Totara Release Notes

Totara TXP 18.5, 17.18, 16.24, 15.30, 14.35, 13.43, 12.62, 11.62, 10.64, 9.70, 2.9.67 and 2.7.72 are now available

 
Riana Rossouw
Totara TXP 18.5, 17.18, 16.24, 15.30, 14.35, 13.43, 12.62, 11.62, 10.64, 9.70, 2.9.67 and 2.7.72 are now available
de Riana Rossouw - Monday, 22 de April de 2024, 21:22
Grupo Totara

Hello everyone,

The following versions of Totara Learn have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.

Kind regards 

Release Team

Release 18.5 (23rd April 2024):

Important:

    TL-38202       Changed how the 'Use default section name' checkbox works when editing course section names

                   In the topics course format, when a section name is set to an empty string, the
                   default section name will be shown for that section. This is also true when the
                   name is set to {{null}}, except for section 0. When section 0’s name is set to
                   {{null}} the section name is hidden.

                   Previously, the ‘Edit topic’ form did not allow section name to be an empty
                   string; it was always set to {{null}} if the field was left blank, without
                   regard to the 'Use default section name' checkbox.

                   With this update, the ‘Edit topic’ form will continue to save null if the
                   section name field is blank, but will save '' (empty string) when the 'Use
                   default section name' checkbox is checked. This provides consistent behaviour
                   for all sections, and allows display of the default name for section 0.

                   This change means that the 'Use default section name' checkbox is now unchecked
                   for all sections. There is no change in how section names are displayed.


Security issues:

    TL-38661       Fixed XSS when previewing course upload data

                   The course upload preview contained an XSS risk for users uploading unsafe data.

    TL-39830       Upgraded phenx/php-svg-lib library to the latest version to fix security vulnerabilities fixed in this version

                   Included in this upgrade 

                   * Fixed restriction bypass and potential RCE.
                   * Improved path validation on font through SVG inline styles.
                   * Prevented infinite recursion when parsing SVG document.

    TL-39847       Prevented the sidebar filter from loading data that should not be visible in the context of the embedded report

                   When the sidebar filter is used on an embedded report, it will attempt to reload
                   the report via AJAX whenever one of its filters is changed. Unfortunately the
                   AJAX endpoint does not have any way to re-create the controls that are used to
                   limit the embedded report to just the data needed for the page. As a result, a
                   sidebar-filtered embedded report may include records that should not be visible
                   to the user.
                   
                   This patch fixes the issue by disabling AJAX on the sidebar filter when used on
                   embedded reports. When used like this, the sidebar filter will have ‘search’
                   and ‘clear’ buttons, and will reload the entire page just like other filters
                   do.

    TL-39908       Fixed security issue  CVE-2024-27354 and CVE-2024-27355

                   * Fixed the issue where attacker can construct malformed containing an extremely
                   large prime to cause a denial of service (CPU consumption for an isPrime
                   primality check)
                   * Fixed the issue when processing the ASN.1 object identifier of a certificate,
                   a sub identifier may be provided that leads to a denial of service (CPU
                   consumption for decodeOID)


Performance improvements:

    TL-39655       Improved the performance of selecting individuals for program assignments

Improvements:

    TL-39846       Improved block skip link behaviour

                   Block skip links will now take you to the skip link for the next block, instead
                   of an empty element.

    TL-40067       Improved notification status checkbox aria label
    TL-39890       Changed the main content skip link to point to the [role=main] div

                   This results in better behaviour in some screen readers that would previously
                   just read out "blank".


Bug fixes:

    TL-36300       Increased the character length on the checkbox group for multi choice questions in performance activities

                   Fixed to allow the long response options to take up more space before wrapping

    TL-36666       Made sure that re-certification windows account properly for daylight savings time
    TL-37134       Added new class listmarkerwide for adding more padding to list elements and applied it to book conent

                   This is to provide space for more than 2 digits in the value attribute of a list
                   item

    TL-37606       Added rotation of profile pictures when uploaded from phone
    TL-37687       Fixed files in approval workflows not saving if there were multiple editor fields on a form
    TL-38002       Made display of competencies in linked review element robust against assignment changes

                   Previously when a subject was unassigned from a competency that appeared in a
                   linked review item in  performance activity, there would be a “This competency
                   no longer exists” message. The patch changes that message to “The assignment
                   for this competency no longer exists”.
                   
