4.2.0

🎉 Features

• New api option for Sections to define API endpoints just like for fields #6246

✨ Enhancements

• Added option to change the number of threads for the ImageMagick driver (thanks to @caplod) #6210

<?php

return [
  'thumbs' => [
    'driver' => 'im',
    'threads' => 2
  ]
];

• Video block now also supports local videos by default #6113
• Significantly improved file sorting performance (thanks @rasteiner) #6112
• The login form can now be prefilled for testing use cases with the new value prop of the k-login-view component #6364
• Lab: $helpers docs #6257 #6287
• Improved Panel favicons for dark mode, including media attribute support for custom Panel favicons #5657
• Updated icons: expand, collapse, divider and chart
• Support non string scalar values in where clause builder for 2 arguments (thanks @SeriousKen) #6291
• Add native validity to range input #6253
• Added native validity to calendar, date, time, timoptions inputs #6254
• Enhanced options for database table creation: #6303
  • Adds unsigned option for integers. Defaults to true to maintain backwards compatibility.
  • Adds size option for varchars. Defaults to 255 to maintain backwards compatibility.
  • Adds float type to create a floating point columns.
  • Adds decimal type to create decimal columns with precision and decimal_places options. The new features are aimed at MySQL and are ignored in SQLite as they are not supported. Float and decimal both map to REAL columns in SQLite.
• Improve k-user-avatar #6325
• Translatable panel menu titles #6311
• Allow unknown file extensions to be selected in file open dialog (thanks to @rasteiner) #6263
• Added pagination to the file browser in the link field #6288
• Date and time field interpret a few more input formats correctly #6362
• Table layout: allow modifying default columns #6335

🐛 Bug fixes

• A::prepend() now behaves the same as A::append() (just opposite side) for non-associative arrays #6219
• Translatable range tooltip #6221
• Disabled inputs don't show placeholders anymore #6163
• Choice inputs have similar disabled styling as other fields
• alpha and hue inputs: setting custom min and max props would break the inputs. Those props aren't falsely exposed anymore. #6251
• colorname input: props that were falsely exposed are now correctly unset #6255
• search input: props that were falsely exposed are now correctly unset #6256
• Fixed fallback null value for Text\KirbyTag::parent() #6220
• Fixed upgrade status for PHP version strings with extra information (thanks @SeriousKen) #6262
• Database\Query: Fixed using BETWEEN or NOT BETWEEN in →where() clause (thanks @SeriousKen) #6292
• Database: Fixed handling of boolean values in prepared statements (thanks @SeriousKen) #6297
• Fix for Date::round() not taking timezone into account properly (thanks @SeriousKen) #6264
• Fix header offset when no sticky header #6283
• Fix k-tabs inline variable assignment #6324
• Writer field counter correctly strips HTML again #6323
• Keep title and slug when switching template in create dialog #6328
• Panel fields: fix direction for content language #6350
• Tags input: when creating a new tag, the input is now correctly split at the separator into multiple tags #6341
• Fix blocks styling inside layout column #6280
• Fixed page create dialog when used with pages section on user/file blueprint #6190
• Close all nested drawers when navigating #6274
• Object field: inline previews are not editable anymore when the subfield is disabled #6346
• Fix toggle field preview value error #6249
• Table: fix width for image and flag column on mobile #6228

♻️ Refactored

• Slight performance improvements for Dir::inventory() #6218
• Clean up Cms\Blueprint class #6206
• Fix v-bind order #6333
• Use mounted lifecycle hooks instead of created #6336

🧹 Housekeeping

• Unit tests: properly resetting error handlers (thanks to @SeriousKen) #6259
• Upgraded Psalm
• Added performance tests for Dir::inventory() with various number of page models #6218
• Added more explicit coverage annotations to Options, Query, Text and partially Toolkit packages tests, including additional tests for uncovered code #6220
• Lab: added GitHub source links for all helpers, libraries and CSS examples #6295
• Removed Lab\Example::github() linking to lab example file #6295

4.1.2

🐛 Bug fixes

• Don’t throw an exception in the permalinksToUrlsmethod if a model for a UUID cannot be found #6165
• Don't redeclare the dump helper if it already exists. This fixes Kirby for Herd Pro users and other cases where dump is already defined by the environment #6250
• Fix emoji overflow issue in k-icon-frame #6315
• Fix commands for custom textarea buttons #6039
• More stability for the toFiles method by checking for valid file IDs #6318
• Suppress warnings in the Remote class if system CA is outside of open_basedir #6316
• Fix tables in the object field and license dialog #6307 and partially #6228

4.1.1

🚨 Security release

This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:

• Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
• Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
• Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)

Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.

