
Releases: getkirby/kirby

3.5.7

02 Jul 09:30
3395389

Security

Cross-site scripting (XSS) from field and configuration text displayed in the Panel

This release fixes the following XSS vulnerabilities inside the Panel:

  • Placeholders in core translation strings (e.g. in error or info messages) are now escaped.
  • Error message boxes in dialogs and the fields section now only display the escaped exception message.
  • Data displayed in the users and settings view (list of users/languages) is now escaped.
  • The default text displayed by the files and pages sections (filename/page title), the files, pages and users fields (filename/page title/username) and by query-based checkboxes, radio, tags and multiselect fields (default text depending on the used query) is now escaped.

Note: Custom text, help and info queries in blueprints are not escaped in 3.5.7. We support HTML in these properties because there are valid use-cases for custom formatting. However there can still be XSS vulnerabilities depending on your use of these properties. In Kirby 3.6 we will provide a new feature that will make it much easier to control whether you want to allow HTML from query placeholders.

You can find out more about the issues and fixes in our security advisory.

PHPMailer update

  • PHPMailer has a new security release, which fixes two of their security issues. According to their release notes there seems to be a small, insignificant breaking change in their validator code. We still decided to adopt the security fixes as soon as possible and include them in this release.

🎉 Features

  • Support for custom callbacks for Str::template() (e.g. to escape query output) #3454

    Str::template($value, $data, [
        'callback' => function ($result) {
            return Str::ucwords($result);
        }
    ]);
  • The Box component now supports a text-only mode (with the html prop set to false). For compatibility, the default value is currently true. We plan to make false (escaped text) the new default behavior in Kirby 3.6.0.
  • The Autocomplete component now has support for HTML in the text property with a new html property (defaults to false).
  • New this.$helper.string.escapeHTML (or this.$esc) helper to escape HTML special characters as entities
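The reason the callback matters for the note above about unescaped query placeholders is easiest to see with a stand-alone stand-in. The following is an added example, not Kirby's own Str::template() implementation: renderTemplate(), the sample data and the template string are all hypothetical and constructed for illustration. The callback is applied to every resolved placeholder value before it is inserted, so field content that contains markup is neutralised in one place.

```php
<?php
// Added example: a minimal placeholder renderer with an escape callback.
// It is NOT Kirby's Str::template(); renderTemplate() and the sample data
// below are hypothetical and exist only to show why the callback matters.

function renderTemplate(string $template, array $data, ?callable $callback = null, string $fallback = ''): string
{
    return preg_replace_callback(
        '/\{\{\s*([a-zA-Z0-9_.]+)\s*\}\}/',
        function (array $match) use ($data, $callback, $fallback): string {
            $key = $match[1];

            // unknown keys resolve to the fallback instead of leaving the
            // raw placeholder syntax in the output
            $value = array_key_exists($key, $data) ? (string)$data[$key] : $fallback;

            // the callback runs on every resolved value, so escaping cannot
            // be forgotten for an individual placeholder
            return $callback !== null ? (string)$callback($value) : $value;
        },
        $template
    );
}

// constructed sample data: a title an editor could have typed into a field
$data = [
    'title'  => 'Launch <script>alert(document.cookie)</script>',
    'author' => 'Jane & Co',
];
$template = '{{ title }} by {{ author }} ({{ missing }})';

// without a callback the field content reaches the browser unchanged
$raw = renderTemplate($template, $data, null, '-');

// with an escaping callback, HTML special characters become entities
$escaped = renderTemplate($template, $data, function (string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}, '-');

echo "raw:     " . $raw . "\n";
echo "escaped: " . $escaped . "\n";
```

Running this prints the raw line with the `<script>` element intact and the escaped line with `&lt;script&gt;` and `&amp;` in its place; only the second is safe to place into Panel markup. The same shape applies to the real API: pass an escaping function as the 'callback' option whenever the template data comes from content editors rather than from code.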

Enhancements

  • Improved the blocks and layout field values so that the isEmpty() field method works with them #3153
  • Supports the additional asset extensions map, json, avif and mjs for plugins #3436
  • Str::template() now supports an $options array that can contain fallback, callback, start, end attributes. We plan to deprecate the old $fallback, $start and $end arguments in 3.6.0. #3454
  • The Kirby\Sane\Svg::$allowedNamespaces property is now public to allow customizing it to your needs. #3424
  • Dropdowns in the Panel are now automatically aligned vertically, depending on their position in the window. #3080
  • The Card component now supports HTML in its text property for consistency with ListItem.
  • The Radio, Tags and Multiselect input components now support HTML in their text properties for consistency with Checkboxes.

Fixes

  • Toggle and checkbox field labels support HTML again #3278
  • Fixed filtering based on field value sizes #3382
  • Fixed updating pages and files sections after sorting a page/file in another section #3399
  • Fixed width prop of columns in the table block preview #3323
  • Fixed preview output in the table block preview #3324
  • Fixed autofocus option for list and writer fields #3122
  • Fixed writer field empty state #3365
  • Added missing marks prop for quote block #3443
  • Dir::make(): Fixed warning when there is a file in the provided folder path #3442

Refactoring

  • Table block and structure field refactored to display properly in block table #3411


3.5.6

08 Jun 07:55
aadf1c2

Features

  • New Locale::get() method to access the current PHP locales #3319
  • New A::apply($array, $parameters) method that recursively loops through the array and resolves each entry that is a Closure by calling it with the passed parameters #3331
  • Collection::values($map) now accepts a mapping Closure as first parameter. All items are resolved with this Closure. #3332

Enhancements

  • Added some missing @since tags in doc-blocks #3336
  • The layout property of the tags field is now documented #3371
  • Updated translations

Fixes

  • Fixed browser back button in the Panel #3216
  • The configured database port is no longer ignored in the DB class #3302
  • The list block is no longer out of sync with the drawer #3320
  • Hard coded labels in the writer field have been updated with their translations #3316

Refactoring

  • Our continuous integration workflow has been improved and is now more robust against unexpected tool changes. #3335


3.5.5

11 May 09:52
efe24a6

🎉 Features

Allow setting the page cache expiry from controllers #3246 #3292

  • New $kirby->response()->cache(false) method that can be used to completely disable Kirby's page cache from controllers or templates
  • It is now also possible to set the page cache expiry timestamp from controllers or templates:

    $kirby->response()->expires(1234567890); // timestamp
    $kirby->response()->expires(60);         // minutes
    $kirby->response()->expires('2021-12-31');

video KirbyTag supporting local and remote videos #3104

Supports local videos, YouTube and Vimeo with a completely overhauled video tag.

New Attributes:

  • autoplay
  • controls (default: true)
  • loop
  • muted *
  • poster
  • preload (auto, metadata, none)

* The video will automatically be muted if autoplay is activated and the muted option is not defined

Usage:

# local
(video: local-video.mp4)

# remote
(video: https://www.getkirby.com/sample-video.mp4)

# example 1
(video: local-video.mp4  autoplay: true)

# example 2
(video: local-video.mp4 controls: false autoplay: true loop: true)

# example 3
(video: local-video.mp4 poster: cover.jpg)

# example 4
(video: local-video.mp4 preload: auto)

# example 5
(video: https://www.getkirby.com/sample-video.mp4 muted: true controls: false autoplay: true)

# example 6
(video: local-video.mp4 poster: https://www.getkirby.com/sample-cover.jpg)

Other features

  • The $kirby->response()->header() method now accepts a new third $lazy param. If set to true, an already set header is not overridden. #3292
  • Blocks: New $block->excerpt() method #3196

Enhancements

  • All pages that rely on Kirby's session are now automatically excluded from Kirby's page cache and from the browser and intermediary caches #3292
  • When setting cache values, you can now define an absolute expiry timestamp instead of the number of minutes. The number of minutes is still supported and auto-detected. #3246
  • The email auth challenge now uses the user's language, the configured panel.language or the site's default language for the email text (in that order) #3294
  • Slots for the ListItem component #3217
  • Topbar: Configurable menu entry for views #3206
  • Editor → Blocks conversion of paragraph no longer lacks <p> #3210
  • Support HTML tags on list items text attribute #3200
  • Blocks field: new delete button inside the drawer #3180
  • Blocks field: fixed inconsistencies in max items behaviour #3179
  • Better login error message in debug mode "Passwords do no match" #3165
  • FileCache: Now cleans up empty directories on remove() #3162
  • Handling of fatal Exceptions #3154
  • Updated pull request template #3286
  • Updated Composer dependencies #3280
  • In-code UI component documentation #3175

Refactorings

  • Fixed Form\OptionsQuery prop types #3283
  • Use shared Laminas escaper instance #3274
  • Fixed file permissions #3258
  • Updated docblocks for esc() helpers/methods #3254
  • esc() helper: Remove unused $strict param #3252
  • Removed duplicated jp2 file extension for F class #3253
  • Improved Structure/StructureObject parameter docs #3251
  • Added Languages::__construct() parameter description #3249
  • Fixed doc blocks for field methods #3229
  • Fixed and extended doc blocks and parameter hinting #3223
  • Fixed return types: $this, static and self #3167
  • Deprecated: improved docs and warnings #3166

Fixes

  • Fixed the default sender domain for the email auth challenge if the site URL contains a path #3294
  • Video block now saves captions correctly #3264
  • Using dynamic query language values for API option URLs in blueprints no longer fails #3260
  • Layout field: the link title is no longer deleted when leaving a page and returning #3255
  • The $ignore parameter in Dir::copy() is now passed down in recursive calls #3243
  • Whoops now handles custom HTTP codes from exceptions correctly #3237
  • Links no longer overflow in disabled structure fields #3227
  • Fixed error when clicking on non-translatable files field in second language #3220
  • Duplicating a page with an empty URL appendix is no longer possible #3214
  • Fixed date validation bug in invalid() helper #3208
  • Fixed error message on empty URL appendix #3205
  • Blocks writer preview now applies field props #3145
  • Added missing nodes prop for writer field #3144
  • Writer & list field: fixed issue with the revert bar after focusing a new field #3126
  • List Items no longer get saved with <p>-tags in list-block #3086
  • The toolbar of the writer field no longer overflows in the drawer #2971


3.5.4

27 Apr 08:36
3d580d8

Security release

This security release fixes a cross-site scripting (XSS) vulnerability from unvalidated uploaded SVG or XML files.

Impact

An editor with write access to the Kirby Panel can upload an SVG or XML file that contains harmful content like <script> tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the script will run and can for example trigger requests to Kirby's API with the permissions of the victim.

This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.

Visitors without Panel access can only use this attack vector if your site allows SVG or XML file uploads in frontend forms and you don't already validate or sanitize uploaded SVG or XML files.

The attack requires user interaction by another user or visitor and cannot be automated.

Patches

Uploads in the Panel

The problem has been patched in this release by validating uploaded SVG and XML files and rejecting potentially harmful files. Please update to this or a later version to fix the vulnerability.

Frontend upload forms

Frontend upload forms need to be patched separately depending on how they store the uploaded file(s). If you use File::create(), you are protected by updating to Kirby 3.5.4+.

Validate existing files

Already uploaded files are not automatically validated again. If you are not sure whether you have been impacted by this vulnerability in the past, we recommend running all site files through the validator classes after updating to Kirby 3.5.4. You can use the following test script by pasting it into a template or uploading it to your web root:

<?php

@include_once __DIR__ . '/kirby/bootstrap.php';

if (version_compare(kirby()->version(), '3.5.4', '<') === true) {
  die('This script requires Kirby 3.5.4+.');
}

$objects = [
  // the site itself
  site(),

  // all pages and drafts
  ...site()->index(true)->values(),

  // all users
  ...kirby()->users()->values()
];

$errors = false;
foreach ($objects as $object) {
  foreach ($object->files() as $file) {
    try {
      // validate the contents lazily
      // (if a validator exists)
      $file->validateContents(true);
    } catch (\Kirby\Exception\InvalidArgumentException $e) {
      echo $file->id() . ': ' . $e->getMessage() . "<br>\n";
      $errors = true;
    }
  }
}

if ($errors === false) {
  echo 'No validation errors found.';
}

You only need to run this validator script once as future uploads will automatically be validated. If the script prints "No validation errors found", you have not been impacted by the vulnerability so far.

The errors it lists may or may not be critical, as our validator classes also catch files with an invalid data structure or less harmful attacks like the "billion laughs" denial-of-service attack or the usage of external sources. We recommend reviewing and fixing each listed error manually until the script no longer finds any validation errors.

Please delete the script again after you have used it.
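To make concrete what "validating uploaded SVG and XML files" involves, here is an added, self-contained example. It is not Kirby's Sane\Svg or Sane\Xml code: validateSvg() is a hypothetical validator written for this page, and the three sample files are constructed inline. It applies the checks the advisory alludes to (script elements and event-handler attributes, DOCTYPE declarations that could carry entity bombs, and references to external sources) and returns a list of findings so a caller can reject the upload before the file is stored where a browser could load it.

```php
<?php
// Added example, not Kirby's Sane\Svg / Sane\Xml classes. validateSvg() is a
// hypothetical stand-alone validator that shows the kind of checks an upload
// filter applies to an SVG before storing it under the web root.

function validateSvg(string $svg): array
{
    $errors = [];

    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET: never fetch external DTDs or entities over the network;
    // LIBXML_NOENT is deliberately NOT set, so entities are not substituted
    $loaded = $dom->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($loaded === false) {
        return ['not well-formed XML'];
    }

    // a DOCTYPE is where entity bombs ("billion laughs") and external entity
    // references are declared, so it is rejected outright
    if ($dom->doctype !== null) {
        $errors[] = 'DOCTYPE declarations are not allowed';
    }

    $root = $dom->documentElement;
    if ($root === null || strtolower($root->localName) !== 'svg') {
        $errors[] = 'root element must be <svg>';
    }

    // allowlist of namespaces; anything else (e.g. XHTML) is rejected
    $allowedNamespaces = [
        'http://www.w3.org/2000/svg',
        'http://www.w3.org/1999/xlink',
    ];
    $forbiddenElements = ['script', 'foreignobject', 'iframe', 'embed', 'object'];

    foreach ($dom->getElementsByTagName('*') as $element) {
        $name = strtolower($element->localName);

        if (in_array($name, $forbiddenElements, true) === true) {
            $errors[] = '<' . $name . '> elements are not allowed';
        }

        if (in_array($element->namespaceURI, $allowedNamespaces, true) === false) {
            $errors[] = 'namespace "' . $element->namespaceURI . '" is not allowed on <' . $name . '>';
        }

        foreach ($element->attributes as $attribute) {
            $attrName = strtolower($attribute->localName);
            $value    = trim($attribute->nodeValue);

            // on* attributes (onload, onclick, ...) are event handlers, i.e. script
            if (strpos($attrName, 'on') === 0) {
                $errors[] = $attribute->nodeName . ' attribute on <' . $name . '> is not allowed';
            }

            // href/src may only reference fragments inside the same file;
            // script: and data: URLs as well as external sources are rejected
            if (in_array($attrName, ['href', 'src'], true) === true && strpos($value, '#') !== 0) {
                $errors[] = $attribute->nodeName . '="' . $value . '" on <' . $name . '> points outside the file';
            }
        }
    }

    return $errors;
}

// constructed sample files (not real uploads)
$samples = [
    'logo.svg'    => '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>',
    'handler.svg' => '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(1)</script></svg>',
    'doctype.svg' => '<!DOCTYPE svg [<!ENTITY x "x">]><svg xmlns="http://www.w3.org/2000/svg"><text>&x;</text></svg>',
];

foreach ($samples as $filename => $content) {
    $errors = validateSvg($content);
    echo $filename . ': ' . ($errors === [] ? 'OK' : implode('; ', $errors)) . "\n";
}
```

The first sample passes, the second is flagged for both the onload attribute and the script element, and the third is flagged for its DOCTYPE. Note that, as the advisory says about Kirby's own validator, a finding does not prove an attack: a legitimate file exported by a design tool can carry a DOCTYPE or an external image reference, so findings on existing files should be reviewed rather than deleted blindly, while new uploads are simplest to reject whenever the list is non-empty.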

More information

You can find more details like the CVE ID of this vulnerability on its security advisory page.

Credits

Thanks to @sreenathr10 for reporting the problem.

3.5.3.1

24 Feb 16:11
38afb2d

Fixes

  • Fix regression in go() helper without args #3160
  • FileCache: Safe and unique cache paths #3157
  • Reverts info texts for pages/files sections
  • Fixed typing bug in list field #3168
  • Fix possible console warning when the API response in the Panel is broken

Updated languages

  • da, ko, ru

3.5.3

11 Feb 10:49

This is a patch release for a regression in 3.5.2. The regression in 3.5.2 might affect multi-language setups and will lead to a broken Panel. If you are running a single-language setup, you don't necessarily have to upgrade to this patch release.

Fixes

  • Fixed Panel translation error #3149

Improvements

  • Updated translations (fr, id)

3.5.2

09 Feb 15:49
dbd8d22

⚠️ Unfortunately, we discovered a regression for all multi-language installations. If you are using a multi-language setup, please use our patch instead: https://github.com/getkirby/kirby/releases/tag/3.5.3

Features

  • New isEmpty() and isNotEmpty() methods for layout field #3131
  • Added similarity search method for Str class #2936 #3134
  • Improved F::niceSize() typography and locale #3019

Enhancements

  • Refactored some return types #3061
  • Sections info and text props are translatable #3109
  • Supported list items in info fields #2946
  • Improved contrast of read-only/disabled fields #2807
  • Enabled fail_ci_if_error argument for Codecov #3119
  • Added Transifex to the issue list
  • Nicer badges for the readme
  • Updated languages

Fixes

  • Added missing translation for the src label in the image block #3087
  • Tabs on account page work correctly again #3098
  • Fixed error when overwriting block tabs #3101
  • Fixed error when overwriting layout tabs #3095
  • Consistent arguments for Response::redirect() #3136
  • site()->index(true) now always returns drafts correctly #3082
  • Panel page icons are now centered as expected in Firefox #2943
  • $collection->filter() can no longer collide with global functions #3117
  • An empty writer field no longer leaves <p></p> as artefacts. isEmpty() is fixed with this change as well #3115
  • PHP locale strings are updated correctly in the dialog #3129
  • List items no longer contain p-tags in list blocks and the list field #3086
  • api/translations/:code now returns custom language variables #3064
  • We switched to PHP 7.4 for GitHub action analysis for now #3113
  • Fixed potential relative paths in FileCache keys.

Stats

  • 74 commits
  • 43 closed issues and PRs

3.5.1

19 Jan 11:14

Features

  • New blocks navigation in the blocks drawer
  • settings in the Layout field can now be extended #3011
  • Support for blocks in field queries #2977

Enhancements

  • Support for all 12-column layout variations in fields sections and layouts
  • Automatically generate locale code in new language dialog #2427
  • I18n: Support for multiple fallback locales #3006
  • New $auth->status() method and Kirby\Cms\Auth\Status class
  • panel.language: Fall back to site default lang
  • We switched our test setup from Travis to Github actions with tons of new enhancements
  • We switched our code coverage setup from Coveralls to Codecov
  • We now use Psalm for static code analysis
  • We now use PHPMD to detect additional possible problems
  • PHP 8.0 in CI
  • Improved Cookie::forever() method for 32-bit servers #2968
  • Deactivate the replace action if files cannot be replaced #3031
  • Automatic fallback for email security = true #2896
  • Updated PR template
  • Updated Russian translation

Fixes

  • Fixed global search shortcut #3015
  • Date field: Fixed missing format option #3026
  • Fixed autofocus issue on blocks field #3002
  • The Blocks and Layouts fields now support the when option #3013
  • Fixed autofocus issue on structure field #3083
  • Avoid invalid content representation types for missing representations #2924
  • Various small fixes for issues detected by the new analysis tools
  • PHP::encode(): Fix encoding of ints
  • Fixed Apcu detection in tests
  • Fixed F::rename overwriting
  • Fixed broken flag prop
  • Fixed styling issue in pagination element in sections #3027


3.5.0 – Calumma

15 Dec 11:10

We've prepared a special site for this release with all new features and changes:
https://getkirby.com/releases/3.5

3.5.0-rc.7

14 Dec 17:03
Pre-release

Our last pre-release 🤞

Enhancements

  • Faster file cache access
  • Date input: support key manipulation for am/pm
  • Updated translations (el, ko, it)

Bug fixes

  • Fixed regression in F::read
  • Various date and time field fixes
  • Fixed breadcrumb issue in block and layout settings