Skip to content

v4.3.1

Latest

Choose a tag to compare

@sampoyigi sampoyigi released this 06 Jul 08:37
71bd30a

This release delivers important security hardening for template sandboxing and file uploads, along with a bug fix for active tab state management in admin forms.

Fixed

  • Active tab now resets to the default when opening a new or different record, preventing stale tab state from carrying over between records
  • Hardened file upload handling to protect against path traversal and code injection attacks
  • Blocked higher-order function bypass attempts in the Pagic template sandbox
  • Blocked server-side template injection in mail and theme templates

Changed

  • Simplified sandbox regex patterns and callback syntax in Pagic for cleaner, more maintainable code

Security

  • Restricted @php Blade directive in layouts. Default layouts no longer permit raw @php blocks to prevent unsanitised input execution.
    • If you haven't customised the default layout: no action needed, the update applies automatically.
    • If you have customised the default layout: back up your current layout, delete the existing default layout (so the updated version can be regenerated), then reapply your customisations on top of the new default.
  • Theme and mail layout editors now validate against raw PHP. If you need PHP in a theme or mail layout, edit the Blade files directly on disk — the in-app theme/mail editors will reject saves containing PHP code.