Updated docs on the Markdown safe mode

During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.

The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML, however there are also risks in the Markdown syntax itself (e.g. malicious javascript: links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.

The documentation on the safe mode contained a wrong code example that used an invalid safeMode option instead of the correct safe option. This has now been corrected. If you already use the safe mode, please check your code.

➡️ Read more

---

✨ Enhancements

• New $file->sharpen() method for images #6227

---

🐛 Bug fixes

• Fixed Str::excerpt() for texts without spaces #6215
• Proper error message when a MIME type of a file is being validated but could not be determined from the file  #6095
• k-button-group wrap with long label line. #6231
• "Invalid Date" parsing dates in pages section with layout: table #6234
• Disable license dialog in demo mode #6271
• Emojis are now working in buttons and the k-icon component #6276

---

🧹 Housekeeping

• Prettier is used properly in CI (and Highlight.vue is properly ignored) #6270
• Remove reviewdog tool from CI to reduce complexity #6290
• Upgrade GitHub workflow actions #6272

3.10.0.1

🚨 Security release

This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:

• Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
• Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
• Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)

Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.

Updated docs on the Markdown safe mode

During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.

The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML, however there are also risks in the Markdown syntax itself (e.g. malicious javascript: links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.

The documentation on the safe mode contained a wrong code example that used an invalid safeMode option instead of the correct safe option. This has now been corrected. If you already use the safe mode, please check your code.

➡️ Read more

3.9.8.1

🚨 Security release

This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:

• Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
• Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
• Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)

Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.

Updated docs on the Markdown safe mode

During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.

The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML, however there are also risks in the Markdown syntax itself (e.g. malicious javascript: links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.

The documentation on the safe mode contained a wrong code example that used an invalid safeMode option instead of the correct safe option. This has now been corrected. If you already use the safe mode, please check your code.

➡️ Read more

3.8.4.3

🚨 Security release

This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:

• Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
• Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
• Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)

Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.

Updated docs on the Markdown safe mode

During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.

The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML, however there are also risks in the Markdown syntax itself (e.g. malicious javascript: links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.

The documentation on the safe mode contained a wrong code example that used an invalid safeMode option instead of the correct safe option. This has now been corrected. If you already use the safe mode, please check your code.

➡️ Read more

3.7.5.4

🚨 Security release

This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:

• Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
• Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
• Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)

Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.

Updated docs on the Markdown safe mode

During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.

The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML, however there are also risks in the Markdown syntax itself (e.g. malicious javascript: links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.

The documentation on the safe mode contained a wrong code example that used an invalid safeMode option instead of the correct safe option. This has now been corrected. If you already use the safe mode, please check your code.

➡️ Read more

3.6.6.5

🚨 Security release

This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:

• Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
• Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
• Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)

Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.

Updated docs on the Markdown safe mode

During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.

The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML, however there are also risks in the Markdown syntax itself (e.g. malicious javascript: links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.

The documentation on the safe mode contained a wrong code example that used an invalid safeMode option instead of the correct safe option. This has now been corrected. If you already use the safe mode, please check your code.

➡️ Read more

4.1.0

🎉 Features

New page create dialog features

The page create dialog now allows to hide the title and/or slug field by defining a string template that will be used instead

create:
  title: "{{ page.location }} – {{ page.date.toDate('M Y') }}"
  slug: "{{ page.location.slug }}-{{ page.date.toDate('Y-m-d') }}"

Custom fields from the create dialog will be accessible through Kirby query starting with page. (in this example the fields location and date. If no custom fields are defined, the create dialog will be skipped and the page immediately created. #6154

Color field: query and API support for options

myColorField:
  type: color
  options:
    type: query
    query: kirby.option('my.colors')

// only values
return [
    'my' => [
        'colors' => [
            '#3e3e3e',
            '#aaa',
            '#ddd',
        ]
    ]
];

// values -> labels
return [
    'my' => [
        'colors' => [
            '#3e3e3e' => 'Color A' ,
            '#aaa'    => 'Color B',
            '#ddd'    => 'Color C',
        ]
    ]
];

New sharpen option for thumbnails

When resizing images, you can now sharpen them. This often enhances the image quality when downscaling images.

$page->image('my-image.jpg')->thumb([
    'width' => 300,
    'height' => 200,
    'sharpen' => true
]);

You can also pass an integer value to control the sharpening effect. Higher numbers create sharper images. The default is 50.

