
Releases: getkirby/kirby

3.6.1.1

09 Dec 16:00
351b634

🐛 Fixes

  • PHP 8.1: Fix more arguments of built-in functions #4023
  • Fix minor Prettier weirdnesses #4022
  • Upgraded phpmailer #4021
  • Fix HTTPS check in SystemView #4019
  • Declare PHP 8.1 compatibility in composer definition #4017
  • Upgraded Cypress #4010
  • Upgraded claviska/simpleimage #4008
  • Fixed plugins.js regression #1062

3.6.1

07 Dec 11:37
0a1f15d

🎉 Features

  • Support for PHP 8.1 #3979
  • New system.exception hook that can be used to log an error or exception in a log file or via a service like Sentry #3952

✨ Enhancements

  • Added Toolkit\Html::$inlineList with array of tags that are allowed in inline context #3884
  • System view: Renamed the "SSL" status to "HTTPS" for clarity: #3960
  • The blocks field now only shows the currently selected block options bar on nested blocks preview #3931
  • The gallery block preview uses srcset for potentially smaller preview images
  • router.php now allows the document root to be set manually #3963
  • Improved line wrapping for title and info texts on card items #3949
  • New Str::date($time, $format, $handler) method to format a timestamp as date string #3992
  • Run npm run format during pre-commit hook. #3995
  • The Kirby\Sane\Svg class now supports more attributes like xml:space and enable-background. #3982
  • Kirby\Toolkit\Dom: Added support for the special xml: namespace
  • Thumbs created with the ImageMagick driver now include the ICC color profile for better color accuracy. Note that this currently does not work for PNG images. #2537
  • Updated translations (sv_SV, ko, is_IS, fi, es_ES, es_419, cs) Thank you to all our translators 💛

🐛 Fixes

  • pages() helper does not throw deprecation warning for arrays as single parameter #3938
  • Asset objects can be used as Panel preview images again #3933
  • Fixed non-standard MIME type "application/force-download" header in Response::download() #3956
  • Converting blocks from non-existing type (e.g. after renaming) doesn't throw an error #3962
  • Item dropdown icon doesn't overlap the dropdown itself anymore #3966
  • Panel::go() and other exceptions are supported in the panel.route:before hook #3964
  • route:before and route:after hooks only get called for core routing calls #3951
  • Str methods handle an empty $needle string #3459
  • Fixed passing null as second parameter which is deprecated since PHP 8.0 #3975
  • The empty writer field no longer contains paragraph #3943
  • Fixed script-src warning when setting a CSP header with our nonce #3986
  • Area dropdowns can now be created with a simple closure instead of defining a full route (as already advertised) #3970:
'dropdowns' => [
    'example' => function () {
        return [ ... ];
    }
]
  • Fixed prop type check for number text in the button component #4000

♻️ Refactoring

  • Use strip_tags with array of tags #3884
  • Use PHP arrow functions #3886
  • Switched to Optional chaining operator on Frontend #3908
  • Refactored plugin loading JS #3937
  • Use Prettier for consistent JS formatting #3812
  • Use null coalescing assignment operator in PHP #3885
  • Upgraded claviska/simpleimage dependency #3989
  • Type hint for Iterator::getIterator() https://github.com/getkirby/kirby/pull/3991/files
  • Upgraded NPM dependencies #3993
  • Don't pass null to native functions that actually don't accept null but a specific type (string, int...). #3990
  • Replaced true/punycode with symfony/polyfill-intl-idn dependency #3988

📈 Stats

  • 111 commits
  • 53 closed issues and PRs

👨‍💻 Contributors

(in alphabetical order)

3.6.0 – Jungle Calumma

16 Nov 13:50
9ea05e3

We've prepared a special site for this release with all new features and changes:
https://getkirby.com/releases/3.6

3.5.8

16 Nov 09:41
25fc5c6

Security release

This security release fixes two cross-site scripting (XSS) vulnerabilities from writer field and image block content printed in the site frontend.

Severity: medium (CVSS score 5.4)

Writer field

Impact

Kirby's writer field stores its formatted content as HTML code. Unlike other field types, its content cannot be protected against cross-site scripting (XSS) by escaping HTML special characters, because the formatting would be lost.

Cross-site scripting (XSS) is a type of vulnerability that allows an attacker to execute arbitrary JavaScript code inside the site frontend or Panel session of other users. If the user is logged in to the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim.

Because the writer field did not securely sanitize its contents on save, it was possible to inject malicious HTML code into the content file by sending it to Kirby's API directly without using the Panel. This malicious HTML code would then be displayed on the site frontend and executed in the browsers of site visitors and logged-in users who are browsing the site.

This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.

You are not affected if you don't use the writer field in any of your blueprints. The attack can only be performed by logged-in users and only surfaces in the site frontend (i.e. in your templates). The Panel itself is unaffected and will not execute JavaScript that was injected into writer field content.

Patches

We have patched the vulnerability in this release by sanitizing all writer field contents on the backend whenever the content is modified via Kirby's API. Please update to this or a later version (including Kirby 3.6.0) to fix the vulnerability.
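The approach behind the writer field patch, as an added example that is not Kirby's own code: a minimal allowlist sanitizer built on PHP's DOMDocument, which keeps formatting tags but drops everything else before the HTML is stored. Kirby's real implementation is its Kirby\Sane\Html class; the tag allowlist, the safeUrl() scheme check and the sample input are constructed for this example.

```php
<?php
// Added example, not Kirby's own code. Writer content is stored as HTML, so it cannot be
// escaped on output without losing formatting; the fix instead reduces it to an allowlist
// of tags and attributes on save. Kirby's implementation is Kirby\Sane\Html; this
// stand-alone version uses PHP's DOMDocument so it runs without Kirby.
// Allowlist (constructed for this example): tag => attributes allowed on it.
const ALLOWED_TAGS = [
    'p' => [], 'strong' => [], 'em' => [], 'u' => [], 's' => [], 'br' => [],
    'h1' => [], 'h2' => [], 'h3' => [], 'ul' => [], 'ol' => [], 'li' => [],
    'a' => ['href', 'title'],
];
// Elements whose content is never user-visible text; dropped together with their content.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'svg'];

function safeUrl(string $url): bool
{
    $scheme = parse_url(trim($url), PHP_URL_SCHEME);
    if ($scheme === null) {
        return true;   // relative URL: no scheme to abuse
    }
    return $scheme !== false && in_array(strtolower($scheme), ['http', 'https', 'mailto'], true);
}

function sanitizeNode(DOMNode $node): void
{
    // Iterate over a snapshot: removing from the live childNodes list would skip siblings.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!$child instanceof DOMElement) {
            if (!$child instanceof DOMText) {
                $node->removeChild($child);   // comments, CDATA, processing instructions
            }
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);
            continue;
        }
        sanitizeNode($child);   // clean the subtree before deciding about the element itself
        if (!isset(ALLOWED_TAGS[$tag])) {
            // Unknown tag (div, span, font, ...): keep its children, drop the wrapper.
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_TAGS[$tag], true) && ($name !== 'href' || safeUrl($attr->value));
            if (!$keep) {
                $child->removeAttribute($attr->name);   // drops on* handlers, style, javascript: links
            }
        }
    }
}

function sanitizeWriterHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate sloppy markup without warnings
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $root = $doc->documentElement;      // the wrapping <div>
    sanitizeNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample: formatting that must survive next to markup that must not.
echo sanitizeWriterHtml('<p>Hi <strong>there</strong> <a href="javascript:alert(1)" onclick="x()">x</a><script>alert(1)</script></p>'), "\n";
```

Because the content is cleaned on the way in, templates can print writer field content as HTML afterwards; the allowlist is the security boundary, so extending it with attributes like style or on* handlers reopens the issue.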

More information

You can find more details like the CVE ID of this vulnerability on its security advisory page.

Image block

Impact

Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend escaping HTML special characters in those snippets to prevent cross-site scripting (XSS) attacks.

Cross-site scripting (XSS) is a type of vulnerability that allows an attacker to execute arbitrary JavaScript code inside the site frontend or Panel session of other users. If the user is logged in to the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim.

The default snippet for the image block unfortunately did not use our escaping helper. This made it possible to include malicious HTML code in the source, alt and link fields of the image block, which would then be displayed on the site frontend and executed in the browsers of site visitors and logged-in users who are browsing the site.

This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.

You are not affected if you don't use the blocks field or specifically the image block in any of your blueprints. You are also protected if you use a custom block snippet that either escapes the printed values or doesn't use them. The attack can only be performed by logged-in users and only surfaces in the site frontend (i.e. in your templates). The Panel itself is unaffected and will not execute JavaScript that was injected into the image block content.

Patches

We have patched the vulnerability in this release by escaping special HTML characters in the output from the default image block snippet. Please update to this or a later version (including Kirby 3.6.0) to fix the vulnerability.
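The shape of the image block fix, as an added example that is not Kirby's default snippet: the unescaped rendering beside the escaped one. The e() wrapper, the array-based block representation and the sample values are assumptions of this example; Kirby's own helper for this is esc().

```php
<?php
// Added example, not Kirby's default image block snippet. A block snippet prints the
// block's stored values into HTML; every value that lands in an attribute or text node
// must be escaped there. Kirby's helper for this is esc(); htmlspecialchars() is used
// below so the file runs without Kirby. Block values are modelled as a plain array.

function e(string $value): string
{
    // ENT_QUOTES encodes both quote styles, so a value cannot close the attribute it sits
    // in; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The unpatched shape the advisory describes: values printed exactly as stored.
function renderImageBlockUnescaped(array $block): string
{
    $img = '<img src="' . $block['src'] . '" alt="' . $block['alt'] . '">';
    return $block['link'] !== '' ? '<a href="' . $block['link'] . '">' . $img . '</a>' : $img;
}

// The patched shape: every value escaped at the point where it is printed.
// Escaping keeps a value inside its attribute but does not judge the value itself:
// a javascript: URL in link is still a valid href, so URL fields additionally need a
// scheme check (not shown here; it is not part of the fix the advisory describes).
function renderImageBlockEscaped(array $block): string
{
    $img = '<img src="' . e($block['src']) . '" alt="' . e($block['alt']) . '">';
    return $block['link'] !== '' ? '<a href="' . e($block['link']) . '">' . $img . '</a>' : $img;
}

// Constructed sample content: the alt text tries to close its attribute and add markup.
$block = [
    'src'  => '/media/pages/blog/cat.jpg',
    'alt'  => 'Cat"><script>alert(1)</script>',
    'link' => 'https://example.com/cats',
];
echo renderImageBlockUnescaped($block), "\n";   // alt closes the attribute; the script tag is live
echo renderImageBlockEscaped($block), "\n";     // quotes and angle brackets become entities
```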

More information

You can find more details like the CVE ID of this vulnerability on its security advisory page.

Credits

Thanks to Azrul Ikhwan Zulkifli (@azrultech) from BAE Systems AI Vulnerability Research Team for responsibly reporting the identified issues.

3.6.0-rc.5

12 Nov 15:56
e49fd82
Pre-release

3.6 RC

To learn more about Kirby 3.6 and the RC phase, check out our dedicated preview site: https://getkirby.com/releases/3.6

✨ Enhancements

  • Better error message for invalid parent in pages section #3916
  • New CSS properties
    • --color-dark: #313740;
    • --z-fatal
    • --z-offline
  • Moved animations to their own stylesheet
  • Use Tailwind sr-only utility instead of k-offscreen. The old class name is still available to avoid a breaking change.
  • Load compatibility check script first in the head element to unblock stylesheet loading as soon as possible.
  • Moved offline warning to new k-offline-warning component
  • The offline warning is now translatable with error.offline
  • The offline warning has a new design
  • Improved alignment of title without info in cards.
  • Better outline styles for links and buttons in System view
  • Improved error handling for Fiber requests

🐛 Fixes

  • Fixed nested blocks drawer breadcrumb issue #3871
  • Fix rotating loader in Firefox

🐛 Fixed regressions from 3.6.0-rc.4

  • Fixed cursor on the empty box in pages and files sections #3915
  • Fixed strikethrough tag for writer field #3920
  • Fixed layout shift when opening overlays #3823
  • Fixed dialog reset when dialogs are not closed properly #3923
  • Fix hover effect on disabled buttons

3.6.0-rc.4

05 Nov 14:43
3b4f5d2
Pre-release

3.6 RC

To learn more about Kirby 3.6 and the RC phase, check out our dedicated preview site: https://getkirby.com/releases/3.6

✨ Enhancements

  • Only show plugins section if there are any plugins installed
  • The Plugin headline is now linked with the plugin directory
  • Improved error handling for Fiber requests

🐛 Fixed regressions from 3.6.0-rc.3

  • Fixed unsaved changes loop in the writer field #3798
  • Copy & Paste to blocks no longer adds unwanted line breaks #3813
  • Fixed converting slugs incorrectly in multilanguage websites #3900
  • Fixed overwritable custom site title #3901
  • Fixed monospace option in textarea fields #3902
  • Language dropdown is no longer missing when adding languages manually #3888
  • The k-link component now correctly handles absolute URLs
  • The writer field allows relative URLs again. #3754

3.6.0-rc.3

02 Nov 16:07
4694d20
Pre-release

3.6 RC

To learn more about Kirby 3.6 and the RC phase, check out our dedicated preview site: https://getkirby.com/releases/3.6

✨ Enhancements

  • The Toolkit\Dom::toString method now exports the document with the same structure as the input. #3887

🐛 Fixes

  • Hidden blocks are no longer visible in layouts #3857
  • The image/svg MIME type is now recognized by the Sane classes
  • Account files are now fully accessible through the account view, even if permissions for the users area is blocked #2580

🐛 Fixed regressions from 3.6.0-rc.2

  • Fixed changes dropdown #3854
  • Fixed missing max/min length indicator in the Textarea counter #3861
  • Fixed file upload validation #3849
  • Fixed breaking change in FieldClass::store method #3866
  • Fixed blocks field empty prop #3872
  • Fixed port detection behind proxy #3645
  • CSS gets auto prefixed again (e.g. solves issue with toggle field in Safari)
  • Fixed inline docs for cardlets layout option
  • Unicode characters in the writer field are no longer converted to HTML entities. #3887
  • Fixed account permission issues when the users area is blocked #3868
  • Fixed block selection in layout columns: #3856
  • Fixed error notification dialog #3890
  • Fixed "Invalid redirect URL" error #3892

⚠️ Breaking changes

  • Kirby no longer supports PHP 7.3, which will reach its end-of-life date soon. We will add support for PHP 8.1 to Kirby as soon as possible after the official release of PHP 8.1.
  • Hidden blocks in the layout field will no longer be visible (as expected)
  • Cms\Collection::has(): 1st parameter got renamed to $key
  • Cms\Collection::indexOf(): 1st parameter got renamed to $needle
  • Cms\Collection::query(): 1st parameter got renamed to $arguments

3.6.0-rc.2

02 Nov 16:11
d6b18a7
Pre-release

3.6 RC

To learn more about Kirby 3.6 and the RC phase, check out our dedicated preview site: https://getkirby.com/releases/3.6

🎉 Features

New system view #3821


We received a lot of feedback about the confusing state of the Settings view in the Panel. Technically, it was never really about settings. It was a mixture of system information and languages. This is why we decided to replace this view with two new views. A new system view with all kinds of additional information about your Kirby installation and a brand new languages view.

The system view contains the version and license information from the previous settings view. But now it also features additional health information about your setup, which will be extended step by step in later releases. It also contains a list of your installed plugins.

Languages and system views can be switched on or off by role with the new access permissions:

# users/editor.yml
title: Editor
permissions: 
  access: 
    system: false
    languages: false

New languages view #3821


The new languages view is now only visible in the menu when you switch to a multi-language setup. It features the same language editor from previous versions. We will be extending this view with more options in the future.

New home option for user blueprints to control redirect after login #3834

When a user logs in to the Panel, they normally get redirected to the last view they were on before they were logged out, or to the Site view. When you work with permissions, you might want to block the Site view or redirect the user to a completely different view instead. This is now possible with the new home option for user blueprints. This way you can define the redirect for each role individually. Redirects can be simple paths or dynamic locations via string queries.

Simple paths

title: Editor
home: /panel/account

Queries to panel views

title: Editor
home: "{{ site.find('blog').children.first.panel.url }}"

Queries to pages

title: Editor
home: "{{ site.find('blog').children.first.url }}"

New slug field #3613

Technically this has been in there for ages, but we never documented it :)

The new slug field is perfect when you want to create sanitized strings for IDs, URL paths, CSS class names, etc.

Setup

fields: 
  className:
    label: Class Name 
    type: slug

Sync option
You can sync the slug field with another field. Whenever the editor types something into the synced field, the slug field will update with a sluggified version of the input:

fields: 
  className:
    label: Class Name 
    type: slug
    sync: title

Allow option
By default, the slug field will strip out or replace any non-alphabetic, non-numeric character with a simple dash. You can define additional allowed characters with the allow option:

fields: 
  className:
    label: Class Name 
    type: slug
    sync: title
    allow: _

✨ Enhancements

  • Updated inline docs for the writer field
  • The Remote class now by default prefers the system certificate authority bundle (CA bundle) for verifying remote TLS connections if a bundle is configured in php.ini (curl.cainfo option). If no bundle is configured, Kirby will still use its internal CA bundle.
  • Additional unit tests for Filesystem, CMS, Form, Image and Panel classes
  • Fixed validation code for the Kirby\Form\FieldClass class
  • Better error handling for dialogs without proper handlers
  • Cleaner solution to ignore entire files from code coverage

🐛 Fixed regressions from 3.6.0-rc.1

  • Fixed issue in slug field with undefined value #3826
  • Fix writer field caret position on blocks/layout field #3838
  • Fix writer field height on blocks/layout field
  • Fixed collision when changing the user language #3844

3.6.0-beta.3

08 Oct 08:30
c33cf1c
Pre-release

3.6 Beta

To learn more about Kirby 3.6 and the beta phase, check out our dedicated preview site: https://getkirby.com/releases/3.6

🎉 Features

Core component: email #3766

Developers can now easily integrate their own email providers (sendgrid, mailgun, mailchimp, sparkpost, etc), instead of using Kirby's default PHPMailer library.

class CustomEmailProvider extends Kirby\Email\Email
{
    public function send(bool $debug = false): bool
    {
        // sending stuff
        return true;
    }
}

Kirby::plugin('my/email', [
    'components' => [
        'email' => function ($kirby, $props, $debug) {
            return new CustomEmailProvider($props, $debug);
        }
    ]
]);

Extends blocks and layout methods #3739

Using the five new extensions below, you can write your own custom methods for the blocks and layout fields.

  • layoutsMethods (layouts collection)
  • layoutMethods (each layout)
  • layoutColumnMethods (each layout column)
  • blocksMethods (blocks collection)
  • blockMethods (each block)

<?php

Kirby::plugin('my/blocksLayoutMethods', [
    'blockMethods' => [
        'test' => function () {
            return 'block method';
        }
    ],
    'blocksMethods' => [
        'test' => function () {
            return 'blocks method';
        }
    ],
    'layoutMethods' => [
        'test' => function () {
            return 'layout method';
        }
    ],
    'layoutColumnMethods' => [
        'test' => function () {
            return 'layout column method';
        }
    ],
    'layoutsMethods' => [
        'test' => function () {
            return 'layouts method';
        }
    ]
]);

Extendable block models #3740

Now each block type can have its own custom model. Like models for page templates or user roles.

<?php

use Kirby\Cms\Block;

class HeadingBlock extends Block
{
    public function id(): string
    {
        return 'custom id';
    }
}

Kirby::plugin('my/blockModels', [
    'blockModels' => [
        'heading' => HeadingBlock::class
    ]
]);

Default model for blocks #3747

When registering block models, the Kirby\Cms\Block class name is the key for the default model that applies to all block types; custom block models can then extend that default model.

<?php

use Kirby\Cms\Block;

class DefaultBlock extends Block
{
    public function id(): string
    {
        return 'custom id';
    }
}

class HeadingBlock extends DefaultBlock
{
    public function test(): string
    {
        return 'Hello World!';
    }
}

Kirby::plugin('my/blockModels', [
    'blockModels' => [
        'Kirby\\Cms\\Block' => DefaultBlock::class,
        'heading' => HeadingBlock::class
    ]
]);

✨ Enhancements

  • Multiselect with CMD/CTRL keys for blocks field #3748
  • Updated npm dependencies #3744
  • Blocks are now always selected in the original order, no matter in which order they were selected.
  • Parsing blocks from Word documents is now a lot more reliable and the results will be better.
  • Canonical language URLs in the Panel #3759

🐛 Fixes

  • Fixed parsing logic for entire documents and breaks when pasting blocks #3735
  • The expired DST Root CA X3 CA certificate (previously used for Let's Encrypt certificates) has been removed from the CA bundle to prevent "expired certificate" warnings when requesting remote resources (like in options API fields) on some server systems #3765
  • Fixed unstable links / hashes for media files #3646

🐛 Fixed regressions from 3.6.0-beta.2

  • k-item now features former k-list-item slots again
  • Fixed border-radius and box-shadow on image in lists #3733
  • Backward and forward buttons work properly in the Panel again
  • Fixed unwanted hover effect on disabled buttons #3742
  • Fixed translation bug after login and installation #3725
  • Fixed empty box layout for cardlets
  • Fixed block selector collapsing when there are no groups
  • Fixed low quality thumbnail in the pages field #3756
  • Fixed unsaved changes loop caused by the blocks field #3736
  • Fixed odd revert behaviour caused by the blocks field #3008
  • Fixed escaped HTML in blueprint info box #3763
  • Fixed files field option dropdown when upload disabled #3768
  • Fixed node issues in the writer field #3749
  • Fixed missing href attribute for email addresses in the writer #3754

⚠️ Breaking Changes

  • F::modified() no longer calculates a maximum between mtime and ctime for file changes. This could in theory lead to different timestamps in some scenarios. Very unlikely though.

3.6.0-beta.2

30 Sep 12:01
152417c
Pre-release

3.6 Beta

To learn more about Kirby 3.6 and the beta phase, check out our dedicated preview site: https://getkirby.com/releases/3.6

🎉 Features

Copy and paste for blocks

It's finally here! You can now copy and paste blocks between block and layout fields and even create blocks from pasted HTML and text.


New block formats in the writer field (heading, bulletList, orderedList) #3449


Global options for all Kirbytags #3690

You can now provide default values for all Kirbytag attributes in your config.

return [
    'kirbytext' => [
        'video' => [
            'class' => 'video',
        ],
        'image' => [
            'imgclass' => 'margin-5'
        ],
        'link' => [
            'rel' => 'nofollow'
        ],
    ]
];

🥳 That's not all the features

  • New paragraph icon
  • New Toolkit\Dom class that allows parsing, modifying and sanitizing DOM-based documents (XML and HTML)
  • The Sane classes now have new sanitize() and sanitizeFile() methods that will apply the same rules as validate() but directly modify the input string/file so it is valid afterwards
  • New Sane\Html class for validating and sanitizing HTML files or HTML snippets
  • New $file->sanitizeContents() method

✨ Enhancements

  • Unit tests for remaining Fiber changes #3406
  • Improved fiber error handling for dialogs and dropdowns
  • Added server-side sanitization in the writer field on field changes for extra security against XSS attacks
  • Improved error messages for file validation/sanitization errors (Sane classes)
  • The Sane classes now have proper XML namespace support so that custom namespace prefixes are properly detected

🐛 Fixes

  • Fix overlay/dialogs/drawers on back navigation #3704
  • Login with invalid password now sends a 401 in debug mode #2856
  • Inconsistent return types between Query class insert method and shortcut Db::$queries['insert'] have been fixed #3140
  • Added fallbacks for deprecated CSS classes #3706
  • Confirming empty password dialog no longer throws error #3716
  • Changing the slug of a page with an irrelevant .lock file no longer causes PHP to completely hang #2516
  • The panel now sets the correct default language in multi language projects: #3647
  • Fix inner join queries #2501
  • Support for multi-line tags #3614
  • Fixed saving nested structure fields without click OK button #2550
  • Top-level pages with a slug called files will no longer create havoc #3187

🐛 Fixed regressions from 3.6.0-beta.1

  • Blocks in layouts can be edited again without problems #3699
  • Toggle field without text prop on site working again #3696
  • When debug is set to false and there is no longer just one blueprint available #3644
  • Fixed links and icons broken in unsaved changes dialog #3709
  • Fixed minLength typo in checkboxes validations #3726

♻️ Refactoring

  • Refactored async code to async/await #3694

⚠️ Breaking Changes

  • The public static configuration attributes of the Sane classes have been renamed for consistency with the new Toolkit\Dom class
  • The Sane\Svg::$allowedNamespaces attribute now expects namespace reference names as the array keys instead of full attribute names (so xmlns:xlink should become just xlink and xmlns should become an empty string)
  • The Sane\Svg::$allowedTags attribute (before $allowedElements) now is an associative array with the allowed attributes for this tag as the value