🚨 Security release
This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:
- Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
- Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
- Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)
Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.
Updated docs on the Markdown safe mode
During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.
The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML, however there are also risks in the Markdown syntax itself (e.g. malicious javascript: links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.
The documentation on the safe mode contained a wrong code example that used an invalid safeMode option instead of the correct safe option. This has now been corrected. If you already use the safe mode, please check your code.
➡️ Read more
✨ Enhancements
- New
$file->sharpen()method for images #6227
🐛 Bug fixes
- Fixed
Str::excerpt()for texts without spaces #6215 - Proper error message when a MIME type of a file is being validated but could not be determined from the file #6095
k-button-groupwrap with long label line. #6231- "Invalid Date" parsing dates in pages section with
layout: table#6234 - Disable license dialog in demo mode #6271
- Emojis are now working in buttons and the
k-iconcomponent #6276