$page->image('my-image.jpg')->thumb([
    'width' => 300,
    'height' => 200,
    'sharpen' => 25
]);

Thank you very much to @dgsiegel for implementing this feature. #6164

Link Field Previews

The link field now has proper previews in structure and object fields #5262

And more …

• Stats section supports new icon option #6006
• New A::implode() method that also handles nested arrays #6059

---

✨ Enhancements

• Upgrade to Vite 5 #5984
• Page and files section with table layout will now try to infer the column type from the blueprint of the first model when no type has been provided explicitly #6147
• When a block fieldset doesn't set a name, the label is now used as fallback #6137
• The search type can now be pre-defined when opening the search dialog #6158

panel.dialog.open({
    component: "k-search-dialog",
    props: {
        type: "pages"
    }
});

• Extensive block examples in the lab #6160
• Added support for emojis and other multi-byte characters in mysql database connections. Thanks to @degoya #6168
• Improved lab examples with better source code view #6170

---

🐛 Bug fixes

• Link field: fixed default type if url option not available #6145
• Fixed renewal date formatting in the license dialog when using a custom date handler #6138
• Fix Panel menu button centering #6051
• Writer toolbar: fix when implicitly inline #6069
• Support dimensions for avif images #6141
• Table layout: columns marked as mobile: true are shown again in narrow viewports #6106
• Respect custom allowed slug characters from Str class in slug field #6049
• $store.content: fix consistent id pattern #6057
• Structure field: clone row on duplicate #6073
• field.isVisible(): fix if statement #6098
• Many objects are serializable again #6072
• Helpers::handleErrors() correctly restores the original error handler even if an exception is thrown in the action #6105
• Fixed PHP warning for structure fields without subfields #6059
• Fixed PHP warning for F::size() with non-existing file #6059
• Fixed PHP warning for unserializing Session data #6059
• Fixed PHP warning for V::message() with nested arrays #6059
• Fix fallbacks in the Kirby/Api/Api and Kirby/Form/Form classes when no app object is loaded
• The CLI detection also works for processes not attached to a terminal (e.g. externally called from another script)
• Fix $store.content.id when deleting page #6111
• Fix handling image: false in blueprint for Panel preview images #6020
• Fixes overflow in narrow layout field columns when using a block with preview: fields #6128
• Blocks: fixed disabled field preview #5818
• Language argument now gets passed reliably to hooks from dialogs/areas #6117
• Improve link kirbytag behavior when uuid point to non-existing page #6083
• Files section: fixed NaN value after sorting files #6067
• Page create dialog: custom fields in dialogs are prefilled with default values #6137
• Page create dialog: no error is thrown when directly publishing page with required fields that have a default value #6119
• Fixed Panel column block gap #5935
• Consistent disabled state and styling for all block types #5100
• It is possible again to use the field names field, options, parent, siblings and params inside structure fields #6181
• $field->toStructure()->field() now returns a copy of the structure field object as intended #6181
• file KirbyTag that references a non-existing file does not throw an exception anymore, when not text attribute passed #6177
• New text and html props for the k-tag component #5834
• New cancel-small icon version #5834
• New $helper.link #5834
• Upload of the identical file should not change the UUID #5730
• Add missing link field id #6169
• RangeInput: fixed tooltip max-width #6189
• Link field: no dropdown is shown if only one type option is active #6186
• Link field: no dropdown icon is shown when field is disabled
• Sets the default border radius for k-bubble to rounded-sm to be consistent with k-tag. #6188
• Cropping a jpg with focus point no longer results in wrong aspect ratio #5855
• Fix type hint on Panel::area() #6217
• Structure field: Drawer is now closed correctly again when an entry is deleted #6209
• Structure field: row height fix on mobile #6203

---

♻️ Refactored

• New this.$helper.array. functions: fromObject, sortBy, split, wrap #6140
• The license file included in the Kirby repo is now formatted correctly on GitHub #6060
• PHPUnit test provider methods are now static
  • FileActionsTest: static provider methods #6092
• Prepare for Vue 3
  • Replace instanceof Vue #6100
  • Added emits definition to all Vue components #6110
  • Fix counter.js for stricter Vue 3 checks #6108
  • Removed this._uuid usage #6097
• Remove input theme field mentions #6102
• Use more PHP arrow functions #6125
• DRY tests with Kirby\TestCase #6124
• Blocks and layouts reuse props across components #5818
• Color field: options sh...

4.1.0-rc.3

What's changed since 4.1.0-rc.2

• Refactor the link field input event handling to improve link detection #6198
• ColorField: proper HTML/XSS handling #6195
• ImageMagick: remove optimization that breaks focus #6205

Full Changelog: 4.1.0-rc.2...4.1.0-rc.3