission reset. The
                   totara/core:appearance capabilty is now consistently used across all roles.

    TL-6604        Improved appearance of Learning Plans tables on the My Learning pages for RTL languages
    TL-6626        Added new capability controls for access to activity modules plugin settings
    TL-6639        Updated the default content options for the My Team report to include temporary assignments

                   This change will only affect future installs and My Team reports that are
                   reset to default settings, to apply this change manually you can edit the
                   My Team report and on the content tab tick the "Records for user's
                   temporary reports" option.

    TL-6650        Changed program user assignments to defer large changes to happen on the next cron run

                   Previously, when saving changes to user assignments in a Program or
                   Certification, the new users were assigned when the save button was
                   clicked. This was causing pages to time out when assigning large audiences.
                   Now, the contents of the assignment tab are saved immediately but the users
                   are not assigned to the program until the next cron run occurs. On-screen
                   notifications have been added to indicate if pending assignments are
                   waiting for a cron run.

    TL-6735        Added logging whenever activity completion is unlocked
    TL-6756        Improved information provided by webservices logging


Bug fixes:

    TL-5978        Fixed inconsistent access control checks for Learning Plans

                   The behaviour has now been standardised throughout the code. Granting the
                   totara/plan:manageanyplan capability allows users to create and edit plans for any user.
                   Granting totara/plan:accessplan allows users to see and modify their own plans,
                   and allows staff managers to create and edit the plans of their staff.

    TL-6222        Fixed courses incorrectly being visible in the Courses section of the Navigation block when using audience-based visibility
    TL-6263        Fixed reaggregation of course completion

                   Course completion records would never be reaggregated on the cron run, if
                   the "Completion begins on enrolment" course setting was turned off when
                   course completion criteria were unlocked.

    TL-6319        Fixed rules for dynamic Audiences based on a text input user profile/custom field being empty
    TL-6360        Fixed setting of cancellation custom field value when calling facetoface_user_cancel_submission.
    TL-6372        Fixed course deletion so that deleting a course now removes that course from Programs and Certifications

                   Previously if a course was deleted and it was part of a program or
                   certification, then some actions e.g. setting up recertification would
                   cause an error on cron run. This patch ensures that no new orphaned
                   references will be created and also fixes any that currently exist.

    TL-6374        Fixed Reportbuilder 'last/next X days' date filters

                   The 'Is between today and X days before/after today' filters were
                   internally using a specific date rather than a relative number, resulting
                   in saved searches not working as intended. This filter will now always be
                   relative to the date on which it is used. Existing saved searches have been
                   converted, but it is possible that some may be incorrect (although all were
                   wrong without this patch). We advise that users check that saved searches
                   which contain date filters have the intended values.

                   Note that any users that are logged in and using these filters during the
                   upgrade progress may need to log out and back in to see the correct values.

    TL-6403        Fixed error message when displaying categories that contain only hidden courses
    TL-6419        Removed Temporary manager expiry date from Learner's position page when no temporary manager is assigned
    TL-6438        Fixed parameter validation when using the create/update courses web services
    TL-6440        Fixed create/edit capability permissions for Programs and Certifications
    TL-6466        Fixed dynamic Audience rules based off date/time custom fields

                   If the date/time custom field was set to a date after 2038 the rule
                   comparison broke, we switched the cast2int function to use bigint so the
                   comparison can take place.

    TL-6473        Fixed display of Reportbuilder report graph block for reports where a default sort column is specified
    TL-6508        Fixed unenrolled courses showing in My Current Courses home page block
    TL-6515        Fixed scheduling of HR Import, Reportbuilder export and Reportbuilder caching.

                   HR Import scheduling is now using the system timezone. Scheduled reports
                   are now using timezone of the user that created them.

    TL-6516        Fixed resetting of Certification message logs when the recertification window opens

                   When the window opens it tried to delete message logs for the users manager
                   as well as the user even though the manager records were never created.

    TL-6521        Fixed dynamic Audience date-based rules for first and last login dates
    TL-6539        Fixed Program due messages being sent to users who have current exceptions
    TL-6559        Fixed the Evidence report source showing records for deleted users
    TL-6560        Totara Messaging now consistently uses the support user email as the from address when no from user is provided

                   When sending a message, we now use the support_user email if no user is
                   specified. Send functions will also now support NOREPLY_USER.

