5.0.0-alpha.2

Pre-release notes: https://getkirby.com/buzz/v5-alpha

4.4.0-rc.1

Tip

Pages section: if you are experiencing performance issues with a pages section and the table layout, you can try to use rawvalues: true to improve performance. This will use the unprocessed values from the content file, which is a lot more performant, but can result in some broken column previews (which would require processed values).

✨ Enhancements

• Link field: when selecting files, the current page is preselected #6458
• New auto option for (image: ) KirbyTag

  (image: cat.jpg width: auto height: auto)
  

  // config.php
  'kirbytext' => [
      'image' => [
          'width' => 'auto',
          'height' => 'auto',
      ]
  ];

• Image/Gallery blocks: added selector to change background #6430
• Pages, files and users dialogs use proper radio buttons/checkboxes to display selection #6044 #5930
• Site area: using icon defined in site blueprint #5936
• Added support for language-specific UUID urls #6312

  /en/@/page/1234
  /en/@/file/1234
  

• New google icon
• Allow access to the Kirby\Cms\License::HISTORY const #6503
• k-button: use title or text of a button to set aria-label #5899
• $permissions->for(), $modelpermissions->can() and $modelpermissions->cannot() accept a new $default parameter #6548
• Pages, files and users field: default empty string is now correct when only allowed to select one page/file/user #6565
• All fields have a .k-field-type-TYPE CSS class added #5009
• File uploads: preview uses image options from field/section #6611
• Change URL dialog: in multilang, show the language segment as part of the path preview #6607
• content.uuid.index option to prevent index lookup. Will throw an exception if a UUID model cannot be looked up from the cache alone. This requires you to keep a full UUID cache at all times but can be helpful for very large sites where any index lookup would run into memory limits. #6564
  • Use content.uuid.format to specify uuid-v4 as format.
• system.exception hook: return false to prevent error to be logged #5028
• Filename sanitization considers user language for better results #4972
• (image: ) KirbyTag: for local files, add width: auto and/or height: auto to include the actual image dimensions as attributes #5064

🐛 Bug fixes

• Using Cmd + S/Ctrl + S in nested structures/objects with date fields does not corrupt data anymore #6390
• Kirby\Exception\NotFoundException thrown during page rendering now redirects request to the error page (with 404); as Kirby\Exception\ErrorPageException already does #6553
• Link field preview: fixed overflow instead of wrapping for long links #6510
• Tags input: dropdown won't open anymore when max has been reached #6468
• Text block: fixed padding when replacing writer input with texture input #6484
• Panel topbar: fix overflow when breadcrumb gets very long #6348
• A::random() throws exception instead of error when $count is higher than array length #6555
• Fix focus helper for non-native inputs #6347
• Writer field: content with non-breaking changes doesn't anymore show up as changed always #6285
• Fixed new Http\Uri() for relative URLs with a colon inside #6331
• pattern attribute for Panel fields: fixed inconsistencies between frontend and backend validation #6585
• preview blueprint option now supports setting role-based permissions #6572
• $file->previewUrl() returns null if parent page preview is deactivated/not allowed for the user #6572
• Fixed parallel Panel search requests #6409
• Files field: store only filenames when UUIDs disabled and file belongs to the same page #5084
• Sections with table layout: fixed some issues with sorting rows that should be unsortable #6609
• Redirect language URLs with non-translated slugs #3550
• Fixed console error from views without a menu on narrow window widths #6487
• Prev-Next navigation isn’t always hidden anymore on user view

🧹 Housekeeping

• Fix support for .env files in the Panel Vite build config #6516
• Use SERVER as name for the Vite host override env variable #6516

3.10.1

✨ Enhancements

• Update Symfony YAML component to v6 #6161
• Update Composer dependencies

5.0.0-alpha.1

Pre-release notes: https://getkirby.com/buzz/v5-alpha

4.3.0

🎉 Features

• System view: added button to copy relevant system information #6416
• <k-button>: theme supports values suffixed with -icon now, e.g. positive-icon for filled buttons with only the icon colored

<k-button icon="heart" theme="negative-icon" variant="filled">Love</k-button>

✨ Enhancements

• Remove hard-coded restriction of supported servers #6415
• Plugin registration with named arguments #6337 Allow passing plugin info, e.g. version, as argument that gets merged with the info from composer.json

Kirby::plugin(
    name: 'my/plugin',
    extends: [],
    info: [
        'homepage' => 'https://my-plugin.example.com'
    ],
    version: '1.0.0'
);

• The update check in the Panel system view now offers free major updates if included in the activated license #5974
• New icons: text-top, text-middle, text-bottom https://feedback.getkirby.com/592 #6374

