Cross-site scripting (XSS) from field and configuration text displayed in the Panel
This release fixes the following XSS vulnerabilities inside the Panel:
Placeholders in core translation strings (e.g. in error or info messages) are now escaped.
Error message boxes in dialogs and the fields section now only display the escaped exception message.
Data displayed in the users and settings view (list of users/languages) is now escaped.
The default text displayed by the files and pages sections (filename/page title), the files, pages and users fields (filename/page title/username) and by query-based checkboxes, radio, tags and multiselect fields (default text depending on the used query) is now escaped.
Note: Custom text, help and info queries in blueprints are not escaped in 3.5.7. We support HTML in these properties because there are valid use-cases for custom formatting. However there can still be XSS vulnerabilities depending on your use of these properties. In Kirby 3.6 we will provide a new feature that will make it much easier to control whether you want to allow HTML from query placeholders.
You can find out more about the issues and fixes in our security advisory.
PHPMailer update
PHPMailer has a new security release, which fixes two of their security issues. There seems to be a small, insignificant breaking change in their validator code, according to their release notes. We still decided to add the security fixes as soon as possible and include it in this release.
🎉 Features
Support for custom callbacks for Str::template() (e.g. to escape query output) #3454
The Box component now supports a text-only mode (with the html prop set to false). For compatibility, the default value is currently true. We plan to make false (escaped text) the new default behavior in Kirby 3.6.0.
The Autocomplete component now has support for HTML in the text property with a new html property (defaults to false).
New this.$helper.string.escapeHTML (or this.$esc) helper to escape HTML special characters as entities
Enhancements
Improved blocks and layout field value for isEmpty() field method support #3153
Supports new assets extensions map|json|avif|mjs for plugins #3436
Str::template() now supports an $options array that can contain fallback, callback, start, end attributes. We plan to deprecate the old $fallback, $start and $end arguments in 3.6.0. #3454
The Kirby\Sane\Svg::$allowedNamespaces property is now public to allow customizing it to your needs. #3424
Dropdowns in the Panel are now automatically aligned vertically, depending on their position in the window. #3080
The Card component now supports HTML in its text property for consistency with ListItem.
The Radio, Tags and Multiselect input components now support HTML in their text properties for consistency with Checkboxes.
Fixes
Toggle and checkbox field labels support HTML again #3278
Filtering based on field value sizes issue fixed #3382
... (truncated)
Commits
3395389 Merge pull request #3475 from getkirby/release/3.5.7
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/bnomei/kirby3-fingerprint/network/alerts).
Bumps getkirby/cms from 3.5.5 to 3.5.7.
Release notes
Sourced from getkirby/cms's releases.
... (truncated)
Commits
3395389
Merge pull request #3475 from getkirby/release/3.5.7fb408ca
Fix notice issue in OptionsQueryf5ead62
Merge pull request from GHSA-2f2w-349x-vrqma86e751
Update dist files and composer00c0b21
Update Panel dist filesa6eb9ee
Escape default text values in options queriesc2c97ba
Escape text/info for <k-list-item>/<k-card>39ea492
Don't display exceptions as HTMLfdf48fb
Escape translation placeholders483e877
NewescapeHTML
string helper methodDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/bnomei/kirby3-fingerprint/network/alerts).