It’s summer, and SPIP 2.1.1 hits the beaches

Hi there,
A new version of SPIP has been released this summer.
At about 3 months after the release of version 2.1, the new 2.1.1 is poking its head out of its shell already.
As per usual, you can download it here:

  • New in : SPIP 2.1

The major reason for releasing this version is due to the discovery of a potential JavaScript code injection attack which has been corrected in the new release. Some other less serious errors have also been eliminated and a few extra features have been added.

The exhaustive list of changes can be viewed in the CHANGELOG file found in the root of your SPIP installation.

And a simplified list of these changes is detailed here below for your reading pleasure:

  • the SQL virtual server is updated following the unification of its error processing routines for all database ports (the PostGres port in particular has been subject to numerous regressions);
  • the management of multiple or multi-server SQL databases is now more consistent and intuitive.
  • certain tags and functions with holes have been corrected, specifically to possibly enable plugins with another tool other than the CFG plugin. This entails:
    • the #PLUGIN tag which now supplies all of the information featured in the plugin.xml file
    • the #URL_ECRIRE tag, which returns an empty string if its argument is an unavailable script
    • the #ACTION_FORMULAIRE tag, which has its first argument equal to #ENV{action} by default
    • the plugins_afficher_plugin_dist function which automatically supplies alink to the configurer_NAME_OF_THE_PLUGIN script or template if there is one
    • the maj_while funciton which now nows have to make updates to the tables used by a plugin
    • the lire_meta, ecrire_meta, and effacer_meta functions which can be applied to other tables of meta data other than the standard table.
  • the #INTRODUCTION tag now works for sections like it has always done for articles (includes the #DESCRIPTIF field data)
  • all of the LOGO_xxx tags now work according to the same standards:
    • #LOGO_xxx{200, 0} produces the same as [(#LOGO_xxx|image_reduire{200, 0})] ;
    • LOGO_DOCUMENT** returns the correct path to the thumbnail file
  • a single document can now bee marked as being linked to several objects (articles,...)
  • correction of a bug found in complex CVT forms
  • output of statistics in CSV format
  • addition of the type='mime/type' on [<emb1>->doc1] links
  • checking the status of an article when requesting its status to be changed, in order to avoid repeat proposition of an article already published (#1932)
  • in the event of a dead SQL connection, a old reusable cache must pass through gunzip
  • use the native json_encode() funciton when there is one
  • manage the session caches in flat format and no longer in a sub-directory; use the data in the cache rather than filemtime.
  • correction of a major bug in the management of header('HTTP/1.1 404 Not Found');
  • improvement in the lignes_longues code which introduced spaces willy-nilly
  • enable searching a forum by IP address, and display of all the links if they’ve been hacked with [style=position:relative left:-999px]
  • a TEST mode: judiciously placed define() functions used to invalidate microblogs and sending emails
  • securing JavaScript code in the informer_auteur function (credit: Dotsafe)
  • delete the date check on articles which are really old (Mathieu Lopes)
  • IPv6 compatibility for the IP field in the spip_forum table (Senjamin Sonntag)
  • correction of a bug in lignes_longues used in the forums (multiple spaces introduced by error in the 2.1 release)
  • the post_insertionpipeline, used in plugins for attaching objects pending the creation of the principal object in the database + correction of the pre_insertion pipeline for spip_auteurs
  • security on the declaration of external databases (Thomas Sutton)
  • taking into account of progid:DXImageTransform.Microsoft.AlphaImageLoader(src=...) in the CSS compressor
  • inclusion of function files when using the matrix
  • correction of the "W" bug in certain versions of Opera and IE which trigger the saving of the article currently being edited (#1940)
  • reintroduction of accent marks in passwords (which were messed up when passed through sha256) (#1945)
  • correction of the speed bug occurring when saving revisions (patch per device)
  • correction of the form_hidden function with HTML URLs
  • administrators can once again change their email addresses without needing to make email confirmations (bug introduced in 2.1)
  • emptying of the path cache for var_mode=recalcul even if the admin cookie has been lost
  • var2js is now compliant with json_encode
  • correction of the loss of context for "propre" or "arbo" URLs of the form: article32.html
  • direction_css can be used on template CSS files (if the template has the .css.html file extension)
  • the charger_filtre() function for loading and looking for a filter from PHP code
  • #PLUGIN{xxx,tout} enables the retrieval of all of the info in the plugin (Eric)
  • correction of a bug in indirect pagination when the pagination step is dynamically specified
  • notification calls on instituerbreve and instituersite

Note also that if you have stayed using version 2.0, a new version has been generated to correct the security hole, which you can download here :

See you again soon !
Ben, on behalf of the SPIP team

But since we’re also into the common "hype/modern/marketing" trends, we also use mass information distribution systems such as:
-  twiiiiiter :
-  Farcebook :
-  identica :

Author Mark Published : Updated : 06/08/22

Translations : English, français