getkirby/kirby 3.6.3

on GitHub

UPDATE: Patch available

Unfortunately, we introduced a regression in this release that broke parameters in URLs. I.e. https://example.com/blog/page:2 and thus also pagination and all kinds of URL filters based on such parameters. A patch is now available: https://github.com/getkirby/kirby/releases/tag/3.6.3.1

🎉 Features

Allow list of secure URLs

Kirby auto-detects the base URL for your site unless you hard-code it in your config with the url option. This auto-detection is based on the your SERVER_NAME settings by default. This is totally safe unless your server is not correctly configured. In order to protect you from security issues with an insecure server configuration, you get more options to set allowed base URLs now. By default, the auto-detection will just work as before. Here are the new and existing options you have.

Auto-detected URL based on the SERVER_NAME

Just like before, you can just ignore the URL option or use the Server::HOST_FROM_SERVER constant to let Kirby find the correct base URL, based on the SERVER_NAME.

return [
];

// or

return [
  'url' => Server::HOST_FROM_SERVER
];

This can be combined with the new Server::HOST_ALLOW_EMPTY option to accept empty hostnames. This will lead to relative URLs i.e. /some-url for your installation:

return [
  'url' => Server::HOST_FROM_SERVER | Server::HOST_ALLOW_EMPTY
];

Hard-coded URL

You can also still set the base URL for your site. This will disable any form of auto-detection of URLs. But it also means that you might have to keep different versions for your local installation, staging and your production server.

return [
  'url' => 'https://example.com'
];

This also still works for relative URLs without a host.

return [
  'url' => '/'
];

URL allow list

With the new option to define a set of allowed base URLs, your Kirby installation will automatically pick the right one based on HTTP_HOST, HTTP_X_FORWARDED_HOST or SERVER_NAME (whatever is provided) and makes sure to send an error on an invalid hosts. This is perfect when you cannot fully trust your server configurations on various environments.

return [
  'url' => [
     'https://example.com',
     'https://staging.example.com',
     'http://example.test'
  ]
];

Wildcard option

If you fully trust your server setup, you can allow any host name coming from HTTP_HOST or HTTP_X_FORWARDED_HOST. This could be necessary in some situations, but is insecure if you don't know what you are doing with your server configuration.

return [
  'url' => Server::HOST_FROM_HEADER
];

Again, this can be combined with the Server::HOST_ALLOW_EMPTY option to allow the host name to be left empty. It will lead to relative URLs for your installation:

return [
  'url' => Server::HOST_FROM_HEADER | Server::HOST_ALLOW_EMPTY
];

✨ Enhancements

• Upgraded JS dependencies
• Switched to PSR-12 code style for PHP
• Improved table block preview #4096
• Supports $locale parameter in t() and tc() helpers #4160
• Updated PR template & contributing guidelines #4153
• More accessible style for the selected data in the calendar #4202
• Updated contributing.md #4197
• New license.md which replicates the license terms on our site
• contributing.md & readme.md are now back in the main directory of the repo instead of the .github subdirectory
• Improved imagemagick performance thanks to @silllli #4106
• Updated translations

🐛 Fixes

• Continues passing $inline parameter to Markdown component plugins #4127
• Fixed today’s date is no longer highlighted on date picker #4124
• Fix vertical alignment for today text in calendar #4205
• Fixed npm run dev #4134
• Fixed path ending with params separator #4138
• Focussing a k-button-link element in dropdown now works #4148
• Fixed copying of multiple blocks #4129
• Fixed removing multiple blocks #4131
• Fixed copying blocks with Writer preview in Chrome #3941
• Fixed table block throws error when value is empty #4164
• Fixed Kirby and PHPMailer differ in their $text initialisation which fails in PHP8.1 #4155
• Fixes javascript mime type detection in Mime class. #4174
• Fixed layout/reading direction for Korean and Esperanto #4159
• Overwriting the URL in the config is now correctly working in the Panel as well. #4185
• The new Environment class now checks for correct subfolder installations #4191
• Fixed inactive Whoops debugger when throwing an exception in the Environment class #4180
• Fixed Vimeo ID extraction thanks to @Basics09 #4187
• Fixed phpmailer message body empty exception #4183

📈 Stats

• 128 commits
• 49 closed issues and PRs

👨‍💻 Contributors

(in alphabetical order)

• @afbora
• @Basics09
• @bastianallgeier
• @distantnative
• @lukasbestle
• @neildaniels
• @rasteiner
• @silllli
• @tasinttttttt
• @texnixe
• @sebastiangreger