diff options
author | Lorry Tar Creator <lorry-tar-importer@lorry> | 2015-06-16 06:44:29 +0000 |
---|---|---|
committer | Lorry Tar Creator <lorry-tar-importer@lorry> | 2015-06-16 06:44:29 +0000 |
commit | f9f3ab3056d94292adb4ab2e1451645bee989769 (patch) | |
tree | cc5a62954d359d5aad449420bc7ec259b3edb79e /Changes | |
download | CGI-tarball-f9f3ab3056d94292adb4ab2e1451645bee989769.tar.gz |
Diffstat (limited to 'Changes')
-rw-r--r-- | Changes | 2132 |
1 files changed, 2132 insertions, 0 deletions
@@ -0,0 +1,2132 @@ +4.21 2015-06-16 + + [ RELEASE NOTES ] + - CGI.pm is now considered "done". See also "mature" and "legacy" + Features requests and none critical issues will be outright rejected. + The module is now in maintenance mode for critical issues only. + + - This release removes the AUTOLOAD and compile optimisations from CGI.pm + that were introduced into CGI.pm twenty (20) years ago as a response to + its large size, which meant there was a significant compile time penalty. + + - This optimisation is no longer relevant and makes the code difficult to + deal with as well as making test coverage metrics incorrect. Benchmarks + show that advantages of AUTOLOAD / lazy loading / deferred compile are + less than 0.05s, which will be dwarfed by just about any meaningful code + in a cgi script. If this is an issue for you then you should look at + running CGI.pm in a persistent environment (FCGI, etc) + + - To offset some of the time added by removing the AUTOLOAD functionality + the dependencies have been made runtime rather than compile time. The + POD has also been split into its own file. CGI.pm now contains around + 4000 lines of code, which compared to some modules on CPAN isn't really + that much + + - This essentially deprecates the -compile pragma and ->compile method. The + -compile pragma will no longer do anything, whereas the ->compile method + will raise a deprecation warning. More importantly this also REMOVES the + -any pragma because as per the documentation this pragma needed to be + "used with care or not at all" and allowing arbitrary HTML tags is almost + certainly a bad idea. If you are using the -any pragma and using arbitrary + tags (or have typo's in your code) your code will *BREAK* + + - Although this release should be back compatible (with the exception of any + code using the -any pragma) you are encouraged to test it throughly as if + you are doing anything out of the ordinary with CGI.pm (i.e. have bugs + that may have been masked by the AUTOLOAD feature) you may see some issues. + + - References: GH #162, GH #137, GH #164 + + [ SPEC / BUG FIXES ] + - make the list context warning in param show the filename rather than + the package so we have more information on exactly where the warning + has been raised from (GH #171) + - correct self_url when PATH_INFO and SCRIPT_NAME are the same but we + are not running under IIS (GH #176) + - Add the multi_param method to :cgi export (thanks to xblitz for the patch + and tests. GH #167) + - Fix warning for lack of HTTP_USER_AGENT in CGI::Carp (GH #168) + - Fix imports when called from CGI::Fast, restores the import of CGI functions + into the callers namespace for users of CGI::Fast (GH leejo/cgi-fast#11 and + GH leejo/cgi-fast#12) + - Fix regression of tmpFileName when calling with a plain string (GH #178, + thanks to Simon McVittie for the report and fix) + + [ FEATURES ] + - CGI::Carp now has $CGI::Carp::FULL_PATH for displaying the full path to the + offending script in error messages + - CGI now has env_query_string() for getting the value of QUERY_STRING from + the environment and not that fiddled with by CGI.pm (which is what + query_string() does) (GH #161) + - CGI::ENCODE_ENTITIES var added to control which chracters are encoded by + the call to the HTML::Entities module - defaults to &<>"' (GH #157 - the + \x8b and \x9b chars have been removed from this list as we are concerned + more about unicode compat these days than old browser support.) + + [ DOCUMENTATION ] + - Fix some typos (GH #173, GH #174) + - All *documentation* for HTML functionality in CGI has been moved into + its own namespace: CGI::HTML::Functions - although the functionality + continues to exist within CGI.pm so there are no code changes required + (GH #142) + - Add missing documentation for env variable fetching routines (GH #163) + + [ TESTING ] + - Increase test coverage (GH #3) + + [ INTERNALS ] + - Cwd made a TEST_REQUIRES rather than a BUILD_REQUIRES in Makefile.PL + (GH #170) + - AutoloadClass variables have been removed as AUTOLOAD was removed in + v4.14 so these are no longer necessary (GH #172 thanks to alexmv) + - Remove dependency on constant - internal DEBUG, XHTML_DTD and EBCDIC + constants changes to $_DEBUG, $_XHTML_DTD, and $_EBCDIC + +4.13 2014-12-18 + + [ RELEASE NOTES ] + - CGI::Pretty is now DEPRECATED and will be removed in a future release. + Please see GH #162 (https://github.com/leejo/CGI.pm/issues/162) for more + information and discussion (also GH #140 for HTML function deprecation + discussion: https://github.com/leejo/CGI.pm/issues/140) + + [ TESTING ] + - fix t\rt-84767.t for failures on Win32 platforms related to file paths + +4.11 2014-12-02 + + [ SPEC / BUG FIXES ] + - more hash key ordering bugs fixed in HTML attribute output (GH #158, + thanks to Marcus Meissner for the patch and test case) + + [ REFACTORING ] + - escapeHTML (and unescapeHTML) have been refactored to use the functions + exported by the HTML::Entities module (GH #157) + - change BUILD_REQUIRES to TEST_REQUIRES in Makefile.PL as these are test + dependencies not build dependencies (GH #159) + + [ DOCUMENTATION ] + - replace any remaining uses of indirect object notation (new Object) with + the safer Object->new syntax (GH #156) + +4.10 2014-11-27 + + [ SPEC / BUG FIXES ] + - favour -content-type arg in header if -type and -charset options are also + passed in (GH #155, thanks to kaoru for the test case). this change also + sorts the hash keys in the rearrange method in CGI::Util meaning the order + of the arrangement will always be the same for params that have multiple + aliases. really you shouldn't be passing in multiple aliases, but this will + make it consistent should you do that + + [ DOCUMENTATION ] + - fix some typos + +4.09 2014-10-21 + + [ RELEASE NOTES ] + - with this release the large backlog of issues against CGI.pm has been + cleared. All fixes have been made in the versions 4.00 and above so if + you are upgrading from 3.* you should thoroughly test your code against + recent versions of CGI.pm + - an effort has been made to retain back compatibility against previous + versions of CGI.pm for any fixes made, however some changes related to + the handling of temporary files may have consequences for your code + - please refer to the RELEASE NOTES for version 4.00 and above for all + recent changes and file an issue on github if there has been a regression. + - please do *NOT* file issues regarding HTML generating functions, these + are no longer being maintained (see perldoc for rationale) + + [ SPEC / BUG FIXES ] + - tweak url to DTRT when the web server is IIS (RT #89827 / GH #152) + - fix temporary file handling when dealing with multiple files in MIME uploads + (GH #154, thanks to GeJ for the test case) + +4.08 2014-10-18 + + [ DOCUMENTATION ] + - note that calling headers without a -charset may lead to a nonsensical + charset being added to certain content types due to the default and the + workaround + - remove documentation stating that calls to escapeHTML with a changed + charset force numeric encoding of all characters, because that does not + happen + - documentation tweaks for calling param() in list context and the addition + of multi_param() + + [ SPEC / BUG FIXES ] + - don't sub out PATH_INFO in url if PATH_INFO is the same as SCRIPT_NAME + (RT #89827) + - add multi_param() method to allow calling of param() in list context + without having to disable the $LIST_CONTEXT_WARN flag (see RELEASE NOTES + for version 4.05 on why calling param() in list context could be a bad + thing) + +4.07 2014-10-12 + + [ RELEASE NOTES ] + - please see changes for v4.05 + + [ TESTING ] + - typo and POD fixes, add test to check POD and compiles + +4.06 2014-10-10 + + [ RELEASE NOTES ] + - please see changes for v4.05 + + [ DOCUMENTATION ] + - make warning on list context call of ->param more lenient and don't + warn if called with no arguments + +4.05 2014-10-08 + + [ RELEASE NOTES ] + - this release includes *significant* refactoring of temporary file + handling in CGI.pm. See "Changes in temporary file handling" in perldoc + + - this release adds a warning for when the param method is called + in list context, see the Warning in the perldoc for the section + "Fetching the value or values of a single named parameter" for why + this has been added and how to disable this warning + + [ DOCUMENTATION ] + - change AUTHOR INFORMATION to LICENSE to please Kwalitee + + [ TESTING ] + - t/arbitrary_handles.t to check need for patch in RT #54055, it + turns out there is no need - the first argument to CGI->new can + be an arbitrary handle + - add test case for incorrect unescaping of redirect headers + (RT #61120) + - add tests for the handle method (RT #85074, thanks to TONYC@cpan.org) + + [ SPEC / BUG FIXES ] + - don't set binmode on STDOUT/STDERR/STDIN if a none standard layer + is already set on them on none UNIX platforms (RT #57524) + - make XForms:Model data accesible through POSTDATA/PUTDATA param + (RT #75628) + - prevent corruption of POSTDATA/PUTDATA when -utf8 flag is used and use + tempfiles to handle this data (RT #79102, thanks anonymous) + - unescape request URI *after* having removed the query string to prevent + removal of ? chars that are part of the original URI (and were encoded) + (RT #83265) + - fix q( to qq( in CGI::Carp so $@ is correct interpolated (RT #83360) + - don't call ->query_string in url unless -query is passed (RT #87790) + (optimisation and fits the current documented behaviour) + +4.04 2014-09-04 + + [ RELEASE NOTES ] + - this release removes some long deprecated modules/functions and + includes refactoring to the temporary file handling in CGI.pm. if + you are doing anything out of the ordinary with regards to temp + files you should test your code before deploying this update as + temp files may no longer be stored in previously used locations + + [ REMOVED / DEPRECATIONS ] + - startform and endform methods removed (previously deprecated, you + should be using the start_form and end_form methods) + - both CGI::Apache and CGI::Switch have been removed as these modules + 1) have been deprecated for *years*, and 2) do nothing whatsoever + + [ SPEC / BUG FIXES ] + - handle multiple values in X-Forwarded-Host header, we follow the + logic in most other frameworks and take the last value from the list + (RT #54487) + - reverse