                   The “This competency no longer exists” message now only appears if the
                   competency itself is deleted from the system.

    TL-38064       Fixed minor inconsistent styling of feedback form elements
    TL-38127       Fixed calendar mobile scroll issue
    TL-38173       Prevented duplicate program/certification assignment notification after removing an exception
    TL-38296       Fixed user report log string that was using "his" instead of "their"
    TL-38418       The config.php cache now updates only when configuration changes
    TL-38503       Tweaked the self enrolment confirmation message, after navigating away, to display the correct course
    TL-38619       Improved bad performance of the "Synchronize audience members" task
    TL-38652       Fixed an issue preventing user access to a report when the default saved search is deleted or made private.
    TL-38692       Fixed missing user identity fields in quiz activity user override user selection menu
    TL-38722       Added information about placeholders to the help text for the 'Custom parameters' field in the 'External tool configuration' form
    TL-38859       Fixed email not updating in ui when changed and confirmed.
    TL-39007       Fixed an error when restoring a course that has custom role names
    TL-39046       Fixed error message appearing on course request page
    TL-39065       Updated course completions operations to now delete cache files for a single course to improve performance
    TL-39093       Changed performance activity participant selection notification to instant sending
    TL-39167       Fixed the incorrect timezone showing in user reports when forced timezone was set
    TL-39170       Added tenant user create post definition hook

                   This change introduced a new hook
                   \totara_tenant\hook\tenant_user_create_form_definition_complete in the tenant
                   user create form

    TL-39198       Fixed a bug where the course/program link would open twice when clicking on the name on a learning review item
    TL-39229       Fixed the legacy webapi 'core_course_update_courses' function removing course completion due dates
    TL-39311       Fixed the dropdown chevron in evidence page.
    TL-39397       Fixed the display of the actions/blank column in activity response reports when re-adding the column
    TL-39443       Fixed that h5p activity can not be duplicated on the course view page
    TL-39533       Fixed threads error in the course completion task when using a MSSQL database
    TL-39631       Fixed a mismatched variable name in a totara plans deletion message
    TL-39678       Added a missing table join for the course completion status in report builder
    TL-39682       Updated decimal custom field to properly support comma decimal separators
    TL-39687       Made “Course Search” block results page left aligned
    TL-39715       Added the correct styles to the data format selector that is used for downloading table data
    TL-39731       Prevented performance activity draft responses showing for other participants for sub-questions of linked review elements
    TL-39821       Updated approval workflow submission process to correctly combine answers when the application changes from a later stage back to an earlier one
    TL-39912       Fixed an issue where goals included in a performance activity review element could not have their full details accessed
    TL-39948       Fixed that pathway course format passed incorrect course_id to the query 'format_pathway_get_course'
    TL-39970       Fixed regression cause by TL-38203 which prevented activity notifications from showing in activity contexts
    TL-40053       Fixed missing include in certification status audience rule

                   In some circumstances, the missing include could cause failures when dynamic
                   audiences based on the certification status rule were being updated.

    TL-39975       Added an accessible label to the expand/collapse arrow on collapsible topics
    TL-40072       Ensured that links in the current learning block are rendered with appropriate visual cues (such as underlines)

Tui front end framework:

    TL-39951       Fixed aria-labelledby link in Tui confimration and Tui information modals
    TL-40154       Progress tracker nav component now always obeys force vertical

Library updates:

    TL-34628       Upgraded jquery-ui to version 1.13.2

                   Resolves jquery-ui CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184


Release 17.18 (23rd April 2024):

Important:

    TL-38202       Changed how the 'Use default section name' checkbox works when editing course section names

                   In the topics course format, when a section name is set to an empty string, the
                   default section name will be shown for that section. This is also true when the
                   name is set to {{null}}, except for section 0. When section 0’s name is set to
                   {{null}} the section name is hidden.

                   Previously, the ‘Edit topic’ form did not allow section name to be an empty
                   string; it was always set to {{null}} if the field was left blank, without
                   regard to the 'Use default section name' checkbox.

