craftcms/cms 4.18.0

on GitHub

Development

• The |default Twig filter and is empty Twig test now treat all yii\base\Model instances as not empty. (#18727)
• Added craft\filters\SecFetchSiteFilter for request origin verification. (#18641)
• dataUrl() is no longer allowed in sandboxed Twig environments by default.

Extensibility

• Removed craft\controllers\AppController::actionResourceJs(). (#18559)

System

• Cross-domain script tags added by JavaScript are now loaded directly, rather than via a proxy. (#18559)
• Updated the built-in composer.phar to 2.9.8. (#18761)
• Fixed a moderate-severity JavaScript injection vulnerability. (GHSA-c55v-343g-5xff)
• Fixed a moderate-severity path traversal vulnerability. (GHSA-287w-mxq6-x2cp)