
Releases: getkirby/kirby

3.6.0-beta.1

22 Sep 08:09
4681e6d
Pre-release

3.6 Beta

To learn more about Kirby 3.6 and the beta phase, check out our dedicated preview site: https://getkirby.com/releases/3.6

Features

Extensible areas, dialogs, dropdowns and searches

It's now possible to extend or replace every important aspect of our backend and frontend logic for the Panel. You can have your own page search, your own dialogs and even your own dropdowns for files, pages or users. Add options, fields or entire new views. It's pretty magical.

You can find more in our docs:

New icons

We've extended our icon set for the Panel significantly: http://getkirby.com/releases/3.6/features/icons

- audio
- crop
- display
- flag
- food
- grid
- grid-bottom
- grid-bottom-left
- grid-bottom-right
- grid-full
- grid-left
- grid-right
- grid-top
- grid-top-right
- grid-top-left
- h1
- h2
- h3
- h4
- h5
- h6
- heart-outline
- info
- images
- mobile
- order-alpha-asc
- order-alpha-desc
- order-num-asc
- order-num-desc
- paypal
- pin
- pipette
- play
- print
- qr-code
- server
- shuffle
- sitemap
- star-outline
- sun
- table
- tablet
- text-center
- text-justify
- text-left
- text-right
- tiktok

New Panel features

  • The toggle field now supports the query syntax in the text property
  • The k-dropdown-content component is now compatible with our dynamic Fiber dropdowns. You can pass a string for the options prop and the component will automatically load the matching Fiber dropdown defined in PHP.
<k-dropdown-content options="my/custom/dropdown" />

will now load the Fiber dropdown defined like this in one of your areas:

Kirby::plugin('custom/dropdown', [
  'areas' => [
    'custom' => [
      'dropdowns' => [
        'my/custom/dropdown' => function () {
          return [
            [
              'icon' => 'trash',
              'text' => 'Delete',
              'link' => '/go/some/where'
            ]
          ];
        }
      ]
    ]
  ]
]);

New core security features

  • New Str::safeTemplate() method that escapes HTML in all regular query placeholders and allows HTML only through the new {< site.myMethodWithHtml >} syntax
  • New $model->toSafeString() method that uses Str::safeTemplate() instead of Str::template()

Enhancements

  • Better string template parsing in block labels #3661
  • The video block is now more privacy friendly by creating embeds with the "do not track" option
  • The page position field is hidden from dialogs when only one option is available
  • The sort page option is disabled in the page dropdown when only one option would be available
  • Custom iframe attributes are now allowed in the video helper
  • Improved plugin asset resolver #2422
  • The RadioInput component now supports (escaped) HTML in the info property for radio options.
  • Config file for slug field #3610

Fixes

  • The $field->replace() method no longer returns the model ID for empty fields, instead an empty string is returned as expected. #3652
  • this.$helper.upload now correctly uses the method parameter
  • Fixed writer field email title #3630
  • Changing template of a page on a multi-language setup no longer creates content files for untranslated languages #3674
  • The video block now shows domain-restricted clips in the Panel #3257
  • Fixed autofocus option for the blocks field #3681
  • k-progress: fixed not updating when value prop changed
  • Fixed opening blocks that have no fields or no editable #3686

Fixed regressions from 3.6.0-alpha.4

  • Fixed storing content in the account view #3665
  • The CSS utility classes for text alignment now set the correct CSS custom properties again (--align instead of --algin) #3641
  • Fixed alignment of the sort icon (+ new icon) #3595
  • Remove unwanted focus outline on outer panel div #3632
  • Fiber search now respects read: false #3650
  • image: false and image: icon options work again in pages and files sections. #3633
  • Conditional sections with extending fields work again #3636
  • Fixed broken files field upload #3687
  • Fix for display error in narrow columns #3689
  • Fixed compatibility with Parcel #3628

Refactoring

  • Moved panel/src/component/Blocks to panel/src/component/Forms/Blocks
  • Moved panel/src/component/Writer to panel/src/component/Forms/Writer

Deprecations

  • <k-text align="right"> has been deprecated, use <k-text align="end"> instead

Breaking Changes

  • Several blueprint options that use the query syntax were updated to escape the placeholder values against raw HTML output that may lead to XSS attacks. HTML code directly in the query (like This is <strong>{{ page.important }}</strong>) still works as normal. If placeholders need to return HTML, you can use the new {< site.myMethodWithHtml >} syntax. In this case you need to ensure manually that the returned HTML code is safe. With the {{ }} syntax, Kirby performs the escaping for you.
  • The <k-box text="..." /> property is now rendered as plain text by default instead of as HTML code. For the previous behavior use <k-box text="..." :html="true" />.

3.6.0-alpha.4

10 Aug 14:08
097b391
Pre-release

3.6 Alpha

To learn more about Kirby 3.6 and the alpha phase, check out our dedicated preview site: https://getkirby.com/releases/3.6

Features

Dynamic blueprint plugins

You can now define blueprint settings in a callback and base blueprint setups on config options, content and more.

<?php 

Kirby::plugin('my/plugin', [
  'blueprints' => [
      'pages/blog' => function ($kirby) {
          return [
              'title' => 'Blog', 
              'sections' => [
                  // ...
              ]
          ];
      }
  ]
]);

New core methods

  • New $file->sha1() method

Enhancements

Instant field and info section loading

Form fields and info boxes now show up immediately in the Panel. This massively improves the perceived performance and usability.

Additional enhancements

  • File uploads now check for duplicates via sha1 hashes. This leads to a better upload experience because when you upload the exact same file twice, the upload is simply ignored.
  • The files field can now accept new files via drag & drop
  • New files automatically store the sort attribute on upload if the files section is sortable #2886

Fixed regressions from 3.6.0-alpha.3

  • Fixed CSS dir issue in dialogs and drawers
  • Fixed images in picker field previews #3551
  • Fixed file urls for draft pages #3587

Refactoring

  • The api.csrf option is automatically set to dev when the panel.dev option is true
  • CSS: logical properties aren't preserved for now (until browser support increases)

Breaking Changes

New minimum browser requirements (browsers with dynamic import() support):

  • Firefox 67+
  • Chrome 63+
  • Opera 50+
  • macOS Safari 11.1+
  • Safari iOS 11+
  • Android Browser 92+
  • Chrome for Android 92+

Removed outdated $api methods in Vue:

  • $api.pages.breadcrumb
  • $api.files.breadcrumb
  • $api.users.breadcrumb
  • $api.site.breadcrumb
  • $api.site.options
  • $api.roles.options
  • $api.translations.options

3.6.0-alpha.3

27 Jul 14:49
9e7f29f
Pre-release

3.6 Alpha

To learn more about Kirby 3.6 and the alpha phase, check out our dedicated preview site: https://getkirby.com/releases/3.6

Features

New Fiber Dropdowns

For context sensitive dropdown menus – such as the option dropdowns for pages, files or users – you need to collect a lot of information before the menu can be opened. Which options are available for the current model? Which permissions are to be considered, etc.? We solve this with asynchronous dropdowns, which load their options from the API.

With Fiber, we've managed to simplify those asynchronous dropdowns significantly. We can now create new complex dropdowns right in PHP in minutes. Dropdowns are part of the new Panel areas. Here's an example for a potential plugin.

Kirby::plugin('your-plugin/todos', [
    'areas' => [
        'todos' => [
            ...
            'dropdowns' => [
                'todos/(:any)' => function (string $id) {
                    // find the $todo here (i.e. from a database)
                    return [
                        [
                            'text'   => 'Edit',
                            'dialog' => 'todos/' . $id . '/edit',
                            'icon'   => 'edit'
                        ],
                        [
                            'text'   => 'Duplicate',
                            'dialog' => 'todos/' . $id . '/duplicate',
                            'icon'   => 'copy'
                        ],
                        [
                            'text'   => 'Delete',
                            'dialog' => 'todos/' . $id . '/delete',
                            'icon'   => 'trash'
                        ]
                    ];
                }
            ]
        ]
    ]
]);

Your dropdown options can then be loaded in your Vue code like this:

<k-dropdown>
    <k-button icon="cog" @click="$refs.options.toggle()">Options</k-button>
    <k-dropdown-content ref="options" :options="$dropdown('todos/the-todo-id')" />
</k-dropdown>

The most exciting part: it will soon be possible to overwrite and extend our default dropdowns for pages, files and users 🎉

Just think about it. You can create simple plugins to add additional options to cross-post page content on social media, start generating static versions, edit files, and so much more. It's all up to you.

New Fiber Search

Very much like the new Fiber views, dialogs and dropdowns, Panel search is now also massively simplified. Our default searches for pages, files and users already run on Fiber in this new release and your plugins can now create their own new search types, which will automatically be available in our search dialog.

Kirby::plugin('your-plugin/todos', [
    'areas' => [
        'todos' => [
            ...
            'searches' => [
                'todos' => [
                    'label' => 'Todos',
                    'icon' => 'check',
                    'query' => function () {
                        // search for your $todos here (e.g. in a database)
                        $todos   = [];
                        $results = [];

                        foreach ($todos as $todo) {
                            $results[] = [
                                'image' => [], // optional image settings
                                'text'  => $todo->text(),
                                'link'  => '/todos/' . $todo->id(),
                                'info'  => 'Get it done!'
                            ];
                        }

                        return $results;
                    }
                ]
            ]
        ]
    ]
]);

That's all it takes to create your own search index for your own plugins.

The search will automatically appear in the search dialog, but can also be run manually from your Vue components with …

const query = 'Searchy search';
const todos = await this.$search('todos', query);

Like all other Fiber features, it will soon be possible to overwrite and extend our default searches for pages, files and users 🎉

New core methods

  • New $blocks->hasType() method
  • New $layouts->toBlocks() method
  • New $layouts->hasBlockType() method

Enhancements

  • Enhanced CSS support for RTL Panel interface #3556
  • New v-direction directive to set the dir attribute based on the current content translation #3568
  • File view uses stable preview link for files (instead of media folder URL) #3575
  • The Data\Json::decode() and Data\Xml::decode() methods now accept empty strings and treat them as an empty data set (empty array) for consistency with Data\Txt::decode() and Data\Yaml::decode() #3565

Fixed

  • Fixes blocks field sort handle on hover #3538
  • Fixes writer field RTL support https://kirby.nolt.io/322
  • Fixed version number in settings view in RTL interface #3581
  • Fixed manual files sorting via changePosition dialog #3589

Fixed regressions from 3.6.0-alpha.2

  • Fixes drag handle for picker fields #3553
  • Fixes blocks field options bar #3552
  • Fixes correct dir attribute for fields #3568
  • Styling for tabbed link highlighting works again #3576
  • Topbar is fully responsive again #3574
  • Languages get deleted without error again #3588
  • Dropdowns and dropdown buttons no longer appear above the save bar. #3554

Breaking Changes

  • CSS class .k-block-handle has been replaced with .k-sort-handle

3.6.0-alpha.2

20 Jul 12:46
aac427b
Pre-release

3.6 Alpha

To learn more about Kirby 3.6 and the alpha phase, check out our dedicated preview site: https://getkirby.com/releases/3.6

Features

Improved Duplicate Dialog

The Page Duplicate Dialog now also accepts a title for the new page

[Image: duplicate dialog]

New line block

Add horizontal rules to your blocks with the new line block. It automatically supports and imports hr blocks from the old Editor plugin.

[Image: line block]

New panel.favicon option

Set your own favicon(s) for the panel – the last step to a full white-label solution

'panel.favicon' => [
    'apple-touch-icon' => [
        'type' => 'image/png',
        'url'  =>  'assets/apple-touch-icon.png',
    ],
    'shortcut icon' => [
        'type' => 'image/svg+xml',
        'url'  => 'assets/favicon.svg',
    ],
    'alternate icon' => [
        'type' => 'image/png',
        'url'  => 'assets/favicon.png',
    ]
]

New CSS selectors for Panel customizations

  • .k-panel[data-language] for the current content translation language
  • .k-panel[data-default-language] for the default content translation language
  • .k-panel[data-translation] for the current Panel UI/user language
  • .k-panel[data-role] for current user role
  • .k-panel[data-user] for current user ID
  • .k-page-view[data-id] for page ID
  • .k-page-view[data-template] for page's intended template
  • .k-file-view[data-id] for file ID
  • .k-file-view[data-template] for file's template
  • .k-user-view[data-id] for user ID
  • .k-user-view[data-role] for user's role
  • .k-site-view[data-id] for site ID (/)
  • .k-site-view[data-template] for site's template (site)
  • .k-languages-dropdown for content translation language dropdown
  • .k-page-view-options, .k-file-view-options and .k-user-view-options for options dropdown on model views
  • .k-page-view-preview, .k-file-view-preview, .k-site-view-preview and .k-user-view-preview for preview button on model views
  • .k-pages-section .k-item[data-id], .k-pages-section .k-item[data-status] and .k-pages-section .k-item[data-template]
  • .k-files-section .k-item[data-id] and .k-files-section .k-item[data-template]
  • .k-status-icon .k-status-icon-{status} for the page's status button

New PHP methods

  • New System::title() method (is now used for all emails to replace "Kirby Panel" as generic title)
  • New $files->size() and $files->niceSize() methods

Enhancements

  • Writer field: marks (floating toolbar buttons) now show tooltips
  • Blocks without fields don't open empty drawer anymore (e.g. new line block)
  • F::size and F::niceSize accept array of file paths
  • Dir::size() has new $recursive parameter
  • The new license root allows storing the license outside the config dir for easier deployments and multi-site setups.
  • The default block snippet for the image block now escapes the content output from the source, alt and link fields. This protects against XSS attacks against site visitors.
  • $t() JS helper now supports a fallback value as third parameter
  • Str::widont applies to punctuation with gap

Fixed

  • Extending a non-existing Vue component is now ignored instead of throwing a console error and breaking the Panel
  • Changing the page title no longer causes errors with slug autocorrection (e.g. from underscores to dashes) if the user does not have permissions to change the slug

Fixed regressions from 3.6.0-alpha.1

  • Fixed dropdown issue in model views #3491
  • Fixed default permissions for Panel views #3487
  • Fixed error dialog not shown at form errors #3520
  • Fixed dialog events not being triggered
  • Fixed blueprint placeholder messages for file views with default template

Deprecations

  • Str::template(): the parameters $fallback, $start and $end have been deprecated and throw a deprecation warning. Use instead an $options array with fallback, start and/or end keys as third parameter.

Breaking Changes

  • F::niceSize() doesn't check anymore whether file exists
  • .k-panel[data-translation] is now .k-panel[data-language]
  • .k-panel[data-default-translation] is now .k-panel[data-default-language]

3.5.7.1

07 Jul 09:32
c77ccb8

This is a patch release for a regression in 3.5.7. The regression in 3.5.7 was causing an error in templates when the layout field was empty and the ->toLayouts() method was called. If you are not using the layout field, you don't necessarily have to update to this patch release.

Fixes

  • Fixed error when calling the ->toLayouts() method on an empty layout field #3482
  • Fixed in-code type hints for the $collection->filterBy() method

3.6.0-alpha.1

02 Jul 09:46
326cf36
Pre-release

Check out our Kirby 3.6.0 alpha site: https://getkirby.com/releases/3.6

3.5.7

02 Jul 09:30
3395389

Security

Cross-site scripting (XSS) from field and configuration text displayed in the Panel

This release fixes the following XSS vulnerabilities inside the Panel:

  • Placeholders in core translation strings (e.g. in error or info messages) are now escaped.
  • Error message boxes in dialogs and the fields section now only display the escaped exception message.
  • Data displayed in the users and settings view (list of users/languages) is now escaped.
  • The default text displayed by the files and pages sections (filename/page title), the files, pages and users fields (filename/page title/username) and by query-based checkboxes, radio, tags and multiselect fields (default text depending on the used query) is now escaped.

Note: Custom text, help and info queries in blueprints are not escaped in 3.5.7. We support HTML in these properties because there are valid use cases for custom formatting. However, there can still be XSS vulnerabilities depending on your use of these properties. In Kirby 3.6 we will provide a new feature that will make it much easier to control whether you want to allow HTML from query placeholders.

You can find out more about the issues and fixes in our security advisory.

PHPMailer update

  • PHPMailer has a new security release, which fixes two of their security issues. There seems to be a small, insignificant breaking change in their validator code, according to their release notes. We still decided to add the security fixes as soon as possible and include it in this release.

🎉 Features

  • Support for custom callbacks for Str::template() (e.g. to escape query output) #3454
Str::template($value, $data, [
    'callback' => function ($result) {
        return Str::ucwords($result);
    }
]);
  • The Box component now supports a text-only mode (with the html prop set to false). For compatibility, the default value is currently true. We plan to make false (escaped text) the new default behavior in Kirby 3.6.0.
  • The Autocomplete component now has support for HTML in the text property with a new html property (defaults to false).
  • New this.$helper.string.escapeHTML (or this.$esc) helper to escape HTML special characters as entities
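The escaping behaviour these notes describe, as an added example that is not Kirby's own code: a small stand-alone resolver that mimics the 3.5.7 callback option of Str::template() shown above, and the rule from the 3.6.0-beta.1 notes (Str::safeTemplate() and the related breaking change) under which {{ }} placeholders are escaped and {< >} placeholders are inserted raw. The function names, the dotted-path lookup standing in for Kirby's query language, and the sample data are assumptions made for this example.

```php
<?php
// Added example, not Kirby's implementation. It mirrors the behaviour the
// release notes describe:
//   3.5.7: Str::template() accepts a 'callback' option that post-processes
//          every resolved placeholder (e.g. an HTML escaper); without it the
//          value is inserted raw.
//   3.6:   {{ query }} is always escaped, {< query >} is inserted raw and the
//          caller is responsible for the returned HTML.
// Function names, the dotted-path lookup (a stand-in for Kirby's query
// language) and the sample data are constructed for this example.

function resolveQuery(string $query, array $data)
{
    $value = $data;
    foreach (explode('.', trim($query)) as $segment) {
        if (!is_array($value) || !array_key_exists($segment, $value)) {
            return null;
        }
        $value = $value[$segment];
    }
    // only closures are invoked; a plain string is never treated as a callable
    return $value instanceof Closure ? $value() : $value;
}

// Stand-in for Str::template($string, $data, $options) with the 3.5.7 options array
function renderTemplate(string $string, array $data, array $options = []): string
{
    $fallback = $options['fallback'] ?? '';
    $callback = $options['callback'] ?? null;
    $start    = $options['start'] ?? '{{';
    $end      = $options['end'] ?? '}}';
    $pattern  = '!' . preg_quote($start, '!') . '(.*?)' . preg_quote($end, '!') . '!s';

    return preg_replace_callback($pattern, function (array $match) use ($data, $fallback, $callback) {
        $value = resolveQuery($match[1], $data);
        $value = $value === null ? $fallback : (string)$value;
        return $callback !== null ? $callback($value) : $value;
    }, $string);
}

function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-in for Str::safeTemplate(): escaped {{ }} pass first, raw {< >} pass second.
// Because the escaping pass runs first, an escaped value can never open a raw
// placeholder (its "<" is already "&lt;"), and a raw value that happens to
// contain "{{" is not expanded again.
function renderSafeTemplate(string $string, array $data): string
{
    $escaped = renderTemplate($string, $data, ['callback' => 'escapeHtml']);
    return renderTemplate($escaped, $data, ['start' => '{<', 'end' => '>}']);
}

// Constructed sample data: an untrusted page title and a model method that
// deliberately returns markup it vouches for
$data = [
    'page' => [
        'title'  => 'Hello <script>alert(1)</script>',
        'teaser' => fn () => '<em>markup returned by a model method</em>',
    ],
];

// 3.5.x default: the placeholder value is inserted raw
echo renderTemplate('Title: {{ page.title }}', $data), PHP_EOL;
// 3.5.7: opt in to escaping through the callback option
echo renderTemplate('Title: {{ page.title }}', $data, ['callback' => 'escapeHtml']), PHP_EOL;
// 3.6: HTML written around the placeholder stays, {{ }} is escaped, {< >} is raw
echo renderSafeTemplate('<strong>{{ page.title }}</strong> {< page.teaser >}', $data), PHP_EOL;
```

The order of the two passes in renderSafeTemplate() is the point worth keeping in mind when reasoning about the 3.6 breaking change: markup typed directly into the query string survives, every {{ }} value is neutralised, and only a {< >} placeholder can contribute live HTML, so that is the only place where the returned value still has to be reviewed by hand.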

Enhancements

  • Improved blocks and layout field value for isEmpty() field method support #3153
  • Supports new assets extensions map|json|avif|mjs for plugins #3436
  • Str::template() now supports an $options array that can contain fallback, callback, start, end attributes. We plan to deprecate the old $fallback, $start and $end arguments in 3.6.0. #3454
  • The Kirby\Sane\Svg::$allowedNamespaces property is now public to allow customizing it to your needs. #3424
  • Dropdowns in the Panel are now automatically aligned vertically, depending on their position in the window. #3080
  • The Card component now supports HTML in its text property for consistency with ListItem.
  • The Radio, Tags and Multiselect input components now support HTML in their text properties for consistency with Checkboxes.

Fixes

  • Toggle and checkbox field labels support HTML again #3278
  • Filtering based on field value sizes issue fixed #3382
  • Fixed updating pages and files sections after sorting a page/file in another section #3399
  • Fixed width prop of columns in the table block preview #3323
  • Fixed preview output in the table block preview #3324
  • Fixed autofocus option for list and writer fields #3122
  • Fixed writer field empty state #3365
  • Added missing marks prop for quote block #3443
  • Dir::make(): Fixed warning when there is a file in the provided folder path #3442

Refactoring

  • Table block and structure field refactored to display properly in block table #3411

3.5.6

08 Jun 07:55
aadf1c2

Features

  • New Locale::get() method to access the current PHP locales #3319
  • New A::apply($array, $parameters) method that recursively loops through the array and resolves each entry that is a Closure by calling it with the passed parameters #3331
  • Collection::values($map) now accepts a mapping Closure as first parameter. All items are resolved with this Closure. #3332

Enhancements

  • Added some missing @since tags in doc-blocks #3336
  • The layout property of the tags field is now documented #3371
  • Updated translations

Fixes

  • Fixed browser back button in the Panel #3216
  • The configured database port is no longer ignored in the DB class #3302
  • The list block is no longer out of sync with the drawer #3320
  • Hard coded labels in the writer field have been updated with their translations #3316

Refactoring

  • Our continuous integration workflow has been improved and is now more robust against unexpected tool changes. #3335

3.5.5

11 May 09:52
efe24a6

🎉 Features

Allow setting the page cache expiry from controllers #3246 #3292

  • New $kirby->response()->cache(false) method that can be used to completely disable Kirby's page cache from controllers or templates
  • It is now also possible to set the page cache expiry timestamp from controllers or templates:
$kirby->response()->expires(1234567890); // timestamp
$kirby->response()->expires(60); // minutes
$kirby->response()->expires('2021-12-31');

video KirbyTag supporting local and remote videos #3104

Supports local videos, YouTube and Vimeo with a completely overhauled video tag.

New Attributes:

  • autoplay
  • controls (default: true)
  • loop
  • muted *
  • poster
  • preload (auto, metadata, none)

* The video will automatically be muted if autoplay is activated and the muted option is not defined

Usage:

# local
(video: local-video.mp4)

# remote
(video: https://www.getkirby.com/sample-video.mp4)

# example 1
(video: local-video.mp4  autoplay: true)

# example 2
(video: local-video.mp4 controls: false autoplay: true loop: true)

# example 3
(video: local-video.mp4 poster: cover.jpg)

# example 4
(video: local-video.mp4 preload: auto)

# example 5
(video: https://www.getkirby.com/sample-video.mp4 muted: true controls: false autoplay: true)

# example 6
(video: local-video.mp4 poster: https://www.getkirby.com/sample-cover.jpg)

Other features

  • The $kirby->response()->header() method now accepts a new third $lazy param. If set to true, an already set header is not overridden. #3292
  • Blocks: New $block->excerpt() method #3196

Enhancements

  • All pages that rely on Kirby's session are now automatically excluded from Kirby's page cache and from the browser and intermediary caches #3292
  • When setting cache values, you can now define an absolute expiry timestamp instead of the number of minutes. The number of minutes is still supported and auto-detected. #3246
  • The email auth challenge now uses the user's language, the configured panel.language or site default language for the email text (in that order) #3294
  • Slots for the ListItem component #3217
  • Topbar: Configurable menu entry for views #3206
  • Editor → Blocks conversion of paragraph no longer lacks <p> #3210
  • Support HTML tags on list items text attribute #3200
  • Blocks field: new delete button inside the drawer #3180
  • Blocks field: fixed inconsistencies in max items behaviour #3179
  • Better login error message in debug mode "Passwords do no match" #3165
  • FileCache: Now cleans up empty directories on remove() #3162
  • Handling of fatal Exceptions #3154
  • Updated pull request template #3286
  • Updated Composer dependencies #3280
  • In-code UI component documentation #3175

Refactorings

  • Fixed Form\OptionsQuery prop types #3283
  • Use shared Laminas escaper instance #3274
  • Fixed file permissions #3258
  • Updated docblocks for esc() helpers/methods #3254
  • esc() helper: Remove unused $strict param #3252
  • Removed duplicated jp2 file extension for F class #3253
  • Improved Structure/StructureObject parameter docs #3251
  • Added Languages::__construct() parameter description #3249
  • Fixed doc blocks for field methods #3229
  • Fixed and extended doc blocks and parameter hinting #3223
  • Fixed return types: $this, static and self #3167
  • Deprecated: improved docs and warnings #3166

Fixes

  • Fixed the default sender domain for the email auth challenge if the site URL contains a path #3294
  • Video block now saves captions correctly #3264
  • Using dynamic query language values for API option URLs in blueprints no longer fails #3260
  • Layout field: the link title is no longer deleted when leaving a page and returning #3255
  • The $ignore parameter in Dir::copy() is now passed down in recursive calls #3243
  • Whoops now handles custom HTTP codes from exceptions correctly #3237
  • Links no longer overflow in disabled structure fields #3227
  • Fixed error when clicking on non-translatable files field in second language #3220
  • Duplicating a page with an empty URL appendix is no longer possible #3214
  • Fixed date validation bug in invalid() helper #3208
  • Fixed error message on empty URL appendix #3205
  • Blocks writer preview does now apply field props #3145
  • Added missing nodes prop for writer field #3144
  • Writer & list field: fixed issue with the revert bar after focusing a new field #3126
  • List Items no longer get saved with <p>-tags in list-block #3086
  • The toolbar of the writer field no longer overflows in the drawer #2971

3.5.4

27 Apr 08:36
3d580d8

Security release

This security release fixes a cross-site scripting (XSS) vulnerability from unvalidated uploaded SVG or XML files.

Impact

An editor with write access to the Kirby Panel can upload an SVG or XML file that contains harmful content like <script> tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the script will run and can for example trigger requests to Kirby's API with the permissions of the victim.

This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.

Visitors without Panel access can only use this attack vector if your site allows SVG or XML file uploads in frontend forms and you don't already validate or sanitize uploaded SVG or XML files.

The attack requires user interaction by another user or visitor and cannot be automated.

Patches

Uploads in the Panel

The problem has been patched in this release by validating uploaded SVG and XML files and rejecting potentially harmful files. Please update to this or a later version to fix the vulnerability.

Frontend upload forms

Frontend upload forms need to be patched separately depending on how they store the uploaded file(s). If you use File::create(), you are protected by updating to Kirby 3.5.4+.

Validate existing files

Already uploaded files are not automatically validated again. If you are not sure whether you have been impacted by this vulnerability in the past, we recommend running all site files through the validator classes after updating to Kirby 3.5.4. You can use the following test script by pasting it into a template or uploading it to your web root:

<?php

@include_once __DIR__ . '/kirby/bootstrap.php';

if (version_compare(kirby()->version(), '3.5.4', '<') === true) {
  die('This script requires Kirby 3.5.4+.');
}

$objects = [
  // the site itself
  site(),

  // all pages and drafts
  ...site()->index(true)->values(),

  // all users
  ...kirby()->users()->values()
];

$errors = false;
foreach ($objects as $object) {
  foreach ($object->files() as $file) {
    try {
      // validate the contents lazily
      // (if a validator exists)
      $file->validateContents(true);
    } catch (\Kirby\Exception\InvalidArgumentException $e) {
      echo $file->id() . ': ' . $e->getMessage() . "<br>\n";
      $errors = true;
    }
  }
}

if ($errors === false) {
  echo 'No validation errors found.';
}

You only need to run this validator script once as future uploads will automatically be validated. If the script prints "No validation errors found", you have not been impacted by the vulnerability so far.

Errors that it lists may or may not be critical, as our validator classes also catch files with an invalid data structure or less harmful attacks like the "billion laughs" denial-of-service attack or the usage of external sources. We recommend reviewing and fixing each listed error manually until the script no longer finds any validation errors.
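A stand-alone content check in the spirit of the validation described above, added here as an example; it is not Kirby's Sane\Svg or Sane\Xml validator and is deliberately narrower. It reports the classes of content the advisory names (script elements, DTD and entity declarations such as the billion-laughs expansion, external references) plus event-handler attributes and script-bearing links. The function name, the rule lists and the sample files are constructed for this example.

```php
<?php
// Added example, not Kirby's Sane\Svg / Sane\Xml code: a minimal stand-alone
// check that reports the kinds of content the 3.5.4 advisory describes
// (script elements, DTD/entity declarations such as the "billion laughs"
// expansion, external references) plus event-handler attributes and
// script-bearing links. Rule lists and sample files are constructed here.

function svgContentErrors(string $svg): array
{
    // Entity expansion bombs and external entities need a DTD, so refuse
    // one outright rather than letting the parser expand anything
    if (preg_match('/<!(DOCTYPE|ENTITY)\b/i', $svg) === 1) {
        return ['DOCTYPE or ENTITY declaration found'];
    }

    $previous = libxml_use_internal_errors(true);
    $document = new DOMDocument();
    // LIBXML_NONET: never fetch anything over the network while parsing
    $loaded   = $document->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($loaded === false) {
        return ['file is not well-formed XML'];
    }

    $blockedElements  = ['script', 'foreignobject', 'iframe', 'embed', 'object'];
    $blockedProtocols = ['javascript:', 'vbscript:', 'data:text/html'];
    $errors           = [];

    foreach ($document->getElementsByTagName('*') as $element) {
        $name = strtolower($element->localName);

        if (in_array($name, $blockedElements, true) === true) {
            $errors[] = '<' . $name . '> element is not allowed';
        }

        foreach ($element->attributes as $attribute) {
            // localName drops the prefix, so xlink:href is checked as href
            $attrName = strtolower($attribute->localName);

            // onload, onclick, ... execute when the SVG is rendered
            if (strpos($attrName, 'on') === 0) {
                $errors[] = $attrName . ' attribute on <' . $name . '>';
                continue;
            }

            if ($attrName === 'href' || $attrName === 'src') {
                // remove whitespace and control characters before looking at the scheme
                $target = strtolower(preg_replace('/[\s\x00-\x1f]+/', '', $attribute->value));

                foreach ($blockedProtocols as $protocol) {
                    if (strpos($target, $protocol) === 0) {
                        $errors[] = $attrName . ' on <' . $name . '> uses ' . $protocol;
                    }
                }

                // remote references leak viewer data and load content you do not control
                if (preg_match('#^(https?:)?//#', $target) === 1) {
                    $errors[] = $attrName . ' on <' . $name . '> references an external resource';
                }
            }
        }
    }

    return $errors;
}

// Constructed samples: a harmless icon, a file with a script element and a
// remote reference, and a file that carries a DTD
$harmless = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>';
$scripted = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
          . '<script>alert(1)</script>'
          . '<image xlink:href="https://example.invalid/pixel.png"/>'
          . '</svg>';
$withDtd  = '<!DOCTYPE svg [<!ENTITY a "aaaaaaaaaa">]><svg xmlns="http://www.w3.org/2000/svg"><text>&a;</text></svg>';

foreach (['harmless' => $harmless, 'scripted' => $scripted, 'withDtd' => $withDtd] as $label => $svg) {
    $errors = svgContentErrors($svg);
    echo $label, ': ', $errors === [] ? 'ok' : implode('; ', $errors), PHP_EOL;
}
```

A DOCTYPE written by a drawing tool trips the first check even when the file is harmless, which is the same situation the paragraph above describes for Kirby's validator classes: a listed error is a prompt for manual review, not proof of an attack. Kirby's own Sane classes remain the reference implementation; this example only shows what such a validator looks for and why the DTD is rejected before parsing rather than after.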

Please delete the script again after you have used it.

More information

You can find more details like the CVE ID of this vulnerability on its security advisory page.

Credits

Thanks to @sreenathr10 for reporting the problem.