Release notes Plone 4.3.20

This is the last ever release of the Plone 4.3 series! You should be moving to Plone 5.2 by now. See also the release schedule: https://plone.org/download/release-schedule

Note that support for Python 2.6 was dropped a while ago. It might still work, but you should use Python 2.7.

Some highlights of 4.3.20 are:

- Integrated PloneHotfix20200121 for increased security.
- Moved the security check for whether a URL is in the portal to a small separate package: Products.isurlinportal. You can immediately use this on Plone 4.3 and higher. Keep an eye on updates for this package: newer versions will increase security. Often the impact of a fix is too small to warrant a real security hotfix package, but we want to do more regular fixes here.
- Use Products.isurlinportal 1.1.0 with security hardening against whitespace: https://github.com/plone/Products.isurlinportal/issues/1
- Removed broken X-XSS-Protection header from classic theme and unstyled theme.
- Products.PluggableAuthService: Added new events to be able to notify when a principal is added to or removed from a group. These events are notified when principals are added to or removed from a group in ZODBGroupManager. See https://github.com/zopefoundation/Products.PluggableAuthService/issues/17
- z3c.autoinclude: When the environment variable Z3C_AUTOINCLUDE_DEBUG is set, log which packages are being automatically included.
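
The in-portal URL check mentioned in the highlights above, sketched as an added example: this is not the Products.isurlinportal code, and the portal URL, the function name and the exact rejection rules are assumptions made for illustration. It refuses any value containing whitespace or control characters instead of stripping them, then requires the resolved URL to share the portal's scheme and host and to sit under its path.

```python
from urllib.parse import urljoin, urlsplit

# Constructed portal root for the example (assumption, not a real site).
PORTAL_URL = "https://portal.example.org/site"


def is_url_in_portal(url, portal_url=PORTAL_URL):
    """Return True only if `url` resolves to a location inside the portal.

    Hypothetical helper; empty or non-string input is treated as "not in
    portal" here, which is a choice made for this example.
    """
    if not isinstance(url, str) or not url:
        return False
    # Refuse whitespace and control characters anywhere in the value rather
    # than stripping them: browsers drop tabs/newlines and trim leading
    # spaces, so this parser and the browser could otherwise disagree.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    # Browsers treat a backslash like a slash in http(s) URLs; refuse it.
    if "\\" in url:
        return False
    try:
        portal = urlsplit(portal_url)
        # Resolve relative references against the portal root.
        target = urlsplit(urljoin(portal_url.rstrip("/") + "/", url))
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if target.scheme not in ("http", "https"):
        return False
    # Strict comparison: userinfo or an explicit port makes netloc differ.
    if (target.scheme, target.netloc.lower()) != (portal.scheme, portal.netloc.lower()):
        return False
    # urljoin does not normalise absolute URLs, so refuse leftover ".."
    # segments (also when percent-encoded) before the prefix comparison.
    segments = [s.lower().replace("%2e", ".") for s in target.path.split("/")]
    if ".." in segments:
        return False
    portal_path = portal.path.rstrip("/")
    # Compare whole path segments so "/sitemap" does not match "/site".
    return target.path == portal_path or target.path.startswith(portal_path + "/")
```
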