                   With this update, the ‘Edit topic’ form will continue to save null if the
                   section name field is blank, but will save '' (empty string) when the 'Use
                   default section name' checkbox is checked. This provides consistent behaviour
                   for all sections, and allows display of the default name for section 0.

                   This change means that the 'Use default section name' checkbox is now unchecked
                   for all sections. There is no change in how section names are displayed.


Security issues:

    TL-38661       Fixed XSS when previewing course upload data

                   The course upload preview contained an XSS risk for users uploading unsafe data.

    TL-39830       Upgraded phenx/php-svg-lib library to the latest version to fix security vulnerabilities fixed in this version

                   Included in this upgrade 

                   * Fixed restriction bypass and potential RCE.
                   * Improved path validation on font through SVG inline styles.
                   * Prevented infinite recursion when parsing SVG document.

    TL-39847       Prevented the sidebar filter from loading data that should not be visible in the context of the embedded report

                   When the sidebar filter is used on an embedded report, it will attempt to reload
                   the report via AJAX whenever one of its filters is changed. Unfortunately the
                   AJAX endpoint does not have any way to re-create the controls that are used to
                   limit the embedded report to just the data needed for the page. As a result, a
                   sidebar-filtered embedded report may include records that should not be visible
                   to the user.
                   
                   This patch fixes the issue by disabling AJAX on the sidebar filter when used on
                   embedded reports. When used like this, the sidebar filter will have ‘search’
                   and ‘clear’ buttons, and will reload the entire page just like other filters
                   do.

    TL-39908       Fixed security issue  CVE-2024-27354 and CVE-2024-27355

                   * Fixed the issue where attacker can construct malformed containing an extremely
                   large prime to cause a denial of service (CPU consumption for an isPrime
                   primality check)
                   * Fixed the issue when processing the ASN.1 object identifier of a certificate,
                   a sub identifier may be provided that leads to a denial of service (CPU
                   consumption for decodeOID)


Performance improvements:

    TL-39655       Improved the performance of selecting individuals for program assignments

Improvements:

    TL-39846       Improved block skip link behaviour

                   Block skip links will now take you to the skip link for the next block, instead
                   of an empty element.

    TL-40067       Improved notification status checkbox aria label
    TL-39890       Changed the main content skip link to point to the [role=main] div

                   This results in better behaviour in some screen readers that would previously
                   just read out "blank".


Bug fixes:

    TL-36300       Increased the character length on the checkbox group for multi choice questions in performance activities

                   Fixed to allow the long response options to take up more space before wrapping

    TL-36666       Made sure that re-certification windows account properly for daylight savings time
    TL-37134       Added new class listmarkerwide for adding more padding to list elements and applied it to book conent

                   This is to provide space for more than 2 digits in the value attribute of a list
                   item

    TL-37606       Added rotation of profile pictures when uploaded from phone
    TL-37687       Fixed files in approval workflows not saving if there were multiple editor fields on a form
    TL-37938       Fixed misaligned true/false question element in Lesson activity
    TL-38002       Made display of competencies in linked review element robust against assignment changes

                   Previously when a subject was unassigned from a competency that appeared in a
                   linked review item in  performance activity, there would be a “This competency
                   no longer exists” message. The patch changes that message to “The assignment
                   for this competency no longer exists”.
                   
                   The “This competency no longer exists” message now only appears if the
                   competency itself is deleted from the system.

    TL-38064       Fixed minor inconsistent styling of feedback form elements
    TL-38127       Fixed calendar mobile scroll issue
    TL-38173       Prevented duplicate program/certification assignment notification after removing an exception
    TL-38296       Fixed user report log string that was using "his" instead of "their"
    TL-38418       The config.php cache now updates only when configuration changes
    TL-38503       Tweaked the self enrolment confirmation message, after navigating away, to display the correct course
    TL-38619       Improved bad performance of the "Synchronize audience members" task
    TL-38652       Fixed an issue preventing user access to a report when the default saved search is deleted or made private.
    TL-38692       Fixed missing user identity fields in quiz activity user override user selection menu
    TL-38722       Added information about placeholders to the help text for the 'Custom parameters' field in the 'External tool configuration' form
    TL-38859       Fixed email not updating in ui when changed and confirmed.
    TL-39007       Fixed an error when restoring a course that has custom role names
    TL-39046       Fixed error message appearing on course request page
    TL-39065       Updated course completions operations to now delete cache files for a single course to improve performance
    TL-39093       Changed performance activity participant selection notification to instant sending
    TL-39167       Fixed the incorrect timezone showing in user reports when forced timezone was set
    TL-39170       Added tenant user create post definition hook

