What's New In v1.3.9h:
Download available here: http://sourceforge.net/projects/zencart/files/

Contains new Security Fixes

Updates include:
  • CHANGE-74 - Fix unsanitized inputs in some forms
  • CHANGE-84 - Add security token to forms, to prevent CSRF/XSS attacks
  • CHANGE-86 - Add session cookie handling switches to Sessions configuration screen in Admin to allow server-specific customization of cookie handling
  • BUGSFORUM-1530 - HTML editing in Admin UI caused undesirable display confusion due to aggressive security protections. Removed the need for whitelisting which was introduced in v1.3.9g (custom whitelist files can be removed)
  • BUGSFORUM-1542 - Added further sanity checks to linkpoint_api module to further prevent SGS-002301 errors
  • BUGSFORUM-1548 - Fix problem with improper address matching if PayPal returns a blank address in an Express Checkout transaction
  • BUGSFORUM-1557 - Fix deprecated PayPal EC API key names
  • BUGSFORUM-1559 - Fix minor table nesting issue
  • BUGSFORUM-1561 - Minor messageStack error in admin upload class
  • BUGSFORUM-1562 - Admin page for "specials" - error in displayed info
  • BUGSFORUM-1565 - Fix problem with PayPal Express Checkout where shipping wasn't recalculated if shopping cart contents were altered midway through checkout.
  • BUGSFORUM-1566 - Minor fix to error message handling in admin upload class
  • BUGSFORUM-1577 - Password must contain a minimum of x characters
  • BUGSFORUM-1262 - Fix HTMLarea error message on Safari browsers.
  • Authorize.net - Updated Fraud Detection Suite filter handling
  • Minor: Updated some payment modules to have 15 instead of 10 years shown for expiry dates when entering credit card details (Singapore is issuing such card dates)

If you're upgrading from v1.3.9a, b, c, d, e or f, you can simply update the files listed in EACH OF the "Changelog for v1.3.9b", "c", "d", "e", "f" and "g" documents in the /docs/ folder of the download zip.
(There are no database changes between v1.3.9a-b-c-d-e-f-g-h.)
(There's no need to remove/re-install payment modules between "d" and "e" and "f" and "g" and "h".)

If you're upgrading from v1.3.8a or older versions, you need to follow the FULL upgrade instructions, also in your /docs/ folder.

It is advisable to clear your browser cache and cookies after upgrading, before attempting to access your Admin section. Old admin cookies may prevent you from logging in until you clear the cache and cookies and restart the browser.


Many people have asked about the "missing ?> at the end of some PHP files".
This is INTENTIONAL, and explained here: http://tutorials.zen-cart.com/index.php?article=313
It is NOT an error in the files or the download.