the order of TEMP dir placement for WINDOWS: TEMP > TMP > WINDIR + (RT #71799, thanks to jeff@math.tntech.edu), this returns the behaviour + to pre e24d04e9bc5fda7722444b02fec135d8cc2ff488 but with the undefined + fix still in place + - refactor CGITempFile::find_tempdir to use File::Spec->tmpdir + (related: RT #71799) + - fix warnings when QUERY_STRING has empty key=value pairs (RT #54511) + - pad custom 500 status response messages to > 512 for MSIE (RT #81946) + - make Vars tied hash delete method return the value deleted from the hash + making it act like perl's delete (RT #51020) + + [ TESTING ] + - add .travis.yml (https://travis-ci.org) + - test case for RT #53966 - disallow filenames with ~ char + - test case for RT #55166 - calling Vars to get the filename does not return + a filehandle, so this cannot be used in the call to uploadinfo, also + update documentation for the uploadInfo to show that ->Vars should not be + used to get the filename for this method + - fix t/url.t to pass on Win32 platforms that have the SCRIPT_NAME env + variable set (RT #89992) + - add procedural call tests for upload and uploadInfo to confirm these work + as should (RT #91136) + + [ DOCUMENTATION ] + - tweak perldoc for -utf8 option (RT #54341, thanks to Helmut Richter) + - explain the HTML generation functions should no longer be used and that + they may be deprecated in a future release + +4.03 2014-07-02 + + [ REMOVED / DEPRECATIONS ] + - the -multiple option to popup_menu is now IGNORED as this did not + function correctly. If you require a menu with multiple selections + use the scrolling_list method. (RT #30057) + + [ SPEC / BUG FIXES ] + - support redirects in mod_perl2, or fall back to using env variable + for up to 5 redirects, when getting the query string (RT #36312) + - CGI::Cookie now correctly supports the -max-age argument, previously + if this was passed the value of the -expires argument would be used + meaning there was no way to supply *only* this argument (RT #50576) + - make :all actually import all methods, except for :cgi-lib, and add + :ssl to the :standard import (RT #70337) + + [ DOCUMENTATION ] + - clarify documentation regarding query_string method (RT #48370) + - links fixed in some perldoc (Thanks to Michiel Beijen) + + [ TESTING ] + - add t/changes.t for testing this Changes file + - test case for RT #31107 confirming multipart parsing is to spec + - improve t/rt-52469.t by adding a timeout check + +4.02 2014-06-09 + + [ NEW FEATURES ] + - CGI::Carp learns noTimestamp / $CGI::Carp::NO_TIMESTAMP to prevent + timestamp in messages (RT #82364, EDAVIS@cpan.org) + - multipart_init and multipart_start learn -charset option (RT #22737) + + [ SPEC / BUG FIXES ] + - Support multiple cookies when passing an ARRAY ref with -set-cookie + (RT #15065, JWILLIAMS@cpan.org) + + [ DOCUMENTATION ] + - Made licencing information consistent and remove duplicate comments + about licence details, corrected location to report bugs (RT #38285) + +4.01 2014-05-27 + + [ DOCUMENTATION ] + - CGI.pm hasn't been removed from core *just* yet, but will be soon: + http://perl5.git.perl.org/perl.git/commitdiff/e9fa5a80 + +4.00 2014-05-22 + + [ INTERNALS ] + - CGI::Fast split out into its own distribution, related files and tests removed + - developer test added for building with perlbrew + + [ DOCUMENTATION ] + - Update perldoc to explain that CGI.pm has been removed from perl core + - Make =head2 perldoc less shouty (RT #91140) + - Tickets migrated from RT to github issues (both CGI and CGI.pm distributions) + - Repointing bugtracker at newly forked github repo and note that Lee Johnson + is the current maintainer. + - Bump version to 4.00 for clear boundary of above changes + +Version 3.65 Feb 11, 2014 + + [INTERNALS] + - Update Makefile to refine where CGI.pm gets installed + (Thanks to bingo, rjbs: https://github.com/markstos/CGI.pm/pull/30) + +Version 3.64 Nov 23, 2013 + + [BUG FIXES] + - Avoid warning about "undefined variable in user_agent in some cases (RT#72882) + + [INTERNALS] + - Avoiding warning about "unitialized value" in when calling user_agent() in some cases. (RT#72882, perl@max-maurer.de) + - Update minimum required version in Makefile.PL to 5.8.1. It had already been + updated to 5.8.1 in the CGI.pm module in 3.53. + - Fix POD errors reported by newer pod2man (Thanks to jmdh) + - Typo fixes, (dsteinbrunner). + - use deprecate.pm on perls 5.19.0 and later. (rjbs). + + [DOCUMENTATION] + - Update CGI::Cookie docs to reflect that HttpOnly is widely supported now. + + +Version 3.63 Nov 12, 2012 + + [SECURITY] + - CR escaping for Set-Cookie and P3P headers was improved. There was potential + for newline injection in these headers. + (Thanks to anazawa, https://github.com/markstos/CGI.pm/pull/23) + +Version 3.62, Nov 9th, 2012 + + [INTERNALS] + - Changed how the deprecated endform function was defined for compatibility + with the development version of Perl. + - Fix failures in t/tmpdir.t when run as root + https://github.com/markstos/CGI.pm/issues/22, RT#80659) + + - Made it possible to force a sorted order for things like hash + attributes so that tests are not dependent on a particular hash + ordering. This will be required in modern perls which will + change the ordering per process. (Yves, RT#80659) + +Version 3.61 Nov 2nd, 2012 + + (No code changes) + + [INTERNALS] + - formatting of CGI::Carp documentation was improved. Thanks to benkasminbullock. + - un-TODO some tests in t/tmpdir.t that were passing in most cases. + More on this: + https://github.com/markstos/CGI.pm/issues/19# + https://github.com/markstos/CGI.pm/commit/cc73dc9807b0fabb56b3cdf1a9726588b2eda0f7 + +Version 3.60 Aug 15th, 2012 + + [BUG FIXES] + - In some caes, When unescapeHTML() hit something it didn't recognize with an ampersand and + and semicolon, it would throw away the semicolon and ampersand. It now does a better job. + of preserving content it doesn't recognize. Thanks to CEBJYRE@cpan.org (RT#75595) + - Remove trailing newline after <form> tag inserted by startform and start_form. It can + cause rendering problems in some cases. Thanks to SJOHNSTON@cpan.org (RT#67719) + - Workaround "Insecure Dependency" warning generated by some versions of Perl (RT#53733). + Thanks to degatcpan@ntlworld.com, klchu@lbl.gov and Anonymous Monk + + [DOCUMENTATION] + - Clarify that when -status is used, the human-readable phase should be included, per RFC 2616. + Thanks to SREZIC@cpan.org (RT#76691). + + [INTERNALS] + - More tests for header(), thanks to Ryo Anazawa. + - t/url.t has been fixed on VMS. Thanks to cberry@cpan.org (RT#72380) + - MANIFEST patched so that t/multipart_init.t is included again. Thanks to shay@cpan.org (RT#76189) + +Version 3.59 Dec 29th, 2011 + + [BUG FIXES] + - We no longer read from STDIN when the Content-Length is not set, preventing + requests with no Content-Length from freezing in some cases. This is consistent + with the CGI RFC 3875, and is also consistent with CGI::Simple. However, the old + behavior may have been expected by some command-line uses of CGI.pm. + Thanks to Philip Potter and Yanick Champoux. See RT#52469 for details: + https://rt.cpan.org/Public/Bug/Display.html?id=52469 + + [INTERNALS] + - remove tmpdirs more aggressively. Thanks to rjbs (RT#73288) + - use Text::ParseWords instead of ancient shellwords.pl. Thanks to AlexBio. + - remove use of define(@arr). Thanks to rjbs. + - spelling fixes. Thanks to Gregor Herrmann and Alessandro Ghedini. + - fix test count and warning in t/fast.t. Thanks to Yanick. + +Version 3.58 Nov 11th, 2011 + + [DOCUMENTATION] + - Clarify that using query_string() only has defined behavior when using the GET method. (RT#60813) + +Version 3.57 Nov 9th, 2011 + [INTERNALS] + - test failure in t/fast.t introduced in 3.56 is fixed. (Thanks to zefram and chansen). + - Test::More requirement has been bumped to 0.98 + +Version 3.56 Nov 8th, 2011 + + [SECURITY] + Use public and documented FCGI.pm API in CGI::Fast + CGI::Fast was using an FCGI API that was deprecated and removed from + documentation more than ten years ago. Usage of this deprecated API with + FCGI >= 0.70 or FCGI <= 0.73 introduces a security issue. + <https://rt.cpan.org/Public/Bug/Display.html?id=68380> + <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2766> + (Thanks to chansen) + + [INTERNALS] + - tmp files are now cleaned up on VMS ( RT#69210, thanks to cberry@cpan.org ) + - Fixed test failure: done_testing() added to url.t (Thanks to Ryan Jendoubi) + - Clarify preferred bug submission location in docs, and note that Mark Stosberg + is the current maintainer. + +Version 3.55 June 3rd, 2011 + + [THINGS THAT MAY BREAK YOUR CODE] + url() was fixed to return "PATH_INFO" when it is explicitly requested + with either the path=>1 or path_info=>1 flag. + + If your code is running under mod_rewrite (or compatible) and you are calling self_url() or + you are calling url() and passing path_info=>1, These methods will actually be + returning PATH_INFO now, as you have explicitly requested, or has self_url() + has requested on your behalf. + + The PATH_INFO has been omitted in such URLs since the issue was introduced + in the 3.12 release in December, 2005. + + This bug is so old your application may have come to depend on it or + workaround it. Check for application before upgrading to this release. + + Examples of affected method calls: + + $q->url(-absolute => 1, -query => 1, -path_info => 1 ) + $q->url(-path=>1) + $q->url(-full=>1,-path=>1) + $q->url(-rewrite=>1,-path=>1) + $q->self_url(); + +Version 3.54, Apr 28, 2011 + No code changes + + [INTERNALS] + - Address test failures in t/tmpdir.t, thanks to Niko Tyni. + Some tests here are failing on some platforms and have been marked as TODO. + +Version 3.53, Apr 25, 2011 + + [NEW FEATURES] + - The DELETE HTTP verb is now supported. + (RT#52614, James Robson, Eduardo Ari�o de la Rubia) + + [INTERNALS] + - Correct t/tmpdir.t MANIFEST entry. (RT#64949) + - Update minimum required Perl version to be Perl 5.8.1, which + has been out since 2003. This allows us to drop some hacks + and exceptions (Mark Stosberg) + +Version 3.52, Jan 24, 2011 + + [DOCUMENTATION] + - The documentation for multi-line header handling was been updated to reflect + the changes in 3.51. (Mark Stosberg, ntyni@iki.fi) + + [INTERNALS] + - Add missing t/tmpfile.t file. (RT#64949) + - Fix warning in t/cookie.t (RT#64570, Chris Williams, Rainer Tammer, Mark Stosberg) + - Fixed logic bug in t/multipart_init.t (RT#64261, Niko Tyni) + +Version 3.51, Jan 5, 2011 + + [NEW FEATURES] + - A new option to set $CGI::Carp::TO_BROWSER = 0, allows you to explicitly + exclude a particular scope from triggering printing to the browser when + fatatlsToBrowser is set. (RT#62783, Thanks to papowell) + - The <script> tag now supports the "charset" attribute. + (RT#62907, Thanks to Fabrice Metge) + - In CGI::Cookie, "Max-Age" is