    TL-6561        Added additional validation when trying to activate Appraisals containing aggregation questions

                   Stops activation of appraisals containing aggregation questions with no
                   selected aggregations

    TL-6562        Fixed Facetoface session custom fields showing PHP Notice and Warning errors when creating a new session
    TL-6579        Fixed ability to add aggregate rating questions to Appraisals when using a non-English language pack
    TL-6581        Improved handling of and recovery from missing Certification completion records

                   Due to various causes such as page timeouts, it is possible that some
                   certification completion records are not being created. This patch ensures
                   that the records are created when users access their certifications. A
                   check has been added to the certification cron task which will find any
                   users who are missing these records and will create them.

    TL-6587        Fixed HR Import log message if a user cannot be deleted
    TL-6589        Removed invalid CSS declaration

                   There was an @charset declaration in a certifications CSS stylesheet that
                   would cause invalid CSS when theme designer mode is turned off. This has
                   been removed.

    TL-6591        Removed unused CSS declarations

                   There were some unused Mozzilla Firefox CSS declarations that were causing
                   issues with custom CSS in Custom Totara Responsive

    TL-6592        Fixed the display of the completion status for deleted users in Record of Learning reports
    TL-6596        Fixed the unassigning of Audience members from system roles when an Audience is deleted
    TL-6597        Fixed blank rows appearing in the sorting default column on Reportbuilder columns tab
    TL-6598        Fixed Facetoface fullname column always showing 'reserved' in reports
    TL-6600        Fixed error when trying to create a user profile custom field after using the browser back button
    TL-6606        Fixed sending of course Reminder messages

                   When a feedback activity is added to a course, invitation and reminder
                   messages would sometimes not be sent, depending on the "Personal messages
                   between users" message output config settings. These reminder messages have
                   now been converted to standard Totara Alerts.

    TL-6608        Fixed order of icons for RTL languages in the Tasks block
    TL-6619        Fixed the error message when trying to delete an unknown post in the Forum
    TL-6628        Fixed error when trying to close an active Appraisal with no assigned users
    TL-6631        Fixed the line wrapping and display of preformatted text in Labels
    TL-6635        Fixed the formatting of exported columns in the Record of Learning: Certifications report

                   Removes the "overdue" and "X days remaining" warnings displayed on the
                   window opens and expiration date columns for exports of reports based off
                   the Record of Learning: Certifications source.

    TL-6647        Fixed the selection of stages to print when printing Appraisals
    TL-6652        Fixed the display of the 'roles that can view' column on the edit Appraisal page
    TL-6661        Fixed alphabetic ordering of user list when using 'Allocate spaces for team' page in a  Facetoface session, when manager reservations are enabled
    TL-6680        Improved display when adding a random quiz question to a quiz when using RTL languages
    TL-6681        Fixed behaviour of Feedback activity forms when form_change_checker is disabled

                   The form change checker detects if any form elements on the page have been
                   changed since last load. If the form change checker is disabled some of the
                   Feedback activity forms were generating errors.

    TL-6694        Prevented incorrect room booking conflicts from being shown when creating a Facetoface session
    TL-6697        Fixed Facetoface custom rooms on session duplication

                   If you duplicated a Facetoface session with a custom room, the room was not
                   duplicated leaving you with 2 sessions using the same custom room. If you
                   then removed the custom room from one session it was deleted, breaking the
                   other session.

    TL-6705        Fixed incorrect risk flag on Plan Evidence capability

                   totara/plan:editownsiteevidence capability was incorrectly marked as a
                   dataloss risk, which made the Security Overview report say the
                   Authenticated User role was incorrectly defined

    TL-6711        Fixed display of course default section title when using multilang filter on a course using the Demo course format
    TL-6720        Fixed role-based visibility access checks on the frontpage
    TL-6744        Fixed error message when adding linked courses to Learning Plan competencies or objectives


Contributions:

    * Hugh Davenport at Catalyst NZ - TL-6576
    * Pavel Tsakalidis at Kineo UK - TL-6452
    * Rickard Skiold at xtractor - TL-6560
    * Russell England at Vision NV - TL-6360
    * Tom Black at Kineo UK - TL-6516

 

Release 2.6.21 (23rd June 2015):
==================================================

Security issues:

    TL-6566        Improved XSS prevention checks when serving untrusted files in IE
    TL-6576        Ensured Audience description is sanitised before display

                   Thanks to Hugh Davenport at Catalyst NZ for reporting and providing a fix
                   for this issue.

