4.0.2

✨ Enhancements

• Updated translations (cs, fr, is, nl)

🐛 Bug fixes

• Respect custom allowed slug characters from Str class in slug field #6049
• Fixed crop issue in the Asset class #6065

♻️ Refactored

• The license file included in the Kirby repo is now formatted correctly on GitHub #6060

3.10.0

The version number might seem a bit weird. Here's the explanation:

The latest stable release of Kirby 3 is Kirby 3.9.8, which has support for PHP 8.0 until PHP 8.2. But we cannot offer support for PHP 8.3 without dropping support for PHP 8.0, due to version restrictions in our dependencies. So we decided to introduce this additional release, which adds support for PHP 8.3 (and nothing else) but also drops support for 8.0, while still keeping Kirby 3.9.8 around with the support for PHP 8.0. Depending on your hosting requirements, you can now choose between either Kirby 3.9.8 or Kirby 3.10.0.

✨ Enhancements

• Adds support for PHP 8.3
• Drops support for PHP 8.0

4.0.1

✨ Enhancements

• Updated translations (fr, it, ko, lt, nl)

🐛 Bug fixes

• Fix slug field in file rename dialog #6024
• Writer toolbar: don’t set position when not inline #6021
• Proper default value for -scroll-top
• Table block: fix sticky table headers inside table block preview #6016
• Slug field: fixed wizard button style #6008
• Slug field: wizard now works correctly with mixed-case field names
• Fixes the bottom margin of the pagination in a models dialog #6010
• Fix the bottom margin for the info box in the lab #6033
• Fix layout field when there are no fieldsets #6035

4.0.0

Kirby 4 is here! 🚀
Full release notes: https://getkirby.com/releases/4.0

4.0.0-rc.4

This is a quick patch for an upload regression that we unfortunately introduced in the last RC. Please, use this RC instead of RC.3

4.0.0-rc.3

UPDATE

We unfortunately introduced an upload bug in this RC, which renders any uploads unusable. We are very sorry for that. Please, use RC.4 instead: https://github.com/getkirby/kirby/releases/tag/4.0.0-rc.4

🚨 Security

During an internal security review of the Kirby 4 codebase, we have discovered two cross-site scripting (XSS) vulnerabilities in the changes dialog and the admin disable dialog for the new TOTP login feature.

Both vulnerabilities were introduced during the Kirby 4 alphas and betas and are fixed by this RC.

The vulnerabilities affect all Kirby sites on Kirby 4 alphas, betas or previous release candidates that might have potential attackers in the group of authenticated Panel users or that allow external visitors to create or update user accounts.

Sites on Kirby 3 are not affected.

✨ Enhancements

• Add Vue target version to jsconfig #5971
• Add missing class aliases to ease some breaking changes #5987
• Field and section labels have title attribute #5994
• colors library supports hex colors without leading # #5997
• New disabled theme for <k-item> #5996

🐛 Bug fixes

• Fix double-escaping bug in the Panel language view #5986
• ImageMagick: fix focus-cropping bug (thanks to @mrflix) #5982
• Block selector: fix for empty groups #5794
• Object field: fix disabled table style #5957
• Models fields: add disabled style #5959
• Link field: fix model preview for too long titles #5924
• Slug field respects custom allowed slug characters from Str::$defaults['slug']['allowed'] #5929
• Buttons in field and section headers don’t wrap on narrow screens #5994
• ColornameInput: only use getComputedStyle as last resort when colors library fails #5997

♻️ Refactored

• Use the Vue object syntax for dynamic :style attributes to enhance the robustness and security #5986
• Ensure the security of the Str::safeTemplate() method against code execution attacks with an automated test #5986

🚨 Breaking changes

• $helper.string.slug: the allow parameter now defines the whole set of allowed characters, not just the characters in addition to a-z0-9 #5991

4.0.0-rc.2

✨ Enhancements

• The selected color in the color field (options mode) now has a clear outline #5962
• New $field->permalinksToUrls() method for writer fields #5551
• Uuid::for() also parses permalinks now #5551
• Remove extraneous string splitting in changes dialog #5970

🐛 Bug fixes

• Fix header margin in the lab view
• Fix structure field footer #5941
• k-tabs: badges shown again #5969
• Long help texts no longer overflow the layout #5966
• Blocks: keep selected sort order #5896

3.9.8

🎉 Features

• New A::every(), A::find() and A::some() methods that implement the functionality of the JavaScript functions with the same names (thanks to @rasteiner) #5724
• New option to add a CLI specific config file (thanks to @lukaskleinschmidt) #5581

