Releases: getkirby/kirby

3.9.6.1

31 Jul 10:54
ee2669e

🎉 Features

  • The Content-Security-Policy: frame-ancestors header sent by the Panel (introduced in 3.9.6) can now be customized with an option if needed: #5431

    <?php
    
    // site/config/config.php
    // Set exactly one of the three `frameAncestors` variants shown here
    // (duplicate keys in a PHP array would silently keep only the last one).
    return [
      'panel' => [
        // allow frame embedding from the same domain
        'frameAncestors' => true,
    
        // allow frame embedding from the same *and* from the specified domains
        'frameAncestors' => ['*.example.com', 'https://example.com'],
    
        // allow frame embedding on any domain (not recommended)
        'frameAncestors' => '*',
      ]
    ];

🐛 Bug fixes

  • Search component broken when query is null #5428

3.9.6

27 Jul 09:55
000131a

🚨 Security release

This release fixes several vulnerabilities that were all responsibly reported to us in June 2023.

Thanks to Shankar Acharya (@5hank4r), Alexandre Zanni (@noraj) at ACCEIS and Patrick Falb (@dapatrese) at FORMER 03 for responsibly reporting the identified issues.

Updated default .htaccess

We have updated the .htaccess that ships with our kits to the new version 2023-07-22, which adds protection against browser MIME type sniffing of malicious file uploads for files that have already been copied to the media folder. We recommend updating your sites’ .htaccess or server configuration with the new changes if you might have potential attackers among your authenticated Panel users, or if your sites allow file uploads by visitors and the file extensions of uploaded files are not limited to a fixed safe list.

You can find the changes to the .htaccess in this commit and read more about the added rules in the security guide.

Thanks to Shankar Acharya (@5hank4r) for making us aware of this potential attack vector.

Frame-blocking in the Panel

The Panel now sends the Content-Security-Policy: frame-ancestors 'none' header to increase the protection against clickjacking attacks. The session cookie was already set to SameSite before, so this is an additional layer of protection.

Thanks to Shankar Acharya (@5hank4r) for suggesting this security enhancement.
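The following is an added example, not Kirby's own implementation: it shows how the `frameAncestors` option values documented for 3.9.6.1 map onto the `frame-ancestors` directive described here, with `'none'` as the default and a character check so a malformed value cannot smuggle a second directive into the header. The `$kirby->option()` call site in the last comment is an assumption.

```php
<?php
// Added example, not Kirby's own code: map a `panel.frameAncestors` option
// value to the Content-Security-Policy frame-ancestors directive.

declare(strict_types=1);

/**
 * @param bool|string|array<int, string>|null $option
 */
function frameAncestorsDirective(bool|string|array|null $option): string
{
    // Option unset or false: the 3.9.6 default, the Panel may not be framed anywhere.
    if ($option === null || $option === false) {
        return "frame-ancestors 'none'";
    }

    // true: only the Panel's own origin may embed it.
    if ($option === true) {
        return "frame-ancestors 'self'";
    }

    // '*': any origin may embed it (not recommended, this gives up clickjacking protection).
    if ($option === '*') {
        return 'frame-ancestors *';
    }

    // A host or a list of hosts: own origin plus the listed source expressions.
    $sources = is_array($option) ? $option : [$option];
    foreach ($sources as $source) {
        // Accept only characters that occur in a CSP host-source so that a
        // stray ';' or whitespace in a config value cannot inject another directive.
        if (!is_string($source) || preg_match('~^[A-Za-z0-9.*:/-]+$~', $source) !== 1) {
            throw new InvalidArgumentException(
                'Invalid frame-ancestors source: ' . var_export($source, true)
            );
        }
    }

    return "frame-ancestors 'self' " . implode(' ', $sources);
}

// The three option values from the 3.9.6.1 notes plus the default:
echo frameAncestorsDirective(null), PHP_EOL;
echo frameAncestorsDirective(true), PHP_EOL;
echo frameAncestorsDirective(['*.example.com', 'https://example.com']), PHP_EOL;
echo frameAncestorsDirective('*'), PHP_EOL;

// Assumed call site when sending a Panel response (Kirby's real hook differs):
// header('Content-Security-Policy: ' . frameAncestorsDirective($kirby->option('panel.frameAncestors')));
```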

Security-related breaking changes

  • All users are logged out from their sessions after updating to this patch release.
  • The Xml data handler (e.g. Data::decode($string, 'xml')) and the Xml::parse() method no longer process XML external entities.
  • The Panel can no longer be embedded in HTML frames.
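To illustrate what "no longer process XML external entities" means in practice, here is an added example, not Kirby's own `Xml::parse()` or `Data::decode()` code: a parser that rejects any DTD up front and never substitutes entity references, so an external entity declaration cannot cause a file or URL to be read during parsing. The sample inputs are constructed and the `file:///placeholder-never-read` URI is a placeholder.

```php
<?php
// Added example, not Kirby's implementation: parse XML without ever
// resolving external entities. Requires PHP >= 8.0 with ext-dom.

declare(strict_types=1);

function parseXmlWithoutExternalEntities(string $xml): DOMDocument
{
    // External entities can only be declared in a DTD, and content files never
    // need one, so refuse any DOCTYPE instead of filtering single declarations.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }

    $previous = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network access while parsing.
        // LIBXML_NOENT is deliberately NOT set: with it, libxml would
        // substitute entity references, which is what enables XXE.
        if ($dom->loadXML($xml, LIBXML_NONET) === false) {
            $error = libxml_get_last_error();
            $message = $error !== false ? trim($error->message) : 'unknown error';
            throw new InvalidArgumentException('Invalid XML: ' . $message);
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed sample inputs: a plain content document and one carrying a DTD
// that declares an external entity pointing at a placeholder URI.
$plain = '<?xml version="1.0"?><page><title>Hello</title></page>';
$withDtd = '<?xml version="1.0"?>'
    . '<!DOCTYPE page [<!ENTITY ext SYSTEM "file:///placeholder-never-read">]>'
    . '<page><title>&ext;</title></page>';

$title = parseXmlWithoutExternalEntities($plain)->getElementsByTagName('title')->item(0);
echo 'Parsed title: ', $title->textContent, PHP_EOL;

try {
    parseXmlWithoutExternalEntities($withDtd);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```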

🎉 Features

  • Added Romanian translation (thanks to @danburzo) 🎉

✨ Enhancements

  • Updated translations (is, ko, pl, sv)
  • Stats section: link, label, info and value now all support translations and Kirby queries #5256
  • Support for variadic controller arguments (thanks to @lukaskleinschmidt) #5222
  • collection() helper (and corresponding methods) allow passing an $options array which will be provided as additional arguments to the collection closure (thanks to @ceesvanegmond)
    <?php
    
    // site/controller/news.php
    $articles = collection('news', ['order' => 'asc']);
    
    // site/collection/news.php
    use Kirby\Cms\Site;
    
    return function (Site $site, string $order) {
        return $site->find('news')->children()->template('article')->orderBy($order);
    };

🐛 Bug fixes

  • Fixed lock API routes for files that are ancestors of a page called files #5273
  • Kirby queries can handle integers and floats as arguments correctly now
  • Fixed using Query helpers, such as page() alongside provided objects with the same name #5276
  • Structure form options button doesn't disappear anymore when form is open but disabled #5302
  • Fixed Panel URL redirect issue when running on subfolder #5266
  • Fixed number field blur issue #5170
  • Fixed language detection with custom locale #5320
  • Fixed user blueprint home option #5359 (regression)
  • Fixed full preview slug in change URL dialog when in multi-language mode #5371
  • Fixed correct slug rules usage for Romanian (thanks to @danburzo) #5376

♻️ Refactored

  • Clean up search component #5297

3.8.4.1

27 Jul 09:54
4672b84

🚨 Security release

Same security release notes as for 3.9.6 above (updated default .htaccess, frame-blocking in the Panel, and the same security-related breaking changes).

3.7.5.2

27 Jul 09:54
90d8aff

🚨 Security release

Same security release notes as for 3.9.6 above (updated default .htaccess, frame-blocking in the Panel, and the same security-related breaking changes).

3.6.6.3

27 Jul 09:53
5f1311f

🚨 Security release

Same security release notes as for 3.9.6 above (updated default .htaccess, frame-blocking in the Panel, and the same security-related breaking changes).

3.5.8.3

27 Jul 09:53
b9ac70d

🚨 Security release

Same security release notes as for 3.9.6 above (updated default .htaccess, frame-blocking in the Panel, and the same security-related breaking changes).

4.0.0-alpha.5

19 Jul 10:12
Pre-release

🚀 Kirby 4 roadmap

This is a pre-release for Kirby 4, which will be released later this year. Find out more about features and our roadmap on our Kirby 4 release page: https://getkirby.com/releases/4.0

🎉 Features

New Panel Design

Highlights

  • New collapsible sidebar menu
  • Full width layout
  • New color scheme
  • New save button position
  • New button styles
  • New system for CSS properties
  • Completely overhauled keyboard accessibility
  • Improved scroll behaviour
  • Lots of improvements to responsiveness (due to container queries)
  • Many new opportunities to style components via custom CSS properties

[Screenshots of the new Panel design: article, blog, dialogs, drawer, file, open-menu, shop, system]

Core

  • New access and list permissions for files #5219

✨ Enhancements

  • Disabled buttons can receive focus (tab) which allows them to be read out by screenreaders
  • Structure fields don’t disregard content changes anymore when clicking outside the form (now drawer)

🐛 Bug fixes

  • App::multilang and App::defaultLanguage are correctly updated #5342
  • Prevent unnecessary runs in Language::update when updating the default language
  • Don’t display superfluous node divider on writer field #5352
  • Fixed centering of picker dialogs #5321
  • Fixed a lot of overflow layout issues related to too narrow columns
  • Default language and multilang are now correctly handled when changed during a request #5343
  • Block title: certain HTML characters are now properly unescaped in the label #5346
  • Fix ->toUrl() method for invalid uuids #5367

4.0.0-alpha.4

03 Jul 08:55
1206ff5
Pre-release

🎉 Features

  • Custom methods for structure and structure object
  • New templatesIgnore for pages section - https://kirby.nolt.io/130 #5322
  • Link field
    • New anchor type for the link field
      screenshot of the anchor type
    • New custom type for the link field
      screenshot of the custom type
    • Allows selecting which types (url, email, tel...) to include #5278
  • New anchor icon

✨ Enhancements

  • Add field preview for color field #5282
  • Uploader: allow to add more files via drop #5304
  • Users field: set default: true to always use the currently logged in user as default
  • New focus option for file blueprints to enable/disable setting focus point in the Panel (defaults to true for all viewable images, false for all other files) #5316
  • New App::models() method that returns a generator for each model (site, files, pages and users) of the site #5337

🐛 Bug fixes

  • PageCreateDialog: make title label translatable #5286
  • Disable changing layout if only one layout available #5288
  • Writer: preserve whitespace #5295
  • Fixed block keydown propagation #5272
  • Users field does not anymore use a default if none set #5284
  • An outside click will now collapse the link field #5204
  • Removes conflicting block keyboard shortcuts with Cmd key (instead use variants with Ctrl key) #5268
  • Fixed block collapsing inside layouts #5289
  • Fixed styling of color field options
  • Fixed link field selecting files type

♻️ Refactored

  • Made k-bubble more flexible #5305
  • Kirby\Cms\Structure extends Kirby\Cms\Items and Kirby\Cms\StructureObject extends Kirby\Cms\Item
  • Use Page::isAccessible instead of Page::isReadable #5220
  • Adds query endpoint for Kql plugin to core
  • New Content namespace
    • Moved the Content, ContentTranslation and Field classes (compatibility aliases are provided for now) #5283
    • New internal ContentStorage class that currently holds more of the storage related business logic
    • New internal ContentStorageHandler interface and internal PlainTextContentStorageHandler class to bundle all low-level content logic in one place #5283
    • Improve code quality and tests in the Content namespace #5283

☠️ Deprecated

  • query should not be used anymore for custom API endpoints, it will be used for the Kql plugin/core implementation
  • Internal $model->contentFile(), $model->contentFiles(), $model->contentFileDirectory(), $model->contentFileExtension() and $model->contentFileName() methods have been deprecated and will be removed in Kirby 5.

🚨 Breaking changes

  • Registering a default block model now needs to be done with the key default, not Kirby\Cms\Block. #5299
  • new Structure()/new StructureObject() don't work anymore as before. Use Structure::factory()/StructureObject::factory() instead
  • Structure object IDs aren't simply their collection index numbers anymore but receive a Str::uuid() as blocks do
  • Items::factory() and all inheriting classes throw an exception now if malformed data is passed
  • Users field doesn't automatically use the current user as default anymore; add default: true to keep this functionality
  • Remove keyboard shortcut to move block focus up/down
  • Extending the internal $model->contentFile(), $model->contentFiles(), $model->contentFileDirectory(), $model->contentFileExtension(), $model->contentFileName(), $model->readContent() and $model->writeContent() methods in a page model will no longer have an effect, as these methods are no longer called by the core. Please extend the new Kirby\Content\PlainTextContentStorage class instead and return an instance of your custom class from $model->storage(). However, please note that the interface of PlainTextContentStorage is internal and may change in the future.
  • The $translations->start() and $translations->stop() methods were no longer in use and have been removed. Content files are automatically converted by the Language class.
  • $languages->codes() now returns ['default'] for single language installations #5339

4.0.0-alpha.3

13 Jun 08:15
Pre-release

✨ Enhancements

  • Page tree now uses the icon defined in each page's blueprint #5239
  • Add custom field types to the list of allowed fields for the page create dialog via \Kirby\Panel\PageCreateDialog::$fieldTypes[] = 'yourFieldType'
  • Add pagination to search results #5191

🐛 Bug fixes

  • Files upload: use upload.parent for mime check #5245
  • Excluding textarea and writer for now in the Page Create Dialog until we have a better idea how to handle dialogs in layers #5243
  • Page create dialog throws proper exceptions if a field type is not supported
  • Color field: fix flex spacing and better color swatch preview #5260
  • Fixed tags field with query in page create dialog #5231
  • ->toUrl() to return null on empty fields #5259
  • No redirect to logout when already logged out #5263
  • Fix writer input padding #5271
  • Fix line height in writer lists

♻️ Refactored

  • Use panel.dialog for remove dialogs #5242
  • Unit tests for PageCreateDialog #5235
  • Fix method order of Toolkit\A #5227
  • Better type hinting for Form classes #5209

🚨 Breaking changes

  • Removed this.$config.search from Panel #5191
  • Area search plugins receive two additional arguments for their query callback: $limit and $page to be used to paginate the results. They should then return an array with entries results and pagination. #5191

3.9.5

07 Jun 12:10
6b5dda6

✨ Enhancements

  • Vue is now separately accessible at window.Vue #5158
  • New edit button for structure field to improve keyboard accessibility #5172
  • Updated translations (cs, is_IS, ru)

🐛 Bug fixes

  • Keep the language selector in sync when pressing the back button #5007
  • HasFiles::file() now also uses $in parameter when looking up UUIDs #5159
  • Database::lastError() doesn't crash anymore when no error occurred #5165
  • Correctly process query params and body fields with numeric keys #5171
  • $collection->indexOf() returns false instead of the index 0 when the passed element was not found in the collection #5175
  • The collection next() and prev() methods are now type-hinted to return static for improved IDE support #5039
  • Fix link style for structure field #5157
  • Remove return type for collection() helper #5169

♻️ Refactored

  • Clean up Toolkit package #5078
  • Update SimpleImage dependency #5248
  • Bump vite from 4.3.0 to 4.3.9 in /panel #5250