
Releases: getkirby/kirby

3.9.3

30 Mar 13:14
ce4aaac

🎉 Features

  • New Str methods: ::match, ::matches and ::matchAll (thanks to @adamkiss) #5034
  • New A methods: ::count, ::has, ::reduce, ::slice and ::sum (thanks to @adamkiss) #5032

✨ Enhancements

  • Unicode characters and slashes are no longer escaped in blocks and layout fields, even if the pretty: true mode is not used https://kirby.nolt.io/518
  • Upgraded SimpleImage library which adds avif support and improved color extractor #5089

🐛 Bug fixes

  • Fix wrong sort number when using limit in files section #5105
  • Using zero number in params now returns the correct result #5113
  • Fixed issues with pasting blocks, e.g. in block selector dialog #5110
  • Fix blocks and layout field ids for default values #5111

📜 Updates to the Kirby license agreement (EULA)

On March 21, 2023, we made minor edits to our license agreement (EULA) based on community feedback we received in the last months.

You can find the full text of the new EULA on the Kirby website, together with a diff from the previous version and the following summary:

Your rights

  • We have updated the section on license termination. You still have the right to terminate the license agreement at any time. However, we restricted our own right of termination so that we can only do so on violation of or non-compliance with the license terms. We never intended to terminate licenses arbitrarily and now this is written in black and white to give you and your clients legal certainty.

Clarifications

  • We made explicit that a license transfer results in the transfer of all rights and obligations from the license agreement to the new licensee at the moment we confirm the transfer.
  • We have clarified that copies of and edits to our source code are also allowed for the purpose of code contributions back to our GitHub repository.
  • We declare that you are allowed indefinite use of all Kirby versions that are covered by the respective license.

🧹 Housekeeping

  • Updated composer dependencies
  • Reduced stale bot to only take care of issues/PR that need user input and aren’t actionable by the team

3.9.2

08 Mar 11:19
9ecd11c

🎉 Features

  • Custom asset methods #4989 (thanks to @tobimori)
  • Block and layout objects for the blocks and layout fields now allow access to the parent field object with $block->field(), $layout->field() and $layoutColumn->field(). #5053
  • New A::keyBy() method to add keys to an array (thanks to @adamkiss) #5040

✨ Enhancements

  • Pages and files sections: show most relevant search results with flip and sortBy #5035
  • Support shorts for the youtube embed JS helper #5059
  • Changing page template: additional check to ensure only valid templates can be used #5060
  • A::fill accepts a closure/callable (thanks to @adamkiss) #5036
  • Old editor and builder content gets automatically translated to blocks again #5051
  • Corrected the menu label from "Logout" (noun) to "Log out" (verb). (thanks to @purplespider) #5047
  • New $helper.field.form(fields) function to set up values for an empty form #5076

🐛 Fixes

  • Fix updating file template #5049
  • Page::create() doesn’t ignore isDraft prop any longer (thanks to @SeriousKen) #5042
  • Pages::factory() correctly considers isDraft/draft props as well as $draft parameter (thanks to @SeriousKen) #5043
  • Fix alt attribute issue for asset() helper #5066
  • Fixes ->inline()->nl2br() and ->toTimestamp() field methods when the field is empty or does not exist #5063
  • Fixes doNotTrack argument in youtube embed JS helper #5059
  • Options from API: field methods can be applied to text/value #5068
  • Fix displaying conditional fields for empty when condition #4838
  • Fixed some console errors when Panel received Unauthenticated response #4967
  • Nested blocks can be copied/pasted #5074
  • Dir::index() $ignore parameter works now #5010

3.9.1

31 Jan 10:11
617a07a

✨ Enhancements

  • Deprecation warnings can now be disabled granularly by setting Helpers::$deprecations['<deprecation-key>'] = false in your site/config/config.php. You can find the possible deprecation keys in kirby/src/Cms/Helpers.php. #5014
  • The deprecation warning for passing an empty string as the value to Xml::attr() (introduced in 3.9.0) is no longer displayed by default because there are use cases where both the old and new behavior are fine. If you still want to check your code, you can enable the deprecation warning with Helpers::$deprecations['xml-attr-empty-string'] = true. #4934
  • Passing the snippet name argument as null is now handled gracefully #5004
  • Date field: fix tabbing behavior #5018 (Thank you to @mrflix 🙌)
  • Updated translations

🐛 Fixed

  • Emojis are now correctly treated again when using ParsedownExtra #5008
  • Fixed regression with avatar uploads #5022
  • Show correct error message on invalid cache type configuration #5012

♻️ Refactoring

  • Improvements for Http classes’ code quality #4990
  • The CI workflow that runs on release now checks the code coverage again #5016

3.9.0 – Brookesia

17 Jan 13:52
066b050

We've prepared a special site for this release with all new features and changes: https://getkirby.com/releases/3.9

📈 Stats

  • 204 commits
  • 73 closed issues and PRs

3.8.4

10 Jan 08:56
d8a3654

🐛 Bug fixes

  • The multiselect field search works again #4951
  • Date field: Maximum call stack size exceeded error fixed #4969
  • Tags input: spaces aren't removed anymore #4977
  • Fixed issues with k-form and k-fieldset not updating values #4982
  • Tags and multiselect fields arrow actions are working properly again #4994

3.8.3

06 Dec 14:38
41719bd

🎉 Features

  • Kirby query language gains new functionalities: #4854 (thanks to @adamkiss for his help with regex on this)
    • Optional chaining: page('note').cover.toFile?.url does not crash anymore when no cover file is present, but returns null
    • Simple comparisons: support for a ? b : c, a ?: c and a ?? b
  • New hook: page.render:before|after https://kirby.nolt.io/419
  • New language hooks: https://kirby.nolt.io/419
    • language.create:before|after: It is triggered when a new language is created.
    • language.update:before|after: It is triggered when the language is updated.
    • language.delete:before|after: It is triggered when the language is deleted.
  • Added a new option 'content.uuid' => 'uuid-v4' to switch the built-in UUID generator to UUID v4 mode #4868
  • New Mastodon icon.

✨ Enhancements

  • Adds a plus button to the blocks field. When there are no blocks, or when the maximum amount of blocks is reached, the button is not visible. (by @wiegertschouten) #4858

  • Documents that the function Uri::domain() might contain the auth and port parts, by explicitly mentioning them in the docblock. #4846
  • Stats section info prop can be translated #4840

🐛 Bug Fixes

  • Fixed right and left join in Query class #4812
  • Fixes multiselect field when no options for a value #4848
  • Fixes duplicating UUIDs for children and their files #4864

☠️ Deprecated

  • Vue: Usage of v-model on all Kirby components (and in general) has been soft-deprecated (no consequences yet, but we strongly recommend avoiding it/moving away from it). Use :value="" @input="" instead, e.g.
// before
v-model="myValue"

// now
:value="myValue"
@input="myValue = $event"

♻️ Refactoring

  • Replaced many classname strings with ::class notation for better IDE support #4826
  • Get rid of more unnecessary else statements #4811
  • PHP 8: clean up Database package #4812
  • Vue: use imported set() and del() #4817
  • Vue: Get rid of $children usage #4818
  • Vue: Remove importing Vue globally as much as possible #4820
  • Vue: register e.g. components via a Vue plugin that receives the app instance in Vue 3 (in Vue 2.7 still the global Vue) #4820
  • Order-sensitive v-bind usage #4819
  • Replaced all v-model occurrences with :value="value" @input="value = $event", due to https://v3-migration.vuejs.org/breaking-changes/v-model.html #4822
  • PHP 8.2 prep: fix partial callables #4889

3.8.2

15 Nov 12:23
f16b0b4

✨ Enhancements

  • Kirby query improvements #4626
    • New default entries/functions for queries: kirby, collection("your-collection"), page("blog"), file("blog/test.pdf"), site, user("homer"), t("your.i18n.key")
    • Support for closures as query arguments: site.myLazyFunction(() => site.children) - no support for parameters or others, only as lazy-calling measure
  • Support for YouTube Shorts video URLs #4791
  • UUIDs are now supported as API fields for pages, files and users #4810

🐛 Bug Fixes

  • User fields work correctly when user(s) not found #4797
  • Fixed duplicated UUIDs for pages and files when copying/duplicating pages #4831

☠️ Deprecated

  • New Kirby\Query namespace with new Kirby\Query\Query class (to be used going forward for queries). Old Kirby\Toolkit\Query class has been deprecated and will be removed in Kirby 3.10.0. Use Kirby\Query\Query instead, e.g. Query::factory($query)->resolve($data). #4626
    • new Query($query, $data): Passing $data to constructor will be deprecated. Use (new Query($query))->resolve($data) instead.
    • Query::result() will be deprecated. Use $query->resolve($data) instead.

♻️ Refactoring

  • Upgrade npm dependencies #4813
  • Import h() from Vue #4816
  • Improve App::language() syntax #4808
  • Improve ContentTranslation::content() syntax #4806
  • Use coalesce equal in more places #4809
  • PHP 8: clean up Email package #4525

3.8.1.1

25 Oct 09:58
04ef75b

🐛 Bug Fixes

  • Fixed potential content loss when auto-generating UUIDs. #4800
  • Fixed redundant UUID in translation files #4802

✨ Enhancements

  • Updated translation (fi)

3.8.1

18 Oct 12:05
021ad65

🚨 Security

User enumeration in the code-based login and password reset forms

Severity: medium (CVSS score 4.8)

Errors that occur during the processing of the code-based login and password reset were in some cases passed to the user. This includes errors of the code challenge itself (e.g. if the email could not be sent) and errors thrown inside the user.login:failed hook.

This vulnerability allowed user enumeration, which is a type of vulnerability that allows attackers to confirm which users are registered in a Kirby installation. This information can be abused for social engineering attacks against users of the site or to find out the organizational structure of the company.

This vulnerability only affects you if you are using the code or password-reset auth method with the auth.methods option. It can only be successfully exploited under server configuration conditions outside of the attacker's control.

Thanks to Florian Merz (@florianmrz) of hatchery.io for responsibly reporting the identified issue.

User enumeration in the brute force protection

Severity: medium (CVSS score 6.5)

We used the opportunity to review other parts of Kirby's authentication handling and found another part that is affected by a similar user enumeration vulnerability caused by a response discrepancy in Kirby's brute force protection system.

This vulnerability affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be exploited for targeted attacks because the attack does not scale to brute force.


✨ Enhancements

  • UUIDs can be disabled locally via content.uuid option #4755
  • Improved version information of plugins installed with Composer #4733
  • F::load() and F::loadOnce() now guard against unintended output when passing a new 4th parameter $allowOutput as false #4656
  • Fatal errors are written to PHP error log #4775
  • A::merge($array1, $array2, $array3, A::MERGE_APPEND) now supports merging more than 2 arrays #4675
  • Upgraded dependencies

🐛 Bug Fixes

  • System view: console message about accessible folders/files issues fixed #4774
  • Panel lock requests happen silently again (without triggering the loading indicator) #4770
  • Fixed visual glitch for Panel text inputs with Chrome autofill #4767
  • Corrected picker fields store prop description #4780
  • go($site->homePage()) redirects to absolute URLs again. #4781
  • Fixed generating a uuid value for models when the content.uuid option is disabled #4787

♻️ Refactoring

  • Removed else statements to improve code readability #4773

3.7.5.1

18 Oct 11:44

🚨 Security release

User enumeration in the code-based login and password reset forms

Severity: medium (CVSS score 4.8)

Errors that occur during the processing of the code-based login and password reset were in some cases passed to the user. This includes errors of the code challenge itself (e.g. if the email could not be sent) and errors thrown inside the user.login:failed hook.

This vulnerability allowed user enumeration, which is a type of vulnerability that allows attackers to confirm which users are registered in a Kirby installation. This information can be abused for social engineering attacks against users of the site or to find out the organizational structure of the company.

This vulnerability only affects you if you are using the code or password-reset auth method with the auth.methods option. It can only be successfully exploited under server configuration conditions outside of the attacker's control.

Thanks to Florian Merz (@florianmrz) of hatchery.io for responsibly reporting the identified issue.

User enumeration in the brute force protection

Severity: medium (CVSS score 6.5)

We used the opportunity to review other parts of Kirby's authentication handling and found another part that is affected by a similar user enumeration vulnerability caused by a response discrepancy in Kirby's brute force protection system.

This vulnerability affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be exploited for targeted attacks because the attack does not scale to brute force.
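
Both advisories above (listed for 3.8.1 and 3.7.5.1) describe a reply that differs depending on whether an account exists. The PHP sketch below is an added example, not Kirby's code: the function, constants and sample data are hypothetical and show one common hardening pattern for this class of issue, with internal errors kept server-side and attempts counted identically for known and unknown addresses.

```php
<?php
declare(strict_types=1);
// Added illustration, not Kirby's implementation; all names are hypothetical.
const REPLY_SENT    = ['status' => 200, 'message' => 'If the account exists, a code was sent.'];
const REPLY_LIMITED = ['status' => 429, 'message' => 'Too many attempts, try again later.'];
const MAX_ATTEMPTS  = 3;

/**
 * Hardened code-request handler: the reply depends only on the attempt
 * counter for the submitted address, never on whether the account exists.
 */
function requestLoginCode(string $email, array $users, array &$attempts, callable $sendCode): array
{
    $key = strtolower(trim($email));
    // Count attempts for every submitted address, known or unknown, so the
    // rate limit triggers identically in both cases.
    $attempts[$key] = ($attempts[$key] ?? 0) + 1;
    if ($attempts[$key] > MAX_ATTEMPTS) {
        return REPLY_LIMITED;
    }

    if (isset($users[$key])) {
        try {
            $sendCode($key);
        } catch (Throwable $e) {
            // Mail or hook failures go to the server log only; passing them
            // to the client would confirm that the account exists.
            error_log('login code delivery failed: ' . $e->getMessage());
        }
    }
    return REPLY_SENT;
}

// Constructed sample data: one registered user and a mailer that always fails.
$users    = ['editor@example.com' => true];
$attempts = [];
$failing  = function (string $to): void {
    throw new RuntimeException('SMTP connection refused');
};

// Compare the replies for a known and an unknown address.
$known   = requestLoginCode('editor@example.com', $users, $attempts, $failing);
$unknown = requestLoginCode('nobody@example.com', $users, $attempts, $failing);
var_dump($known === $unknown);

// Exceed the limit for both addresses and compare the lockout replies.
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    $a = requestLoginCode('editor@example.com', $users, $attempts, $failing);
    $b = requestLoginCode('nobody@example.com', $users, $attempts, $failing);
}
var_dump($a === REPLY_LIMITED && $b === REPLY_LIMITED);
```

Response timing is a further channel this example does not equalize: delivering mail only for existing accounts takes longer unless delivery is queued.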