    TL-6613        Improved validation of local URLs


Improvements:

    TL-5130        Added suspended user rule to dynamic Audiences

                   It is now possible to include or exclude users from a dynamic audience
                   based on whether or not they are suspended

    TL-6303        Improved PDF export of Appraisals when question content results in a page break.
    TL-6358        Added config option to control the display of Hierarchy framework, type and item shortcodes

                   Previously whether Hierarchy shortcodes were displayed was defined in code.
                   This patch adds a new config setting under Advanced Features. If you had
                   previously made a customisation to the code (by setting constant
                   HIERARCHY_DISPLAY_SHORTNAMES in totara/hierarchy/lib.php to true) to enable
                   the display of Hierarchy shortcodes, you will need to re-enable the display
                   of shortcodes using the new configuation setting.

    TL-6523        Allowed users to navigate away from long-running report exports in Reportbuilder

                   Attempting to export a large report and then navigate away to any other
                   page while the export was still processing would result in an error: "Timed
                   out while waiting for session lock. Wait for your current requests to
                   finish and try again later." and then the system could then become unusable
                   for that user. Now the user can navigate away from the export safely (which
                   would cancel the export), or continue navigating the site in a different
                   browser window/tab (while waiting for the export window to complete).

    TL-6544        Changed certification Status strings in certification reports to better reflect the actual statuses

                   "Assigned" was changed to "Not certified"
                   "Completed" was changed to "Certified"
                   "Expired" and "In progress" were unchanged.

    TL-6558        Improved scalability of query in course completion

                   This was causing a database error on some platforms due to an oversized IN
                   query with large data sets.

    TL-6604        Improved appearance of Learning Plans tables on the My Learning pages for RTL languages
    TL-6650        Changed program user assignments to defer large changes to happen on the next cron run

                   Previously, when saving changes to user assignments in a Program or
                   Certification, the new users were assigned when the save button was
                   clicked. This was causing pages to time out when assigning large audiences.
                   Now, the contents of the assignment tab are saved immediately but the users
                   are not assigned to the program until the next cron run occurs. On-screen
                   notifications have been added to indicate if pending assignments are
                   waiting for a cron run.

    TL-6735        Added logging whenever activity completion is unlocked


Bug fixes:

    TL-5978        Fixed inconsistent access control checks for Learning Plans

                   The behaviour has now been standardised throughout the code. Granting the
                   totara/plan:manageanyplan capability allows users to create and edit plans for any user.
                   Granting totara/plan:accessplan allows users to see and modify their own plans,
                   and allows staff managers to create and edit the plans of their staff.

    TL-6222        Fixed courses incorrectly being visible in the Courses section of the Navigation block when using audience-based visibility
    TL-6263        Fixed reaggregation of course completion

                   Course completion records would never be reaggregated on the cron run, if
                   the "Completion begins on enrolment" course setting was turned off when
                   course completion criteria were unlocked.

    TL-6319        Fixed rules for dynamic Audiences based on a text input user profile/custom field being empty
    TL-6372        Fixed course deletion so that deleting a course now removes that course from Programs and Certifications

                   Previously if a course was deleted and it was part of a program or
                   certification, then some actions e.g. setting up recertification would
                   cause an error on cron run. This patch ensures that no new orphaned
                   references will be created and also fixes any that currently exist.

    TL-6374        Fixed Reportbuilder 'last/next X days' date filters

                   The 'Is between today and X days before/after today' filters were
                   internally using a specific date rather than a relative number, resulting
                   in saved searches not working as intended. This filter will now always be
                   relative to the date on which it is used. Existing saved searches have been
                   converted, but it is possible that some may be incorrect (although all were
                   wrong without this patch). We advise that users check that saved searches
                   which contain date filters have the intended values.

                   Note that any users that are logged in and using these filters during the
                   upgrade progress may need to log out and back in to see the correct values.

    TL-6419        Removed Temporary manager expiry date from Learner's position page when no temporary manager is assigned
    TL-6440        Fixed create/edit capability permissions for Programs and Certifications
    TL-6466        Fixed dynamic Audience rules based off date/time custom fields

                   If the date/time custom field was set to a date after 2038 the rule
                   comparison broke, we switched the cast2int function to use bigint so the
                   comparison can take place.