                   This change introduced a new hook
                   \totara_tenant\hook\tenant_user_create_form_definition_complete in the tenant
                   user create form

    TL-39198       Fixed a bug where the course/program link would open twice when clicking on the name on a learning review item
    TL-39229       Fixed the legacy webapi 'core_course_update_courses' function removing course completion due dates
    TL-39397       Fixed the display of the actions/blank column in activity response reports when re-adding the column
    TL-39533       Fixed threads error in the course completion task when using a MSSQL database
    TL-39631       Fixed a mismatched variable name in a totara plans deletion message
    TL-39687       Made “Course Search” block results page left aligned
    TL-39731       Prevented performance activity draft responses showing for other participants for sub-questions of linked review elements
    TL-39821       Updated approval workflow submission process to correctly combine answers when the application changes from a later stage back to an earlier one
    TL-40053       Fixed missing include in certification status audience rule

                   In some circumstances, the missing include could cause failures when dynamic
                   audiences based on the certification status rule were being updated.

    TL-39975       Added an accessible label to the expand/collapse arrow on collapsible topics
    TL-40072       Ensured that links in the current learning block are rendered with appropriate visual cues (such as underlines)

Tui front end framework:

    TL-39951       Fixed aria-labelledby link in Tui confimration and Tui information modals

Library updates:

    TL-34628       Upgraded jquery-ui to version 1.13.2

                   Resolves jquery-ui CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184


Release 16.24 (23rd April 2024):

Important:

    TL-38202       Changed how the 'Use default section name' checkbox works when editing course section names

                   In the topics course format, when a section name is set to an empty string, the
                   default section name will be shown for that section. This is also true when the
                   name is set to {{null}}, except for section 0. When section 0’s name is set to
                   {{null}} the section name is hidden.

                   Previously, the ‘Edit topic’ form did not allow section name to be an empty
                   string; it was always set to {{null}} if the field was left blank, without
                   regard to the 'Use default section name' checkbox.

                   With this update, the ‘Edit topic’ form will continue to save null if the
                   section name field is blank, but will save '' (empty string) when the 'Use
                   default section name' checkbox is checked. This provides consistent behaviour
                   for all sections, and allows display of the default name for section 0.

                   This change means that the 'Use default section name' checkbox is now unchecked
                   for all sections. There is no change in how section names are displayed.


Security issues:

    TL-38661       Fixed XSS when previewing course upload data

                   The course upload preview contained an XSS risk for users uploading unsafe data.

    TL-39830       Upgraded phenx/php-svg-lib library to the latest version to fix security vulnerabilities fixed in this version

                   Included in this upgrade 

                   * Fixed restriction bypass and potential RCE.
                   * Improved path validation on font through SVG inline styles.
                   * Prevented infinite recursion when parsing SVG document.

    TL-39847       Prevented the sidebar filter from loading data that should not be visible in the context of the embedded report

                   When the sidebar filter is used on an embedded report, it will attempt to reload
                   the report via AJAX whenever one of its filters is changed. Unfortunately the
                   AJAX endpoint does not have any way to re-create the controls that are used to
                   limit the embedded report to just the data needed for the page. As a result, a
                   sidebar-filtered embedded report may include records that should not be visible
                   to the user.
                   
                   This patch fixes the issue by disabling AJAX on the sidebar filter when used on
                   embedded reports. When used like this, the sidebar filter will have ‘search’
                   and ‘clear’ buttons, and will reload the entire page just like other filters
                   do.