now supported for better spec compliance. + (Mark Stosberg) + + [BUG FIXES] + - Setting charset() now works for all content types, not just "text/*". + (RT#57945, Thanks to Yanick and Gerv.) + - support for user temporary directories ($HOME/tmp) was commented out + in 2.61 but the documentation wasn't updated (Peter Gervai, Niko Tyni) + - setting $CGITempFile::TMPDIRECTORY before loading CGI.pm has been + working but undocumented since 3.12 (which listed it in Changes as + $CGI::TMPDIRECTORY) (Peter Gervai, Niko Tyni) + - unfortunately the previous change broke the runtime check for looking + for a new temporary directory if the current one suddenly became + unwritable (Peter Gervai, Niko Tyni) + - A bug was fixed in CGI::Carp triggered by certain death cases in + the BEGIN phase of parent classes. + (RT#57224, Thanks to UNERA, Yanick Champoux, Mark Stosberg) + - CGI::Cookie->new() now follows the documentation and returns undef + if the -name and -value args aren't provided. This new behavior is also + consistent with the docs and code of CGI::Simple::Cookie. (Mark Stosberg) + - CGI::Cookie->parse() now trims leading and trailing whitespace from cookie + elements as intended. The change also makes this part of the parsing + identical to CGI::Simple::Cookie (Mark Stosberg) + - Temp file handling was improved (RT#62762) + + [SECURITY] + - Further improvements have been made to guard against newline injections + in headers. (Thanks to Max Kanat-Alexander, Yanick Champoux, Mark Stosberg) + + [PERFORMANCE] + - Make EBCDIC a compile-time constant so there's zero overhead (and less + compiled code) in subroutines that test for it. (Tim Bunce) + - If you just want to use CGI::Cookie, CGI.pm will no longer be loaded + unless you call the bake() method, which requires it. (Mark Stosberg) + + [DOCUMENTATION] + - quit referring to the <link> tag as being "rarely used". (Victor Sanders) + - typo and whitespace fixes (RT#62785, thanks to scop@cpan.org) + - The -dtd argument to start_html() is now documented + (RT#60473, Thanks to giecrilj and steve@fisharerojo.org) + - CGI::Carp doc are updated to reflect that it can work with mod_perl 2.0. + - when creating a temporary file in the directory fails, the error message + could indicate the root of the problem better (Peter Gervai, Niko Tyni) + + [INTERNALS] + - Re-fixing https test in http.t. (RT#54768, thanks to SPROUT) + - param_fetch no longer triggers a warning when called with no arguments (ysth, Mark Stosberg) + +Version 3.50, Nov 8, 2010 + + [SECURITY] + 1. The MIME boundary in multipart_init is now random. + Thanks to Byron Jones, Masahiro Yamada, Reed Loden, and Mark Stosberg + 2. Further improvements to handling of newlines embedded in header values. + An exception is thrown if header values contain invalid newlines. + Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux, + Lincoln Stein, Fr�d�ric Buclin and Mark Stosberg + + [DOCUMENTATION] + 1. Correcting/clarifying documentation for param_fetch(). Thanks to + Ren�e B�cker. (RT#59132) + + [INTERNALS] + 1. Fixing https test in http.t. (RT#54768) + 2. Tests were added for multipart_init(). Thanks to Mark Stosberg and CGI::Simple. + +Version 3.49, Feb 5th, 2010 + + [BUG FIXES] + 1. Fix a regression since 3.44 involving a case when the header includes "Content-Length: 0". + Thanks to Alex Vandiver (RT#51109) + 2. Suppress uninitialized warnings under -w. Thanks to burak. (RT#50301) + 3. url() now uses virtual_port() instead of server_port(). Thanks to MKANAT and Yanick Champoux. (RT#51562) + 4. CGI::Carp now properly handles stringifiable objects, like Exception::Class throws (RT#39904) + + [SECURITY] + 1. embedded newlines are now filtered out of header values in header(). + Thanks to Mark Stosberg and Yanick Champoux. + + [DOCUMENTATION] + 1. README was updated to reflect that CGI.pm was moved under ./lib. + Thanks to Alex Vandiver. + + [INTERNALS] + 1. More tests were added for autoescape, thanks to Bob Kuo. (RT#25485) + 2. Attempt to avoid test failures with t/fast, thanks to Steve Hay. (RT#49599) + +Version 3.48, Sep 25, 2009 + + [BUG FIXES] + 1. <optgroup> default values are now properly escaped. + Thanks to #raleigh.pm and Mark Stosberg. (RT#49606) + 2. The change to exception handling in CGI::Carp introduced in 3.47 has been + reverted for now. It caused regressions reported in RT#49630. + Thanks to mkanat for the report. + + [DOCUMENTATION] + 1. Documentation for upload() has been overhauled, thanks to Mark Stosberg. + 2. Documentation for tmpFileName has been added. Thanks to Mark Stosberg and Nathaniel K. Smith. + 3. URLS were updated, thanks to Leon Brocard and Yanick Champoux. (RT#49770) + + [INTERNALS] + 1. More tests were added for autoescape, thanks to Bob Kuo. (RT#25485) + +Version 3.47, Sep 9, 2009 + + No code changes. + + [INTERNALS] + Re-release of 3.46, which did not contain a proper MANIFEST + +Version 3.46 + + [BUG FIXES] + 1. In CGI::Pretty, we no longer add line breaks after tags we claim not to format. Thanks to rrt, Bob Kuo and + and Mark Stosberg. (RT#42114). + 2. unescapeHTML() no longer falsely recognizes certain text as entities. Thanks to Pete Gamanche, Mark Stosberg + and Bob Kuo. (RT#39122) + 3. checkbox_group() now correctly includes a space before the "checked" attribute. + Thanks to Andrew Speer and Bob Kuo. (RT#36583) + 4. Fix case-sensitivity in http() and https() according to docs. Make https() + return list of keys in list context. Thanks to riQyRoe and Rhesa Rozendaal. (RT#12909) + 5. XHTML is now automatically disabled for HTML 4, as well as HTML 2 and HTML 3. Thanks to + Dan Harkless and Yanick Champoux. (RT#27907) + 6. Pre-compiling 'end_form' with ':form' switch now works. Thanks to ryochin and Yanick Champoux. (RT#41530) + 7. Empty name/values pairs are now properly saved and restored from filehandles. Thanks to rlucas and + Rhesa Rozendaal (RT#13158) + 8. Some differences between startform() and start_form() have been fixed. Thanks to Slaven Rezic and + Shawn Corey. (RT#22046) + 9. url_param() has been updated to be more consistent with the documentation and param(). + Thanks to Britton Kerin and Yanick Campoux. (RT#43587) + 10.hidden() now correctly supports multiple default values. + Thanks to david@dierauer.net and Russell Jenkins. (RT#20436) + 11.Calling CGI->new() no longer clobbers the value of $_ in the current scope. + Thanks to Alexey Tourbin, Bob Kuo and Mark Stosberg. (RT#25131) + 12.UTF-8 params should not get double-decoded now. + Thanks to Yves, Bodo, Burak G�rsoy, and Michael Schout. (RT#19913) + 13.We now give objects passed to CGI::Carp::die a chance to be stringified. + Thanks to teek and Yanick Champoux (RT#41530) + 14.Turning off autoEscape() now only affects the behavior of built-in HTML + generation fuctions. Explicit calls to escapeHTML() always escape HTML regardless + of the setting. Thanks to vindex, Bob Kuo and Mark Stosberg (RT#40748) + 15.In CGI::Fast, preferences set via pragmas are now preserved. + Thanks to heinst and Mark Stosberg (RT#32119) + + [DOCUMENTATION] + 1. remote_addr() is now documented. Thanks to Yanick Champoux. (RT#38884) + 2. In CGI::Pretty in the list of tags left unformatted was updated to match the code. Thanks to Mark Stosberg. (RT#42114) + 3. In CGI::Pretty, performance concerns are now documented. Thanks to Jochen, Rhesa Rozendaal and Mark Stosberg (RT#13223) + 4. A number of outdated Netscape references have been removed. Thanks to Mark Stosberg. + 5. The documentation has been purged of examples of using indirect object notation. Thanks to Mark Stosberg. + 6. Some POD formatting was fixed. Thanks to Dave Mitchell (RT#48935). + 7. Docs and examples were updated to highlight start_form instead of startform. + Thanks to Slaven Rezic. + 8. Note that CGI::Carp::carpout() doesn't work with in-memory filehandles. + Thanks to rhubbell and Mark Stosberg. + 9. The documentation for the -newstyle_urls is now less confusing. + Thanks to Ryan Tate and Mark Stosberg (RT#49454) + + [INTERNALS] + 1. Quit bundling an ancient copy of Test::More and and using a custom 'lib' path for the tests. Instead, Test::More + is now a dependency. Thanks to Ansgar and Mark Stosberg (RT#48811) + 2. Automated tests for hidden() have been added, thanks to Russel Jenkins and Mark Stosberg (RT#20436) + 3. t/util.t has been updated to use Test::More instead of a home-grown test function. Thanks to Bob Kuo. + +Version 3.45, Aug 14, 2009 + + [BUG FIXES] + 1. Prevent warnings about "uninitialized values" for REQUEST_URI, HTTP_USER_AGENT and other environment variables. + Patches by Callum Gibson, heiko and Mark Stosberg. (RT#24684, RT#29065) + 2. Avoid death in some cases when running under Taint mode on Windows. + Patch by Peter Hancock (RT#43796) + 3. Allow 0 to be used as a default value in popup_menu(). This was broken starting in 3.37. + Thanks to Haze, who was the first to report this and supply a patch, and pfschill, who pinpointed + when the bug was introduced. A regression test for this was also added. (RT#37908) + 4. Allow "+" as a valid character in file names, which fixes temp file creation on OS X Leopard. + Thanks to Andy Armstrong, and alech for patches. (RT#30504) + 5. Set binmode() on the Netware platform, thanks to Guenter Knauf (RT#27455) + 6. Don't allow a CGI::Carp error handler to die recursively. Print a warning and exit instead. + Thanks to Marc Chantreux. (RT#45956) + 7. The Dump() method now is fixed to escape HTML properly. Thanks to Mark Stosberg (RT#21341) + 8. Support for <optgroup> with scrolling_list() now works the same way as it does for popup_menu(). + Thanks to Stuart Johnston (RT#30097) + 9. CGI::Pretty now works properly when $" is set to ''. Thanks to Jim Keenan (RT#12401) + 10. Fix crash when used in combination with PerlEx::DBI. Thanks to Burak G�rsoy (RT#19902) + + [DOCUMENTATION] + 1. Several typos were fixed, Thanks to ambs. (RT#41105) + 2. A typo related to the nosticky pragma was fixed, thanks to Britton Kerin. (RT#43220) + 3. examples/nph-clock.cgi is now more portable, by calling localtime() rather than `/bin/date`, + thanks to Guenter Knauf. (RT#27456). + 4. In CGI::Carp, the SEE ALSO section was cleaned up, thanks to Slaven Rezic. (RT#32769) + 5. The docs for redirect() were updated to reflect that most headers are + ignored during redirection. Thanks to Mark Stosberg (RT#44911) + + [INTERNALS] + 1. New t/unescapeHTML.t test script has been added. It includes a TODO test for a pre-existing + bug which could use a patch. Thanks to Pete Gamache and Mark Stosberg (RT#39122) + 2. New test scripts have been added for user_agent(), popup_menu() and query_string(), scrolling_list() and Dump() + Thanks to Mark Stosberg and Stuart Johnston. (RT#37908, RT#43006, RT#21341, RT#30097) + 3. CGI::Carp and CGI::Util have been updated to have non-developer version numbers. + Thanks to Slaven Rezic. (RT#48425) + 