HEX
Server: Apache
System: Linux 162-240-236-42.bluehost.com 3.10.0-1160.114.2.el7.x86_64 #1 SMP Wed Mar 20 15:54:52 UTC 2024 x86_64
User: bt667 (1004)
PHP: 8.2.29
Disabled: NONE
$ pwd: /var/softaculous/crafty/
Upload Files
File: //var/softaculous/crafty/changelog.txt
## VERSION_3_7_5 — 2025-11-14 (Livehelp JS Transparency & Icon Refresh)

### Highlights

- Finalized the “local embeds only” policy from 3.7.x  clarifying that every Crafty Syntax deploy must host its own tracking assets to meet 2025 privacy baselines.
- Removed the last obfuscated powered-by tag hiding in `livehelp_js.php`; the credit line now appears as a normal HTML anchor so auditors (and operators) can see exactly what ships in the bundle.
- Added a trailing `csrepeat_()` invocation to `livehelp_js.php` so the floating help icon re-checks operator presence and swaps artwork even after the visitor widget has been idle—most noticeable when the operator drops offline mid-session.
- Repacked the 3.7.5 ZIP to include the clean powered-by link plus the extra refresh call; anyone who grabbed the first 3.7.4 build on 2025‑11‑12 should download the updated archive dated late 2025‑11‑12 or newer.

### Status

- **Release published**: Distributed as `crafty_syntax-3.7.5.zip`; supersedes the late 3.7.4 refresh so partners have one canonical bundle.
- **Upgrade guidance**: If you previously patched to the early 3.7.4 ZIP, copy `livehelp_js.php` (and the updated scratchpad copy) from 3.7.5 so embeds honor the privacy+branding changes without a full reinstall.

## VERSION_3_7_4 — 2025-11-12 (Crafty Syntax Name Restoration)

### Highlights

- Reissued the 3.7.3 codebase under the restored **Crafty Syntax** brand; binaries now publish as `crafty_syntax-3.7.4.zip`.
- Updated headers, about boxes, installer copy, and powered-by strings to read “Crafty Syntax 3.7.4 (formerly Sales Syntax 3.7.3).”
- Refreshed the default login branding: swapped the package logo (`images/logo.png`) and updated `login.php` artwork/labels to show the Crafty Syntax identity.
- Restored the `2025_modern/operator.jpg` asset that was missing from the 3.7.3 package so the modern theme displays correctly in 3.7.4.
- Corrected the quick-upgrade path in `setup.php` to open a database connection before updating `livehelp_config.version`, ensuring the script actually writes `3.7.4` during the drop-in upgrade.
- Generated fresh MD5/SHA256 checksums for both the rebranded package and the archived Sales Syntax bundle so operators can verify integrity.
- Documented the rename across `public/what_was_crafty_syntax.php`, `public/crafty_syntax_evolved.php`, and the Crafty Syntax changelog alias.
- Notified auto-installer partners (Fantastico, Softaculous, Installatron) that the package is a branding update only—no schema or code changes.

### Status

- **Release published**: Use `crafty_syntax-3.7.4.zip` for new installs or upgrades; `salessyntax-3.7.3.zip` remains in `/archive/releases/` for historical reference.
- **Upgrade guidance**: Existing Sales Syntax 3.7.3 installs can drop in the rebranded files or continue running unchanged—functionality is identical.

---

## VERSION_3_7_3 — 2025-11-10 (Timezone Offset & Hardening Sweep)

### Highlights

- Removed the legacy `offset` column from fresh installs so `setup.php` no longer creates or references the misspelled field that broke MySQL import checks.
- Added a tolerant loader for existing databases: if a config row still exposes `offest`, the runtime maps it to `offset` on the fly and falls back to PHP’s active timezone when neither value is present.
- Replaced the admin “time offset” dropdown with a read-only notice that shows either the preserved legacy value or the resolved timezone identifier, avoiding undefined-index warnings during upgrades.
- Mirrored the fixes into the redistributed `/public/salessyntax` snapshot so hosted customers and LUPOPEDIA deployments stay aligned.
- Tightened the HTML embed generator (`htmltags.php`) to display a same-domain placement notice, preventing remote-site integration issues uncovered during shared-host testing.
- Tracking now requires local embeds only. To align with 2025 privacy expectations, remote cross-domain tracking was removed in 3.7.x. All installations must use relative paths on the host domain so visitors are not tracked on third-party sites.
- Sanitized mobile/iPhone settings updates (`cellphone`, `sessiontimeout`) with `filter_sql` so chat operators cannot inject SQL through the quick settings forms.
- Escaped the `see` parameter in `admin_connect.php` before injecting it into the XMLHTTP redirect URL, closing the reflected XSS the legacy admin widget relied on.
- Hardened `setup.php` redisplays by wrapping installer inputs in `cslh_escape`/`rawurlencode` and swapping the column-existence checks over to shared-host-friendly `SHOW COLUMNS` queries.
- Added `scripts/security_sweep.py` so maintainers can automatically flag risky patterns (`eval`, dynamic includes, raw `$_REQUEST`, unescaped `$UNTRUSTED` output) before shipping future patches.
- Completed fresh-install and upgrade validation on Windows (XAMPP) and Linux shared hosts to confirm timezone fallbacks, security fixes, and language loader updates behave consistently.
- Restored operator desktop cues: `admin_users_refresh.php` now escalates focus through nested frames (window.parent.bottomof → parent → top → self) before falling back to an alert, and wraps HTML5/EMBED chat sounds with autoplay-promise catches so operators hear the bell even when browsers block background playback.
- Standardized all “powered by” links to `https://lupopedia.com/?utm_source=poweredby&utm_campaign=poweredby`, removing obfuscation and legacy domains so embeds point at the LUPOPEDIA hub.
- Fixed `leavemessage.php` mail delivery: corrected the status update query, ensured department contact emails are honored, and fall back to `owner_email` so contact alerts always send when visitors leave a message.

