New
- Plugins can now register trusted iframe hosts so legitimate provider embeds (such as YouTube) are no longer blanked by the content XSS scan on hardened sites.
- Added an `onXssTrustedMarkup` event that lets a plugin exempt its own rendered markup from the content XSS scan without weakening it for editor-authored content.
Bugfix
- [security] Grav's `.htaccess` rules blocking sensitive folders and files are now matched case-insensitively, closing a bypass where, on case-insensitive filesystems (Windows, macOS, some Docker mounts), a differently-cased request could reach files such as account and config YAML; existing sites are healed on upgrade (GHSA-vwg3-w8w3-pc79).
- [security] The `user/data` folder now ships a media-aware allowlist that serves uploaded assets such as images, fonts, CSS and JS while keeping data files like YAML and JSON blocked, and upgrading widens an over-narrow allowlist from earlier security updates in place so legitimate theme assets stop returning 403. Fixes #4169.
- [security] The Twig `regex_replace` filter now returns its input unchanged instead of null when a pattern hits a PCRE error such as a backtrack-limit, so a catastrophic pattern can no longer break output (GHSA-37f3-6p89-6qr9).
- `bin/gpm self-upgrade` no longer fails on shared-folder setups such as a VirtualBox shared folder, where the `bin` directory holding the running script could not be deleted, by overwriting the upgrade files in place instead. Fixes #4171.
- Debug messages logged during API requests now reach the Admin2 API debug panel and Clockwork even when the debugger is set to PHP DebugBar. Fixes grav-plugin-admin2#76.
- Resizing an image larger than its original size with `?resize=` no longer pads it onto an oversized canvas with a white border, returning the image at its natural size instead unless `?forceresize` is used. Fixes #4173.
- Turning off the Twig sandbox no longer breaks pages or modules that contain a form, which previously failed with a "SandboxExtension extension is not enabled" error. Fixes #4175.
- A blueprint validation error now names the value it rejected, so a message like "Invalid input in Process" explains what actually caused it. Relates to #4178.
- Adding a blocked item to the Twig sandbox allowlist from the Tools report now clears that block from the recent-blocks list. Fixes grav-plugin-admin2#85.
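The two access rules from the security fixes above (case-insensitive matching of the blocked folders, and the media-aware allowlist for `user/data`) modelled in plain PHP, as an added illustration that is not Grav's `.htaccess` or its code. The blocked-folder list, the allowed extensions and the `isRequestBlocked()` helper are assumptions chosen for the example; the point it shows is that on a case-insensitive filesystem `user/Config/site.yaml` resolves to the same file as `user/config/site.yaml`, so a rule that only matches the lowercase spelling is a bypass.

```php
<?php
// Added illustration, not Grav's .htaccess rules or its code: models the two access rules
// from the changelog as plain PHP so the case bypass and the media-aware allowlist can be
// seen side by side. Folder and extension lists below are assumptions for the example.
declare(strict_types=1);

/** Folders (relative to the web root) that must never be served directly (assumed list). */
const BLOCKED_FOLDERS = ['user/accounts', 'user/config'];

/** Extensions under user/data that may be served as media; everything else is blocked. */
const DATA_ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'svg', 'woff', 'woff2', 'ttf', 'css', 'js'];

/**
 * Decide whether a request path should be refused (403).
 * $caseInsensitive = false reproduces the old, bypassable rule; true reproduces the fixed rule.
 */
function isRequestBlocked(string $requestPath, bool $caseInsensitive): bool
{
    // Normalise: drop the query string, collapse duplicate slashes, strip the leading slash.
    $path = explode('?', $requestPath, 2)[0];
    $path = ltrim((string) preg_replace('#/+#', '/', $path), '/');
    $flags = $caseInsensitive ? 'i' : '';

    // Rule 1: sensitive folders are blocked wholesale.
    foreach (BLOCKED_FOLDERS as $folder) {
        if (preg_match('#^' . preg_quote($folder, '#') . '(/|$)#' . $flags, $path) === 1) {
            return true;
        }
    }

    // Rule 2: user/data serves only listed media extensions; YAML, JSON and anything
    // unlisted stays blocked. The extension itself is compared case-insensitively.
    if (preg_match('#^user/data/#' . $flags, $path) === 1) {
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        return !in_array($ext, DATA_ALLOWED_EXT, true);
    }

    return false;
}

// Constructed sample requests. On a case-insensitive filesystem every row reaches the same
// file as its lowercase spelling, so a rule that matches case-sensitively is a bypass.
$requests = [
    '/user/config/site.yaml',       // refused by both rules
    '/user/Config/site.yaml',       // slips past the old rule
    '/user/ACCOUNTS/admin.yaml',    // slips past the old rule
    '/user/data/uploads/logo.PNG',  // served by both (media file)
    '/user/data/export.yaml',       // refused by both (data file)
    '/user/Data/export.json',       // slips past the old rule
];

printf("%-32s %-12s %s\n", 'request', 'old rule', 'fixed rule');
foreach ($requests as $req) {
    printf(
        "%-32s %-12s %s\n",
        $req,
        isRequestBlocked($req, false) ? 'blocked' : 'SERVED',
        isRequestBlocked($req, true) ? 'blocked' : 'served'
    );
}
```

Run it with `php guard.php`; the rows whose old-rule column reads SERVED are the differently-cased requests the changelog describes. In real Apache rules the equivalent of the `i` flag is the `[NC]` option on `RewriteRule`, but the exact rules Grav ships are not reproduced here.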
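The `regex_replace` failure mode from the Twig fix above, shown in PHP as an added example that is not Grav's filter: `preg_replace()` returns null when PCRE gives up (backtrack limit, recursion limit, bad UTF-8), and a template that receives null emits nothing. The `regexReplaceNaive()` and `regexReplaceSafe()` wrappers, the catastrophic sample pattern and the lowered backtrack limit (set only so the failure triggers quickly) are all constructed for the example; `preg_last_error_msg()` needs PHP 8.

```php
<?php
// Added example, not Grav's regex_replace filter: shows preg_replace() returning null on a
// PCRE error and a fail-safe wrapper that hands the subject back unchanged instead.
declare(strict_types=1);

/** The fragile shape: a PCRE error becomes null, which a template renders as empty output. */
function regexReplaceNaive(string $subject, string $pattern, string $replacement): ?string
{
    return preg_replace($pattern, $replacement, $subject);
}

/** The hardened shape: the error is logged and the subject is returned untouched. */
function regexReplaceSafe(string $subject, string $pattern, string $replacement): string
{
    $result = preg_replace($pattern, $replacement, $subject);
    if ($result === null) {
        // Covers PREG_BACKTRACK_LIMIT_ERROR, PREG_RECURSION_LIMIT_ERROR, PREG_BAD_UTF8_ERROR, etc.
        error_log(sprintf('regex_replace: %s for pattern %s', preg_last_error_msg(), $pattern));
        return $subject;
    }
    return $result;
}

// Lower the backtrack limit for this demonstration only, so the catastrophic pattern
// fails in milliseconds instead of grinding through the default million steps.
ini_set('pcre.backtrack_limit', '1000');

$subject     = str_repeat('a', 40) . 'b';  // constructed input that can never match ...
$pattern     = '/(a+)+$/';                  // ... but makes the engine backtrack exponentially
$replacement = 'X';

// Naive: the value is null, so anything downstream of the filter is silently lost.
var_dump(regexReplaceNaive($subject, $pattern, $replacement));
echo 'PCRE reported: ', preg_last_error_msg(), PHP_EOL;

// Safe: the original string comes back and the error is recorded in the log instead.
var_dump(regexReplaceSafe($subject, $pattern, $replacement));

// A well-behaved pattern is unaffected by the wrapper.
var_dump(regexReplaceSafe('hello world', '/o/', '0'));
```

The design choice mirrors the changelog: when the engine cannot complete, returning the input is the conservative failure (the page still renders, just without that one substitution), and the log line gives the operator the pattern to investigate.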