4. CGI::Switch and CGI::Apache now properly set their VERSION in their own name space. + Thanks to Alexey Tourbin (RT#11941,RT#11942) + +Version 3.44, Jul 30, 2009 + + 1. Patch from Kurt Jaeger to allow HTTP PUT even if the content length is unknown. + 2. Patch from Pavel merdin to fix a problem for one of the FireFox addons. + 3. Fixed issue in mod_perl & fastCGI environment of cookies returned from + CGI->cookie() leaking from one session to another. + +Version 3.43, Apr 06, 2009 + + 1. Documentation patch from MARKSTOS@cpan.org to replace all occurrences of + "new CGI" with CGI->new()" to reflect best perl practices. + 2. Patch from Stepan Kasal to fix utf-8 related problems in perl 5.10 + +Version 3.42, Sep 08, 2008 + + 1. Added patch from Renee Baecker that makes it possible to subclass + CGI::Pretty. + 2. Added patch from Nicholas Clark to allow ~ characters in temporary directories. + 3. Added patch from Renee Baecker that fixes the inappropriate escaping of fields + in multipart headers. + +Version 3.41, Aug 25, 2008 + + 1. Fix url() returning incorrect path when query string contains escaped newline. + 2. Added additional windows temporary directories and environment variables, courtesy patch from Renee Baecker + 3. Added a handle() method to the lightweight upload + filehandles. This method returns a real IO::Handle object. + 4. Added patch from Tony Vanlingen to fix deep recursion warnings in CGI::Pretty. + +Version 3.40, Aug 06, 2008 + + 1. Fixed CGI::Fast docs to eliminate references to a "special" + version of Perl. + 2. Makefile.PL now depends on FCGI so that CGI::Fast installs properly. + 3. Fix script_name() call from Stephane Chazelas. + +Version 3.39, Jun 29, 2008 + + 1. Fixed regression in "exists" function when using tied interface to CGI via $q->Vars. + +Version 3.38, Jun 25, 2008 + + 1. Fix annoying warning in http://rt.cpan.org/Ticket/Display.html?id=34551 + 2. Added nobr() function http://rt.cpan.org/Ticket/Display.html?id=35377 + 3. popup_menu() allows multiple items to be selected by default, satisfying + http://rt.cpan.org/Ticket/Display.html?id=35376 + 4. Patch from Renee Backer to avoid doubled <http-equiv> headers. + 5. Fixed documentation bug that describes what happens when a + parameter is empty (e.g. "?test1="). + 6. Fixed minor warning described at http://rt.cpan.org/Public/Bug/Display.html?id=36435 + 7. Fixed overlap of attribute and parameter space described in http://rt.perl.org/rt3//Ticket/Display.html?id=24294 + +Version 3.37, Apr 22, 2008 + + 1. Fix pragmas so that they persist over modperl invocations (e.g. RT 34761) + 2. Fixed handling of chunked multipart uploads; thanks to Michael Bernhardt + who reported and fixed the problem. + +Version 3.36 + + 1. Fix CGI::Cookie to support cookies that are separated by "," instead of ";". + +Version 3.35, Mar 27, 2008 + + 1. Resync with bleadperl, primarily fixing a bug in parsing semicolons in uploaded filenames. + +Version 3.34, Mar 18, 2008 + + 1. Handle Unicode %uXXXX escapes properly -- patch from DANKOGAI@cpan.org + 2. Fix url() method to not choke on path names that contain regex characters. + +Version 3.33, Jan 02, 2008 + + 1. Remove uninit variable warning when calling url(-relative=>1) + 2. Fix uninit variable warnings for two lc calls + 3. Fixed failure of tempfile upload due to sprintf() taint failure in perl 5.10 + +Version 3.32, Dec 27, 2007 + + 1. Patch from Miguel Santinho to prevent sending premature headers under mod_perl 2.0 + +Version 3.31, Nov 30, 2007 + + 1. Patch from Xavier Robin so that CGI::Carp issues a 500 Status code rather than a 200 status code. + 2. Patch from Alexander Klink to select correct temporary directory in OSX Leopard so that upload works. + 3. Possibly fixed "wrapped pack" error on 5.10 and higher. + +Version 3.30 + + 1. Patch from Mike Barry to handle POSTDATA in the same way as PUT. + 2. Patch from Rafael Garcia-Suarez to correctly reencode unicode values as byte values. + +Version 3.29, Apr 16, 2007 + + 1. The position of file handles is now reset to zero when CGI->new is called. + (Mark Stosberg) + 2. uploadInfo() now works across multiple object instances. Also, the first + tests for uploadInfo() were added as part of the fix. (CPAN bug 11895, with + contributions from drfrench and Mark Stosberg). + +Version 3.28, Mar 29, 2007 + + 1. Applied patch from Allen Day that makes Cookie parsing RFC2109 compliant + (attribute/values can be separated by commas as well as semicolons). + 2. Applied patch from Stephan Struckmann that allows script_name() to be set correctly. + 3. Fixed problem with url(-full) in which port number appears twice. + +Version 3.27, Feb 27, 2007 + + 1. Applied patch from Steve Taylor that allows checkbox_groups to be + disabled with a new -disabled=> option. + +Version 3.26 + + 1. Fixed alternate stylesheet behavior so that it is insensitive to order of declarations. + 2. Patch from John Binns to allow users to provide a callback to CGI::Carp. + 3. Added "~" as an unreserved character in escape(). + 4. Patch from Chris Fedde to prevent HTTP_HOST from inhibiting SERVER_PORT in url() generation. + 5. Fixed outdated documentation (and behavior) of -language in start_html -script option. + 6. Fixed bug in seconds calculation in CGI::Util::expire_calc. + +Version 3.25, Sep 28, 2006 + + 1. Fixed the link to the Netscape frames page. + 2. Added ability to specify an alternate stylesheet. + 3. Add support for XForms POST submssion both as application/xml or as multipart/related + +Version 3.24 + + 1. In startform(), if request_uri() returns undef, then falls back + to self_url(). This should rarely happen except when run outside of + the CGI environment. + 2. image button alignment options were mistakenly being capitalized, causing xhtml validation to fail. + +Version 3.23, Aug 23, 2006 + + 1. Typo in upload() persisted, now fixed for real. Thanks to + Emanuele Zeppieri for correct patch and regression test. + +Version 3.22, Aug 23, 2006 + + 1. Typo in upload() function broke uploads. Now fixed (CPAN bug 21126). + +Version 3.21, Aug 21, 2006 + + 1. Don't try to read data at all when POST > $POST_MAX. + 2. Fixed bug that caused $cgi->param('name',undef,'value') to unset param('name') entirely. + 3. Fixed bug in which upload() sometimes returns empty. (CPAN bug #12694). + 4. Incorporated patch from BURAK@cpan.org to support HTTPcookies (CPAN bug 21019). + +Version 3.20 + + 1. Patch from David Wheeler for CGI::Cookie->bake(). Uses mod_perl headers_out->add() + rather than headers_out->set(). + 2. Fixed problem identified by Andrei Voronkov in which start_form() output was screwed + up when initial argument begins with a dash and subsequent arguments do not. + 3. Quashed uninitialized variable warnings coming from script_name(), url() and other + functions that require access to the PATH_INFO environment variable. + +Version 3.19 + + 1. Added patch from Stephen Frost that allows one to suppress use of the temp file that is + created during uploads. + 2. Fixed problem noted by Martin Foster in which regular expression meta-character terms + in the path information were not quoted, causing URL parsing + to fail on URLs that contained metacharacters (such as +). + 3. More fixes to the url() method. + 4. Removed "hack to fix broken PATH_INFO in MSII". + +Version 3.18 + + 1. Doc typo fixes. + 2. Patch from Steve Peters to default the document type to match the charset. + 3. Fixed param() so that param(-name=>'foo',-values=>[]) sets the parameter to empty list. + +Version 3.17, Feb 24, 2006 + + 1. Added patch from Mike Hanafey which caused 0 arguments to CGI::Cookie->new() to + be treated as empty. + 2. Patch to CGI::Carp from Peter Whaite to fix the unfixable problem of CGI::Carp + not behaving correctly in an eval() context. + 3. CGI::Fast->new() calls CGI->_reset_globals to avoid contamination of one session + with another's variables. + 4. Fixed upload failure on files that contain semicolons in their names. + +Version 3.16, Feb 8, 2006 + + 1. header() -charset option now works even when the MIME type is not "text". + 2. Fixed documentation for cookie() function and fastCGI. + 3. Upload filehandles now only closed automatically on Windows systems. + 4. Apache::Cookie compatibility fix from David Wheeler + 5. CGI::Carp->fatalsToBrowser() does not work correctly with + mod_perl 2. No workaround is known. + 6. Fixed text status code associated with 302 redirects. Should be "Found" + but was "Moved". + 7. Fixed charset in start_html() and header() to be in synch. + +Version 3.15, Dec 7, 2005 + + 1. Remove extraneous "?" from self_url() when URI contains a ? but no query string. + +Version 3.14, Dec 6, 2005 + + 1. Fixed broken scrolling_list() select attribute. + +Version 3.13, Dec 4, 2005 + + 1. Removed extraneous empty "?" from end of self_url(). + +Version 3.12, Dec 4, 2005 + + 1. Fixed virtual_port so that it works properly with https protocol. + 2. Fixed documentation for upload_hook(). + 3. Added POSTDATA documentation. + 4. Made upload_hook() work in function-oriented mode. + 5. Fixed POST_MAX behavior so that it doesn't cause client to hang. + 6. Disabled automatic tab indexes and added new -tabindex pragma to + turn automatic indexes back on. + 7. The url() and self_url() methods now work better in the context of Apache + mod_rewrite. Be advised that path_info() may give you confusing results + when mod_rewrite is active because Apache calculates the path info *after* + rewriting. This is mostly worked around in url() and self_url(), but you + may notice some anomalies. + 8. Removed empty (and non-validating) <div> from code emitted by end_form(). + 9. Fixed CGI::Carp to work correctly with Mod_perl 1.29 in an Apache 2 environment. + 10. Setting $CGI::TMPDIRECTORY should now be effective. + +Version 3.11, Aug 3, 2005 + + 1. Killed warning in CGI::Cookie about MOD_PERL_API_VERSION + 2. Fixed append() so that it works in function mode. + 3. Workaround for a bug that appears in Apache2 versions through 2.0.54 + in which SCRIPT_NAME and PATH_INFO are incorrect if the additional path_info + contains a double slash. This workaround will handle the common case of + http://mysite.com/cgi-bin/log.cgi/http://www.some.other.site/args, but will + not handle the uncommon case of a ScriptAlias directive that adds additional + path information to the end of the translated URI. + +Version 3.10, May 13, 2005 + + 1. Added Apache2::RequestIO, which is necessary for mp2 interoperability. + +Version 3.09, May 5, 2005 + + 1. Fixed tabindex="0" when using CGI to create forms without a prior start_html + 2. Removed warning about non-numeric MOD_PERL_API_VERSION. + +Version 3.08, Apr 20, 2005 + + 1. update support for mod_perl 2.0. versions prior to + mod_perl 1.999_22 (2.0.0-RC5) are no longer supported. + +Version 3.07, Mar 14, 2005 + + 1. Fixed typo in mod_perl detection. + +Version 