Skip to content

2.0.11

Latest

Choose a tag to compare

@rhukster rhukster released this 14 Jul 22:37
ad9709f

New

  • You can now filter, sort, and group a page's media by the values in their .meta.yaml metafiles directly in Twig, with new filterBy, where, findBy, sortBy, groupBy, and withMeta methods on page.media. Fixes #4200.

Bugfix

  • [security] A page editor can no longer read arbitrary files from the server by pointing an image watermark at a traversal path such as carrier.png?watermark=../secret.png; an editor-supplied watermark path is now confined to the site's media, while operator-configured watermarks and stream URIs are unaffected (GHSA-w3f4-8pj2-599w).
  • [security] A page-edit account can no longer reach file-disclosure or secret-read functions by naming an arbitrary Class::method as a dynamic field's data provider; qualified providers are now limited to a known-safe allowlist, closing a bypass of the guard added in 2.0.7 and 2.0.9 (GHSA-7pgq-cr25-xvc8, GHSA-cxv3-5jj3-cpgr).
  • A page is no longer blanked when viewed just because a trusted plugin or shortcode on it outputs markup the content security scan flags, such as an embed, form, or icon; the check that guards against dangerous editor content now runs once when the page is saved rather than every time it is rendered (GHSA-2c4f-86xc-cr74).

Improved

  • [security] Page content that uses Twig to assemble disallowed markup at render time, such as building an event handler or a <script> tag from separate pieces, is now refused when you save the page instead of being allowed through to visitors.
  • The raw Twig filter is no longer allowed inside editor-authored page content, so page content can no longer output unescaped dynamic values past the content security check; trusted theme templates are unaffected.