• (video: ) KirbyTag: support for disablepictureinpicture attribute #6413
• Editor: new insertNode util #6383
• CSS data-theme with color names #6407
• New download prop for k-link (and respective k-button when passing a link) to set the download attribute #6417
• Page section: Show Add button also in sections only showing listed/unlisted pages when all allowed blueprints create new child pages directly as listed/unlisted https://feedback.getkirby.com/181
• Dropdown options can emit global Panel events on click now, which can be used e.g. when extending setting dropdowns in a plugin to react in JS with an action when option is clicked https://feedback.getkirby.com/638 #6411
• Panel notifications support theme prop #6423
• New window.panel.notification.info(message). #6423
• Upload dialog: better preview icons and separate components for upload items and a single upload item #6424
• QrCode class: methods accept new $border argument #6445 (thanks @rasteiner)
• Added lab examples for k-login and k-login-code. #6365
• Updated PR template #6464

🐛 Bug fixes

• Editor: nodeInputRule only overwrites matched selection #6385
• Writer: inline nodes are included when inline: true mode is active #6386
• File create format option is not applied to non-images anymore #6359
• Non existing media files no longer throw error 500: the thumbnail configuration could not be found #6453
• Fix deprecation warning in router #5895
• Panel search fixed when UUIDs are disabled (thanks to @toebu) #6395
• Fixes Title and Link text translations for the different usages: #6402
  • Writer field email dialog hasTitle field
  • Textarea field email dialog has Link text field
• File upload: fix sort number #6380
• Fix tab badges #6427
• CalendarInput: fix when no value #6422
• DateInput: fix clearing #6392
• Upload dialog: allows @, . and _ in filenames to be consistent with other filename rules #6462
• $file->changeName() now sanitizes new filenames with. included correctly #6462
• Fix line break when label in block preview fields is too long (thanks @tobimori) #6452

☠️ Deprecated

• Plugin registration: Passing info or root in plugin extends array. Instead pass these as standalone named arguments.
• <k-login> is deprecated. Use <k-login-form> instead.
• <k-login-code> is deprecated. Use <k-login-code-form> instead.

♻️ Refactored

• Reusing link and button props in higher-up components #6417
• Introduce new App::currentLanguage() method #6434
• Refactor App::language() to introduce new current option which creates a more predicatable way to
  fetch languages in content, translation and future version methods. #6434
• Clean up of components code for k-login and k-login-code. #6365
• Moved all login-related Vue components into same location #6463
• Aligned some of the component names #6463

🧹 Housekeeping

• Upgrade to eslint 9 #6396
• Used Rector to improve code quality. #6431

4.2.0

🎉 Features

• New api option for Sections to define API endpoints just like for fields #6246

✨ Enhancements

• Added option to change the number of threads for the ImageMagick driver (thanks to @caplod) #6210

<?php

return [
  'thumbs' => [
    'driver' => 'im',
    'threads' => 2
  ]
];

• Video block now also supports local videos by default #6113
• Significantly improved file sorting performance (thanks @rasteiner) #6112
• The login form can now be prefilled for testing use cases with the new value prop of the k-login-view component #6364
• Lab: $helpers docs #6257 #6287
• Improved Panel favicons for dark mode, including media attribute support for custom Panel favicons #5657
• Updated icons: expand, collapse, divider and chart
• Support non string scalar values in where clause builder for 2 arguments (thanks @SeriousKen) #6291
• Add native validity to range input #6253
• Added native validity to calendar, date, time, timoptions inputs #6254
• Enhanced options for database table creation: #6303
  • Adds unsigned option for integers. Defaults to true to maintain backwards compatibility.
  • Adds size option for varchars. Defaults to 255 to maintain backwards compatibility.
  • Adds float type to create a floating point columns.
  • Adds decimal type to create decimal columns with precision and decimal_places options. The new features are aimed at MySQL and are ignored in SQLite as they are not supported. Float and decimal both map to REAL columns in SQLite.
• Improve k-user-avatar #6325
• Translatable panel menu titles #6311
• Allow unknown file extensions to be selected in file open dialog (thanks to @rasteiner) #6263
• Added pagination to the file browser in the link field #6288
• Date and time field interpret a few more input formats correctly #6362
• Table layout: allow modifying default columns #6335