3.06, Mar 09, 2005 + + 1. Fixed bare call to script() in start_html + 2. Moved Fh::DESTROY out of autoloaded functions so as to avoid + clobbering $@ when CGI functions are executed in an eval{} + context. + 3. mod_perl 2.0 version detection patch in CGI::Cookie provided by + Allen Day. + 4. autoEscape() flag is now respected when generating extra + attributes. + 5. Tests for *tag start/end generation from Shlomi Fish. + 6. Support for can() method provided by Ron Savage. + 7. Fix for lang='' when outputting XHTML. + 8. Added support for chunked transfer encoding, as suggested by + Hakan Ardo + 9. Fixed clobbering of row and column headers in tableized radio + and checkbox groups, as reported by Nicolas Thierry-Mieg. + 10. <Label> tags are now associated with form elements, as suggested + by accessibility guidelines. + 11. The <?xml> directive produced by start_html is now turned off by + default and the charset is specified in a <meta> directive. Apparently + IE6 (and maybe some versions of Opera) were getting confused by this. + 12. Support for tab indexes. + 13. Retired the HTML docs. The POD docs are now primary documentation. + 14. CGI::Carp now correctly detects and handles Apache::Dispatch. + 15. CGI::Util::utf8_chr now correctly sets the UTF8 flag on 5.006 or + higher perls (fix courtesy Slaven Rezic). + + +Version 3.05, Apr 12, 2004 + + 1. Fixed uninitialized variable warning on start_form() when running + from command line. + 2. Fixed CGI::_set_attributes so that attributes with a - are handled + correctly. + 3. Fixed CGI::Carp::die() so as to avoid problems from _longmess() + clobbering @_. + 4. If HTTP_X_FORWARDED_HOST is defined (i.e. running under a proxy), + the various functions that return HOST will use that instead. + 5. Fix for undefined utf8() call in CGI::Util. + 6. Changed the call to warningsToBrowser() in + CGI::Carp::fatalsToBrowser to call only after HTTP header is sent + (thanks to Didier Lebrun for noticing). + 7. Patches from Dan Harkless to make CGI.pm validatable against HTML + 3.2. + 8. Fixed an extraneous "foo=bar" appearing when extra style + parameters passed to start_html; + 9. Fixed cross-site scripting bug in startform() pointed out by Dan + Harkless. + 10. Fixed documentation to discuss list context behavior of + form-element generators explicitly. + 11. Fixed incorrect results from end_form() when called in OO manner. + 12. Fixed query string stripping in order to handle URLs containing + escaped newlines. + 13. During server push, set NPH to 0 rather than 1. This is supposed + to fix problems with Apache. + 14. Fixed incorrect processing of multipart form fields that contain + embedded quotes. There's still the issue of how to handle ones + that contain embedded semicolons, but no one has complained (yet). + 15. Fixed documentation bug in -style argument to start_html() + 16. Added -status argument to redirect(). + +Version 3.04, Jan 18, 2004 + + 1. Fixed the problem with mod_perl crashing when "defaults" button + pressed. + +Version 3.03, Jan 13, 2004 + + 1. Fix upload hook functionality + 2. Workaround for CGI->unescape_html() + 3. Bumped version numbers in CGI::Fast and CGI::Util for 5.8.3-tobe + +Version 3.02 + + 1. Bring in Apache::Response just in case. + 2. File upload on EBCDIC systems now works. + +Version 3.01, Dec 10, 2003 + + 1. No fix yet for upload failures when running on EBCDIC server. + 2. Fixed uninitialized glob warnings that appeared when file + uploading under perl 5.8.2. + 3. Added patch from Schlomi Fish to allow debugging of PATH_INFO from + command line. + 4. Added patch from Steve Hay to correctly unlink tmp files under + mod_perl/windows + 5. Added upload_hook functionality from Jamie LeTaul + 6. Workarounds for mod_perl 2 IO issues. Check that file upload and + state saving still working. + 7. Added code for underreads. + 8. Fixed misleading description of redirect() and relative URLs in + the POD docs. + 9. Workaround for weird interaction of CGI::Carp with Safe module + reported by William McKee. + 10. Added patches from Ilmari Karonen to improve behavior of + CGI::Carp. + 11. Fixed documentation error in -style argument. + 12. Added virtual_port() method for finding out what port server is + listening on in a virtual-host aware fashion. + +Version 3.00, Aug 18, 2003 + + 1. Patch from Randal Schwartz to fix bug introduced by cross-site + scripting vulnerability "fix." + 2. Patch from JFreeman to replace UTF-8 escape constant of 0xfe with + 0xfc. Hope this is right! + + Version 2.99 + + 1. Patch from Steve Hay to fix extra Content-type: appearing on + browser screen when FatalsToBrowser invoked. + 2. Patch from Ewann Corvellec to fix cross-site scripting + vulnerability. + 3. Fixed tmpdir routine for file uploading to solve problem that + occurs under mod_perl when tmpdir is writable at startup time, but + not at session time. + + Version 2.98 + + 1. Fixed crash in Dump() function. + + Version 2.97 + + 1. Sigh. Uploaded wrong 2.96 to CPAN. + + Version 2.96 + + 1. More bugfixes to the -style argument. + + Version 2.95 + + 1. Fixed bugs in start_html(-style=>...) support introduced in 2.94. + + Version 2.94 + + 1. Removed warning from reset() method. + 2. Moved + + and tags into the :html3 group. Hope this removes undefined CGI::Area + errors. + + Changed CGI::Carp to play with mod_perl2 and to (hopefully) restore + reporting of compile-time errors. + + Fixed potential deadlock between web server and CGI.pm when aborting + a read due to POST_MAX (reported by Antti Lankila). + + Fixed issue with tag-generating function not incorporating content + when first variable undef. + + Fixed cross-site scripting bug reported by obscure. + + Fixed Dump() function to return correctly formed XHTML - bug + reported by Ralph Siemsen. + + Version 2.93 + + 1. Fixed embarassing bug in mp1 support. + + Version 2.92 + + 1. Fix to be P3P compliant submitted from MPREWITT. + 2. Added CGI->r() API for mod_perl1/mod_perl2. + 3. Fixed bug in redirect() that was corrupting cookies. + 4. Minor fix to behavior of reset() button to make it consistent with + submit() button (first time this has been changed in 9 years). + 5. Patch from Dan Kogai to handle UTF-8 correctly in 5.8 and higher. + 6. Patch from Steve Hay to make CGI::Carp's error messages appear on + MSIE browsers. + 7. Added Yair Lenga's patch for non-urlencoded postings. + 8. Added Stas Bekman's patches for mod_perl 2 compatibility. + 9. Fixed uninitialized escape behavior submitted by William Campbell. + 10. Fixed tied behavior so that you can pass arguments to tie() + 11. Fixed incorrect generation of URLs when the path_info contains + + and other odd characters. + 12. Fixed redirect(-cookies=>$cookie) problem. + 13. Fixed tag generation bug that affects -javascript passed to + start_html(). + + Version 2.91 + + 1. Attribute generation now correctly respects the value of + autoEscape(). + 2. Fixed endofrm() syntax error introduced by Ben Edgington's patch. + + Version 2.90 + + 1. Fixed bug in redirect header handling. + 2. Added P3P option to header(). + 3. Patches from Alexey Mahotkin to make CGI::Carp work correctly with + object-oriented exceptions. + 4. Removed inaccurate description of how to set multiple cookies from + CGI::Cookie pod file. + 5. Patch from Kevin Mahony to prevent running out of filehandles when + uploading lots of files. + 6. Documentation enhancement from Mark Fisher to note that the + import_names() method transforms the parameter names into valid + Perl names. + 7. Patch from Dan Harkless to suppress lang attribute in <html> tag + if specified as a null string. + 8. Patch from Ben Edgington to fix broken XHTML-transitional 1.0 + validation on endform(). + 9. Custom html header fix from Steffen Beyer (first letter correctly + upcased now) + 10. Added a -verbatim option to stylesheet generation from Michael + Dickson + 11. Faster delete() method from Neelam Gupta + 12. Fixed broken Cygwin support. + 13. Added empty charset support from Bradley Baetz + 14. Patches from Doug Perham and Kevin Mahoney to fix file upload + failures when uploaded file is a multiple of 4096. + + Version 2.89 + + 1. Fixed behavior of ACTION tag when POSTING to a URL that has a + query string. + 2. Added Patch from Michael Rommel to handle multipart/mixed uploads + from Opera + + Version 2.88 + + 1. Fixed problem with uploads being refused under Perl 5.8 when under + Taint mode. + 2. Fixed uninitialized variable warnings under Perl 5.8. + 3. Fixed CGI::Pretty regression test failures. + + Version 2.87 + + 1. Security hole patched: when processing multipart/form-data + postings, most arguments were being untainted silently. Returned + arguments are now tainted correctly. This may cause some scripts + to fail that used to work (thanks to Nick Cleaton for pointing + this out and persisting until it was fixed). + 2. Update for mod_perl 2.0. + 3. Pragmas such as -no_xhtml are now respected in mod_perl + environment. + + Version 2.86 + + 1. Fixes for broken CGI::Cookie expiration dates introduced in 2.84. + + Version 2.85 + + 1. Fix for broken autoEscape function introduced in 2.84. + + Version 2.84 + + 1. Fix for failed file uploads on Cygwin platforms. + 2. HTML escaping code now replaced 0x8b and 0x9b with unicode + references < and *#8250; + + Version 2.83 + + 1. Fixed autoEscape() documentation inconsistencies. + 2. Patch from Ville Skytt� to fix a number of XHTML inconsistencies. + 3. Added Max-Age to list of CGI::Cookie headers. + + Version 2.82 + + 1. Patch from Rudolf Troller to add attribute setting and option + groups to form fields. + 2. Patch from Simon Perreault for silent crashes when using CGI::Carp + under mod_perl. + 3. Patch from Scott Gifford allows you to set the program name for + CGI::Carp. + + Version 2.81 + + 1. Removed extraneous slash from end of stylesheet tags generated by + start_html in non-XHTML mode. + 2. Changed behavior of CGI::Carp with respect to eval{} contexts so + that output behaves properly in mod_perl environments. + 3. Fixed default DTD so that it validates with W3C validator. + + Version 2.80 + + 1. Fixed broken messages in CGI::Carp. + 2. Changed checked="1" to checked="checked" for real XHTML + compatibility. + 3. Resurrected REQUEST_URI code so that url() works correctly with + multiviews. + + Version 2.79 + + 1. Changes to CGI::Carp to avoid "subroutine redefined" error + messages. + 2. Default DTD is now XHTML 1.0 Transitional + 3. Patches to support all HTML4 tags. + + Version 2.78 + + 1. Added ability to change encoding in <?xml> assertion. + 2. Fixed the old escapeHTML('CGI') ne "CGI" bug + 3. In accordance with XHTML requirements, there are no longer any + minimized attributes, such as "checked". + 4. Patched bug which caused file uploads of exactly 4096 bytes to be + truncated to 4094 (thanks to Kevin Mahony) + 5. New tests and fixes to CGI::Pretty (thanks