// config.cli.php
return [
    'option.one' => 1,
    'option.two' => 2,
];

✨ Enhancements

• The System view in the Panel now warns when the used PHP version is end-of-life and no longer receives security updates. #5728
• Files with the .pht extension can no longer be uploaded to a Kirby site to provide additional protection in older server setups beyond our recommendations in the security guide (thanks to @akabe1). #5925

🐛 Bug fixes

• Blocks field: pasting HTML does not remove crucial spaces anymore in inline contexts #4702
• The "Session ... is currently read-only because it was accessed via an old session" error is circumvented when the PHP sodium extension is available #5319
• $collection->remove() and $collection->__unset() in Toolkit collections behave like $collection->set()/$collection->__set() by default and ignore the key case #5704
• Append copy suffix of duplicated pages #5787
• Fix searching for Unicode characters #5780
• The backup copy of changed content now includes a JSON output for fields with structured data instead of scrambled data. #5791
• The validation error "Please enter a date between ... and ..." for the date field now correctly includes the maximum date. #5920

4.0.0-rc.1

✨ Enhancements

• Exclude UI docs and lab from regular bundle #5909
• k-stat supports new icon prop #5908
• Tweaked style of Toggle input #5916
• k-header: add warning for removed tabs support #5918
• New activation tooltip and better design for the activation button in the menu. #5921
• Switch to “Activate” wording instead of “register” #5922
• Dom: New allowHostRelativeUrls sanitization option (true by default) to perform less strict checks when the HTML <base> element is used
• Dom: Custom sanitization callbacks for attributes, elements and the doctype now also receive the $options array
• Sane: New $isExternal mode specifically for external files that may be accessed directly

🐛 Bug fixes

• Calendar input dropdown doesn't close without effect on click
• Calendar input dropdown stays open when selecting a date
• Calendar input dropdown: when clicking today button, also update the dropdown to show that date
• Clicking a button in the textarea no longer changes the scroll position #5906
• The textarea restores the size again after reverting changes #5871
• The textarea scrolls to a new line again #5868
• Removes breaking change: this.$library.autosize is back
• Fix grid and border radius in the TOTP dialog #5911
• Fix drag to empty blocks list #5910
• UUID permalinks added via the link dialog of the writer field are no longer removed in subfolder setups #5208
• Structure fields with gap fields can be added again
• The pagination dropdown no longer disappears before a selection can be made #5940
• Fix field states without options #5947
• Page move dialog: fix currently selected #5573
• Highlight selected values in multiselect field instead of hiding them #5744
• Fix keyboard navigation in the Tags field filter input #5741
• Proper scrolling overflow in the Multiselect and Tags dropdown #5627
• Fixed overflow issue for the Multiselect and Tags dropdown on mobile #5629
• Fixed tags field focus issue #5939

🚨 Breaking changes

• When sanitizing DOM objects (e.g. in the writer field, but not
  during the sanitization/validation of uploaded files), host-relative
  URLs that point outside the site root are now allowed as the use of the
  HTML <base> element is assumed for sites in a subfolder. To revert to the old, strict behavior, set the allowHostRelativeUrls option to false.
• New $isExternal argument for the Sane\Handler::sanitize() and ::validate() methods that custom Sane handlers need to implement; it allows to
  differentiate between strings from external files that may be accessed
  directly and strings that will end up directly on the page

3.9.8-rc.1

🎉 Features

• New A::every(), A::find() and A::some() methods that implement the functionality of the JavaScript functions with the same names (thanks to @rasteiner) #5724
• New option to add a CLI specific config file (thanks to @lukaskleinschmidt) #5581

// config.cli.php
return [
    'option.one' => 1,
    'option.two' => 2,
];

✨ Enhancements

• The System view in the Panel now warns when the used PHP version is end-of-life and no longer receives security updates. #5728
• Files with the .pht extension can no longer be uploaded to a Kirby site to provide additional protection in older server setups beyond our recommendations in the security guide (thanks to @akabe1). #5925

🐛 Bug fixes

• Blocks field: pasting HTML does not remove crucial spaces anymore in inline contexts #4702
• The "Session ... is currently read-only because it was accessed via an old session" error is circumvented when the PHP sodium extension is available #5319
• $collection->remove() and $collection->__unset() in Toolkit collections behave like $collection->set()/$collection->__set() by default and ignore the key case #5704
• Append copy suffix of duplicated pages #5787
• Fix searching for Unicode characters #5780
• The backup copy of changed content now includes a JSON output for fields with structured data instead of scrambled data. #5791
• The validation error "Please enter a date between ... and ..." for the date field now correctly includes the maximum date. #5920