This release delivers important security hardening for template sandboxing and file uploads, along with a bug fix for active tab state management in admin forms.
Fixed
- Active tab now resets to the default when opening a new or different record, preventing stale tab state from carrying over between records
- Hardened file upload handling to protect against path traversal and code injection attacks
- Blocked higher-order function bypass attempts in the Pagic template sandbox
- Blocked server-side template injection in mail and theme templates
Changed
- Simplified sandbox regex patterns and callback syntax in Pagic for cleaner, more maintainable code
Security
- Restricted
@phpBlade directive in layouts. Default layouts no longer permit raw@phpblocks to prevent unsanitised input execution.- If you haven't customised the default layout: no action needed, the update applies automatically.
- If you have customised the default layout: back up your current layout, delete the existing default layout (so the updated version can be regenerated), then reapply your customisations on top of the new default.
- Theme and mail layout editors now validate against raw PHP. If you need PHP in a theme or mail layout, edit the Blade files directly on disk — the in-app theme/mail editors will reject saves containing PHP code.