Plone 2.5.3 (May 18, 2007)


This is a historical page intended for people who can't upgrade. Current versions of Plone can be found on the overview page.

Important security fixes for potential XSS vulnerabilities, faster and more robust migration code, and more. A mandatory update.

For additional information about this project, please visit the overview page.

For installation instructions go to:

There may be hotfixes applicable to this release. Always check the Plone Hotfix Page before production deployment.

Release Notes

  • State: Final release
  • License: GPL
  • Release Manager: Alec Mitchell
  • Released: 2007/05/16 00:00:00 Universal

Includes fixes related to the Zope XSS vulnerability, more efficient and robust upgrade/migration code, re-enables user skin selection, i18n improvements and other bugfixes.

  • The recommended Zope version for this release is now 2.9.7+. It can optionally be used with Zope 2.8.9 by installing the latest Five 1.2.x release.
  • Important: Running any earlier versions of Zope with this version of Plone will not work, since we require the security changes in Zope 2.9.7 (or 2.8.9 if you're still running your site on 2.8.x). The installers contain the correct versions, but if you're doing a manual install/setup, make sure you have the right version of Zope.

Change log

Plone 2.5.3 - Final - released May 16, 2007

  • Forbid catalog metadata names in Give Manager proxy so that ids can be checked even if listing the contents of the parent is forbidden. [alecm]
  • Further optimized the migrations from older Plone versions. We reindex the whole catalog once and only once, independent of the Plone version we start migrating from. [hannosch]
  • Made migration twice as fast; it was re-cataloging unnecessarily. [hazmat][limi]
  • Fix bad links between templates prefs_users_overview, prefs_user_details and prefs_user_membership (remove starting space and force portal_url) [encolpe]

Plone 2.5.3 - Release Candidate - released April 28, 2007

  • Fix improper uses of CatalogTool.searchResults where a dict was passed as the first argument in place of REQUEST. [nouri, maurits]
  • Reindex security recursively after group name update in stripGRUFLocalRolePrefix. Fixes [alecm]
  • Add back user skin cookie deletion on logout. Fixes [alecm]
  • Add POST-only protections to security critical methods (see [mj, bloodbare, alecm]
  • Set the current instance version on site creation so we can migrate properly. [wichert]
  • Fixed some bugs in addtoFavorites [ender]
  • Fixed cropping of utf8 encoded text (cropText script). This fixes [naro]
  • Fixed problems with migrating member data like a member's full name. This closes [tesdal]
  • Add a new IHideFromBreadcrumbs interface. Items marked with this interface will not be shown in the breadcrumb trail. Mark the portal factory with this interface so it no longer pollutes the breadcrumbs. [wichert]
  • Made CatalogTool.ExtensibleIndexableObjectWrapper a subclass of the CMFCore.CatalogTool.IndexableObjectWrapper class to ensure Plone doesn't miss out on improvements made there. EIOW instances now proxy Zope3 interface declarations of the wrapped object. [mj]