---

## Deployment Status (Completed)

- Shared-hosting verification completed on Windows and Linux environments; 3.7.3 is cleared for packaging and distribution to hosted customers.

### Status

- **Patch released**: Tagged as 3.7.3 within 48 hours to unblock installers seeing the `offest` typo and shore up shared-host security.
- **Packaging**: Prepare and distribute the refreshed ZIP bundle to partners; continue monitoring support tickets for any residual timezone edge cases ahead of the planned timezone-schema audit during LUPOPEDIA rollout.
- **Verification**: Final security_sweep.py run, admin console debug regression tests, and fresh install/upgrade retests all pass with no new findings; package is ready for delivery.

---

## VERSION_3_7_2 — 2025-11-10 (Installatron Compliance & Branding Refresh)

### Highlights

- Rebased the working tree on the original 3.7.1 payload (`public/salessyntax/`) so all new fixes start from the shipped, unmodified theme.
- Retired the legacy `filter_html()` sanitizer and swapped every call site to native escaping helpers (`cslh_escape`, `htmlspecialchars`, `rawurlencode`) to eliminate double-sanitization flags raised by Installatron.
- Modernized the visitor typing beacon in `livehelp.php` (and mirrored scripts) to prefer `fetch`/`XMLHttpRequest` while keeping the `<img>`/`GETForm` fallbacks for browsers stuck in 2005.
- Removed obsolete upgrade prompts (`pp.gif`, `gopro.png`, “Go Pro” copy) now that unbranded features ship by default.
- Updated footer credits across operator/admin pages to read: `Sales Syntax Live Help 2003 - 2025 ( a product of Lupopedia LLC )`.
- Added an opt-in `2025_modern` theme (responsive layout, flex-based header/footer, refreshed offline/connecting screens) without disturbing existing templates.
- Mobile and iPhone operator consoles now submit chats through modern `fetch` with `GETForm2` fallback, keeping the `postmessage` workflow intact for legacy browsers.
- Logged the remediation plan in `plan_for_sales_syntax_3_7_2.md` so future patches stay aligned with Installatron requirements.
- Introduced hosted documentation stubs (`howto`, `qa`, `updates`) and new public landing pages (`account.php`, `support.php`, `directory.php`, `members.php`). Added an operator-facing notice on `scratch.php` explaining why the 3.7.2 release preserves the 2012-era UI (to keep diff baselines intact) and how LUPOPEDIA 1.0.0 will layer in modern tooling plus AI-driven migration of community customizations.
- Refreshed `javascript/xmlhttp.js` to use a shared `fetch` wrapper with automatic fallbacks to the legacy `GETForm` helpers, keeping polling/typing scripts functional on older browsers while modern installs run via `fetch`.
- Packaging/testing: preparing the clean 3.7.2 ZIP and verifying shared-host installs with the modernized AJAX pathways.
- Updated configuration helpers so generated URLs drop the domain entirely (always relative paths). This avoids mixed-content issues—legacy installs that were `http://` now call AJAX endpoints over the current scheme (`https://` when needed) without breaking.

### Status

- **Release in preparation**: Regression testing and packaging still pending before tagging 3.7.2.
- **Next steps**: Mirror the modern typing helpers into mobile/iPhone/external clients, refresh shared `xmlhttp.js`, and produce Installatron-ready ZIP + changelog.

---

## VERSION_3_7_1 — 2025-11-09 (Security Patch & LUPOPEDIA Integration)

### Highlights

- Hardened every public visitor entry point (`livehelp.php`, `user_connect.php`, `user_chat_*`, `user_top.php`, `user_qa.php`) to reuse already-sanitized department/tab/offset integers before building redirects, query strings, or embedded JavaScript.
- Sanitized visitor-supplied hidden fields in lost-password and chat-color forms so remote widgets and password-reset flows cannot inject markup when rendered off-site.
- Refreshed the powered-by link in `livehelp_js.php`, allowing brand swaps to point directly to LUPOPEDIA while preserving the optional creditline toggle.
- Expanded the session fingerprinting ladder (`get_ipaddress`) to honor modern proxy/CDN headers, preferring public IPs and falling back safely so legacy installs maintain tracking accuracy.
- Packaged the release as the LUPOPEDIA migration baseline: the core now ships with the full Sales Syntax codebase, layered-pop-up heritage, and 3.7.1 security posture.
- Added LUPOPEDIA-side scaffolding: `livehelps` parent table (Migration 1071), CSV export guidance, and updated public docs (`public/crafty_syntax_evolved.php`, `public/what_was_crafty_syntax.php`) so operators understand the upgrade path.

### Recommended Action

- Apply 3.7.1 (latest GPL release) before migrating. PORTUNUS and LUPO warn or block imports when `livehelps.version = '3.7.0'`.
- After patching, regenerate CSV snapshots so `livehelps_rows.csv` reflects the sanitized schema and `version,3.7.1`.
@ Telegram