mauricerenck / kirby-podcaster

Kirby Podcast Plugin
https://podcaster-plugin.com

chore(deps-dev): bump getkirby/cms from 4.1.0 to 4.1.1 #66

Closed dependabot[bot] closed 6 months ago

dependabot[bot] commented 6 months ago

Bumps getkirby/cms from 4.1.0 to 4.1.1.

Release notes

Sourced from getkirby/cms's releases.

4.1.1

🚨 Security release

This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:

Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.

Updated docs on the Markdown safe mode

During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.

The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML, however there are also risks in the Markdown syntax itself (e.g. malicious javascript: links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.

The documentation on the safe mode contained a wrong code example that used an invalid safeMode option instead of the correct safe option. This has now been corrected. If you already use the safe mode, please check your code.



✨ Enhancements

  • New $file->sharpen() method for images #6227

🐛 Bug fixes

  • Fixed Str::excerpt() for texts without spaces #6215
  • Proper error message when a MIME type of a file is being validated but could not be determined from the file #6095
  • k-button-group wrap with long label line. #6231
  • "Invalid Date" parsing dates in pages section with layout: table #6234
  • Disable license dialog in demo mode #6271
  • Emojis are now working in buttons and the k-icon component #6276

🧹 Housekeeping

  • Prettier is used properly in CI (and Highlight.vue is properly ignored) #6270
  • Remove reviewdog tool from CI to reduce complexity #6290
  • Upgrade GitHub workflow actions #6272

Commits
  • 1353c9f Merge pull request #6305 from getkirby/release/4.1.1
  • b16314f Preflight for 4.1.1
  • cda3dd9 Link field: Don’t allow custom type by default
  • d984188 Add unit test
  • e757c05 Validate avatar file type and MIME type
  • 3c3363d URL field: Make button clickable for valid URLs
  • 93d47fa Strict mode for isUrl helper
  • 3421361 Update security policy
  • dabd64a Merge pull request #6293 from getkirby/fix/remote-json-psalm-return-type
  • 3703d91 Remote::json() Psalm conditional return type
  • Additional commits viewable in compare view



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/mauricerenck/kirby-podcaster/network/alerts).

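A heuristic check for the misnamed Markdown safe mode option described in the release notes above, as an added example that is not part of the Dependabot comment or of Kirby's own code. It assumes the Markdown options sit in a nested `'markdown' => [...]` array in a PHP config file; the sample configs and the function names `markdown_block` and `audit_safe_mode` are constructed for illustration.

```python
import re

# Constructed sample configs (hypothetical; not taken from Kirby's docs or this repo).
MISNAMED = """<?php
return [
    'markdown' => [
        'extra'    => true,
        'safeMode' => true, // invalid key per the release notes
    ],
];
"""
CORRECT = "<?php return ['markdown' => ['extra' => true, 'safe' => true]];"


def markdown_block(php):
    """Return the body of the 'markdown' => [...] array, or None if absent."""
    m = re.search(r"""['"]markdown['"]\s*=>\s*(\[|array\s*\()""", php)
    if not m:
        return None
    opener = m.group(1)[-1]
    closer = "]" if opener == "[" else ")"
    depth = 1
    for i in range(m.end(), len(php)):
        if php[i] == opener:
            depth += 1
        elif php[i] == closer:
            depth -= 1
            if depth == 0:
                return php[m.end():i]
    return None


def audit_safe_mode(php):
    """Classify a config as 'enabled', 'misnamed', 'disabled' or 'unset'."""
    body = markdown_block(php)
    if body is None:
        return "unset"
    # Drop PHP comments so commented-out keys are not counted.
    body = re.sub(r"//[^\n]*|/\*.*?\*/", "", body, flags=re.S)
    keys = dict(re.findall(r"""['"](\w+)['"]\s*=>\s*(\w+)""", body))
    if keys.get("safe", "").lower() == "true":
        return "enabled"
    return "misnamed" if "safeMode" in keys else "disabled"


if __name__ == "__main__":
    for name, cfg in (("misnamed", MISNAMED), ("correct", CORRECT)):
        print(name, "->", audit_safe_mode(cfg))
```

A result of `misnamed` means the config asks for safe mode under the invalid key and should be changed to `safe`; the regex matching is a heuristic and does not replace reviewing the config by hand.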
dependabot[bot] commented 6 months ago

Looks like getkirby/cms is up-to-date now, so this is no longer needed.