to Michael Schwern). + + Version 2.77 + + 1. No new features, but released in order to fix an apparent CPAN + bug. + + Version 2.76 + + 1. New esc.t regression test for EBCDIC translations courtesy Peter + Prymmer. + 2. Patches from James Jurach to make compatible with FCGI-ProcManager + 3. Additional fields passed to header() (like -Content_disposition) + now honor initial capitalization. + 4. Patch from Andrew McNaughton to handle utf-8 escapes (%uXXXX + codes) in URLs. + + Version 2.752 + + 1. Syntax error in the autoloaded Fh::new() subroutine. + 2. Better error reporting in autoloaded functions. + + Version 2.751 + + 1. Tiny tweak to filename regular expression function on line 3355. + + Version 2.75 + + 1. Fixed bug in server push boundary strings (CGI.pm and CGI::Push). + 2. Fixed bug that occurs when uploading files with funny characters + in the name + 3. Fixed non-XHTML-compliant attributes produced by textfield() + 4. Added EPOC support, courtesy Olaf Flebbe + 5. Fixed minor XHTML bugs. + 6. Made escape() and unescape() symmetric with respect to EBCDIC, + courtesy Roca, Ignasi <ignasi.roca@fujitsu.siemens.es> + 7. Removed uninitialized variable warning from CGI::Cookie, provided + by Atipat Rojnuckarin <rojnuca@yahoo.com> + 8. Fixed bug in CGI::Pretty that causes it to print partial end tags + when the $INDENT global is changed. + 9. Single quotes are changed to character entity ' for compatibility + with URLs. + + Version 2.74 + + September 13, 2000 + 1. Quashed one-character bug that caused CGI.pm to fail on file + uploads. + + Version 2.73 + + September 12, 2000 + 1. Added -base to the list of arguments accepted by url(). + 2. Fixes to XHTML support. + 3. POST parameters no longer show up in the Location box. + + Version 2.72 + + August 19, 2000 + 1. Fixed the defaults button so that it works again + 2. Charset is now correctly saved and restored when saving to files + 3. url() now works correctly when given scripts with %20 and other + escapes in the additional path info. This undoes a patch + introduced in version 2.47 that I no longer understand the + rationale for. + + Version 2.71 + + August 13, 2000 + 1. Newlines in the value attributes of hidden fields and other form + elements are now escaped when using ISO-Latin. + 2. Inline script and style sections are now protected as CDATA + sections when XHTML mode is on (the default). + + Version 2.70 + + August 4, 2000 + 1. Fixed bug in scrolling_list() which omitted a space in front of + the "multiple" attribute. + 2. Squashed the "useless use of string in void context" message from + redirects. + + Version 2.69 + + 1. startform() now creates default ACTION for POSTs as well as GETs. + This may break some browsers, but it no longer violates the HTML + spec. + 2. CGI.pm now emits XHTML by default. Disable with -no_xhtml. + 3. We no longer interpret &#ddd sequences in non-latin character + sets. + + Version 2.68 + + 1. No longer attempts to escape characters when dealing with non + ISO-8861 character sets. + 2. checkbox() function now defaults to using -value as its label, + rather than -name. The current behavior is what has been + documented from the beginning. + 3. -style accepts array reference to incorporate multiple stylesheets + into document. + + 1. Fixed two bugs that caused the -compile pragma to fail with a + syntax error. + + Version 2.67 + + 1. Added XHTML support (incomplete; tags need to be lowercased). + 2. Fixed CGI/Carp when running under mod_perl. Probably broke in + other contexts. + 3. Fixed problems when passing multiple cookies. + 4. Suppress warnings from _tableize() that were appearing when using + -w switch with radio_group() and checkbox_group(). + 5. Support for the header() -attachment argument, which can give + pages a default file name when saving to disk. + + Version 2.66 + + 1. 2.65 changes in make_attributes() broke HTTP header functions + (including redirect), so made it context sensitive. + + Version 2.65 + + 1. Fixed regression tests to skip tests that require implicit fork on + machines without fork(). + 2. Changed make_attributes() to automatically escape any HTML + reserved characters. + 3. Minor documentation fix in javascript example. + + Version 2.64 + + 1. Changes introduced in 2.63 broke param() when retrieving parameter + lists containing only a single argument. This is now fixed. + 2. self_url() now defaults to returning parameters delimited with + semicolon. Use the pragma -oldstyle_urls to get the old "&" + delimiter. + + Version 2.63 + + 1. Fixed CGI::Push to pull out parameters correctly. + 2. Fixed redirect() so that it works with default character set + 3. Changed param() so as to returned empty string '' when referring + to variables passed in query strings like 'name1=&name2' + + Version 2.62 + + 1. Fixed broken ReadParse() function, and added regression tests + 2. Fixed broken CGI::Pretty, and added regression tests + + Version 2.61 + + 1. Moved more functions from CGI.pm proper into CGI/Util.pm. + CGI/Cookie should now be standalone. + 2. Disabled per-user temporary directories, which were causing grief. + + Version 2.60 + + 1. Fixed junk appearing in autogenerated HTML functions when using + object-oriented mode. + + Version 2.59 + + 1. autoescape functionality breaks too much existing code, removed + it. + 2. use escapeHTML() manually + + Version 2.58 + + This is the release version of 2.57. + + Version 2.57 + + 1. Added -debug pragma and turned off auto reading of STDIN. + 2. Default DTD updated to HTML 4.01 transitional. + 3. Added charset() method and the -charset argument to header(). + 4. Fixed behavior of escapeHTML() to respect charset() and to escape + nasty Windows characters (thanks to Tom Christiansen). + 5. Handle REDIRECT_QUERY_STRING correctly. + 6. Removed use_named_parameters() because of dependency problems and + general lameness. + 7. Fixed problems with bad HREF links generated by url(-relative=>1) + when the url is like /people/. + 8. Silenced a warning on upload (patch provided by Jonas Liljegren) + 9. Fixed race condition in CGI::Carp when errors occur during parsing + (patch provided by Maurice Aubrey). + 10. Fixed failure of url(-path_info=>1) when path contains % signs. + 11. Fixed warning from CGI::Cookie when receiving foreign cookies that + don't use name=value format. + 12. Fixed incompatibilities with file uploading on VMS systems. + + Version 2.56 + + 1. Fixed bugs in file upload introduced in version 2.55 + 2. Fixed long-standing bug that prevented two files with identical + names from being uploaded. + + Version 2.55 + + 1. Fixed cookie regression test so as not to produce an error. + 2. Fixed path_info() and self_url() to work correctly together when + path_info() modified. + 3. Removed manify warnings from CGI::{Switch,Apache}. + + Version 2.54 + + 1. This will be the last release of the monolithic CGI.pm module. + Later versions will be modularized and optimized. + 2. DOMAIN tag no longer added to cookies by default. This will break + some versions of Internet Explorer, but will avoid breaking + networks which use host tables without fully qualified domain + names. For compatibility, please always add the -domain tag when + creating cookies. + 3. Fixed escape() method so that +'s are treated correctly. + 4. Updated CGI::Pretty module. + + Version 2.53 + + 1. Forgot to upgrade regression tests before releasing 2.52. NOTHING + ELSE HAS CHANGED IN LIBRARY + + Version 2.52 + + 1. Spurious newline in checkbox() routine removed. (courtesy John + Essen) + 2. TEXTAREA linebreaks now respected in dump() routine. (courtesy + John Essen) + 3. Patches for DOS ports (courtesy Robert Davies) + 4. Patches for VMS + 5. More fixes for cookie problems + 6. Fix CGI::Carp so that it doesn't affect eval{} blocks (courtesy + Byron Brummer) + + Version 2.51 + + 1. Fixed problems with cookies not being remembered when sent to IE + 5.0 (and Netscape 5.0 too?) + 2. Numerous HTML compliance problems in cgi_docs.html; fixed thanks + to Michael Leahy + + Version 2.50 + + 1. Added a new Vars() method to retrieve all parameters as a tied + hash. + 2. Untainted tainted tempfile name so that script doesn't fail on + terminal unlink. + 3. Made picking of upload tempfile name more intelligent so that + doesn't fail in case of name collision. + 4. Fixed handling of expire times when passed an absolute timestamp. + 5. Changed dump() to Dump() to avoid name clashes. + + Version 2.49 + + 1. Fixes for FastCGI (globals not getting reset) + 2. Fixed url() to correctly handle query string and path under + MOD_PERL + + Version 2.48 + + 1. Reverted detection of MOD_PERL to avoid breaking PerlEX. + + Version 2.47 + + 1. Patch to fix file upload bug appearing in IE 3.01 for + Macintosh/PowerPC. + 2. Replaced use of $ENV{SCRIPT_NAME} with $ENV{REQUEST_URI} when + running under Apache, to fix self-referencing URIs. + 3. Fixed bug in escapeHTML() which caused certain constructs, such as + CGI->image_button(), to fail. + 4. Fixed bug which caused strong('CGI') to fail. Be careful to use + CGI::strong('CGI') and not CGI->strong('CGI'). The latter will + produce confusing results. + 5. Added upload() function, as a preferred replacement for the + "filehandle as string" feature. + 6. Added cgi_error() function. + 7. Rewrote file upload handling to return undef rather than dieing + when an error is encountered. Be sure to call cgi_error() to find + out what went wrong. + + Version 2.46 + + 1. Fix for failure of the "include" tests under mod_perl + 2. Added end_multipart_form to prevent failures during qw(-compile + :all) + + Version 2.45 + + 1. Multiple small documentation fixes + 2. CGI::Pretty didn't get into 2.44. Fixed now. + + Version 2.44 + + 1. Fixed file descriptor leak in upload function. + 2. Fixed bug in header() that prevented fields from containing double + quotes. + 3. Added Brian Paulsen's CGI::Pretty package for pretty-printing + output HTML. + 4. Removed CGI::Apache and CGI::Switch from the distribution. + 5. Generated start_* shortcuts so that start_table(), end_table(), + start_ol(), end_ol(), and so forth now work (see the docs on how + to enable this feature). + 6. Changed accept() to Accept(), sub() to Sub(). There's still a + conflict with reset(), but this will break too many existing + scripts! + + Version 2.43 + + 1. Fixed problem with "use strict" and file uploads (thanks to Peter + Haworth) + 2. Fixed problem with not MSIE 3.01 for the power_mac not doing file + uploads right. + 3. Fixed problem with file upload on IIS 4.0 when authorization in + use. + 4. -content_type and '-content-type' can now be provided to header() + as synonyms for -type. + 5. CGI::Carp now escapes the ampersand BEFORE escaping the > and < + signs. + 6. Fixed "not an array reference" error when passing a hash reference + to radio_group(). + 7. Fixed non-removal of uploaded TMP files on NT platforms which + occurs when server runs on non-C drive (thanks to Steve Kilbane + for finding this one). + + Version 2.42 + + 1. Too many screams of anguish at changed behavior of url(). Is now + back to its old behavior by default, with options to generate all + the variants. + 2. Added regression tests. "make test" now works. + 3. Documentation fixes. + 4. Fixes for Macintosh uploads, but uploads STILL do not work pending + changes to MacPerl. + + Version 2.41 + + 1. url() method now includes the path info. Use script_name() to get + it without path info(). + 2. Changed handling of empty attributes in HTML tag generation. Be + warned! Use table({-border=>undef}) rather than + table({-border=>''}). + 3. Changes to allow uploaded filenames to be compared to other + strings with "eq", "cmp" and "ne". + 4. Changes to allow CGI.pm to coexist more peacefully with + ActiveState PerlEX. + 5. Changes to prevent exported variables from clashing when importing + ":all" set in combination with cookies. + + Version 2.40 + + 1. CGI::Carp patched to work better with mod_perl (thanks to Chris + Dean). + 2. Uploads of files whose names begin with numbers or the Windows + \\UNC\shared\file nomenclature should no longer fail. + 3. The <STYLE> tag (for cascading style sheets) now generates the + required TYPE attribute. + 4. Server push primitives added, thanks to Ed Jordan. + 5. Table and other HTML3 functions are now part of the :standard set. + 6. Small documentation fixes. + + TO DO: + 1. Do something about the DTD mess. The module should generate + correct DTDs, or at least offer the programmer a way to specify + the correct one. + 2. Split CGI.pm into CGI processing and HTML-generating modules. + 3. More robust file upload (?still not working on the Macintosh?). + 4. Bring in all the HTML4 functionality, particular the accessibility + features. + + Version 2.39 + + 1. file uploads failing because of VMS patch; fixed. + 2. -dtd parameter was not being properly processed. + + Version 2.38 + + I finally got tired of all the 2.37 betas and released 2.38. The main + difference between this version and the last 2.37 beta (2.37b30) are + some fixes for VMS. This should allow file upload to work properly on + all VMS Web servers. + + Version 2.37, various beta versions + + 1. Added a CGI::Cookie::parse() method for lucky mod_perl users. + 2. No longer need separate -values and -labels arguments for + multi-valued form elements. + 3. Added better interface to raw cookies (fix courtesy Ken Fox, + kfox@ford.com) + 4. Added param_fetch() function for direct access to parameter list. + 5. Fix to checkbox() to allow for multi-valued single checkboxes + (weird problem). + 6. Added a compile() method for those who want to compile without + importing. + 7. Documented the import pragmas a little better. + 8. Added a -compile switch to the use clause for the long-suffering + mod_perl and Perl compiler users. + 9. Fixed initialization routines so that FileHandle and type globs + work correctly (and hash initialization doesn't fail!). + 10. Better deletion of temporary files on NT systems. + 11. Added documentation on escape(), unescape(), unescapeHTML() and + unescapeHTML() subroutines. + 12. Added documentation on creating subclasses. + 13. Fixed problem when calling $self->SUPER::foo() from inheriting + subclasses. + 14. Fixed problem using filehandles from within subroutines. + 15. Fixed inability to use the string "CGI" as a parameter. + 16. Fixed exponentially growing $FILLUNIT bug + 17. Check for undef filehandle in read_from_client() + 18. Now requires the UNIVERSAL.pm module, present in Perl 5.003_7 or + higher. + 19. Fixed problem with uppercase-only parameters being ignored. + 20. Fixed vanishing cookie problem. + 21. Fixed warning in initialize_globals() under mod_perl. + 22. File uploads from Macintosh versions of MSIE should now work. + 23. Pragmas now preceded by dashes (-nph) rather than colons (:nph). + Old style is supported for backward compatibility. + 24. Can now pass arguments to all functions using {} brackets, + resolving historical inconsistencies. + 25. Removed autoloader warnings about absent MultipartBuffer::DESTROY. + 26. Fixed non-sticky checkbox() when -name used without -value. + 27. Hack to fix path_info() in IIS 2.0. Doesn't help with IIS 3.0. + 28. Parameter syntax for debugging from command line now more + straightforward. + 29. Added $DISABLE_UPLOAD to disable file uploads. + 30. Added $POST_MAX to error out if POSTings exceed some ceiling. + 31. Fixed url_param(), which wasn't working at all. + 32. Fixed variable suicide problem in s///e expressions, where the + autoloader was needed during evaluation. + 33. Removed excess spaces between elements of checkbox and radio + groups + 34. Can now create "valueless" submit buttons + 35. Can now set path_info as well as read it. + 36. ReadParse() now returns a useful function result. + 37. import_names() now allows you to optionally clear out the + namespace before importing (for mod_perl users) + 38. Made it possible to have a popup menu or radio button with a value + of "0". + 39. link() changed to Link() to avoid overriding native link function. + 40. Takes advantage of mod_perl's register_cleanup() function to clear + globals. + 41. <LAYER> and <ILAYER> added to :html3 functions. + 42. Fixed problems with private tempfiles and NT/IIS systems. + 43. No longer prints the DTD by default (I bet no one will complain). + 44. Allow underscores to replace internal hyphens in parameter names. + 45. CGI::Push supports heterogeneous MIME types and adjustable delays + between pages. + 46. url_param() method added for retrieving URL parameters even when a + fill-out form is POSTed. + 47. Got rid of warnings when radio_group() is called. + 48. Cookies now moved to their very own module. + 49. Fixed documentation bug in CGI::Fast. + 50. Added a :no_debug pragma to the import list. + + Version 2.36 + + 1. Expanded JavaScript functionality + 2. Preliminary support for cascading stylesheets + 3. Security fixes for file uploads: + + Module will bail out if its temporary file already exists + + Temporary files can now be made completely private to avoid + peeking by other users or CGI scripts. + 4. use CGI qw/:nph/ wasn't working correctly. Now it is. + 5. Cookie and HTTP date formats didn't meet spec. Thanks to Mark + Fisher (fisherm@indy.tce.com) for catching and fixing this. + + p + + Version 2.35 + + 1. Robustified multipart file upload against incorrect syntax in + POST. + 2. Fixed more problems with mod_perl. + 3. Added -noScript parameter to start_html(). + 4. Documentation fixes. + + Version 2.34 + + 1. Stupid typo fix + + Version 2.33 + + 1. Fixed a warning about an undefined environment variable. + 2. Doug's patch for redirect() under mod_perl + 3. Partial fix for busted inheritence from CGI::Apache + 4. Documentation fixes. + + Version 2.32 + + 1. Improved support for Apache's mod_perl. + 2. Changes to better support inheritance. + 3. Support for OS/2. + + Version 2.31 + + 1. New uploadInfo() method to obtain header information from uploaded + files. + 2. cookie() without any arguments returns all the cookies passed to a + script. + 3. Removed annoying warnings about $ENV{NPH} when running with the -w + switch. + 4. Removed operator overloading throughout to make compatible with + new versions of perl. + 5. -expires now implies the -date header, to avoid clock skew. + 6. WebSite passes cookies in $ENV{COOKIE} rather than + $ENV{HTTP_COOKIE}. We now handle this, even though it's O'Reilly's + fault. + 7. Tested successfully against new sfio I/O layer. + 8. Documentation fixes. + + Version 2.30 + + 1. Automatic detection of operating system at load time. + 2. Changed select() function to Select() in order to avoid conflict + with Perl built-in. + 3. Added Tr() as an alternative to TR(); some people think it looks + better that way. + 4. Fixed problem with autoloading of MultipartBuffer::DESTROY code. + 5. Added the following methods: + + virtual_host() + + server_software() + 6. Automatic NPH mode when running under Microsoft IIS server. + + Version 2.29 + + 1. Fixed cookie bugs + 2. Fixed problems that cropped up when useNamedParameters was set to + 1. + 3. Prevent CGI::Carp::fatalsToBrowser() from crapping out when + encountering a die() within an eval(). + 4. Fixed problems with filehandle initializers. + + Version 2.28 + + 1. Added support for NPH scripts; also fixes problems with Microsoft + IIS. + 2. Fixed a problem with checkbox() values not being correctly saved + and restored. + 3. Fixed a bug in which CGI objects created with empty string + initializers took on default values from earlier CGI objects. + 4. Documentation fixes. + + Version 2.27 + + 1. Small but important bug fix: the automatic capitalization of tag + attributes was accidentally capitalizing the VALUES as well as the + ATTRIBUTE names (oops). + + Version 2.26 + + 1. Changed behavior of scrolling_list(), checkbox() and + checkbox_group() methods so that defaults are honored correctly. + The "fix" causes endform() to generate additional <INPUT + TYPE="HIDDEN"> tags -- don't be surpised. + 2. Fixed bug involving the detection of the SSL protocol. + 3. Fixed documentation error in position of the -meta argument in + start_html(). + 4. HTML shortcuts now generate tags in ALL UPPERCASE. + 5. start_html() now generates correct SGML header: + <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN"> + + 6. CGI::Carp no longer fails "use strict refs" pragma. + + Version 2.25 + + 1. Fixed bug that caused bad redirection on destination URLs with + arguments. + 2. Fixed bug involving use_named_parameters() followed by + start_multipart_form() + 3. Fixed bug that caused incorrect determination of binmode for + Macintosh. + 4. Spelling fixes on documentation. + + Version 2.24 + + 1. Fixed bug that caused generation of lousy HTML for some form + elements + 2. Fixed uploading bug in Windows NT + 3. Some code cleanup (not enough) + + Version 2.23 + + 1. Fixed an obscure bug that caused scripts to fail mysteriously. + 2. Fixed auto-caching bug. + 3. Fixed bug that prevented HTML shortcuts from passing taint checks. + 4. Fixed some -w warning problems. + + Version 2.22 + + 1. New CGI::Fast module for use with FastCGI protocol. See pod + documentation for details. + 2. Fixed problems with inheritance and autoloading. + 3. Added TR() (<tr>) and PARAM() (<param>) methods to list of + exported HTML tag-generating functions. + 4. Moved all CGI-related I/O to a bottleneck method so that this can + be overridden more easily in mod_perl (thanks to Doug MacEachern). + 5. put() method as substitute for print() for use in mod_perl. + 6. Fixed crash in tmpFileName() method. + 7. Added tmpFileName(), startform() and endform() to export list. + 8. Fixed problems with attributes in HTML shortcuts. + 9. Functions that don't actually