    TL-39908       Fixed security issue  CVE-2024-27354 and CVE-2024-27355

                   * Fixed the issue where attacker can construct malformed containing an extremely
                   large prime to cause a denial of service (CPU consumption for an isPrime
                   primality check)
                   * Fixed the issue when processing the ASN.1 object identifier of a certificate,
                   a sub identifier may be provided that leads to a denial of service (CPU
                   consumption for decodeOID)


Performance improvements:

    TL-39655       Improved the performance of selecting individuals for program assignments

Bug fixes:

    TL-36300       Increased the character length on the checkbox group for multi choice questions in performance activities

                   Fixed to allow the long response options to take up more space before wrapping

    TL-36666       Made sure that re-certification windows account properly for daylight savings time
    TL-37134       Added new class listmarkerwide for adding more padding to list elements and applied it to book conent

                   This is to provide space for more than 2 digits in the value attribute of a list
                   item

    TL-37606       Added rotation of profile pictures when uploaded from phone
    TL-38127       Fixed calendar mobile scroll issue
    TL-38296       Fixed user report log string that was using "his" instead of "their"
    TL-38418       The config.php cache now updates only when configuration changes
    TL-38503       Tweaked the self enrolment confirmation message, after navigating away, to display the correct course
    TL-38652       Fixed an issue preventing user access to a report when the default saved search is deleted or made private.
    TL-38692       Fixed missing user identity fields in quiz activity user override user selection menu
    TL-38722       Added information about placeholders to the help text for the 'Custom parameters' field in the 'External tool configuration' form
    TL-39170       Added tenant user create post definition hook

                   This change introduced a new hook
                   \totara_tenant\hook\tenant_user_create_form_definition_complete in the tenant
                   user create form

    TL-39631       Fixed a mismatched variable name in a totara plans deletion message
    TL-39687       Made “Course Search” block results page left aligned
    TL-39731       Prevented performance activity draft responses showing for other participants for sub-questions of linked review elements

Tui front end framework:

    TL-39951       Fixed aria-labelledby link in Tui confimration and Tui information modals

Library updates:

    TL-34628       Upgraded jquery-ui to version 1.13.2

                   Resolves jquery-ui CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184


Release 15.30 (23rd April 2024):

Important:

    TL-38202       Changed how the 'Use default section name' checkbox works when editing course section names

                   In the topics course format, when a section name is set to an empty string, the
                   default section name will be shown for that section. This is also true when the
                   name is set to {{null}}, except for section 0. When section 0’s name is set to
                   {{null}} the section name is hidden.

                   Previously, the ‘Edit topic’ form did not allow section name to be an empty
                   string; it was always set to {{null}} if the field was left blank, without
                   regard to the 'Use default section name' checkbox.

                   With this update, the ‘Edit topic’ form will continue to save null if the
                   section name field is blank, but will save '' (empty string) when the 'Use
                   default section name' checkbox is checked. This provides consistent behaviour
                   for all sections, and allows display of the default name for section 0.

                   This change means that the 'Use default section name' checkbox is now unchecked
                   for all sections. There is no change in how section names are displayed.


Security issues:

    TL-38661       Fixed XSS when previewing course upload data

                   The course upload preview contained an XSS risk for users uploading unsafe data.

    TL-39830       Upgraded phenx/php-svg-lib library to the latest version to fix security vulnerabilities fixed in this version

                   Included in this upgrade 

                   * Fixed restriction bypass and potential RCE.
                   * Improved path validation on font through SVG inline styles.
                   * Prevented infinite recursion when parsing SVG document.

    TL-39847       Prevented the sidebar filter from loading data that should not be visible in the context of the embedded report

                   When the sidebar filter is used on an embedded report, it will attempt to reload
                   the report via AJAX whenever one of its filters is changed. Unfortunately the
                   AJAX endpoint does not have any way to re-create the controls that are used to
                   limit the embedded report to just the data needed for the page. As a result, a
                   sidebar-filtered embedded report may include records that should not be visible
                   to the user.
                   
                   This patch fixes the issue by disabling AJAX on the sidebar filter when used on
                   embedded reports. When used like this, the sidebar filter will have ‘search’
                   and ‘clear’ buttons, and will reload the entire page just like other filters
                   do.

