Bump getkirby/cms from 3.6.5 to 3.6.6.1

[dependabot]

Bumps getkirby/cms from 3.6.5 to 3.6.6.1.

Release notes

Sourced from getkirby/cms's releases.

3.6.6.1

🚨 Security release

Cross-site scripting (XSS) from content entered in the tags and multiselect fields

Severity: high (CVSS score 7.1)

The tags and multiselect fields allow to select tags from an autocompleted list. The tags field also allows to enter new tags or edit existing tags. Kirby already handled escaping of the autocompleted tags, but unfortunately the Panel used HTML rendering for new or edited tags as well as for custom tags from the content file.

This allowed attackers with Panel access to store malicious HTML code in a tag. The browser of the victim who visited the modified page in the Panel will then have rendered this malicious HTML code.

It also allowed self-inflicted XSS attacks in the tags field (meaning that malicious code is executed in the browser of the user who entered it). This could be used in social engineering attacks where a victim is convinced by an attacker to enter malicious code into a tags field.

Visitors without Panel access could only use this attack vector if your site allows changing the content of a tags or multiselect field from a frontend form (for example user self-registration or the creation of pages from a contact or other frontend form). If you validate or sanitize the provided form data, you are already protected against such attacks by external visitors.

You are also not affected by these vulnerabilities if your site doesn't have untrustworthy users with Panel access or a way to modify field values from the frontend or if you don't use the tags or multiselect fields.

Note: The fixes for these vulnerabilities have the side effect that values in the tags and multiselect fields that come from dynamic options are displayed with double escaping (e.g. the & character is displayed as &). We will fix the double escaping issues with a refactoring of the options fields (tags, multiselect, checkboxes, radio, select and toggles) in Kirby 3.8.

3.6.6

🎉 Features

• New A::random() and $collection->random() methods to get one or multiple random items from arrays and collections, optionally shuffled. Unless shuffled, the overall order of the returned items is kept. #4270
• Added support for getting multiple properties from Toolkit\Obj objects and derived objects, like so: #4268

$thing = new Obj(['one' => '👋', 'two' => 'Kirby']);
$properties = $thing->get(['one', 'three'], ['three' => 'fallback']);
// results in ['one' => '👋', 'three' => 'fallback']

✨ Enhancements

• When creating new instances of the Uri class, the params prop can now be set to false to treat colons/semicolons in the path as literals and not as param separators. This is useful for parsing external non-Kirby URIs. #2948
• Support returning blueprint file path in callback for programmable blueprints #4281

🐛 Fixes

• Panel redirects to non-origin URLs caused a network exception. They now trigger a full redirect instead of sending the Fiber request. #4280
• User blueprints can now use a callback (programmable blueprints) #4281

📈 Stats

• 22 commits
• 7 closed issues and PRs

👨‍💻 Contributors

(in alphabetical order)

... (truncated)

Commits

• 3a753ae Update version number and cert bundle
• 430abb7 Update dist files
• d1d4ca4 Fix XSS issue in the MultiselectInput
• e81436c Fix XSS issue in the TagsInput
• 005fc78 Merge pull request #4300 from getkirby/release/3.6.6
• 0ff6757 Update dependencies
• 0538c04 Merge pull request #4288 from getkirby/release/3.6.6-rc.1
• f97ec2a Update dist files
• 65bb081 Merge pull request #4281 from getkirby/fix/programmable-user-blueprints
• 245d899 Merge pull request #4268 from adamkiss/feat-obj-get-multiple
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #43.