Skip to content


Choose a tag to compare
@lukasbestle lukasbestle released this 02 Jul 09:30


Cross-site scripting (XSS) from field and configuration text displayed in the Panel

This release fixes the following XSS vulnerabilities inside the Panel:

  • Placeholders in core translation strings (e.g. in error or info messages) are now escaped.
  • Error message boxes in dialogs and the fields section now only display the escaped exception message.
  • Data displayed in the users and settings view (list of users/languages) is now escaped.
  • The default text displayed by the files and pages sections (filename/page title), the files, pages and users fields (filename/page title/username) and by query-based checkboxes, radio, tags and multiselect fields (default text depending on the used query) is now escaped.

Note: Custom text, help and info queries in blueprints are not escaped in 3.5.7. We support HTML in these properties because there are valid use-cases for custom formatting. However there can still be XSS vulnerabilities depending on your use of these properties. In Kirby 3.6 we will provide a new feature that will make it much easier to control whether you want to allow HTML from query placeholders.

You can find out more about the issues and fixes in our security advisory.

PHPMailer update

  • PHPMailer has a new security release, which fixes two of their security issues. There seems to be a small, insignificant breaking change in their validator code, according to their release notes. We still decided to add the security fixes as soon as possible and include it in this release.

🎉 Features

  • Support for custom callbacks for Str::template() (e.g. to escape query output) #3454
Str::template($value, $data, [
    'callback' => function ($result) {
        return Str::ucwords($result);
  • The Box component now supports a text-only mode (with the html prop set to false). For compatibility, the default value is currently true. We plan to make false (escaped text) the new default behavior in Kirby 3.6.0.
  • The Autocomplete component now has support for HTML in the text property with a new html property (defaults to false).
  • New this.$helper.string.escapeHTML (or this.$esc) helper to escape HTML special characters as entities


  • Improved blocks and layout field value for isEmpty() field method support #3153
  • Supports new assets extensions map|json|avif|mjs for plugins #3436
  • Str::template() now supports an $options array that can contain fallback, callback, start, end attributes. We plan to deprecate the old $fallback, $start and $end arguments in 3.6.0. #3454
  • The Kirby\Sane\Svg::$allowedNamespaces property is now public to allow customizing it to your needs. #3424
  • Dropdowns in the Panel are now automatically aligned vertically, depending on their position in the window. #3080
  • The Card component now supports HTML in its text property for consistency with ListItem.
  • The Radio, Tags and Multiselect input components now support HTML in their text properties for consistency with Checkboxes.


  • Toggle and checkbox field labels support HTML again #3278
  • Filtering based on field value sizes issue fixed #3382
  • Fixed updating pages and files sections after sorting a page/file in another section #3399
  • Fixed width prop of columns in the table block preview #3323
  • Fixed preview output in the table block preview #3324
  • Fixed autofocus option for list and writer fields #3122
  • Fixed writer field empty state #3365
  • Added missing marks prop for quote block #3443
  • Dir::make(): Fixed warning when there is a file in the provided folder path #3442


  • Table block and structure field refactored to display properly in block table #3411