🐛 Bug fixes

• A::prepend() now behaves the same as A::append() (just opposite side) for non-associative arrays #6219
• Translatable range tooltip #6221
• Disabled inputs don't show placeholders anymore #6163
• Choice inputs have similar disabled styling as other fields
• alpha and hue inputs: setting custom min and max props would break the inputs. Those props aren't falsely exposed anymore. #6251
• colorname input: props that were falsely exposed are now correctly unset #6255
• search input: props that were falsely exposed are now correctly unset #6256
• Fixed fallback null value for Text\KirbyTag::parent() #6220
• Fixed upgrade status for PHP version strings with extra information (thanks @SeriousKen) #6262
• Database\Query: Fixed using BETWEEN or NOT BETWEEN in →where() clause (thanks @SeriousKen) #6292
• Database: Fixed handling of boolean values in prepared statements (thanks @SeriousKen) #6297
• Fix for Date::round() not taking timezone into account properly (thanks @SeriousKen) #6264
• Fix header offset when no sticky header #6283
• Fix k-tabs inline variable assignment #6324
• Writer field counter correctly strips HTML again #6323
• Keep title and slug when switching template in create dialog #6328
• Panel fields: fix direction for content language #6350
• Tags input: when creating a new tag, the input is now correctly split at the separator into multiple tags #6341
• Fix blocks styling inside layout column #6280
• Fixed page create dialog when used with pages section on user/file blueprint #6190
• Close all nested drawers when navigating #6274
• Object field: inline previews are not editable anymore when the subfield is disabled #6346
• Fix toggle field preview value error #6249
• Table: fix width for image and flag column on mobile #6228

♻️ Refactored

• Slight performance improvements for Dir::inventory() #6218
• Clean up Cms\Blueprint class #6206
• Fix v-bind order #6333
• Use mounted lifecycle hooks instead of created #6336

🧹 Housekeeping

• Unit tests: properly resetting error handlers (thanks to @SeriousKen) #6259
• Upgraded Psalm
• Added performance tests for Dir::inventory() with various number of page models #6218
• Added more explicit coverage annotations to Options, Query, Text and partially Toolkit packages tests, including additional tests for uncovered code #6220
• Lab: added GitHub source links for all helpers, libraries and CSS examples #6295
• Removed Lab\Example::github() linking to lab example file #6295

4.1.2

🐛 Bug fixes

• Don’t throw an exception in the permalinksToUrlsmethod if a model for a UUID cannot be found #6165
• Don't redeclare the dump helper if it already exists. This fixes Kirby for Herd Pro users and other cases where dump is already defined by the environment #6250
• Fix emoji overflow issue in k-icon-frame #6315
• Fix commands for custom textarea buttons #6039
• More stability for the toFiles method by checking for valid file IDs #6318
• Suppress warnings in the Remote class if system CA is outside of open_basedir #6316
• Fix tables in the object field and license dialog #6307 and partially #6228

4.1.1

🚨 Security release

This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:

• Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
• Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
• Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)

Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.

Updated docs on the Markdown safe mode

During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.

The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML, however there are also risks in the Markdown syntax itself (e.g. malicious javascript: links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.

The documentation on the safe mode contained a wrong code example that used an invalid safeMode option instead of the correct safe option. This has now been corrected. If you already use the safe mode, please check your code.

➡️ Read more

---

✨ Enhancements

• New $file->sharpen() method for images #6227

---

🐛 Bug fixes

• Fixed Str::excerpt() for texts without spaces #6215
• Proper error message when a MIME type of a file is being validated but could not be determined from the file  #6095
• k-button-group wrap with long label line. #6231
• "Invalid Date" parsing dates in pages section with layout: table #6234
• Disable license dialog in demo mode #6271
• Emojis are now working in buttons and the k-icon component #6276

---

🧹 Housekeeping

• Prettier is used properly in CI (and Highlight.vue is properly ignored) #6270
• Remove reviewdog tool from CI to reduce complexity #6290
• Upgrade GitHub workflow actions #6272

3.10.0.1

🚨 Security release

This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:

• Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
• Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
• Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)

Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.

Updated docs on the Markdown safe mode

During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.

The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML, however there are also risks in the Markdown syntax itself (e.g. malicious javascript: links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.

The documentation on the safe mode contained a wrong code example that used an invalid safeMode option instead of the correct safe option. This has now been corrected. If you already use the safe mode, please check your code.

➡️ Read more

3.9.8.1

🚨 Security release

This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:

• Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
• Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
• Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)

Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.

Updated docs on the Markdown safe mode

During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.

The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML, however there are also risks in the Markdown syntax itself (e.g. malicious javascript: links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.

The documentation on the safe mode contained a wrong code example that used an invalid safeMode option instead of the correct safe option. This has now been corrected. If you already use the safe mode, please check your code.

➡️ Read more