    TL-39908       Fixed security issue  CVE-2024-27354 and CVE-2024-27355

                   * Fixed the issue where attacker can construct malformed containing an extremely
                   large prime to cause a denial of service (CPU consumption for an isPrime
                   primality check)
                   * Fixed the issue when processing the ASN.1 object identifier of a certificate,
                   a sub identifier may be provided that leads to a denial of service (CPU
                   consumption for decodeOID)


Performance improvements:

    TL-39655       Improved the performance of selecting individuals for program assignments

Bug fixes:

    TL-36785       Fixed PHP 8.0 related bug in phpspreadsheet library
    TL-37134       Added new class listmarkerwide for adding more padding to list elements and applied it to book conent

                   This is to provide space for more than 2 digits in the value attribute of a list
                   item

    TL-37606       Added rotation of profile pictures when uploaded from phone
    TL-38127       Fixed calendar mobile scroll issue
    TL-38296       Fixed user report log string that was using "his" instead of "their"
    TL-38418       The config.php cache now updates only when configuration changes
    TL-38503       Tweaked the self enrolment confirmation message, after navigating away, to display the correct course
    TL-38692       Fixed missing user identity fields in quiz activity user override user selection menu
    TL-39170       Added tenant user create post definition hook

                   This change introduced a new hook
                   \totara_tenant\hook\tenant_user_create_form_definition_complete in the tenant
                   user create form

    TL-39687       Made “Course Search” block results page left aligned
    TL-39731       Prevented performance activity draft responses showing for other participants for sub-questions of linked review elements

Tui front end framework:

    TL-39951       Fixed aria-labelledby link in Tui confimration and Tui information modals

Library updates:

    TL-34628       Upgraded jquery-ui to version 1.13.2

                   Resolves jquery-ui CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184


Release 14.35 (23rd April 2024):

Important:

    TL-38202       Changed how the 'Use default section name' checkbox works when editing course section names

                   In the topics course format, when a section name is set to an empty string, the
                   default section name will be shown for that section. This is also true when the
                   name is set to {{null}}, except for section 0. When section 0’s name is set to
                   {{null}} the section name is hidden.

                   Previously, the ‘Edit topic’ form did not allow section name to be an empty
                   string; it was always set to {{null}} if the field was left blank, without
                   regard to the 'Use default section name' checkbox.

                   With this update, the ‘Edit topic’ form will continue to save null if the
                   section name field is blank, but will save '' (empty string) when the 'Use
                   default section name' checkbox is checked. This provides consistent behaviour
                   for all sections, and allows display of the default name for section 0.

                   This change means that the 'Use default section name' checkbox is now unchecked
                   for all sections. There is no change in how section names are displayed.


Security issues:

    TL-38661       Fixed XSS when previewing course upload data

                   The course upload preview contained an XSS risk for users uploading unsafe data.

    TL-39830       Upgraded phenx/php-svg-lib library to the latest version to fix security vulnerabilities fixed in this version

                   Included in this upgrade 

                   * Fixed restriction bypass and potential RCE.
                   * Improved path validation on font through SVG inline styles.
                   * Prevented infinite recursion when parsing SVG document.

    TL-39847       Prevented the sidebar filter from loading data that should not be visible in the context of the embedded report

                   When the sidebar filter is used on an embedded report, it will attempt to reload
                   the report via AJAX whenever one of its filters is changed. Unfortunately the
                   AJAX endpoint does not have any way to re-create the controls that are used to
                   limit the embedded report to just the data needed for the page. As a result, a
                   sidebar-filtered embedded report may include records that should not be visible
                   to the user.
                   
                   This patch fixes the issue by disabling AJAX on the sidebar filter when used on
                   embedded reports. When used like this, the sidebar filter will have ‘search’
                   and ‘clear’ buttons, and will reload the entire page just like other filters
                   do.

    TL-39908       Fixed security issue  CVE-2024-27354 and CVE-2024-27355

                   * Fixed the issue where attacker can construct malformed containing an extremely
                   large prime to cause a denial of service (CPU consumption for an isPrime
                   primality check)
                   * Fixed the issue when processing the ASN.1 object identifier of a certificate,
                   a sub identifier may be provided that leads to a denial of service (CPU
                   consumption for decodeOID)


Bug fixes:

    TL-36785       Fixed PHP 8.0 related bug in phpspreadsheet library
    TL-38127       Fixed calendar mobile scroll issue
    TL-38296       Fixed user report log string that was using "his" instead of "their"
    TL-38418       The config.php cache now updates only when configuration changes
    TL-39687       Made “Course Search” block results page left aligned
    TL-39731       Prevented performance activity draft responses showing for other participants for sub-questions of linked review elements

Tui front end framework:

    TL-39951       Fixed aria-labelledby link in Tui confimration and Tui information modals

Library updates:

    TL-34628       Upgraded jquery-ui to version 1.13.2

                   Resolves jquery-ui CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184


Release 13.43 (23rd April 2024):

Important:

    TL-38202       Changed how the 'Use default section name' checkbox works when editing course section names

                   In the topics course format, when a section name is set to an empty string, the
                   default section name will be shown for that section. This is also true when the
                   name is set to {{null}}, except for section 0. When section 0’s name is set to
                   {{null}} the section name is hidden.

