Open Source e-Learning
  • Login

Breadcrumb Navigation

5.4.10 (stable)

Release 5.4.10 has been published on March 04, 2020
  • Please read the ILIAS 5.4 feature page for information about new and abandoned features and changed behaviour of this version.
  • You find information about first time installation here.
  • Instructions for updating ILIAS can be found here.
  • Please have a look at the page Required Software for 5.4, too.
If you use a customized skin/style, please change the skin settings for root user and default of installation to ‘delos‘ before upgrading from a 4.x version to 5.4.x. Otherwise you may not login any more due to templates changes in former versions.
ILIAS 5.4 comes with a new content style that substitutes the former content style. If you want to keep this outdated style, please create a new style with it before updating to 5.4. Own created styles won't be tackled.
ILIAS is free, open source software and published under the GNU General Public License (GPL).

Format: .zip
 
ILIAS-5.4.10.zip
Download (github.com)
192 MB, 2020-03-04
md5: 3d5d40064190a36aa6bddf874953cadd

Format: .tar.gz
 
ILIAS-5.4.10.tar.gz
Download (github.com)
177 MB, 2020-03-04
md5: 7c0121de51688f92f0e7004a095817f4 

Known Issues

  • none

Changed Behaviour

Escaping HTML/JS in all page editor contexts per default

To a certain extent ILIAS allows to included HTML/JS content in page editor content, e.g. in learning modules. This was a desired feature in the early days of ILIAS and enabled authors to extend the features of the standard editor.

In the context of wikis, this has been deactivated since the beginning (HTML is escaped in a way it is not interpreted by browsers), for other parts like blogs and portfolios it is possible to configure this behaviour.

Even if the page editor can log every change in its "page history", there has been an ongoing discussion between the trade-off of flexibility and security (possible XSS attacks), see e.g. https://docu.ilias.de/goto_docu_wiki_wpage_5406_1357.html

Since not everyone is aware of the implications and since this has been reported as a security issue multiple times now, all page editor contexts will escape HTML in a way it is not interpreted by browsers anymore. "Administration » Editing » ILIAS Page Editor" has been extended to allow the configuration for each context individually. If you trust your authors/users you may reactivate this in this administration setting.

Please note: This is only related to page editor content. HTML Learning modules and uploaded SCORM packages always allow to upload HTML and Javascript content. Do not give permission to create these resources to users you do not trust. Use the RBAC to set permissions accordingly or deactivate these components completely.

Fixed Bugs

The following bugs reported in Mantis have been resolved:
Security Fixes
  • Fixed several cross-site scripting (XSS) errors within the ILIAS editor. (elaborated and reported i. a. by members of the Informatik Institut, Hochschule Albstadt-Sigmaringen: Buck, Binal, Oertel and Prof. Dr. Heer)
#27715: [Cloud Object] Open Info Screen from Repository Dropdown (ttruffer)
#27490: [Course Management] Course: Wrong offset in CSV member export (smeyer)
#26799: [Course Management] Course/Memberships: Assigning local admin role fails if there is no admin left (rare case) (smeyer)
#27423: [Data Collection] crash when adding new view while local role(s) exists (ttruffer)
#27693: [Exercise] Error when trying to export exercise submissions (with deleted users) WITH PEER FEEDBACK (akill)
#27495: [Forum] Wrong value for "New" posts (mjansen)
#22717: [Learning Module ILIAS : Assessment Questions] Formatierungsfehler in der Präsentationsansicht bei Kprim Choice-Frage (bheyser)
#26491: [Learning Module ILIAS : Assessment Questions] Error in TEXT SUBSET QUESTION (bheyser)
#27110: [Learning Module ILIAS : Assessment Questions] Bei manchen Fragentypen wird ein leeres Texteingabefeld mit der Beschriftung qtitle vor der eigentlichen Frage angezeigt. (bheyser)
#26503: [Learning Module ILIAS : Assessment Questions] Missing language variable in text subset question (bheyser)
#26170: [Learning Module ILIAS : Assessment Questions] Incorrect display of "text subset questions" embedded in an ILIAS learning modul (too much content) (bheyser)
#27685: [Login, Auth & Registration] No error page on SAML error (mjansen)
#27744: [Mail] Wrong style for error message when sending of mail fails (mjansen)
#25774: [Main Menu] Main menu admin entry will not created until a user with visibility permissions logins (fschmid)
#27432: [News] Link to new file in course leads to error ("Call to a member function renderer() on null") (akill)
#26210: [News] Adding images to News doesn’t work properly if items are added from the News block (akill)
#27538: [Plugin Slots] Missing language module obj for INFO_TAB_VISIBILITY component (akill)
#24855: [Setup] php7.1 fuer Debian nicht vefuegbar (rbaumgartner)
#27735: [Survey] Survey error: Whoops\Exception\ErrorException thrown with message "sizeof(): Parameter must be an array or an object that imple (akill)
#26702: [System Check] Typo in German text of variable sysc#:#sysc_task_structure_desc (mbarz)
#27852: [Terms of Service] Title of User Agreement/ Terms of Service not changeable (mjansen)
#26468: [Test & Assessment] T&A Horizontal Ordering Question: count(): Parameter must be an array or an object that implements Countable (bheyser)
#26269: [Test & Assessment] PHP message: count(): Parameter must be an array or an object that implements Countable (bheyser)
#27657: [Test & Assessment] Test/Certificate: Bulk download only possible if the actor achieved a certicate (bheyser)
#27076: [Test & Assessment] Creating a formula question produces Error (bheyser)
#27396: [Test & Assessment] Show User's detailed results (Marked Pass) without selecting a user throws an error (bheyser)
#25329: [Test & Assessment] HTML Injection in Nachkorrektur (bheyser)
#24721: [Test & Assessment] Print-Preview: keine Übersetzung des Datums (bheyser)
#27395: [Test & Assessment] Copying a test failsn ("copy(): The second argument to copy() function cannot be a directory") (bheyser)
#26500: [Usability] date range filter does not allow empty values (user agreement history) (mjansen)