This release includes a number of bug fixes some administration improvements and some new security features.
Administration changes
The administration layout has been improved to better support RTL languages. This is part of an ongoing project to provide full RTL support throughout the editor.
Joomla! 1.7 ACL support has been improved (including a small fix related to the omission of the admin rule). Control Panel icons and items in the Options dialog will now respect the ACL settings.
The "support" links (Forum, FAQ, Documentation, Tutorials) in the Control Panel jave been merged into one link item.
New Security Parameters
Joomla! 1.5 and 1.7 both provide a Text Filter option for the Article Manager that, by default, removes applet,body,bgsound,base,basefont,embed,frame,frameset,head,html,id,iframe,ilayer,layer,link,meta,name,object,script,style,title,xml elements, as well as the action,background,codebase,dynsrc,lowsrc attributes. It is sometimes necessary to disable this filtering function for some user groups in order to insert media elements, scripts or iframes. Unfortunately fine-grained configuration with different filtering options for different user groups is not currently possible.
JCE Profiles are prefect for setting up specific configurations for different components, usergroups or users. This could allow for a more precise approach to element and attribute filtering using the Prohibited Elements, Prohibited Attributes and Extended Elements parameters (it will be necessary to have the Cleanup HTML option enabled and the Editor Toggle option disabled)
A Prohibited Elements parameter has existed existed for some time, with a limited default element list. This has been expanded in JCE 2.0.16 to include the full default list used by the Joomla! Text Filter. The difference here is that if you have certain plugins installed or options activated, the affected tags are automatically removed from the list, eg: with the Media Support option activated and the Allow Object and Allow Embed parameters enabled will remove the object and embed tags from the Prohibited Elements list. You can remove any of the other tags by adding them to the Extended Elements list (see below - the applet and frameset elements are allowed by adding them to the Extended Elements list)
A Prohibited Attributes parameter has also been added. This allows you to set a list of attributes that cannot be set for any element. This parameter supports a simple regular expression syntax, eg: on([a-z]+) will remove all event attributes such as onclick, onmouseover etc.
I will be publishing a tutorial soon on JCE 2.0.16 security tips.
For a full list of changes and bugs fixed see the Changelog