                   Previously, the ‘Edit topic’ form did not allow section name to be an empty
                   string; it was always set to {{null}} if the field was left blank, without
                   regard to the 'Use default section name' checkbox.

                   With this update, the ‘Edit topic’ form will continue to save null if the
                   section name field is blank, but will save '' (empty string) when the 'Use
                   default section name' checkbox is checked. This provides consistent behaviour
                   for all sections, and allows display of the default name for section 0.

                   This change means that the 'Use default section name' checkbox is now unchecked
                   for all sections. There is no change in how section names are displayed.


Security issues:

    TL-38661       Fixed XSS when previewing course upload data

                   The course upload preview contained an XSS risk for users uploading unsafe data.

    TL-39830       Upgraded phenx/php-svg-lib library to the latest version to fix security vulnerabilities fixed in this version

                   Included in this upgrade 

                   * Fixed restriction bypass and potential RCE.
                   * Improved path validation on font through SVG inline styles.
                   * Prevented infinite recursion when parsing SVG document.

    TL-39847       Prevented the sidebar filter from loading data that should not be visible in the context of the embedded report

                   When the sidebar filter is used on an embedded report, it will attempt to reload
                   the report via AJAX whenever one of its filters is changed. Unfortunately the
                   AJAX endpoint does not have any way to re-create the controls that are used to
                   limit the embedded report to just the data needed for the page. As a result, a
                   sidebar-filtered embedded report may include records that should not be visible
                   to the user.
                   
                   This patch fixes the issue by disabling AJAX on the sidebar filter when used on
                   embedded reports. When used like this, the sidebar filter will have ‘search’
                   and ‘clear’ buttons, and will reload the entire page just like other filters
                   do.

    TL-39908       Fixed security issue  CVE-2024-27354 and CVE-2024-27355

                   * Fixed the issue where attacker can construct malformed containing an extremely
                   large prime to cause a denial of service (CPU consumption for an isPrime
                   primality check)
                   * Fixed the issue when processing the ASN.1 object identifier of a certificate,
                   a sub identifier may be provided that leads to a denial of service (CPU
                   consumption for decodeOID)


Bug fixes:

    TL-38127       Fixed calendar mobile scroll issue
    TL-38296       Fixed user report log string that was using "his" instead of "their"
    TL-39687       Made “Course Search” block results page left aligned

Tui front end framework:

    TL-39951       Fixed aria-labelledby link in Tui confimration and Tui information modals

Library updates:

    TL-34628       Upgraded jquery-ui to version 1.13.2

                   Resolves jquery-ui CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184


Release 12.62 (23rd April 2024):

Security issues:

    TL-38661       Fixed XSS when previewing course upload data

                   The course upload preview contained an XSS risk for users uploading unsafe data.


Release 11.62 (23rd April 2024):

Security issues:

    TL-38661       Fixed XSS when previewing course upload data

                   The course upload preview contained an XSS risk for users uploading unsafe data.


Release 10.64 (23rd April 2024):

Security issues:

    TL-38661       Fixed XSS when previewing course upload data

                   The course upload preview contained an XSS risk for users uploading unsafe data.


Release 9.70 (23rd April 2024):

Security issues:

    TL-38661       Fixed XSS when previewing course upload data

                   The course upload preview contained an XSS risk for users uploading unsafe data.


Release 2.9.67 (23rd April 2024):

Security issues:

    TL-38661       Fixed XSS when previewing course upload data

                   The course upload preview contained an XSS risk for users uploading unsafe data.


Release 2.7.72 (23rd April 2024):

Security issues:

    TL-38661       Fixed XSS when previewing course upload data

                   The course upload preview contained an XSS risk for users uploading unsafe data.