Welcome to phpList 3.2.5
Note: This release contains several security fixes – you should upgrade as soon as possible.
phpList 3.2.5 includes several great new features, important bug fixes, and improved security. My favourite is the new domain statistics table, which provides a clear overview of your subscriber list cleanliness, highlighting domains with a high percentage of unconfirmed or blacklisted subscribers.
The admin attribute placeholders feature will be a bonus for those of you using sub-accounts (multiple administrators) with phpList; it can be used to automatically attribute campaigns to their sender, providing a more personal touch to your messages.
The new automatic image embedding feature is a ‘set-once and forget’ method of ensuring that images are always delivered, regardless of the recipient’s mail client configuration.
I would like to personally thank everyone who has contributed to this release. I’m pleased to welcome several new contributors in this version – individual thanks are included below.— Anna Morris, phpList community manager
- Domain statistics
- The Domain statistics page has a new table identifying domains with high numbers of unconfirmed subscribers. Read about it on the phpList.com blog.
- Admin Attribute Placeholders Simplification
- phpList includes a multi-user account system which allows multiple administrators to manage campaigns and subscribers independently. References to dynamic information about the currently logged in administrator, including administrator attributes, are now possible in campaigns and templates. To sign emails with the name of the currently logged in administrator, follow these steps:
- Set up attributes for the administrator in question, such as First Name and Role:
- Edit your campaign template to include the following Admin attribute placeholders:
[LISTOWNER.ATTRIBUTE]which refers to the owner of the list or
[OWNER.ATTIBUTE]which refers to the owner/creator of the campaign.
- In this example I have added “This message was sent by :
- Then, when the mail is sent, even if it is sent by the superuser account rather than the sub-admin who owns the list, the admin attributes will be inserted correctly.
- This helps bring both a personal touch and a sense of ownership and accountability to the campaign: the subscriber knows who they are speaking to and the account managers know who is responsible for the mail.
- Please note that
[LISTOWNER.ATTRIBUTE]will only work if all the lists are owned by the same person, which is the usual procedure for a sub-account. The the superuser has access to all lists, so should be careful not to mix lists of multiple ownership if using admin attribute placeholder. The superuser may change the ownership of lists. Campaigns are “owned” by the person who created them and that ownership cannot be changed.
- Embed images from external domains
- A new feature contributed by bertpoort, this allows phpList to automatically embed all external images within an HTML email campaign. Often images in campaigns the are blocked by mail clients by default. One way to ensure your images are viewed is to embed them. This works especially well for logos and small images.
- This feature is enabled by setting the following configuration option in your phpList config file:
- Then when you add an external image to your campaign using a URL:
- It will be embedded in the email automatically, so it doesn’t get blocked by mail clients.
- Big thanks to Bertpoort for creating this feature.
- Larger box for regex entry
- We have increased the size of the text box for adding bounce processing regex, which makes it easier to review and tweak your work.
- Lists membership “traffic light” summary
- A great new feature created by Duncan Cameron allows phpList users to see, at a glance, the activity status of list members in the list summary data. In green, we have the active subscribers, in Orange the unconfirmed and in red the blacklisted.
- This new feature can help you see the current size, potential size and and efficacy of a list.
This release contains several security fixes, you should upgrade as soon as possible. If you don’t know how to upgrade, or don’t have time, you can look at paid support move to phpList.com where upgrades are automatic.
The Following security issues were resolved in this version:
- 0018118: CSRF issue which allowed a user to edit a campaign draft they did not have access to, thanks to Mickael Dorigny, bug hunter.
- 0017974: XSS issue which allowed a user to execute code via the database by manipulating the test campaign email recipient address, thanks to Julienl.
- 0018089: update Apache htaccess config files to be compatible with Apache 2.4.
- 0018049: Password reset links can now use HTTPS links.
- Parallel processing sent totals fix
- Privileges / list ownership when resending on sub-admins fix
- 0018088: Thanks to sdanisch for discovering and fixing a bug with the list selection privileges of sub-admins, who were able to send to lists they did not own when re-sending a previously sent campaign. This has now been fixed.
- Send from browser process messages fix
- 0018072: Thanks to duncan his work on a bug affecting those sending from the browser. The messages sent progress was not being displayed, now it is.
- Links in notification emails
- 0018025: Thanks to nettrustnz for reporting an issue with broken links in email notifications, this has now been fixed.
- Forward to a friend subject line bug
- 0018031: Big thanks to Ehaver282 for spotting a bug introduced in phpList 3.2.0 with the new Campaign Meta Data feature. Forward to a friend mails were taking the meta subject rather than campaign subject. Great catch Ehaver282!
- Issues deleting attribute value
- Some people experienced an error ” Error: you do not have sufficient access” when trying to delete an attribute value. This has now been fixed.
- All-digit second level domains
- All-digit second level domains, for example email@example.com.IT, will no longer be rejected as invalid by the “check for valid email” feature.
0017971: For those of you using the parallel processing feature, launched in phpList 3.2.0, the issue with incorrect reporting of send statistics has been corrected. Thanks to duncan for his work on this.
Technical features and fixes
- Plugins to control authentication
- This change allows a plugin to authenticate an admin before the login form is displayed. This will be useful for single sign on (SSO).
- Setting smtp_options for phpMailer
- This feature allows e.g. configuring phpMailer to avoid certificate checking on SSL connections, which is useful for systems which use self-signed certificates.
CKEditor updated: configuration affected
This release of phplist includes a new version of phpList’s CKEditor plugin that has a significant change. The plugin now loads the editor’s files from a content delivery network, instead of including a copy of CKEditor within the plugin.
For most installations this should not cause a problem. However if you have installed a separate copy of CKEditor, for example to use extra CKEditor plugins, then you will need to make a configuration change in order to continue using that.
In the CKEditor group on the Settings page there is a new configuration setting, “URL of ckeditor.js”. The default value refers to the content delivery network. If you want to use a local copy of ckeditor.js then you need to change the setting to refer to that file.
For example, if you have installed CKEditor in the root of your web site in the directory /myckeditor, then the setting should be /myckeditor/ckeditor.js
The old setting “Path to CKeditor” is no longer used.
See here for more information.