    TL-6516        Fixed resetting of Certification message logs when the recertification window opens

                   When the window opens it tried to delete message logs for the users manager
                   as well as the user even though the manager records were never created.

    TL-6539        Fixed Program due messages being sent to users who have current exceptions
    TL-6540        Fixed shortname type for Face-to-face custom fields

                   If there is a problem saving your Face-to-face session with Custom session
                   field, please update Custom session field shortname and then update
                   Face-to-face session.

    TL-6559        Fixed the Evidence report source showing records for deleted users
    TL-6560        Totara Messaging now consistently uses the support user email as the from address when no from user is provided

                   When sending a message, we now use the support_user email if no user is
                   specified. Send functions will also now support NOREPLY_USER.

    TL-6581        Improved handling of and recovery from missing Certification completion records

                   Due to various causes such as page timeouts, it is possible that some
                   certification completion records are not being created. This patch ensures
                   that the records are created when users access their certifications. A
                   check has been added to the certification cron task which will find any
                   users who are missing these records and will create them.

    TL-6587        Fixed Totara Sync log message if a user cannot be deleted
    TL-6596        Fixed the unassigning of Audience members from system roles when an Audience is deleted
    TL-6598        Fixed Facetoface fullname column always showing 'reserved' in reports
    TL-6606        Fixed sending of course Reminder messages

                   When a feedback activity is added to a course, invitation and reminder
                   messages would sometimes not be sent, depending on the "Personal messages
                   between users" message output config settings. These reminder messages have
                   now been converted to standard Totara Alerts.

    TL-6608        Fixed order of icons for RTL languages in the Tasks block
    TL-6631        Fixed the line wrapping and display of preformatted text in Labels
    TL-6633        Fixed sharing of config and dbmeta caches by version

                   Configuring the config or database meta information caches to be shared by
                   version could lead to a notice and caches being over-shared regardless of
                   version.
                   This fix ensure that the version is properly loaded in early initialisation
                   situations when sharing has been configured to include version for these
                   two sites.

    TL-6635        Fixed the formatting of exported columns in the Record of Learning: Certifications report

                   Removes the "overdue" and "X days remaining" warnings displayed on the
                   window opens and expiration date columns for exports of reports based off
                   the Record of Learning: Certifications source.

    TL-6661        Fixed alphabetic ordering of user list when using 'Allocate spaces for team' page in a  Facetoface session, when manager reservations are enabled
    TL-6663        Fixed enforcement of required custom profile fields when self-registration is enabled and the registering user is currently logged-in as a guest
    TL-6680        Improved display when adding a random quiz question to a quiz when using RTL languages
    TL-6697        Fixed Facetoface custom rooms on session duplication

                   If you duplicated a Facetoface session with a custom room, the room was not
                   duplicated leaving you with 2 sessions using the same custom room. If you
                   then removed the custom room from one session it was deleted, breaking the
                   other session.

    TL-6744        Fixed error message when adding linked courses to Learning Plan competencies or objectives


Contributions:

    * Hugh Davenport at Catalyst NZ - TL-6576
    * Rickard Skiold at xtractor - TL-6560
    * Tom Black at Kineo UK - TL-6516

 

Release 2.5.28 (23rd June 2015):
==================================================

Security issues:

    TL-6566        Improved XSS prevention checks when serving untrusted files in IE
    TL-6576        Ensured Audience description is sanitised before display

                   Thanks to Hugh Davenport at Catalyst NZ for reporting and providing a fix
                   for this issue.

    TL-6613        Improved validation of local URLs


Improvements:

    TL-6358        Added config option to control the display of Hierarchy framework, type and item shortcodes

                   Previously whether Hierarchy shortcodes were displayed was defined in code.
                   This patch adds a new config setting under Advanced Features. If you had
                   previously made a customisation to the code (by setting constant
                   HIERARCHY_DISPLAY_SHORTNAMES in totara/hierarchy/lib.php to true) to enable
                   the display of Hierarchy shortcodes, you will need to re-enable the display
                   of shortcodes using the new configuation setting.

    TL-6544        Changed certification Status strings in certification reports to better reflect the actual statuses

                   "Assigned" was changed to "Not certified"
                   "Completed" was changed to "Certified"
                   "Expired" and "In progress" were unchanged.

    TL-6558        Improved scalability of query in course completion

                   This was causing a database error on some platforms due to an oversized IN
                   query with large data sets.

