You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
You can now filter, sort, and group a page's media by the values in their .meta.yaml metafiles directly in Twig, with new filterBy, where, findBy, sortBy, groupBy, and withMeta methods on page.media. Fixes #4200.
Bugfix
[security] A page editor can no longer read arbitrary files from the server by pointing an image watermark at a traversal path such as carrier.png?watermark=../secret.png; an editor-supplied watermark path is now confined to the site's media, while operator-configured watermarks and stream URIs are unaffected (GHSA-w3f4-8pj2-599w).
[security] A page-edit account can no longer reach file-disclosure or secret-read functions by naming an arbitrary Class::method as a dynamic field's data provider; qualified providers are now limited to a known-safe allowlist, closing a bypass of the guard added in 2.0.7 and 2.0.9 (GHSA-7pgq-cr25-xvc8, GHSA-cxv3-5jj3-cpgr).
A page is no longer blanked when viewed just because a trusted plugin or shortcode on it outputs markup the content security scan flags, such as an embed, form, or icon; the check that guards against dangerous editor content now runs once when the page is saved rather than every time it is rendered (GHSA-2c4f-86xc-cr74).
Improved
[security] Page content that uses Twig to assemble disallowed markup at render time, such as building an event handler or a <script> tag from separate pieces, is now refused when you save the page instead of being allowed through to visitors.
The raw Twig filter is no longer allowed inside editor-authored page content, so page content can no longer output unescaped dynamic values past the content security check; trusted theme templates are unaffected.