3.5.7
Security
Cross-site scripting (XSS) from field and configuration text displayed in the Panel
This release fixes the following XSS vulnerabilities inside the Panel:
- Placeholders in core translation strings (e.g. in error or info messages) are now escaped.
- Error message boxes in dialogs and the
fieldssection now only display the escaped exception message. - Data displayed in the users and settings view (list of users/languages) is now escaped.
- The default
textdisplayed by thefilesandpagessections (filename/page title), thefiles,pagesandusersfields (filename/page title/username) and by query-basedcheckboxes,radio,tagsandmultiselectfields (default text depending on the used query) is now escaped.
Note: Custom text, help and info queries in blueprints are not escaped in 3.5.7. We support HTML in these properties because there are valid use-cases for custom formatting. However there can still be XSS vulnerabilities depending on your use of these properties. In Kirby 3.6 we will provide a new feature that will make it much easier to control whether you want to allow HTML from query placeholders.
You can find out more about the issues and fixes in our security advisory.
PHPMailer update
- PHPMailer has a new security release, which fixes two of their security issues. There seems to be a small, insignificant breaking change in their validator code, according to their release notes. We still decided to add the security fixes as soon as possible and include it in this release.
🎉 Features
- Support for custom callbacks for
Str::template()(e.g. to escape query output) #3454
Str::template($value, $data, [
'callback' => function ($result) {
return Str::ucwords($result);
}
]);- The
Boxcomponent now supports a text-only mode (with thehtmlprop set tofalse). For compatibility, the default value is currentlytrue. We plan to makefalse(escaped text) the new default behavior in Kirby 3.6.0. - The
Autocompletecomponent now has support for HTML in thetextproperty with a newhtmlproperty (defaults tofalse). - New
this.$helper.string.escapeHTML(orthis.$esc) helper to escape HTML special characters as entities
Enhancements
- Improved blocks and layout field value for
isEmpty()field method support #3153 - Supports new assets extensions
map|json|avif|mjsfor plugins #3436 Str::template()now supports an$optionsarray that can containfallback,callback,start,endattributes. We plan to deprecate the old$fallback,$startand$endarguments in 3.6.0. #3454- The
Kirby\Sane\Svg::$allowedNamespacesproperty is now public to allow customizing it to your needs. #3424 - Dropdowns in the Panel are now automatically aligned vertically, depending on their position in the window. #3080
- The
Cardcomponent now supports HTML in itstextproperty for consistency withListItem. - The
Radio,TagsandMultiselectinput components now support HTML in theirtextproperties for consistency withCheckboxes.
Fixes
- Toggle and checkbox field labels support HTML again #3278
- Filtering based on field value sizes issue fixed #3382
- Fixed updating pages and files sections after sorting a page/file in another section #3399
- Fixed
widthprop of columns in the table block preview #3323 - Fixed preview output in the table block preview #3324
- Fixed autofocus option for list and writer fields #3122
- Fixed writer field empty state #3365
- Added missing
marksprop for quote block #3443 Dir::make(): Fixed warning when there is a file in the provided folder path #3442
Refactoring
- Table block and structure field refactored to display properly in block table #3411
Stats
- 56 commits
- 29 closed issues and PRs
- Contributors: @afbora, @bastianallgeier, @distantnative, @doriansimeha, @lukasbestle (alphabetical order)