Releases: getkirby/kirby
3.5.7
Security
Cross-site scripting (XSS) from field and configuration text displayed in the Panel
This release fixes the following XSS vulnerabilities inside the Panel:
- Placeholders in core translation strings (e.g. in error or info messages) are now escaped.
- Error message boxes in dialogs and the `fields` section now only display the escaped exception message.
- Data displayed in the users and settings view (list of users/languages) is now escaped.
- The default `text` displayed by the `files` and `pages` sections (filename/page title), the `files`, `pages` and `users` fields (filename/page title/username) and by query-based `checkboxes`, `radio`, `tags` and `multiselect` fields (default text depending on the used query) is now escaped.
Note: Custom `text`, `help` and `info` queries in blueprints are not escaped in 3.5.7. We support HTML in these properties because there are valid use cases for custom formatting. However, there can still be XSS vulnerabilities depending on your use of these properties. In Kirby 3.6 we will provide a new feature that will make it much easier to control whether you want to allow HTML from query placeholders.
You can find out more about the issues and fixes in our security advisory.
PHPMailer update
- PHPMailer has a new security release, which fixes two of their security issues. According to their release notes there is a small, insignificant breaking change in their validator code. We still decided to add the security fixes as soon as possible and include them in this release.
🎉 Features
- Support for custom callbacks for `Str::template()` (e.g. to escape query output) #3454
```php
Str::template($value, $data, [
    'callback' => function ($result) {
        return Str::ucwords($result);
    }
]);
```
- The `Box` component now supports a text-only mode (with the `html` prop set to `false`). For compatibility, the default value is currently `true`. We plan to make `false` (escaped text) the new default behavior in Kirby 3.6.0.
- The `Autocomplete` component now has support for HTML in the `text` property with a new `html` property (defaults to `false`).
- New `this.$helper.string.escapeHTML` (or `this.$esc`) helper to escape HTML special characters as entities
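As an added example (not code from the release notes or from Kirby itself), the following shows how the new `callback` option can be used to escape query output, which is the gap the note above describes for custom `text`, `help` and `info` queries that are still rendered unescaped in 3.5.7. It assumes a bootstrapped Kirby 3.5.7+ install; `safeTemplate()` and the `$data` array are a hypothetical helper name and constructed sample data.

```php
<?php

// Added example, not part of the Kirby release notes.
// Assumes Kirby 3.5.7+ is bootstrapped so Kirby\Toolkit\Str is available.

use Kirby\Toolkit\Str;

/**
 * Renders a blueprint-style query template and entity-encodes each
 * resolved placeholder. Static markup in the template string itself is
 * left untouched, so formatting you control still works while data
 * coming from the query (page titles, usernames, ...) cannot inject HTML.
 */
function safeTemplate(string $template, array $data): string
{
    return Str::template($template, $data, [
        // a placeholder whose query resolves to nothing becomes an empty
        // string instead of being left in the output as raw "{{ ... }}"
        'fallback' => '',
        // called once per resolved placeholder with the raw query result;
        // Str::esc() encodes <, >, &, " and ' for the HTML context
        'callback' => function ($result) {
            return Str::esc((string)$result);
        },
    ]);
}

// Constructed sample: a title that an editor with Panel access controls
$data = [
    'title' => '<img src=x onerror=alert(document.cookie)>',
];

// Without the callback the markup is copied into the output verbatim,
// which is exactly how unescaped query placeholders become an XSS vector.
$unsafe = Str::template('Editing: <b>{{ title }}</b>', $data);

// With the callback only the query result is encoded; the <b> tags that
// are part of the template string survive, the injected <img> does not.
$safe = safeTemplate('Editing: <b>{{ title }}</b>', $data);

echo $unsafe . "\n";
echo $safe . "\n";
```

The same callback can wrap `Str::esc($result, 'attr')` when the template lands in an attribute value, since the context decides which characters are dangerous.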
Enhancements
- Improved blocks and layout field value for `isEmpty()` field method support #3153
- Supports new asset extensions `map|json|avif|mjs` for plugins #3436
- `Str::template()` now supports an `$options` array that can contain `fallback`, `callback`, `start`, `end` attributes. We plan to deprecate the old `$fallback`, `$start` and `$end` arguments in 3.6.0. #3454
- The `Kirby\Sane\Svg::$allowedNamespaces` property is now public to allow customizing it to your needs. #3424
- Dropdowns in the Panel are now automatically aligned vertically, depending on their position in the window. #3080
- The `Card` component now supports HTML in its `text` property for consistency with `ListItem`.
- The `Radio`, `Tags` and `Multiselect` input components now support HTML in their `text` properties for consistency with `Checkboxes`.
Fixes
- Toggle and checkbox field labels support HTML again #3278
- Filtering based on field value sizes issue fixed #3382
- Fixed updating pages and files sections after sorting a page/file in another section #3399
- Fixed `width` prop of columns in the table block preview #3323
- Fixed preview output in the table block preview #3324
- Fixed autofocus option for list and writer fields #3122
- Fixed writer field empty state #3365
- Added missing `marks` prop for quote block #3443
- `Dir::make()`: Fixed warning when there is a file in the provided folder path #3442
Refactoring
- Table block and structure field refactored to display properly in block table #3411
Stats
- 56 commits
- 29 closed issues and PRs
- Contributors: @afbora, @bastianallgeier, @distantnative, @doriansimeha, @lukasbestle (alphabetical order)
3.5.6
Features
- New `Locale::get()` method to access the current PHP locales #3319
- New `A::apply($array, $parameters)` method that recursively loops through the array and resolves each entry that is a `Closure` by calling it with the passed parameters #3331
- `Collection::values($map)` now accepts a mapping `Closure` as first parameter. All items are resolved with this `Closure`. #3332
Enhancements
- Added some missing `@since` tags in doc-blocks #3336
- The `layout` property of the tags field is now documented #3371
- Updated translations
Fixes
- Fixed browser back button in the Panel #3216
- The configured database port is no longer ignored in the DB class #3302
- The list block is no longer out of sync with the drawer #3320
- Hard coded labels in the writer field have been updated with their translations #3316
Refactoring
- Our continuous integration workflow has been improved and is now more robust against unexpected tool changes. #3335
Stats
- 27 commits
- 18 closed issues and PRs
- Contributors: @afbora, @bastianallgeier, @distantnative, @lukasbestle, @thathoff (alphabetical order)
3.5.5
🎉 Features
Allow setting the page cache expiry from controllers #3246 #3292
- New `$kirby->response()->cache(false)` method that can be used to completely disable Kirby's page cache from controllers or templates
- It is now also possible to set the page cache expiry timestamp from controllers or templates:
```php
$kirby->response()->expires(1234567890); // timestamp
$kirby->response()->expires(60);         // minutes
$kirby->response()->expires('2021-12-31');
```
`video` KirbyTag supporting local and remote videos #3104
Supports local videos, YouTube and Vimeo with a completely overhauled video tag.
New attributes:
- autoplay
- controls (default: `true`)
- loop
- muted *
- poster
- preload (`auto`, `metadata`, `none`)
* The video will automatically be muted if `autoplay` is activated and the `muted` option is not defined
Usage:
```
# local
(video: local-video.mp4)
# remote
(video: https://www.getkirby.com/sample-video.mp4)
# example 1
(video: local-video.mp4 autoplay: true)
# example 2
(video: local-video.mp4 controls: false autoplay: true loop: true)
# example 3
(video: local-video.mp4 poster: cover.jpg)
# example 4
(video: local-video.mp4 preload: auto)
# example 5
(video: https://www.getkirby.com/sample-video.mp4 muted: true controls: false autoplay: true)
# example 6
(video: local-video.mp4 poster: https://www.getkirby.com/sample-cover.jpg)
```
Other features
- The `$kirby->response()->header()` method now accepts a new third `$lazy` param. If set to `true`, an already set header is not overridden. #3292
- Blocks: New `$block->excerpt()` method #3196
Enhancements
- All pages that rely on Kirby's session are now automatically excluded from Kirby's page cache and from the browser and intermediary caches #3292
- When setting cache values, you can now define an absolute expiry timestamp instead of the number of minutes. The number of minutes is still supported and auto-detected. #3246
- The email auth challenge now uses the user's language, the configured `panel.language` or the site default language for the email text (in that order) #3294
- Slots for the `ListItem` component #3217
- `Topbar`: Configurable menu entry for views #3206
- Editor → Blocks conversion of paragraph no longer lacks `<p>` #3210
- Support HTML tags on list items text attribute #3200
- Blocks field: new delete button inside the drawer #3180
- Blocks field: fixed inconsistencies in max items behaviour #3179
- Better login error message in debug mode ("Passwords do not match") #3165
- FileCache: Now cleans up empty directories on `remove()` #3162
- Handling of fatal Exceptions #3154
- Updated pull request template #3286
- Updated Composer dependencies #3280
- In-code UI component documentation #3175
Refactorings
- Fixed `Form\OptionsQuery` prop types #3283
- Use shared Laminas escaper instance #3274
- Fixed file permissions #3258
- Updated docblocks for `esc()` helpers/methods #3254
- `esc()` helper: Remove unused `$strict` param #3252
- Removed duplicated `jp2` file extension for `F` class #3253
- Improved `Structure/StructureObject` parameter docs #3251
- Added `Languages::__construct()` parameter description #3249
- Fixed doc blocks for field methods #3229
- Fixed and extended doc blocks and parameter hinting #3223
- Fixed return types: `$this`, `static` and `self` #3167
- Deprecated: improved docs and warnings #3166
Fixes
- Fixed the default sender domain for the email auth challenge if the site URL contains a path #3294
- Video block now saves captions correctly #3264
- Using dynamic query language values for API option URLs in blueprints no longer fails #3260
- Layout field: the link title is no longer deleted when leaving a page and returning #3255
- The `$ignore` parameter in `Dir::copy()` is now passed down in recursive calls #3243
- Whoops now handles custom HTTP codes from exceptions correctly #3237
- Links no longer overflow in disabled structure fields #3227
- Fixed error when clicking on non-translatable files field in second language #3220
- Duplicating a page with an empty URL appendix is no longer possible #3214
- Fixed date validation bug in `invalid()` helper #3208
- Fixed error message on empty URL appendix #3205
- Blocks writer preview does now apply field props #3145
- Added missing nodes prop for writer field #3144
- Writer & list field: fixed issue with the revert bar after focusing a new field #3126
- List items no longer get saved with `<p>` tags in list block #3086
- The toolbar of the writer field no longer overflows in the drawer #2971
Stats
- 141 commits
- 73 closed issues and PRs
- Contributors: @afbora, @bastianallgeier, @distantnative, @lukasbestle, @pine3ree, @pReya (alphabetical order)
3.5.4
Security release
This security release fixes a cross-site scripting (XSS) vulnerability from unvalidated uploaded SVG or XML files.
Impact
An editor with write access to the Kirby Panel can upload an SVG or XML file that contains harmful content like `<script>` tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the script will run and can for example trigger requests to Kirby's API with the permissions of the victim.
This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.
Visitors without Panel access can only use this attack vector if your site allows SVG or XML file uploads in frontend forms and you don't already validate or sanitize uploaded SVG or XML files.
The attack requires user interaction by another user or visitor and cannot be automated.
Patches
Uploads in the Panel
The problem has been patched in this release by validating uploaded SVG and XML files and rejecting potentially harmful files. Please update to this or a later version to fix the vulnerability.
Frontend upload forms
Frontend upload forms need to be patched separately depending on how they store the uploaded file(s). If you use `File::create()`, you are protected by updating to Kirby 3.5.4+.
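As an added example (not Kirby's own code and not part of the original advisory), this is how a frontend upload handler can run the 3.5.4 validators itself before anything is written to the content folder. It assumes a bootstrapped Kirby 3.5.4+ install, that `$upload` is one entry of `$_FILES` and that `$page` is the `Kirby\Cms\Page` the file belongs to; `storeValidatedUpload()` is a hypothetical function name.

```php
<?php

// Added example of a frontend upload handler; this is not Kirby's code.
// Assumptions: Kirby 3.5.4+ is bootstrapped, $upload is one $_FILES entry
// (name, tmp_name, error) and $page is the Kirby\Cms\Page to attach to.

use Kirby\Cms\File;
use Kirby\Cms\Page;
use Kirby\Exception\InvalidArgumentException;
use Kirby\Sane\Svg;
use Kirby\Sane\Xml;
use Kirby\Toolkit\F;
use Kirby\Toolkit\Str;

/**
 * Validates an uploaded SVG/XML file and stores it on $page.
 * Throws Kirby\Exception\InvalidArgumentException on disallowed content
 * so the form can show an error instead of saving the file.
 */
function storeValidatedUpload(array $upload, Page $page): File
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new InvalidArgumentException('The upload failed');
    }

    // PHP's temp file (tmp_name) carries no extension, so a check keyed on
    // the temp path would find no handler and silently validate nothing.
    // Key it on the extension the file will be served under instead: that
    // is what makes a browser render the direct link as SVG/XML and run it.
    $extension = Str::lower(F::extension($upload['name']));
    $contents  = file_get_contents($upload['tmp_name']);

    if ($contents === false) {
        throw new InvalidArgumentException('The upload could not be read');
    }

    switch ($extension) {
        case 'svg':
            // rejects <script> elements, external references and the
            // other patterns the Sane SVG validator disallows
            Svg::validate($contents);
            break;
        case 'xml':
            Xml::validate($contents);
            break;
    }

    // Since 3.5.4 File::create() runs the validators again on its own, so
    // this call is the safety net; the explicit check above only lets the
    // form report the problem before the file is touched at all.
    return File::create([
        'source'   => $upload['tmp_name'],
        'parent'   => $page,
        'filename' => F::safeName($upload['name']),
    ]);
}
```

Handlers that bypass `File::create()` (for example a plain `move_uploaded_file()` into the content folder) get no validation from the update at all and need the explicit `validate()` call or an equivalent check.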
Validate existing files
Already uploaded files are not automatically validated again. If you are not sure whether you have been impacted by this vulnerability in the past, we recommend running all site files through the validator classes after updating to Kirby 3.5.4. You can use the following test script by pasting it into a template or uploading it to your web root:
```php
<?php
// bootstrap Kirby when the script is run directly from the web root
// (no-op when pasted into a template, where Kirby is already loaded)
@include_once __DIR__ . '/kirby/bootstrap.php';

if (version_compare(kirby()->version(), '3.5.4', '<') === true) {
    die('This script requires Kirby 3.5.4+.');
}

$objects = [
    // the site itself
    site(),
    // all pages and drafts
    ...site()->index(true)->values(),
    // all users
    ...kirby()->users()->values()
];

$errors = false;

foreach ($objects as $object) {
    foreach ($object->files() as $file) {
        try {
            // validate the contents lazily
            // (if a validator exists)
            $file->validateContents(true);
        } catch (\Kirby\Exception\InvalidArgumentException $e) {
            echo $file->id() . ': ' . $e->getMessage() . "<br>\n";
            $errors = true;
        }
    }
}

if ($errors === false) {
    echo 'No validation errors found.';
}
```
You only need to run this validator script once as future uploads will automatically be validated. If the script prints "No validation errors found", you have not been impacted by the vulnerability so far.
Errors that it lists may or may not be critical, as our validator classes also catch files with an invalid data structure or less harmful attacks like the "billion laughs" denial-of-service attack or the usage of external sources. We recommend reviewing and fixing each listed error manually until the script no longer finds any validation errors.
Please delete the script again after you have used it.
More information
You can find more details like the CVE ID of this vulnerability on its security advisory page.
Credits
Thanks to @sreenathr10 for reporting the problem.
3.5.3.1
3.5.3
This is a patch release for a regression in 3.5.2. The regression in 3.5.2 might affect multi-language setups and will lead to a broken Panel. If you are running a single-language setup, you don't necessarily have to upgrade to this patch release.
Fixes
- Fixed Panel translation error #3149
Improvements
- Updated translations (fr, id)
3.5.2
Features
- New `isEmpty()` and `isNotEmpty()` methods for layout field #3131
- Added similarity search method for `Str` class #2936 #3134
- Improved `F::niceSize()` typography and locale #3019
Enhancements
- Refactored some return types #3061
- Sections info and text props are translatable #3109
- Supported list items in info fields #2946
- Improved contrast of read-only/disabled fields #2807
- Enabled `fail_ci_if_error` argument for Codecov #3119
- Added Transifex to the issue list
- Nicer badges for the readme
- Updated languages
Fixes
- Added missing translation for the src label in the image block #3087
- Tabs on account page work correctly again #3098
- Fixed error when overwriting block tabs #3101
- Fixed error when overwriting layout tabs #3095
- Consistent arguments for `Response::redirect()` #3136
- `site()->index(true)` now always returns drafts correctly #3082
- Panel page icons are now centered as expected in Firefox #2943
- `$collection->filter()` can no longer collide with global functions #3117
- An empty writer field no longer leaves `<p></p>` as artefacts. `isEmpty()` is fixed with this change as well #3115
- PHP locale strings are updated correctly in the dialog #3129
- List items no longer contain p-tags in list blocks and the list field #3086
- `api/translations/:code` now returns custom language variables #3064
- We switched to PHP 7.4 for GitHub action analysis for now #3113
- Fixed potential relative paths in FileCache keys.
Stats
- 74 commits
- 43 closed issues and PRs
3.5.1
Features
- New blocks navigation in the blocks drawer
- `settings` in the Layout field can now be extended #3011
- Support for blocks in field queries #2977
Enhancements
- Support for all 12-column layout variations in fields sections and layouts
- Automatically generate locale code in new language dialog #2427
- I18n: Support for multiple fallback locales #3006
- New `$auth->status()` method and `Kirby\Cms\Auth\Status` class
- `panel.language`: Fall back to site default lang
- We switched our test setup from Travis to GitHub Actions with tons of new enhancements
- We switched our code coverage setup from Coveralls to Codecov
- We now use Psalm for static code analysis
- We now use PHPMD to detect additional possible problems
- PHP 8.0 in CI
- Improved `Cookie::forever()` method for 32-bit servers #2968
- Deactivate the replace action if files cannot be replaced #3031
- Automatic fallback for email security = true #2896
- Updated PR template
- Updated Russian translation
Fixes
- Fixed global search shortcut #3015
- Date field: Fixed missing `format` option #3026
- Fixed autofocus issue on blocks field #3002
- The Blocks and Layouts fields now support the `when` option #3013
- Fixed autofocus issue on structure field #3083
- Avoid invalid content representation types for missing representations #2924
- Various small fixes for issues detected by the new analysis tools
- `PHP::encode()`: Fix encoding of ints
- Fixed Apcu detection in tests
- Fixed `F::rename` overwriting
- Fixed broken flag prop
- Fixed styling issue in pagination element in sections #3027
Stats
- 146 commits
- 55 closed issues and PRs
- Contributors: @afbora, @bastianallgeier, @distantnative, @lukasbestle, @steirico (alphabetical order)
3.5.0 – Calumma
We've prepared a special site for this release with all new features and changes:
https://getkirby.com/releases/3.5
3.5.0-rc.7
Our last pre-release 🤞
Enhancements
- Faster file cache access
- Date input: support key manipulation for am/pm
- Updated translations (el, ko, it)
Bug fixes
- Fixed regression in `F::read`
- Various date and time field fixes
- Fixed breadcrumb issue in block and layout settings