    TL-6650        Changed program user assignments to defer large changes to happen on the next cron run

                   Previously, when saving changes to user assignments in a Program or
                   Certification, the new users were assigned when the save button was
                   clicked. This was causing pages to time out when assigning large audiences.
                   Now, the contents of the assignment tab are saved immediately but the users
                   are not assigned to the program until the next cron run occurs. On-screen
                   notifications have been added to indicate if pending assignments are
                   waiting for a cron run.

    TL-6664        Improved the performance of Reportbuilder management pages
    TL-6735        Added logging whenever activity completion is unlocked

Bug fixes:

    TL-5978        Fixed inconsistent access control checks for Learning Plans

                   The behaviour has now been standardised throughout the code. Granting the
                   totara/plan:manageanyplan capability allows users to create and edit plans for any user.
                   Granting totara/plan:accessplan allows users to see and modify their own plans,
                   and allows staff managers to create and edit the plans of their staff.

    TL-6222        Fixed courses incorrectly being visible in the Courses section of the Navigation block when using audience-based visibility
    TL-6263        Fixed reaggregation of course completion

                   Course completion records would never be reaggregated on the cron run, if
                   the "Completion begins on enrolment" course setting was turned off when
                   course completion criteria were unlocked.

    TL-6319        Fixed rules for dynamic Audiences based on a text input user profile/custom field being empty
    TL-6374        Fixed Reportbuilder 'last/next X days' date filters

                   The 'Is between today and X days before/after today' filters were
                   internally using a specific date rather than a relative number, resulting
                   in saved searches not working as intended. This filter will now always be
                   relative to the date on which it is used. Existing saved searches have been
                   converted, but it is possible that some may be incorrect (although all were
                   wrong without this patch). We advise that users check that saved searches
                   which contain date filters have the intended values.

                   Note that any users that are logged in and using these filters during the
                   upgrade progress may need to log out and back in to see the correct values.

    TL-6440        Fixed create/edit capability permissions for Programs and Certifications
    TL-6516        Fixed resetting of Certification message logs when the recertification window opens

                   When the window opens it tried to delete message logs for the users manager
                   as well as the user even though the manager records were never created.

    TL-6539        Fixed Program due messages being sent to users who have current exceptions
    TL-6581        Improved handling of and recovery from missing Certification completion records

                   Due to various causes such as page timeouts, it is possible that some
                   certification completion records are not being created. This patch ensures
                   that the records are created when users access their certifications. A
                   check has been added to the certification cron task which will find any
                   users who are missing these records and will create them.

    TL-6633        Fixed sharing of config and dbmeta caches by version

                   Configuring the config or database meta information caches to be shared by
                   version could lead to a notice and caches being over-shared regardless of
                   version.
                   This fix ensure that the version is properly loaded in early initialisation
                   situations when sharing has been configured to include version for these
                   two sites.

    TL-6663        Fixed enforcement of required custom profile fields when self-registration is enabled and the registering user is currently logged-in as a guest
    TL-6680        Improved display when adding a random quiz question to a quiz when using RTL languages
    TL-6744        Fixed error message when adding linked courses to Learning Plan competencies or objectives


Contributions:

    * Hugh Davenport at Catalyst NZ - TL-6576
    * Tom Black at Kineo UK - TL-6516

 

Release 2.4.31 (23rd June 2015):
==================================================


Security issues:

    TL-6566        Improved XSS prevention checks when serving untrusted files in IE
    TL-6576        Ensured Audience description is sanitised before display

                   Thanks to Hugh Davenport at Catalyst NZ for reporting and providing a fix
                   for this issue.

    TL-6613        Improved validation of local URLs


Improvements:

    TL-6558        Improved scalability of query in course completion

                   This was causing a database error on some platforms due to an oversized IN
                   query with large data sets.


Bug fixes:

    TL-6680        Improved display when adding a random quiz question to a quiz when using RTL languages


Contributions:

    * Hugh Davenport at Catalyst NZ - TL-6576

 

Release 2.2.38 (23rd June 2015):
==================================================


Security issues:

    TL-6566        Improved XSS prevention checks when serving untrusted files in IE
    TL-6576        Ensured Audience description is sanitised before display

                   Thanks to Hugh Davenport at Catalyst NZ for reporting and providing a fix
                   for this issue.

    TL-6613        Improved validation of local URLs


Contributions:

    * Hugh Davenport at Catalyst NZ - TL-6576