Velocity Playground: Shipped as an Angular portlet with a split Monaco editor, dark Velocity theme, JSON pretty-printing, and share/export actions, with the legacy JSP retained for runtime rollback. (#35904)
Security / XSS: Added the OWASP Java Encoder and exposed context-aware output encoding to Velocity templates via $xsstool (encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript, encodeForURL, encodeForCSS). (#35318)
Page Editor: Contentlet titles in the palette now clamp to two lines with a tooltip for the full name, making similarly named items easier to distinguish. (#35878)
Style Editor: Added sort options for dropdown, radio, and checkbox fields in the schema generator. (#35918)
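The $xsstool encoders listed under Security / XSS above, shown one per output context. This is an added example, not taken from the release or the project's documentation. It assumes each method takes a single string and returns the encoded string, and `$untrusted` is a constructed sample value.

```velocity
## Added example. Assumption: every $xsstool method below takes one string
## argument and returns the encoded result.
## $untrusted is a constructed value standing in for visitor-supplied text.
#set($untrusted = 'Tom "<b>" & Jerry')

## HTML element content: <, > and & must not be read as markup.
<p>Results for $xsstool.encodeForHTML($untrusted)</p>

## Quoted HTML attribute value: the double quotes must not close the attribute.
<input type="text" name="q" value="$xsstool.encodeForHTMLAttribute($untrusted)">

## URL query parameter value: &, spaces and quotes must stay inside the parameter.
<a href="/search?q=$xsstool.encodeForURL($untrusted)">Search again</a>

## JavaScript string literal: quotes must not end the string,
## and the value must not be able to close the script element.
<script>
  var lastQuery = "$xsstool.encodeForJavaScript($untrusted)";
</script>

## Quoted CSS string value (assumed to be the context encodeForCSS targets).
<style>
  .result-label::after { content: "$xsstool.encodeForCSS($untrusted)"; }
</style>
```

The same value needs a different encoder in each position; an encoder chosen for one context does not make the value safe in another.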
Fixes and Known Issues
Asset Serving: Anonymously readable assets are now served instead of returning HTTP 401 when the request carries an unrelated or invalid Authorization: Basic header; REST endpoints keep strict rejection. (#35925)
Categories API: PUT /api/v1/categories now applies the active flag from the payload, while omitting it preserves the existing value. (#36020)
Infrastructure & Security
Image Processing: Added an optional libvips (vips-ffm) image engine behind the IMAGE_API_USE_LIBVIPS feature flag (default off), with graceful fallback to the legacy engine and support for AVIF output and attention-based smartcrop. (#35990)