need access to the CGI object now no + longer generate a default one. May speed things up slightly. + 10. Aesthetic improvements in generated HTML. + 11. New examples. + + Version 2.21 + + 1. Added the -meta argument to start_html(). + 2. Fixed hidden fields (again). + 3. Radio_group() and checkbox_group() now return an appropriate + scalar value when called in a scalar context, rather than + returning a numeric value! + 4. Cleaned up the formatting of form elements to avoid unesthetic + extra spaces within the attributes. + 5. HTML elements now correctly include the closing tag when + parameters are present but null: em('') + 6. Added password_field() to the export list. + + Version 2.20 + + 1. Dumped the SelfLoader because of problems with running with taint + checks and rolled my own. Performance is now significantly + improved. + 2. Added HTML shortcuts. + 3. import() now adheres to the Perl module conventions, allowing + CGI.pm to import any or all method names into the user's name + space. + 4. Added the ability to initialize CGI objects from strings and + associative arrays. + 5. Made it possible to initialize CGI objects with filehandle + references rather than filehandle strings. + 6. Added the delete_all() and append() methods. + 7. CGI objects correctly initialize from filehandles on NT/95 systems + now. + 8. Fixed the problem with binary file uploads on NT/95 systems. + 9. Fixed bug in redirect(). + 10. Added '-Window-target' parameter to redirect(). + 11. Fixed import_names() so that parameter names containing funny + characters work. + 12. Broke the unfortunate connection between cookie and CGI parameter + name space. + 13. Fixed problems with hidden fields whose values are 0. + 14. Cleaned up the documentation somewhat. + + Version 2.19 + + 1. Added cookie() support routines. + 2. Added -expires parameter to header(). + 3. Added cgi-lib.pl compatibility mode. + 4. Made the module more configurable for different operating systems. + 5. Fixed a dumb bug in JavaScript button() method. + + Version 2.18 + + 1. Fixed a bug that corrects a hang that occurs on some platforms + when processing file uploads. Unfortunately this disables the + check for bad Netscape uploads. + 2. Fixed bizarre problem involving the inability to process uploaded + files that begin with a non alphabetic character in the file name. + 3. Fixed a bug in the hidden fields involving the -override directive + being ignored when scalar defaults were passed. + 4. Added documentation on how to disable the SelfLoader features. + + Version 2.17 + + 1. Added support for the SelfLoader module. + 2. Added oodles of JavaScript support routines. + 3. Fixed bad bug in query_string() method that caused some parameters + to be silently dropped. + 4. Robustified file upload code to handle premature termination by + the client. + 5. Exported temporary file names on file upload. + 6. Removed spurious "uninitialized variable" warnings that appeared + when running under 5.002. + 7. Added the Carp.pm library to the standard distribution. + 8. Fixed a number of errors in this documentation, and probably added + a few more. + 9. Checkbox_group() and radio_group() now return the buttons as + arrays, so that you can incorporate the individual buttons into + specialized tables. + 10. Added the '-nolabels' option to checkbox_group() and + radio_group(). Probably should be added to all the other + HTML-generating routines. + 11. Added the url() method to recover the URL without the entire query + string appended. + 12. Added request_method() to list of environment variables available. + 13. Would you believe it? Fixed hidden fields again! + + Version 2.16 + + 1. Fixed hidden fields yet again. + 2. Fixed subtle problems in the file upload method that caused + intermittent failures (thanks to Keven Hendrick for this one). + 3. Made file upload more robust in the face of bizarre behavior by + the Macintosh and Windows Netscape clients. + 4. Moved the POD documentation to the bottom of the module at the + request of Stephen Dahmen. + 5. Added the -xbase parameter to the start_html() method, also at the + request of Stephen Dahmen. + 6. Added JavaScript form buttons at Stephen's request. I'm not sure + how to use this Netscape extension correctly, however, so for now + the form() method is in the module as an undocumented feature. Use + at your own risk! + + Version 2.15 + + 1. Added the -override parameter to all field-generating methods. + 2. Documented the user_name() and remote_user() methods. + 3. Fixed bugs that prevented empty strings from being recognized as + valid textfield contents. + 4. Documented the use of framesets and added a frameset example. + + Version 2.14 + + This was an internal experimental version that was never released. + + Version 2.13 + + 1. Fixed a bug that interfered with the value "0" being entered into + text fields. + + Version 2.01 + + 1. Added -rows and -columns to the radio and checkbox groups. No + doubt this will cause much grief because it seems to promise a + level of meta-organization that it doesn't actually provide. + 2. Fixed a bug in the redirect() method -- it was not truly HTTP/1.0 + compliant. + + Version 2.0 + + The changes seemed to touch every line of code, so I decided to bump + up the major version number. + 1. Support for named parameter style method calls. This turns out + to be a big win for extending CGI.pm when Netscape adds new HTML + "features". + 2. Changed behavior of hidden fields back to the correct "sticky" + behavior. This is going to break some programs, but it is for + the best in the long run. + 3. Netscape 2.0b2 broke the file upload feature. CGI.pm now handles + both 2.0b1 and 2.0b2-style uploading. It will probably break again + in 2.0b3. + 4. There were still problems with library being unable to distinguish + between a form being loaded for the first time, and a subsequent + loading with all fields blank. We now forcibly create a default + name for the Submit button (if not provided) so that there's + always at least one parameter. + 5. More workarounds to prevent annoying spurious warning messages + when run under the -w switch. -w is seriously broken in perl + 5.001! + + Version 1.57 + + 1. Support for the Netscape 2.0 "File upload" field. + 2. The handling of defaults for selected items in scrolling lists and + multiple checkboxes is now consistent. + + Version 1.56 + + 1. Created true "pod" documentation for the module. + 2. Cleaned up the code to avoid many of the spurious "use of + uninitialized variable" warnings when running with the -w switch. + 3. Added the autoEscape() method. v + 4. Added string interpolation of the CGI object. + 5. Added the ability to pass additional parameters to the <BODY> tag. + 6. Added the ability to specify the status code in the HTTP header. + + Bug fixes in version 1.55 + + 1. Every time self_url() was called, the parameter list would grow. + This was a bad "feature". + 2. Documented the fact that you can pass "-" to radio_group() in + order to prevent any button from being highlighted by default. + + Bug fixes in version 1.54 + + 1. The user_agent() method is now documented; + 2. A potential security hole in import() is now plugged. + 3. Changed name of import() to import_names() for compatibility with + CGI:: modules. + + Bug fixes in version 1.53 + + 1. Fixed several typos in the code that were causing the following + subroutines to fail in some circumstances + 1. checkbox() + 2. hidden() + 2. No features added + + New features added in version 1.52 + + 1. Added backslashing, quotation marks, and other shell-style escape + sequences to the parameters passed in during debugging off-line. + 2. Changed the way that the hidden() method works so that the default + value always overrides the current one. + 3. Improved the handling of sticky values in forms. It's now less + likely that sticky values will get stuck. + 4. If you call server_name(), script_name() and several other methods + when running offline, the methods now create "dummy" values to + work with. + + Bugs fixed in version 1.51 + + 1. param() when called without arguments was returning an array of + length 1 even when there were no parameters to be had. Bad bug! + Bad! + 2. The HTML code generated would break if input fields contained the + forbidden characters ">< or &. You can now use these characters + freely. + + New features added in version 1.50 + + 1. import() method allows all the parameters to be imported into a + namespace in one fell swoop. + 2. Parameters are now returned in the same order in which they were + defined. + + Bugs fixed in version 1.45 + + 1. delete() method didn't work correctly. This is now fixed. + 2. reset() method didn't allow you to set the name of the button. + Fixed. + + Bugs fixed in version 1.44 + + 1. self_url() didn't include the path information. This is now fixed. + + New features added in version 1.43 + + 1. Added the delete() method. + + New features added in version 1.42 + + 1. The image_button() method to create clickable images. + 2. A few bug fixes involving forms embedded in <PRE> blocks. + + New features added in version 1.4 + + 1. New header shortcut methods + + redirect() to create HTTP redirection messages. + + start_html() to create the HTML title, complete with the + recommended <LINK> tag that no one ever remembers to include. + + end_html() for completeness' sake. + 2. A new save() method that allows you to write out the state of an + script to a file or pipe. + 3. An improved version of the new() method that allows you to restore + the state of a script from a file or pipe. With (2) this gives you + dump and restore capabilities! (Wow, you can put a "121,931 + customers served" banner at the bottom of your pages!) + 4. A self_url() method that allows you to create state-maintaining + hypertext links. In addition to allowing you to maintain the state + of your scripts between invocations, this lets you work around a + problem that some browsers have when jumping to internal links in + a document that contains a form -- the form information gets lost. + 5. The user-visible labels in checkboxes, radio buttons, popup menus + and scrolling lists have now been decoupled from the values sent + to your CGI script. Your script can know a checkbox by the name of + "cb1" while the user knows it by a more descriptive name. I've + also added some parameters that were missing from the text fields, + such as MAXLENGTH. + 6. A whole bunch of methods have been added to get at environment + variables involved in user verification and other obscure + features. + + Bug fixes + + 1. The problems with the hidden fields have (I hope at last) been + fixed. + 2. You can create multiple query objects and they will all be + initialized correctly. This simplifies the creation of multiple + forms on one page. + 3. The URL unescaping code works correctly now. |