Releases: getkirby/kirby
3.10.0.1
🚨 Security release
This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:
- Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
- Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
- Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)
Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.
Updated docs on the Markdown safe mode
During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.
The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML; however, there are also risks in the Markdown syntax itself (e.g. malicious `javascript:` links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.
The documentation on the safe mode contained a wrong code example that used an invalid `safeMode` option instead of the correct `safe` option. This has now been corrected. If you already use the safe mode, please check your code.
3.9.8.1
🚨 Security release
This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:
- Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
- Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
- Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)
Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.
Updated docs on the Markdown safe mode
During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.
The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML; however, there are also risks in the Markdown syntax itself (e.g. malicious `javascript:` links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.
The documentation on the safe mode contained a wrong code example that used an invalid `safeMode` option instead of the correct `safe` option. This has now been corrected. If you already use the safe mode, please check your code.
3.8.4.3
🚨 Security release
This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:
- Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
- Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
- Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)
Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.
Updated docs on the Markdown safe mode
During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.
The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML; however, there are also risks in the Markdown syntax itself (e.g. malicious `javascript:` links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.
The documentation on the safe mode contained a wrong code example that used an invalid `safeMode` option instead of the correct `safe` option. This has now been corrected. If you already use the safe mode, please check your code.
3.7.5.4
🚨 Security release
This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:
- Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
- Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
- Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)
Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.
Updated docs on the Markdown safe mode
During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.
The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML; however, there are also risks in the Markdown syntax itself (e.g. malicious `javascript:` links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.
The documentation on the safe mode contained a wrong code example that used an invalid `safeMode` option instead of the correct `safe` option. This has now been corrected. If you already use the safe mode, please check your code.
3.6.6.5
🚨 Security release
This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:
- Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
- Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
- Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)
Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.
Updated docs on the Markdown safe mode
During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.
The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML; however, there are also risks in the Markdown syntax itself (e.g. malicious `javascript:` links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.
The documentation on the safe mode contained a wrong code example that used an invalid `safeMode` option instead of the correct `safe` option. This has now been corrected. If you already use the safe mode, please check your code.
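The safe mode rationale above is repeated for each of the five security releases, so one added example covers all of them. It is not Kirby's code: a stand-alone Python filter that allow-lists the URL schemes of Markdown inline links and images after undoing entity encoding and control-character padding, which is the class of check a Markdown safe mode has to make beyond stripping raw HTML. Kirby's `safe` option delegates this to its Markdown parser; the sample input below is constructed for the demonstration.

```python
"""Added example (not Kirby's code): a stand-alone allow-list check for the URL
schemes of Markdown inline links and images, i.e. the part of the XSS risk that
lives in the Markdown syntax itself rather than in raw HTML."""
import html
import re
import unicodedata
from typing import List, Optional, Tuple

# Markdown inline link or image: [text](url), ![alt](url) or [text](<url> "title").
_LINK_RE = re.compile(r'(!?)\[([^\]]*)\]\(\s*<?([^)\s>]*)>?(?:\s+"[^"]*")?\s*\)')

# Fail closed: any scheme not listed here is treated as unsafe.
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}

# Constructed sample, as an authenticated Panel user could type it into a text field.
SAMPLE_MARKDOWN = """\
Read the [docs](https://getkirby.com/docs) or [contact us](mailto:hello@example.com).
Plain [link](javascript:alert) and [entity-encoded](&#106;avascript:alert) variants.
![inline](data:text/html;base64,QUJD) and a [relative](/blog) link.
"""

def normalize_url(raw: str) -> str:
    """Undo the usual scheme obfuscations before inspecting the URL."""
    url = html.unescape(raw)                   # &#106;avascript: -> javascript:
    url = unicodedata.normalize("NFKC", url)   # fullwidth letters -> ASCII
    # Browsers ignore ASCII control characters inside a scheme ("java\tscript:"),
    # so drop them (and spaces) before matching.
    return "".join(ch for ch in url if ord(ch) > 0x20)

def scheme_of(url: str) -> Optional[str]:
    """Lowercase scheme per RFC 3986, or None for relative / scheme-less URLs.
    A bare "host:port" therefore looks like a scheme and is rejected (fail closed)."""
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*):", url)
    return m.group(1).lower() if m else None

def is_safe_url(raw: str) -> bool:
    scheme = scheme_of(normalize_url(raw))
    return scheme is None or scheme in ALLOWED_SCHEMES

def sanitize_markdown_links(md: str) -> Tuple[str, List[str]]:
    """Point every unsafe link/image at '#' and report the dropped destinations."""
    dropped: List[str] = []

    def fix(m):
        bang, text, url = m.group(1), m.group(2), m.group(3)
        if is_safe_url(url):
            return m.group(0)          # keep safe links untouched
        dropped.append(url)
        return f"{bang}[{text}](#)"    # neutralize the destination, keep the text

    return _LINK_RE.sub(fix, md), dropped

if __name__ == "__main__":
    cleaned, dropped = sanitize_markdown_links(SAMPLE_MARKDOWN)
    print(cleaned)
    print("dropped:", dropped)
```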
4.1.0
🎉 Features
New page create dialog features
The page create dialog now allows hiding the `title` and/or `slug` field by defining a string template that will be used instead:

```yaml
create:
  title: "{{ page.location }} – {{ page.date.toDate('M Y') }}"
  slug: "{{ page.location.slug }}-{{ page.date.toDate('Y-m-d') }}"
```

Custom fields from the create dialog will be accessible through Kirby queries starting with `page.` (in this example the fields `location` and `date`). If no custom fields are defined, the create dialog will be skipped and the page immediately created. #6154
Color field: query and API support for options
```yaml
myColorField:
  type: color
  options:
    type: query
    query: kirby.option('my.colors')
```

```php
// only values
return [
  'my' => [
    'colors' => [
      '#3e3e3e',
      '#aaa',
      '#ddd',
    ]
  ]
];

// values -> labels
return [
  'my' => [
    'colors' => [
      '#3e3e3e' => 'Color A',
      '#aaa'    => 'Color B',
      '#ddd'    => 'Color C',
    ]
  ]
];
```
New sharpen option for thumbnails
When resizing images, you can now sharpen them. This often enhances the image quality when downscaling images.
```php
$page->image('my-image.jpg')->thumb([
  'width'   => 300,
  'height'  => 200,
  'sharpen' => true
]);
```
You can also pass an integer value to control the sharpening effect. Higher numbers create sharper images. The default is 50.
```php
$page->image('my-image.jpg')->thumb([
  'width'   => 300,
  'height'  => 200,
  'sharpen' => 25
]);
```
Thank you very much to @dgsiegel for implementing this feature. #6164
Link Field Previews
The link field now has proper previews in structure and object fields #5262
And more …
- Stats section supports new `icon` option #6006
- New `A::implode()` method that also handles nested arrays #6059
✨ Enhancements
- Upgrade to Vite 5 #5984
- Page and files section with table layout will now try to infer the column type from the blueprint of the first model when no type has been provided explicitly #6147
- When a block fieldset doesn't set a `name`, the `label` is now used as fallback #6137
- The search type can now be pre-defined when opening the search dialog #6158

  ```js
  panel.dialog.open({
    component: "k-search-dialog",
    props: {
      type: "pages"
    }
  });
  ```
- Extensive block examples in the lab #6160
- Added support for emojis and other multi-byte characters in MySQL database connections. Thanks to @degoya #6168
- Improved lab examples with better source code view #6170
🐛 Bug fixes
- Link field: fixed default type if `url` option not available #6145
- Fixed renewal date formatting in the license dialog when using a custom date handler #6138
- Fix Panel menu button centering #6051
- Writer toolbar: fix when implicitly inline #6069
- Support dimensions for `avif` images #6141
- Table layout: columns marked as `mobile: true` are shown again in narrow viewports #6106
- Respect custom allowed slug characters from `Str` class in slug field #6049
- `$store.content`: fix consistent id pattern #6057
- Structure field: clone row on duplicate #6073
- `field.isVisible()`: fix if statement #6098
- Many objects are serializable again #6072
- `Helpers::handleErrors()` correctly restores the original error handler even if an exception is thrown in the action #6105
- Fixed PHP warning for structure fields without subfields #6059
- Fixed PHP warning for `F::size()` with non-existing file #6059
- Fixed PHP warning for unserializing `Session` data #6059
- Fixed PHP warning for `V::message()` with nested arrays #6059
- Fix fallbacks in the `Kirby/Api/Api` and `Kirby/Form/Form` classes when no app object is loaded
- The CLI detection also works for processes not attached to a terminal (e.g. externally called from another script)
- Fix `$store.content.id` when deleting page #6111
- Fix handling `image: false` in blueprint for Panel preview images #6020
- Fixes overflow in narrow layout field columns when using a block with `preview: fields` #6128
- Blocks: fixed disabled field preview #5818
- Language argument now gets passed reliably to hooks from dialogs/areas #6117
- Improve link KirbyTag behavior when the UUID points to a non-existing page #6083
- Files section: fixed `NaN` value after sorting files #6067
- Page create dialog: custom fields in dialogs are prefilled with default values #6137
- Page create dialog: no error is thrown when directly publishing a page with required fields that have a default value #6119
- Fixed Panel column block gap #5935
- Consistent disabled state and styling for all block types #5100
- It is possible again to use the field names `field`, `options`, `parent`, `siblings` and `params` inside structure fields #6181
- `$field->toStructure()->field()` now returns a copy of the structure field object as intended #6181
- `file` KirbyTag that references a non-existing file does not throw an exception anymore when no `text` attribute is passed #6177
- New text and html props for the `k-tag` component #5834
- New `cancel-small` icon version #5834
- New `$helper.link` #5834
- Upload of the identical file should not change the UUID #5730
- Add missing link field id #6169
- RangeInput: fixed tooltip `max-width` #6189
- Link field: no dropdown is shown if only one type option is active #6186
- Link field: no dropdown icon is shown when field is disabled
- Sets the default border radius for `k-bubble` to `rounded-sm` to be consistent with `k-tag` #6188
- Cropping a jpg with focus point no longer results in wrong aspect ratio #5855
- Fix type hint on `Panel::area()` #6217
- Structure field: Drawer is now closed correctly again when an entry is deleted #6209
- Structure field: row height fix on mobile #6203
♻️ Refactored
- New `this.$helper.array.` functions: `fromObject`, `sortBy`, `split`, `wrap` #6140
- The license file included in the Kirby repo is now formatted correctly on GitHub #6060
- PHPUnit test provider methods are now static
- `FileActionsTest`: static provider methods #6092
- Prepare for Vue 3
- Remove input theme field mentions #6102
- Use more PHP arrow functions #6125
- DRY tests with `Kirby\TestCase` #6124
- Blocks and layouts reuse props across components #5818
- Color field: options sh...
4.1.0-rc.3
What's changed since 4.1.0-rc.2
- Refactor the link field input event handling to improve link detection #6198
- ColorField: proper HTML/XSS handling #6195
- ImageMagick: remove optimization that breaks focus #6205
Full Changelog: 4.1.0-rc.2...4.1.0-rc.3
4.1.0-rc.2
4.1.0-rc.1
🎉 Features
New page create dialog features
The page create dialog now allows hiding the `title` and/or `slug` field by defining a string template that will be used instead:

```yaml
create:
  title: "{{ page.location }} – {{ page.date.toDate('M Y') }}"
  slug: "{{ page.location.slug }}-{{ page.date.toDate('Y-m-d') }}"
```

Custom fields from the create dialog will be accessible through Kirby queries starting with `page.` (in this example the fields `location` and `date`). If no custom fields are defined, the create dialog will be skipped and the page immediately created. #6154
Color field: query and API support for options
```yaml
myColorField:
  type: color
  options:
    type: query
    query: kirby.option('my.colors')
```

```php
// only values
return [
  'my' => [
    'colors' => [
      '#3e3e3e',
      '#aaa',
      '#ddd',
    ]
  ]
];

// values -> labels
return [
  'my' => [
    'colors' => [
      '#3e3e3e' => 'Color A',
      '#aaa'    => 'Color B',
      '#ddd'    => 'Color C',
    ]
  ]
];
```
New sharpen option for thumbnails
When resizing images, you can now sharpen them. This often enhances the image quality when downscaling images.
```php
$page->image('my-image.jpg')->thumb([
  'width'   => 300,
  'height'  => 200,
  'sharpen' => true
]);
```
You can also pass an integer value to control the sharpening effect. Higher numbers create sharper images. The default is 50.
```php
$page->image('my-image.jpg')->thumb([
  'width'   => 300,
  'height'  => 200,
  'sharpen' => 25
]);
```
Thank you very much to @dgsiegel for implementing this feature. #6164
Link Field Previews
The link field now has proper previews in structure and object fields #5262
And more …
- Stats section supports new `icon` option #6006
- New `A::implode()` method that also handles nested arrays #6059
✨ Enhancements
- Upgrade to Vite 5 #5984
- Page and files section with table layout will now try to infer the column type from the blueprint of the first model when no type has been provided explicitly #6147
- When a block fieldset doesn't set a `name`, the `label` is now used as fallback #6137
- The search type can now be pre-defined when opening the search dialog #6158

  ```js
  panel.dialog.open({
    component: "k-search-dialog",
    props: {
      type: "pages"
    }
  });
  ```
- Extensive block examples in the lab #6160
- Added support for emojis and other multi-byte characters in MySQL database connections. Thanks to @degoya #6168
- Improved lab examples with better source code view #6170
🐛 Bug fixes
- Link field: fixed default type if `url` option not available #6145
- Fixed renewal date formatting in the license dialog when using a custom date handler #6138
- Fix Panel menu button centering #6051
- Writer toolbar: fix when implicitly inline #6069
- Support dimensions for `avif` images #6141
- Table layout: columns marked as `mobile: true` are shown again in narrow viewports #6106
- Respect custom allowed slug characters from `Str` class in slug field #6049
- `$store.content`: fix consistent id pattern #6057
- Structure field: clone row on duplicate #6073
- `field.isVisible()`: fix if statement #6098
- Many objects are serializable again #6072
- `Helpers::handleErrors()` correctly restores the original error handler even if an exception is thrown in the action #6105
- Fixed PHP warning for structure fields without subfields #6059
- Fixed PHP warning for `F::size()` with non-existing file #6059
- Fixed PHP warning for unserializing `Session` data #6059
- Fixed PHP warning for `V::message()` with nested arrays #6059
- Fix fallbacks in the `Kirby/Api/Api` and `Kirby/Form/Form` classes when no app object is loaded
- The CLI detection also works for processes not attached to a terminal (e.g. externally called from another script)
- Fix `$store.content.id` when deleting page #6111
- Fix handling `image: false` in blueprint for Panel preview images #6020
- Fixes overflow in narrow layout field columns when using a block with `preview: fields` #6128
- Blocks: fixed disabled field preview #5818
- Language argument now gets passed reliably to hooks from dialogs/areas #6117
- Improve link KirbyTag behavior when the UUID points to a non-existing page #6083
- Files section: fixed `NaN` value after sorting files #6067
- Page create dialog: custom fields in dialogs are prefilled with default values #6137
- Page create dialog: no error is thrown when directly publishing a page with required fields that have a default value #6119
- Fixed Panel column block gap #5935
- Consistent disabled state and styling for all block types #5100
- It is possible again to use the field names `field`, `options`, `parent`, `siblings` and `params` inside structure fields #6181
- `$field->toStructure()->field()` now returns a copy of the structure field object as intended #6181
- `file` KirbyTag that references a non-existing file does not throw an exception anymore when no `text` attribute is passed #6177
- New text and html props for the `k-tag` component #5834
- New `cancel-small` icon version #5834
- New `$helper.link` #5834
- Upload of the identical file should not change the UUID #5730
- Add missing link field id #6169
♻️ Refactored
- New `this.$helper.array.` functions: `fromObject`, `sortBy`, `split`, `wrap` #6140
- The license file included in the Kirby repo is now formatted correctly on GitHub #6060
- PHPUnit test provider methods are now static
- `FileActionsTest`: static provider methods #6092
- Prepare for Vue 3
- Remove input theme field mentions #6102
- Use more PHP arrow functions #6125
- DRY tests with `Kirby\TestCase` #6124
- Blocks and layouts reuse props across components #5818
- Color field: options should be written as `$value => $name`, e.g. #6152

  ```yaml
  options:
    "#F8B195": "Sunny rays"
    "#F67280": "First-love blush"
    "#C06C84": "Cherry blossom"
    "#6C5B7B": "Morning gloom"
    "#355C7D": "Midnight rain"
  ```
- Improved performance due to caching blueprint section objects #6175
☠️ Deprecated
- Color field: writing options as `$name => value` has been deprecated #6152
- `$helper.object.clone()` has been deprecated. Use the native `structuredClone` function instead. #6086
- `Array.fromObject()` has been deprecated. Use `this.$helper.array.fromObject()` instead.
- `Array.wrap()` has been deprecated. Use `this.$helper.array.wrap()` instead.
- `myArray.sortBy...
4.0.3
✨ Enhancements
- DDEV development environments are now treated as local and allow setting up the Panel by default #6091
- Kirby 3 licenses can now be activated from the Kirby 4 Panel to allow direct renewal #6089
- Updated translations (de, it, pt_BR, pt_PT, tr)
🐛 Bug fixes
- No more deprecation warning when passing an empty string to `Url::short()` #6126
🧹 Housekeeping
- Replace remote testing domain with example.com