New
- You can now filter, sort, and group a page's media by the values in their
.meta.yamlmetafiles directly in Twig, with newfilterBy,where,findBy,sortBy,groupBy, andwithMetamethods onpage.media. Fixes #4200.
Bugfix
- [security] A page editor can no longer read arbitrary files from the server by pointing an image watermark at a traversal path such as
carrier.png?watermark=../secret.png; an editor-supplied watermark path is now confined to the site's media, while operator-configured watermarks and stream URIs are unaffected (GHSA-w3f4-8pj2-599w). - [security] A page-edit account can no longer reach file-disclosure or secret-read functions by naming an arbitrary
Class::methodas a dynamic field's data provider; qualified providers are now limited to a known-safe allowlist, closing a bypass of the guard added in 2.0.7 and 2.0.9 (GHSA-7pgq-cr25-xvc8, GHSA-cxv3-5jj3-cpgr). - A page is no longer blanked when viewed just because a trusted plugin or shortcode on it outputs markup the content security scan flags, such as an embed, form, or icon; the check that guards against dangerous editor content now runs once when the page is saved rather than every time it is rendered (GHSA-2c4f-86xc-cr74).
Improved
- [security] Page content that uses Twig to assemble disallowed markup at render time, such as building an event handler or a
<script>tag from separate pieces, is now refused when you save the page instead of being allowed through to visitors. - The
rawTwig filter is no longer allowed inside editor-authored page content, so page content can no longer output unescaped dynamic values past the content security check; trusted theme templates are unaffected.