github getkirby/kirby 4.0.0-rc.3
on GitHub

latest releases: 4.5.0-rc.1, 5.0.0-alpha.3, 4.4.1...
pre-release11 months ago

UPDATE

We unfortunately introduced an upload bug in this RC, which renders any uploads unusable. We are very sorry for that. Please, use RC.4 instead: https://github.com/getkirby/kirby/releases/tag/4.0.0-rc.4

🚨 Security

During an internal security review of the Kirby 4 codebase, we have discovered two cross-site scripting (XSS) vulnerabilities in the changes dialog and the admin disable dialog for the new TOTP login feature.

Both vulnerabilities were introduced during the Kirby 4 alphas and betas and are fixed by this RC.

The vulnerabilities affect all Kirby sites on Kirby 4 alphas, betas or previous release candidates that might have potential attackers in the group of authenticated Panel users or that allow external visitors to create or update user accounts.

Sites on Kirby 3 are not affected.

✨ Enhancements

  • Add Vue target version to jsconfig #5971
  • Add missing class aliases to ease some breaking changes #5987
  • Field and section labels have title attribute #5994
  • colors library supports hex colors without leading # #5997
  • New disabled theme for <k-item> #5996

🐛 Bug fixes

  • Fix double-escaping bug in the Panel language view #5986
  • ImageMagick: fix focus-cropping bug (thanks to @mrflix) #5982
  • Block selector: fix for empty groups #5794
  • Object field: fix disabled table style #5957
  • Models fields: add disabled style #5959
  • Link field: fix model preview for too long titles #5924
  • Slug field respects custom allowed slug characters from Str::$defaults['slug']['allowed'] #5929
  • Buttons in field and section headers don’t wrap on narrow screens #5994
  • ColornameInput: only use getComputedStyle as last resort when colors library fails #5997

♻️ Refactored

  • Use the Vue object syntax for dynamic :style attributes to enhance the robustness and security #5986
  • Ensure the security of the Str::safeTemplate() method against code execution attacks with an automated test #5986

🚨 Breaking changes

  • $helper.string.slug: the allow parameter now defines the whole set of allowed characters, not just the characters in addition to a-z0-9 #5991
Check out latest releases or
releases around getkirby/kirby 4.0.0-rc.3

Don't miss a new kirby release

NewReleases is sending notifications on new releases.

Get notifications