- ✨ Enhancement: adding the ability to pass association ID through request and pick it up in the form
- ➕ Adding associations to Express form notifications
- Top Navigation Bar block now honors the `nav_target` custom attribute, if it exists (thanks ccmEnlil)
🐛 Bug Fixes
- 🛠 Fixed bug in /ccm/system/upgrade script on PHP 8.1 (thanks ccmEnlil)
- 🛠 Fixed upgrade inconsistencies that could cause problems for installers like Softaculous
- 🛠 Fixed Accordion Block: when the initial state is set to 'all items open' or 'all items closed', the collapsed state is not always correct (thanks danklassen)
- 🛠 Fixed compatibility with PHP 8.1 when installing with Composer.
- 🛠 Fixing bug where Express entries with multiple associations could not be filtered accurately in advanced search
- 🛠 Fixing bug where submitted values do not persist in Express association forms
- 🛠 Fixed: Changing the page template of a draft breaks block versioning (thanks jaromirdalecky)
- 🛠 Fixed: Duplicating file as non-super admin does not work due to permissions key (thanks danklassen)
- 🛠 Fixed: core search block: the form tag has two class attributes
- 🛠 Fixed null pointer Exceptions when using area layouts under certain conditions (thanks biplobice)
Backward Compatibility Notes
⚡️ Developer Updates
- ⚡️ Laminas cache laminas/laminas-cache-storage-adapter-memory library updated to 2.0 in order to restore compatibility with PHP 8.1 when installing via Composer
- 🛠 Fixed: Block::isOriginal() returns opposite value (thanks jaromirdalecky)
🆕 New Features
- 👌 Improved appearance and functionality when editing block, area, layout and container styles inline in the page (thanks deek87)
- ➕ Added the ability for an Express attribute to be marked as unique, provided its attribute type supports it. Unique attributes will be useful for SKUs, enforcing email uniqueness, etc…
- Much improved version comparison feature that can compare the HTML of two page versions and highlight differences (thanks deek87 and hissy)
- 🔋 Feature Link block improvements: Adds option for 'link' styled button using BS5 .btn-link button class, Adds the option to include an icon in the button and to have icon only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)
- 💅 Hero Image block improvements: Adds option for 'link' styled button using BS5 .btn-link button class, Adds the option to include an icon in the button and to have icon only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)
- ➕ Added new Security Policy page in the Dashboard (thanks hissy)
- ➕ Added a “Revert to Draft” command button on published pages in the Composer interface (thanks hissy)
- 👌 Improvements and refinements to Dashboard file details screen in desktop and mobile views.
- ➕ Added the ability to move a file folder in the Dashboard file manager.
- ➕ Added the tree view back to the Groups Dashboard page.
- ➕ Add title field for YouTube and Video block types for better accessibility (thanks Mesuva)
- Express attributes no longer need to be unique across all Express objects. Instead attribute handles can be reused provided they’re not reused within the same object.
- 🆕 New Express forms will be created when Express Form blocks that have been copied are edited in their new locations (thanks Xanweb)
- 🛠 File chooser has improved view and functionality; bug fixes; adding width, height and size to list and grid view; adding detail image callout on hover.
- 🚚 Task Options in the Dashboard have been moved into a modal dialog when present, so they’re harder to miss (thanks deek87)
- Express entity attribute handles now can be reused as long as they’re not reused within the same Express object.
- You can now click on the entire row of a Dashboard results table (like the page search, file manager, etc…) and go to the detail URL.
- 👍 Better display of inline floating commands for things like containers and block move.
- We now show the container name when hovering over containers in edit mode.
- 👌 Improve display of Recaptcha settings page.
- Appearance improvements to Waiting for Me and the Dashboard desktop.
- Active classes for pages added to the output of the Top Navigation Bar block (thanks danklassen)
- Locale home page is now undeleteable when using multilingual sites.
- 🐎 Miscellaneous performance improvements for logged-in users (thanks hissy)
- ➕ Added rate limiting to Forgot Password using the built-in IP Allowlist/Denylist functionality
- 👍 Better usage of meta canonical tag in page under certain circumstances (thanks hissy)
- File folders now cannot be deleted if they have sub-folders or sub-files in them.
- 💅 Display improvements to inline style dropdown (no more too-dark panels with no contrast.)
- 👍 Better automatic display of the “Approve Stack” button when editing block parameters, styles and permissions in the stacks Dashboard page.
- 🚚 Don’t allow users to delete site types until they have removed all sites of that type.
- 👌 Improvements when Concrete is installed in a subdirectory instead of the root directory of a website.
- ➕ Added the ability to view a user’s public profile from their Dashboard user details page.
- ➕ Added `--session-handler` to the console install utility. Set to `database` if you’d like to override the default file-based sessions.
- Gotten rid of the behavior where certain dynamic trees cause pages to scroll to them on load (visible on Express Object details edit, adding groups, using the Groups selector in custom Dashboard pages, and more)
- ➕ Added the link back to the “Data Objects” Express management interface from the header of that Express objects results page.
- ➕ Added URL Path as a column that can be added to the Page Search interface.
- 🛠 Fixed: Login page forces gray background on custom themes
- 🛠 Fixed: Scheduled page publishing doesn't purge the page cache (thanks hissy)
- ➕ Added more caching to certain objects to improve performance (thanks hissy)
- Pre-selected File Storage Location For Nested Folder
🐛 Bug Fixes
- 🛠 Much improved PHP 8 compatibility fixes for all core block types (thanks deek87)
- 🛠 Fixed user permissions for searching users with non super admin not working in sites upgraded from 8.5 until permissions were reset.
- 🛠 Fixed inability to assign groups, users, group sets or group combinations to group permissions when updating from 8.5.
- 👌 Improvements to core libraries to allow for installation on PHP 8.1 w/Composer.
- 🛠 PHP 8 compatibility fixes for Calendar (thanks deek87)
- 🛠 Fixed: Database Character Set is no longer showing current character set.
- 🛠 Fixed: Missing font selection for body font in Atomik customizer when using Default skin.
- 🛠 Fixed: Batch Task with empty batch does not finish running
- 🛠 Fix Top Navigation Bar block 'include sticky nav' setting not set appropriately when editing the block
- 🛠 Fixed inability to drag an individual block out of the stacks panel in a page.
- 🛠 Fixed: Document Library advanced search fields do not display
- 🛠 Fixed “Express form error dirty entity” error that users might see when creating forms on the front-end.
- 🛠 Fixed bug where attribute data validation routines weren’t being run when updating certain objects and certain objects in bulk.
- 🛠 Fixed: Express Calendar and Calendar Event Attributes Not Correctly Implemented
- 🛠 Fixed: "Added to Page" File search filter doesn't work
- 🛠 Fixed: Schedule Guest Access doesn't work (thanks HamedDarragi)
- 🛠 Fixed: Page Search in chooser dialog doesn’t work (thanks HamedDarragi)
- 🛠 Fixed: The multilingual panel/page relations panel didn’t allow you to create pages in the multilingual trees from the related page - and it used to.
- 🛠 Fixed strange appearance in Dashboard sitemap selector when using multisite and multiple locales.
- 🛠 Fixed bugs with using custom file attributes with the Document Library block.
- 🛠 Fixed theme customizer not working on legacy LESS-based themes when being used with a large number of LESS variables.
- 🛠 Fixed inability to see sort icons on attributes in the Dashboard.
- 🛠 Fix Auto-Nav showing duplicate tabs in themes based on Bootstrap 3 (thanks lvanstrijland)
- 🛠 Fixed: When using more than one user search criteria by group, one to include groups and one to exclude groups, we get the wrong results (thanks mnakalay)
- 🛠 Fixed: Accordion block doesn't load required assets when not using BS5 based theme.
- 🛠 Fixed error when trying to edit 'express details block' (thanks Ruud-Zuiderlicht)
- 🛠 Fixed edit page type basic details error on PHP 8.
- Tooltips now work properly again in Composer interface (thanks danklassen)
- 🛠 Fixed inability to create and update skins for themes that had a large number of parameters under certain conditions.
- 🛠 Fixed errors that would occur when creating a site, enabling multilingual, setting a new source locale, and deleting the original default locale.
- 🛠 Fixed: User activation workflow, Activate action not working
- 🛠 Fixed: 9.0.2 Seo Bulk Updater for multilingual site not showing results when selecting All Levels (thanks danklassen)
- 🛠 Fixed: Placing a Sticky "Top Navigation Bar" in Global "Navigation" using Atomik blocks editing of page
- 🛠 Fixed: Topics Attribute Search Form is not getting translated on Frontend (thanks 1stthomas)
- Re-enabled the ability to edit a user’s avatar from their Dashboard details page.
- 🛠 Fixed: Clipboard - Unable to remove broken clipboard entries/clipboard doesn't remove deleted blocks
- 🛠 Fixed: When placing a stack, the edit mode menu is not displayed
- 🛠 Fixed: Adding Options To Option List Page Attribute Undefined Array Key under PHP 8
- 🛠 Fixed: Multilingual copy site tree with alias pages (thanks hissy)
- 🛠 Fixed: v9 Elemental Block Edit Nav Tabs Broken (thanks ccmEnlil)
- 🛠 Fixed: Error in updating package from marketplace incorrectly displaying itself under certain conditions (thanks JohnTheFish)
- 🛠 Fixed: Accordion block editing interface rich text editor doesn’t have access to Concrete-specific features like file manager, sitemap, etc…
- 🛠 Fixes ErrorException - Undefined property: Concrete\Core\Permission\Access\Entity\GroupCombinationEntity::$label under PHP 8 (thanks 1stthomas)
- Legacy form's "reply to this email address" checked state was not properly passed (thanks katzueno)
- 🛠 Fixed errors with the legacy form (thanks mlocati)
- 🛠 Fixed: Updating an express form handle can result in a table name that is too long for mysql
- 🛠 Fix several user search fields not retaining their selected values (thanks mnakalay)
- 🛠 Fixed: install with Elemental full fails due to undefined array key "titleFormat" under PHP 8
- 🛠 Fix YouTube block responsive size class issue (thanks katalysis)
- 🛠 Fixed Marketplace dashboard page broken under PHP 8
- Conversation rating stars now appear properly (thanks deek87)
- 🛠 Fixed inability to remove an entry from the trash when that entry is an alias to an external link (thanks Ruud-Zuiderlicht)
- 🛠 Fixed bug where core “Parallax Image” area custom template (deprecated) now works again
- 🛠 Fix a bug with having multiple image blocks with on-hover attribute set on the page didn’t work reliably (thanks evgk)
- 🛠 Fixed: Toolbar title styling interfering with intelligent search results in accessibility mode (thanks Mesuva)
- 🛠 Fixed: Switch Language block default view does not work
- 🛠 Fixed inability to use the “Express Entry Selector Multiple” form control type.
- 🛠 [V9 RC] Fixed cookie not being cleared properly to open "add block panel" when using the sticky add panel and installing Concrete in a sub-directory
- 🛠 Fixed: Position of the reCAPTCHA badge not shown correctly after saving
- 🛠 Fixed errors in waiting for me when groups or users were deleted.
- 🛠 Fix inability to set storage location from file details Dashboard page.
- 🛠 Fixed bugs with thumbnails on alternate storage locations (thanks mnakalay)
- 🛠 Fixed: 'concrete.debug.hide_keys' not working on Globals due to commented code
- 🛠 Fix IpAccessControlService check against specific access control category (thanks mlocati)
- Access Control: fix sorting categories in the dashboard page (thanks mlocati)
- 🛠 Fixed bug: When there's no time window, we currently ban IP addresses forever, even if we configure Concrete to only ban for X seconds. (thanks mlocati)
- 🛠 Fixed bug: "Illegal mix of collations" when running reindex task when running under certain database conditions.
- ➕ Added “snippet.png” back into rich text editor so you can see that button.
- 🛠 Fixed: Removing Author User From Page Attributes & Saving Throws Error
- 🛠 Fixed: Deleting Containers throws Access Denied error under certain in-page editing conditions.
- 🛠 Fixed: Rich Text Page Attribute Composer "Source" Editing Hindered By Composer Autosave
- 🛠 Fixed a bug in image processing (Imagine Library) that could lead to segmentation faults under certain conditions (thanks mlocati)
- 🛠 Fixed: PlaceholderService error in thumbnail overview (thanks haeflimi)
- 🛠 Fixed: Deleting Containers shows multiple delete modal windows under certain in-page editing conditions.
- 🛠 Fixed: Top navigation block always loads the default site tree even in multilingual sites (thanks danklassen)
- 🛠 Fixed inability to override session handler to database in config prior to installation and then install successfully.
- 🛠 Fix missing none option in attribute display block (thanks JohnTheFish)
- 🛠 Fixed: Stacks with no approved versions do not appear in stacks list
Backward Compatibility Notes
- ⚡️ The `Concrete\Core\Express\Form\Validator\Routine\RoutineInterface` class and all classes that implement it have changed. The `validate` method now takes a nullable third parameter for the `Concrete\Core\Entity\Express\Entry` object that may or may not exist. This replaces the request type attribute. The request type can now be inferred: if the entry does not exist, we assume this to be an `ADD` operation. If the entry exists within the `validate` method, you are running an
- `Block::duplicate()` has changed its secondary parameter from `$isCopiedWhenPropagated` to `$controllerMethodToTryAndRun`. This lets us choose `duplicate_master` or the new `duplicate_clipboard` in certain situations. It is very unlikely that this should impact any custom code you have written as this is pretty deep in the Concrete internals.
- If you have customized the Document Library view template, please ensure that your `<form>` tag has a valid input button with the name `"search"`. This is checked in the controller in order to ensure searching is actually occurring. If you want to search by advanced file attributes, you’ll need this to be in place or else the Document Library controller will not check for attribute searching.
⚡️ Developer Updates
- `on_page_version_delete` event (thanks hathawayweb)
- ⚡️ Mail Importer code running on ancient Zend Mail code updated to PHP 7+ (thanks KevinBLT)
- Patches to third party libraries to allow for installation on PHP 8.1 w/Composer (thanks mlocati)
- ⚡️ htmlawed HTML sanitization library updated for better compatibility with HTML5.
- IP Access Control: add IpAccessControlCategory::describeTimeWindow() (thanks mlocati)
- 👍 Allow Date service class to work with DateTimeImmutable objects (thanks mlocati)
- 👌 Improvements and bug fixes to route building and controller syntax (thanks mlocati)
- More reliable running of on_start() in block controllers before page contents are rendered (thanks hissy)
- 🚚 Moved concrete5/dependency-patches to the core composer.json instead of the separate composer project (thanks mlocati)
- 👌 Improved code commenting throughout all core blocks (thanks deek87)
- 🛠 Fix list_syntax rule of PHP-CS-Fixer (thanks mlocati)
- ⚡️ Significant list of third party PHP script minor updates.
- Simplify c5:exec return code (thanks mlocati)
- 🛠 Fixed: Task scheduling command is incorrect on dashboard page and in documentation, needs more detail
- `Concrete\Core\Http\ResponseFactory` used to take `$session` as its first constructor dependency, even though that was not used. This caused problems in the event response factory was used prior to sessions being available or being configured for database sessions that were not yet installed. This parameter has been removed. If you use the `$app->make()` method of building this class, you should not be affected.
- Now using https:// for communication with the Concrete marketplace even when the user’s site is not https://
🔒 Security Fixes
- 🛠 Fixed: https://hackerone.com/reports/1483104
- 🛠 Fixed several places where we weren’t sanitizing file names in the file manager and stacks page.
- 🌐 Many translation fixes, including new components that weren’t localized (thanks mlocati)
- 👍 Better appearance of inline toolbars. Updates to remove potential style collisions between block design toolbar and themes.
- 👌 Improvements to the process of publishing page type default blocks to child pages (thanks deek87)
- 🔒 Rehash passwords when needed to ensure adherence to the latest security standards.
- 🛠 Fixed display of the FAQ block in edit mode.
- 📈 Use base64 encoding/decoding on submitting tracking codes in the Dashboard to avoid triggering mod_security (if present) on submit (thanks Mesuva)
- ➕ Added a settings tab with new options to Accordion block type (thanks katalysis)
- Concrete file choosers once again limit by file type and extension in certain contexts (e.g. no longer able to choose non-image files if the code requires image files be chosen.)
- Two Column Light and Light Stripe containers in Atomik theme renamed to Two Column Highlight and Highlight Stripe to avoid confusion.
- 👍 Stacked and Stacked Primary custom templates for Feature block in Atomik have nicer padding, better behavior when used to link elsewhere.
- 👍 Hero Image “Offset Title” custom template in Atomik now has better behaviors: it honors the height setting and looks nicer in the theme whether the container is enabled or not.
- 💅 Miscellaneous style classes added to the rich text editor when using Atomik theme.
- 👌 Improvements to the new “configurable thumbnails” responsive thumbnails in the Image block.
- 👌 Improvements to logo custom template and feature link CSS in Atomik theme.
🐛 Bug Fixes
- 🛠 Fixed fatal error when viewing Express object listings with associations in their list in a site updated from 8.5.x.
- 🛠 Fixed Hero Image block button not linking anywhere
- 🛠 Fixed Feature Link block button not linking anywhere
- 🛠 Fixed error where block template view.css and view.js files were not loading properly.
- 🛠 Fixed inability to start from a customized theme when using the legacy theme customizer.
- 🛠 Fixed inability to delete files or clear sample data content when files were being used in a Board.
- Canonical URLs no longer include arbitrary query strings.
- 🛠 Fixed inability to uninstall tasks when working with packages that had installed custom tasks.
- 🛠 Fixed error when connecting to marketplace under PHP 8.
- 🛠 Fix issue where sitemap is inaccessible to users on multilingual sites if the user doesn't have access to view the default locale in the sitemap.
- 🛠 Fixed weird behavior when attempting to edit theme grid layouts in Atomik and other Bootstrap 5 themes.
- 🛠 Fixed bug when deleting containers that had been aliased out from a master page removing the container on the master page as well.
- 🛠 Fixed inability to sort entries in the Image Slider block.
- File trackability works much more reliably and across more core block types than before.
- 🛠 Fixed: CollectionSearchIndexAttributes table is updated without approving the page version
- 🛠 Fixed missing icons in Share this Page block (thanks hissy)
- 🛠 Fixed: Layout toolbar partially off page window. Add Layout Function not working
- 🛠 Fixed custom CSS not showing up in the customizer when editing a custom skin.
- 🛠 Fixed fatal error when rendering /dashboard root page in PHP 8+.
- 🛠 Fixed fatal error rendering Dashboard file detail screen in PHP 8+.
- 🛠 Fixed fatal error when rendering gallery add block interface in PHP8+.
- 🛠 Fixed bug where border radius wasn’t being saved properly in block/area design settings.
- 🛠 Fixed error in Gallery block when images in it had been removed from the file manager.
- 🛠 Fixed error “Trying to access array offset on value of type bool” when logging in with a username that doesn’t exist under PHP 8 (should get an error that explains what you did wrong better than this).
- 🛠 Many additional fixes for core block types in PHP 8 (thanks deek87)
- 🛠 Fix “division by zero” error under some conditions when running queueable commands.
- 🛠 Fixed bug where custom block cache override settings are reset on new version approval (thanks hissy)
- 🛠 Fixed: If by any chance `$buttonColor` is unset, the class tag of the `<div>` is never closed (thanks puka-tchou)
- 📱 Theme responsive image breakpoints are now in the proper order to support the picture tags on mobile devices in Atomik.
- Color picker in image editor now displays properly (thanks mlocati)
- 🛠 Fixed: Dashboard favorites menu aren’t localized properly (thanks mlocati)
- 🛠 Fixed bugs with Hero Image block under PHP 8
- 🛠 Fixed bugs with Feature Link block under PHP 8
- 🛠 Fixed error in YouTube block view when using PHP 8.
- 🛠 Fixed errors in Top Navigation Bar block under PHP 8
- 🛠 Fixed error in Testimonial block when using PHP 8 (thanks hissy)
- 🛠 Fix "Undefined array key" warning for advanced page search on [email protected] (thanks hissy)
- 🛠 Fix "variable is undefined" errors when adding Conversation blocks when using PHP 8 (thanks mlocati)
- 🛠 Fixed Exception thrown when attempting to reload strings (thanks mlocati)
- 🛠 Fixed inability to download files in the file manager via the “Download File” option in the file menu.
- 🛠 Fixed broken Site attribute type.
- 🛠 Fixed: When configuring a select attribute to allow a single selection but also allow end user additions, an error is received.
- 🛠 Fixed: Adding a user unless multiple languages are installed fails under PHP 8
- 🛠 Fixed: Board "Error Call to a member function getStylesheet() on null" when rendering a Board in the Dashboard.
- 🛠 Fixing issues viewing users in groups in Dashboard for sub-admins.
- 🛠 Fixed: Exception uninstalling package/theme when package has installed containers
- 🛠 Fixed: List of themes ready to install broken and has design issues (thanks mnakalay)
- 🛠 Fix c5:entities:refresh CLI command (thanks mlocati)
- 🛠 Fixed error when using files with UUIDs in the content block (thanks mnakalay)
- 🛠 Fix position of caption in Language Details dialog (thanks mlocati)
- 🛠 Fixed error adding Document Library block to the page.
- 🛠 Fixed error “Unknown named parameter $html” when attempting to reset a password on PHP 8.
- Fixed: Document Library Block: Click on a folder leads to Invalid folder ID
- 🛠 Fixed magnifying glass button in the search in the navigation bar is not working in the Top Navigation Bar block.
- 🛠 Fixed some edge case errors with package uninstall and Doctrine entities
- 🛠 Fixed error where database entities weren’t showing their directory locations on the Database Entities Dashboard page.
- 🛠 Fixed error where uninstalling a package and reinstalling it doesn’t create the block type record in the package if there is only a single block type in the package and nothing else.
- 🛠 Fixed errors installing Atomik documentation under PHP 8.
- 🐛 Bug Fixes to Event List block in PHP 8.
- 🛠 Fixed: Featured Event Toggle Not Working in Event List block.
- 🛠 Fixed double select appearance on Edit File Thumbnail Dashboard screen.
- 🛠 Fixed PHP 8 Error: Error on editing Page List block on brand new 9.0.1 install
- 🛠 Fixed inability to set permissions against a particular user in advanced permissions mode (thanks hamzaouibacha)
- Dashboard Reports page now links over to legacy form results page when necessary (thanks mnakalay)
- 🛠 Fix for broken area edit menu when advanced permissions were enabled under some conditions (thanks mnakalay)
- 🛠 Fixed: Contrast off for edit button label when toolbar titles setting enabled
- 🛠 Fixed image libraries check not running in Image Options single page (thanks mnakalay)
- 🛠 Fixed: Elemental theme, Version 9.0.1: New Accordion Block not working properly
⚡️ Developer Updates
- ⏪ Reverted Form helper behavior so that passing in `class` will append the CSS classes to whatever the default class was, rather than replace it fully. Added a new `classes` key that will fully replace the classes if present.
- ⬆️ Upgrade gettext/languages and punic/punic (thanks mlocati)
- Theme grid preset layouts now export properly and import properly when using the exporter/Content XML format (thanks mlocati)
- 🏷 The canonical URL query string handler has been changed from excluded to included – meaning that if you as a developer want to include a query string parameter in your various canonical URLs, you’ll need to add the parameter key/name to the
- ⚡️ CKEditor updated to 4.17.1 (thanks hissy)
- 👌 Improvements to scheduled page version publishing (thanks hissy).
- 🐎 Performance improvements when retrieving access entities for users (thanks hissy)
- ⚡️ Updated translation library to 1.7.0 to allow 9.0 to be fully translated (thanks mlocati)
🐛 Bug Fixes
- 🛠 Fixed error when installing Elemental on PHP 8 (https://github.com/concrete5/concrete5/issues/10003)
- 🛠 Many display issues fixed when browsing marketplace from within your 9.0 site.
- 🛠 Fixed issue where updating from 8.5.6 would disable concrete extensions in rich text editor.
- 🛠 Fixed Unknown column 'folderItemName' in 'field list' in folder item list custom code used by add-ons.
- 🛠 Fixed time dropdowns not working when editing a calendar event.
- 🛠 Fixed inability to install 9.0 with Composer.
- 🛠 Fixed some missing social icons for social link types.
- 🛠 Fixed inability for legacy LESS themes to support rgb and rgba colors.
- 🛠 Fixed broken Dashboard page: Excluded URL Word List
- 🛠 Fixed inability to see proper options selected when editing user attribute key.
- 🛠 Fixed ImageValue::setImageFileID() must be of the type int, string given when updating some legacy theme customizer values (thanks martinkouba)
- 🛠 Fixed page summary templates link not working in page design panel.
- 🛠 Fixed inability to open block custom design toolbar in PHP 8.
- 🐛 Bug fixes to theme updates that use the text type customizer in certain situations (thanks martinkouba)
- 🛠 Fixed: Non super admin cannot move a block pasted from clipboard (thanks jaromirdalecky)
- 🐛 Bug fixes to legacy theme customizer with themes that used the same variable for different variable types.
- 🛠 Fixed error Base table or view not found: 1146 Table 'messengerscheduledtasks' doesn't exist when upgrading from 8.5.x to 9.0.
- 🛠 Fixed: Country select menu has the `form-control` class instead of
⚡️ Developer Updates
- 🔨 Banned Words validation service classes completely refactored and modernized (thanks hissy)
- 👉 Make it so users can disable core middlewares (thanks mlocati)
🔒 Security Fixes
- 🛠 Fixed CVE-2021-22970: Concrete allowed local IP importing, causing the system to be vulnerable to (a) SSRF attacks on private LAN servers and (b) SSRF mitigation bypass through DNS rebinding. Concrete now disables all local IPs through the remote file uploading interface. The Concrete CMS security team gave this a CVSS v3.1 score of 3.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N). This CVE is shared with HackerOne reports #1364797 (thanks Adrian Tiron from FORTBRIDGE, https://www.fortbridge.co.uk/) and #1360016 (thanks Bipul Jaiswal). This fix is also in Concrete v8.5.7.
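One way to defend a remote-import feature against both issues named in CVE-2021-22970: reject any host that resolves to a private or reserved address, and connect only to the address that was validated so a later DNS answer cannot differ. This is an added example, not Concrete CMS's actual patch; the function names (`isPublicIp`, `systemResolver`, `vetRemoteUrl`, `fetchPinned`) and the sample hosts and addresses are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not Concrete CMS code; every function name here is hypothetical.

/** True only for a valid IP literal outside the ranges PHP treats as private or reserved. */
function isPublicIp(string $ip): bool
{
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return false;
    }
    // Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply to it.
    if (strlen($packed) === 16 && substr($packed, 0, 12) === str_repeat("\0", 10) . "\xff\xff") {
        $ip = inet_ntop(substr($packed, 12));
    }
    // Add site-specific ranges here if your network uses space these flags do not cover.
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/** Resolver for production use (assumption: A via gethostbynamel, AAAA via dns_get_record). */
function systemResolver(string $host): array
{
    $v4 = gethostbynamel($host) ?: [];
    $v6 = array_column(@dns_get_record($host, DNS_AAAA) ?: [], 'ipv6');
    return array_merge($v4, $v6);
}

/**
 * Resolve the host exactly once, refuse it if ANY answer is non-public, and
 * return the address the HTTP client must be pinned to.
 *
 * @param callable(string): string[] $resolver maps a host name to IP strings
 * @return array{host: string, port: int, ip: string}
 */
function vetRemoteUrl(string $url, callable $resolver): array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('URL must be absolute');
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http and https are allowed');
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps brackets on IPv6 literals
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // An IP literal needs no lookup; anything else goes through the resolver once.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolver($host);
    if ($ips === []) {
        throw new RuntimeException("Host $host did not resolve");
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            throw new RuntimeException("Refusing $host: resolves to non-public address $ip");
        }
    }
    return ['host' => $host, 'port' => $port, 'ip' => $ips[0]];
}

/** Fetch with cURL pinned to the vetted address, so no second DNS lookup happens. */
function fetchPinned(string $url, array $pin)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RESOLVE => ["{$pin['host']}:{$pin['port']}:{$pin['ip']}"],
        CURLOPT_FOLLOWLOCATION => false, // a redirect target would skip the vetting above
        CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// --- Demo with a constructed resolver (no network access needed) ---
// It simulates DNS rebinding: a public answer on the first lookup, loopback afterwards.
$lookups = 0;
$rebindingResolver = function (string $host) use (&$lookups): array {
    return $lookups++ === 0 ? ['203.0.113.10'] : ['127.0.0.1'];
};

$pin = vetRemoteUrl('http://files.example.test/logo.png', $rebindingResolver);
echo "validated and pinned to: {$pin['ip']}\n";
echo 'a second, unpinned lookup would return: ',
    implode(', ', $rebindingResolver($pin['host'])), "\n";

// Constructed URLs that name internal addresses or a disallowed scheme.
foreach (['http://192.168.1.10/admin', 'http://[::ffff:127.0.0.1]/', 'ftp://203.0.113.10/x'] as $url) {
    try {
        vetRemoteUrl($url, $rebindingResolver);
        echo "allowed: $url\n";
    } catch (Exception $e) {
        echo "blocked: $url ({$e->getMessage()})\n";
    }
}
```

In real use, pass `'systemResolver'` as the resolver and hand the returned pin to `fetchPinned()`; any redirect the server sends must be vetted the same way before it is followed.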
Major New Features
- Summary Templates
- 👍 Multisite support.
- 🆕 New modern theme for 2021 – Atomik
- 🆕 New Gallery block built into the core.
- 💻 Completely rebuilt file manager that has much better folder and advanced search support, support for home folders, favorite folders, external file providers, a new file upload UI and much much more.
- 🔌 Completely new upload experience that adds support for additional service provider plugins.
- A completely new integrated image editor
- 👍 Overhauled theme customizer, with support for skins, non-customizable skins, SCSS support, Bootstrap 5 and more.
- ⏱ Tasks: a completely rebuilt, much improved version of classic Concrete Jobs, with support for queueing, scheduling, unified input/output within the console and web interfaces, live output with Mercure and more.
- 👉 User Group Types: Add the ability to create types of groups, including roles within groups, group management based on roles within groups, and more.
- 💻 An overhauled UI built off of Bootstrap 5 and Concrete Bedrock
Other New Features and Improvements
- 👍 Express now supports multisite.
- ➕ Added the ability to edit page aliases from within the Dashboard sitemap (thanks mlocati)
- ➕ Added the ability to customize the from name registration email parameter (thanks katzueno)
- 🆕 New Breadcrumb Navigation block now available (thanks hissy)
- 🐎 Much improved performance throughout, due to better navigation caching, and cache optimization (hissy and core team)
- ➕ Added pagination to clipboard panel and the ability to reset all clipboards from the Dashboard (thanks bitterdev)
- ➕ Added configuration for whether to log email body contents or just metadata (thanks bitterdev)
- 👌 Support for interactive theme documentation and block preview.
- ➕ Added bulk page permissions commands to the page search interface (thanks bitterdev)
- ➕ Added the ability to upload a CSV of users to assign to a particular group. (thanks bitterdev)
- 🔌 Completely new image editor plugin framework. Ships with TUI Image Editor.
- 🆕 New icon selector component when working with block types like Feature that allow users to select icons.
- ➕ Added logging for file uploads and file deletions (thanks bitterdev)
- 📇 File manager can now automatically populate file attributes from EXIF metadata on upload (thanks bitterdev)
- Implement Clear-Site-Data header after a successful login (thanks ahukkanen)
- ➕ Added block title format for Date Navigation block (thanks katalysis)
- Much improved Image block, including the ability to load images in lightboxes, display thumbnails of image in the page, and much more.
- ➕ Add delete button to package that is just uninstalled or downloaded (thanks hissy)
- 👌 Improved login performance when logging in with Remember Me cookie.
- 🆕 New Page Version Comment field available in page composer (thanks hissy)
- 🔒 Introduce new middlewares for security options (thanks hissy)
- 👉 User must now confirm the existing password when changing their own password or another user’s password in the Dashboard.
- Much improved asynchronous thumbnail generation process, with enhancements from the CLI task runner and Mercure (thanks bitterdev)
🐛 Bug Fixes
- Files are not placed in a folder's selected storage location if it has a custom storage location (thanks danklassen)
- 🛠 Fixes bug where files moved to folders were not using those folders storage locations (thanks danklassen)
- If a form redirects to an external page that includes a query parameter, the result is a malformed URL. (thanks JeffPaetkau)
- 🛠 Fixed error when marking URL slug as required in composer form (thanks httnnnkrng)
- 🛠 Fixed: User workflows - User activation does not trigger on admin email validations (thanks bitterdev)
- Document Library - Handle missing folder
- Avoid an exception on express_entry_detail block when the express form ID does not exist (thanks biplobice)
- Copied block with no edit mode has "edit block" link which throws exception (thanks gutig)
- 🛠 Fixed bugs within Redis-powered full page caching driver (thanks matt9mg)
⚡️ Developer Updates
- 🚚 Badges and community points have been removed from the core. If you need this functionality, install the Community Badges add-on from https://github.com/concrete5/community_badges prior to upgrading your site.
- Concrete now runs on PHP 8.
- 📦 Tools have been completely removed, including from blocks and packages. Their functionality has been more securely and flexibly available with the routing and controller systems for many years now. (thanks mlocati!)
- Completely rebuilt new queue system, built on Symfony Messenger.
- Completely new command/message system, built on Symfony Messenger.
- ⚡️ Many core components updated to their latest version, including Laravel and Symfony components.
- ➕ Add overridable collection handle generator (thanks hissy)
- Removing old process.php script for backend requests.
- Introducing a new command bus pattern. Developers can use it to encapsulate their commands, reusing them with one or two lines in multiple places.
- Swapped underlying HTTP client with Guzzle and PSR7.
- 👍 Router adds support for single action controllers with __invoke (thanks shahroq)
- 👍 Allow Form helper to handle new HTML input types (thanks JohnTheFish)
- https://github.com/concrete5/concrete5/pull/9479 (thanks jeffPaetkau)
- Blacklist/whitelist terminology renamed throughout the core.
Backward Compatibility Notes
- 📚 If you use $app->make() or anything similar in your packages, and provide arguments to these classes at the same time, recent updates to the Laravel Container class may break some older code. Please see this tutorial for more information: https://documentation.concretecms.org/tutorials/add-developers-get-your-add-ons-ready-concrete-cms-90
- Beginning in version 8, we added the ability to override core elements from within your themes. For example, if the core requires an element via View::element('conversations/add_post'), the core looks for it in concrete/elements/conversations/add_post.php. However, if the currently active theme provides this element in themes/my_theme/elements/concrete/conversations/add_post.php, it will be used instead. We are changing this to remove the concrete/ directory from the elements directory within your theme. That means in order to override any core element from within your theme, you only need to make it available at the same path within the elements/ directory of your theme.
- 👀 If you register custom help for specific pages in your package, make sure to do so from within your package’s on_start method rather than from within the Dashboard page. Our new help panel requires this. See https://github.com/concrete5/concrete5/issues/9869#issuecomment-927136592 for more information.
- Console command c5:blacklist:clear has been renamed
- If you work with Concrete cookies directly in your server configurations, be aware that they have been renamed. The default session cookie has been changed from CONCRETE5 to CONCRETE; the default is-logged-in cookie has been changed from CONCRETE5_LOGIN to CONCRETE_LOGIN.
🐛 Bug Fixes
- 🛠 Fixed issue where remote updater would read the entire update into memory, leading to potential out of memory errors when updating the core.
- 🛠 Fixed error when setting global calendar permissions in the Dashboard.
- 🛠 Fixed issue where reset users weren’t properly notified when logging in that their passwords needed to be changed (thanks hissy)
- 🛠 Fixed: reCAPTCHA timeout after 2min (thanks JeffPaetkau)
- 🛠 Fixed: fatal error on upgrade french version 8.5.5 to 8.5.6, "2 plural forms instead of 3" (thanks mlocati)
- 🛠 Fixed error with rich text conversation editor not working (Thanks hissy)
- 🛠 Fixed issue with URLs being case sensitive in some internationalization cases (thanks dimger)
- 🛠 Fixes to topic attribute search index content (thanks hissy)
- 🚧 Maintenance mode now returns the 503 HTTP error code when running (thanks hissy)
- 🛠 Fix "Call to a member function isDefault() on null" error on the site upgraded from 5.7 when using the migration tool (thanks hissy)
- 🛠 Fixed issue where rich text attribute type wasn’t showing a full toolbar (note: in the future we want to make this an option, and strongly recommend users use this smaller, sanitized toolbar – but it should be an option, not the default.)
- If a file has a password in the file manager, you will not be able to view it inline in the rich text editor.
- 🛠 Fixed: Changing database charset in dashboard throws error: call to a member function add() on null (thanks myq)
⚡️ Library Updates
- ⬆️ Bump CKEditor from 4.16.1 to 4.16.2 (thanks hissy)
🔒 Security Fixes
- 🛠 Fixed CVE-2021-22966: Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a bulk update permission security check. Concrete CMS Security team CVSS scoring: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H. Credit for discovery: "Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )". This fix is also in Concrete version 9.0.0
- 🛠 Fixed CVE-2021-40101: Admin users must now provide their password when changing another user’s password from the Dashboard. Concrete CMS security team CVSS scoring is 6.4 AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H. Credit for discovery: "S1lky". This fix is also in Concrete version 9.0.0
- 🛠 Fixed CVE-2021-22968: A bypass of adding remote files in the Concrete CMS File manager led to remote code execution. We added a check for the allowed file extensions before downloading files to a tmp directory. Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N. Thanks Joe for reporting! This fix is also in Concrete version 9.0.0
- 👀 Fixed CVE-2021-22951: “Unauthorized individuals could view password protected files using view_inline”. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, we don’t render the file. Concrete CMS security team CVSS scoring is 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. Credit for discovery: "Solar Security Research Team". This fix is also in Concrete version 9.0.0
- 🔒 Follow up fix for CVE-2021-40107: Stored XSS in comment section/FileManager via "view_inline" option. We were informed the fix put into version 8.5.6 was not sufficient. Thanks "Solar Security Research Team". We now check to see if a file has a password in view_inline and, if it does, we don’t render the file. Concrete CMS security team CVSS scoring is 5.3: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. This fix is also in Concrete version 9.0.0
- 🛠 Fixed CVE-2021-22967: insecure indirect object reference (IDOR); an unauthenticated user was able to access restricted files by attaching them to a message in a conversation. To remediate this, we added a check to see if a user has permissions to view files before attaching the files to a message in "add / edit message". The Concrete CMS security team gave this a CVSS v3.1 score of 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. Thanks Adrian H for reporting! This fix is also in Concrete version 9.0.0
- 🛠 Fixed CVE-2021-22969: SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (e.g. AWS) IAM keys. To fix this, Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS. The Concrete CMS team gave this a CVSS v3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N. Discoverer: Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/). Please note that Cloud IAAS provider mis-configurations are not Concrete CMS vulnerabilities. A mitigation for this vulnerability is to make sure that the IMDS configurations are according to a cloud provider's best practices. This fix is also in Concrete version 9.0.0
- 🛠 Fixed CVE-2021-22970: Concrete allowed local IP importing, causing the system to be vulnerable to (a) SSRF attacks on the private LAN servers and (b) SSRF Mitigation Bypass through DNS Rebinding. Concrete now disables all local IPs through the remote file uploading interface. Concrete CMS security team gave this a CVSS v3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N. This CVE is shared with HackerOne Reports #1364797 (thanks Adrian Tiron from FORTBRIDGE, https://www.fortbridge.co.uk/) and #1360016 (thanks Bipul Jaiswal). This fix is also in Concrete v 9.0.1
🆕 New Features
- ➕ Added Session Options Dashboard page that will allow administrators to configure many aspects of the session cookie.
- ➕ Added support for translation placeholders (thanks shahroq)
- 💻 Re-enabled connect to community for the marketplace; reworked to sidestep issues with browser cookie compatibility
- ➕ Add autocomplete=off to various password fields.
- ⚡️ "Index Search Engine - Updates" job should not re-index all entries (thanks hissy)
- 🛠 Fix default formatting of datetime exports in express export csv (thanks deek87)
- 👌 Improvements to IP parsing for actions like allowlist/blocklist (thanks mlocati)
🐛 Bug Fixes
- 🛠 Fixed error when pages weren’t getting accurately set in the full page cache.
- 🛠 Fixes for errors/warning occurring with PHP 7.3 and 7.4 when "Consider warnings as errors" is set (thanks arielkamoyedji)
- ➕ Additional dialogs within CKEditor link dialog (Sitemap, Browse Server) prevent further page scrolling even after being closed (thanks hissy)
- 🛠 Fix error attaching a Facebook account to a user profile (thanks biplobice)
- 🛠 Fixed disappearing survey and calendar event dialogs in some cases (thanks hissy)
- 🐛 Bug fixes on switching language using the Switch Language block (thanks biplobice)
- 🛠 Fixed inability to save channel logging settings on the Dashboard page (thanks Hmone23)
- 🛠 Fixed bug where layouts can’t be moved above blocks (thanks Haeflimi)
- 🛠 Fixed bug in the 8.5 file manager when selecting a single file in multi-file selector (thanks deek87)
- 🛠 Fix to show page drafts created by the current user (thanks hissy)
- 🛠 Fix user selector attribute being un-searchable (Note: you will have to recreate your attributes before they are properly searchable).
- 🐛 Bug fixes to search popup with pagination (thanks deek87, katz, hissy)
- 🛠 Fixed 403 Error in Page Defaults when using REDIS for Caching (thanks deek87)
🔒 Security Fixes
🔒 (Special thanks to Solar Security Research Team and Concrete CMS Japan)
- 🛠 Fixed Hackerone report 1102067, CVE-2021-40097: Authenticated path traversal to RCE by adding a regular expression
- 🛠 Fixed Hackerone report 1102080, CVE-2021-40098: Path Traversal leading to RCE via external form by adding a regular expression
- 🛠 Fixed Hackerone report 982130, CVE-2021-40099: RCE Vulnerability by making fetching the update json scheme from concrete5 to be over HTTPS (instead of HTTP)
- 🛠 Fixed Hackerone report 616770, CVE-2021-40100: Stored XSS in Conversations (both client and admin) when Active Conversation Editor is set to "Rich Text"
- 🛠 Fixed Hackerone report 921288, CVE-2021-40102: Arbitrary File delete via PHAR deserialization
- 🛠 Fixed Hackerone report 1063039, CVE-2021-36766: Security issues when allowing phar:// within the directory input field. (thanks deek87)
- 🛠 Fixed Hackerone report 1102211, CVE-2021-40103: Path Traversal to Arbitrary File Reading and SSRF
- 🛠 Fixed Hackerone report 1102088, CVE-2021-40104: SVG sanitizer bypass by swapping out the SVG sanitizer in the core with this third party library darylldoyle/svg-sanitizer
- 🛠 Fixed Hackerone report 1102054, CVE-2021-40105: Fixed XSS vulnerability in the Markdown Editor class in the conversation options
- 🛠 Fixed Hackerone report 1102042, CVE-2021-40106: Unauth stored xss in blog comments (website field)
- 🛠 Fixed Hackerone report 1102020, CVE-2021-40107: Stored XSS in comment section/FileManager via "view_inline" option
- 🛠 Fixed Hackerone report 1102018, CVE-2021-40108: Adjusted core so that ccm_token is verified on "/index.php/ccm/calendar/dialogs/event/add/save" endpoint
- 🛠 Fixed Hackerone report 1102225 which was split into two CVEs: An attacker could duplicate topics and files which could possibly lead to UI inconvenience, and exhaustion of disk space.
- For CVE-2021-22949: Added checking CSRF token when duplicating files in the File Manager.
- For CVE-2021-22953: Added checking CSRF token when cloning topics in the sitemap.
- 🛠 Fixed Hackerone report 1102177, CVE-2021-22950: To fix CSRF in conversation attachment delete action, updated core to verify ccm_token when conversation attachments are deleted.
- 🛠 Fixed Hackerone report 1102105, CVE-2021-40109: To fix a reported SSRF vulnerability, the core was updated to disable redirects on upload, add an http client method to send request without following redirects, and put in a number of url/IP protections (examples: blocked big Endian urls, blocked IP variants from importing, prevented importing from hexadecimal/octal/long IPs)
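
The SSRF protections described for CVE-2021-40109 above, and for CVE-2021-22969 and CVE-2021-22970 earlier on this page (reject hexadecimal/octal/long IP forms, refuse local addresses, pin the validated IP instead of resolving again, do not follow redirects), can be sketched as follows. This is an added Python illustration, not Concrete CMS code: the function names, the injected resolver, and the use of `ipaddress`'s `is_global` as the definition of "not local" are assumptions.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# One dotted part as inet_aton-style parsers read it: hex (0x..), octal (0..), decimal.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


class BlockedURL(ValueError):
    """Raised when a remote-import URL must not be fetched."""


def parse_legacy_ipv4(host):
    """Return the IPv4Address a numeric host denotes, or None if it is a name.

    Covers the hexadecimal, octal, "long" (single integer) and short dotted
    forms that a plain dotted-decimal filter lets through.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    nums = [int(p, 16) if p[:2].lower() == "0x" else int(p, 8) if p[0] == "0" else int(p)
            for p in parts]
    *head, last = nums
    # Leading parts are single bytes; the last part fills all remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)


def is_public(ip):
    # Unwrap ::ffff:a.b.c.d so a mapped loopback/private address is judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def system_resolve(host):
    """Default resolver: every address the system returns for the name."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def plan_fetch(url, resolve=system_resolve):
    """Validate a remote-import URL and return how to fetch it safely.

    The name is resolved exactly once; the caller connects to the returned
    address, so a later (rebound) DNS answer is never used.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURL("only http(s) URLs with a host are importable")
    host = parts.hostname
    literal = parse_legacy_ipv4(host)
    if literal is None:
        try:
            literal = ipaddress.ip_address(host)  # IPv6 literal (brackets stripped)
        except ValueError:
            literal = None
    if literal is not None:
        candidates = [literal]
    else:
        candidates = [ipaddress.ip_address(a) for a in resolve(host)]
    if not candidates:
        raise BlockedURL("host did not resolve")
    # Every answer must be public: one private record is enough to refuse.
    for ip in candidates:
        if not is_public(ip):
            raise BlockedURL(f"{host} maps to non-public address {ip}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {"connect_ip": str(candidates[0]), "port": port,
            "host_header": host, "follow_redirects": False}


def is_blocked(url, resolve=system_resolve):
    try:
        plan_fetch(url, resolve)
        return False
    except BlockedURL:
        return True


class RebindingResolver:
    """Constructed test double: public answer first, metadata address afterwards."""
    def __init__(self):
        self.calls = 0

    def __call__(self, host):
        self.calls += 1
        return ["93.184.216.34"] if self.calls == 1 else ["169.254.169.254"]
```

A real client then connects to `connect_ip` while sending `host_header` as the Host header (and TLS server name), and treats any redirect as a new URL to be validated from scratch.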
🆕 New Features
- Let user specify the SMTP HELO/EHLO domain for their SMTP server (thanks mlocati)
- ✂ Removed version from meta generator tag.
- ⚡️ CKEditor updated to 4.15.0 (thanks mlocati)
- Page drafts are now viewable by the view page draft permission (thanks HMone23)
- ⚡️ Updated list of UK counties (thanks Mesuva)
- ⚡️ Update CKEditor from 4.15.0 to 4.15.1 (thanks mlocati)
- 🛠 Fix: make email log readable by decode quoted printable text (thanks hissy)
🐛 Bug Fixes
- 🛠 Fixing bug where accidentally re-saving a theme preset layout (e.g. “Left Sidebar”) as a user preset would cause a site to become unresponsive.
- 🛠 Fixed bug where pages indexed through the CLI search index job weren’t indexed properly (thanks haeflimi)
- Page Selector attribute now properly searchable (thanks dimger)
- 👷 No longer fire event execute_job twice (thanks deek87)
- 🛠 Fixing error when rescanning a multilingual locale (thanks mlocati)
- 🛠 Fixed error or max execution timeout that can occur when logging out of multilingual websites (thanks hissy)
- 🛠 Fixed: [CKEDITOR] Error code: editor-element-conflict. (thanks mlocati)
- 🛠 Fixed error: No such file or directory error when editing an aliased block which is not editable (thanks mlocati)
- 🛠 Fix some issues when using tags on multilingual site (thanks hissy)
- 🛠 Fix duration of IP bans (they were supposed to last seconds but instead used the same value and in minutes) (thanks mlocati)
- 🛠 Fixed: Stacks don't update if caching is enabled (thanks hissy)
- 📜 Correctly parse non-decimal IP addresses (thanks mlocati)
- 🛠 Fix: enable to send private message to all groups at once (thanks hissy)
- 🛠 Fixed: Redis cookie handler always use the session name as a prefix (thanks mlocati)
- 🛠 Fixed an error where 404 does not work in multi language cases under certain situations (thanks hissy)
- ⬆️ More resilient upgrade routine when dealing with conflicting character sets in mysql (thanks mlocati)
- 🛠 Fix issue where a rich text field on a form block doesn't re-populate contents after submit (thanks Mesuva)
- 🛠 Fixed: Express Forms - CSV Export does not respect datetime format from config (thanks 1stthomas)
- 🛠 Fix bug: Express Form can generate same attribute keys for multiple attribute keys (thanks hissy)
- 🛠 Fixes filtering by multiple topic attributes on an item list (thanks hissy)
- Banned words with multibyte characters are now accurately detected (thanks hissy)
- 👉 Use UserMessageException when invalid path traversal is detected (thanks mlocati)
- 🚚 Do not remove picture elements on rendering textarea attribute value (thanks hissy)
- 🛠 Fix "call to a member function overrideCollectionPermissions() on a non-object" in AreaAssignment (thanks mlocati)
🔒 Security Fixes
- 🛠 Fixed CVE-2021-28145 XSS in Surveys fixed (thanks deek87)
- 🛠 Fixed CVE-2021-3111 Stored XSS on express entries H1 report 873474
⚡️ Developer Updates
- 👍 Allow routes with optional arguments (thanks mlocati)
🐛 Bug Fixes
- 🛠 Fixing update errors that can happen (Update causes exception): #8729 (thanks mlocati)
- 🛠 Fix certain occasions where editing pages would result in composer being unable to load blocks. Fixes error “Unable to load block into composer” (Note: this will fix the issue for pages going forward, but existing pages with this error will not be resolved.)
➕ Additional Functionality Present in 8.5.3 not described in previous release notes
🆕 New Features (Note: some of these are present in 8.5.3)
- ➕ Added the ability to copy, paste, import and export style customizer settings at the page level (thanks mlocati)
- ➕ Added new public identifier property to express entries; you can use this identifier to relate entries to each other, or within custom API requests in such a way that it can’t be guessed.
- ➕ Added a new Group custom attribute type for use with Express.
- ➕ Added the ability to specify file storage locations at the file folder level (thanks marvinde)
- ➕ Added the ability to send private messages to all users in a specific group.
- CSV files exported from Express objects now contain association data.
- ➕ Added the ability to show/hide survey results in the survey block.
- ➕ Added a console command to export express entities.
- ➕ Added the ability to require associations be selected in Express forms.
- ⚙ Running the reindex search all function will now reindex all Express entities and entries as well.
Behavioral Improvements (Note: some of these are present in 8.5.3)
- 👌 Improvements to code quality, speed and efficiency (thanks mlocati)
- 👌 Improvements to file importer code quality, better sanitization of problematic SVGs on upload. (thanks mlocati)
- 👀 Much improved address attribute logic and presentation for non North American countries/provinces/states – see #7943 (thanks ahukkanen)
- We now refresh the file manager after changing properties (thanks marvinde)
Developer Improvements (Note: some of these are present in 8.5.3)
- ➕ Added coding style guideline sniffer using phpcs directly into the concrete5 console (thanks mlocati)
- 🔨 Refactored file importer, added support for pre and post processors (thanks mlocati)
- 👍 Generalizes IP Blocking, making it easier for developers to add support for blocking IPs based on custom actions (thanks mlocati)
- 📦 Cleanup and improvements to the c5:package:pack command (thanks mlocati)
🆕 New Features
- ➕ Added the ability to display the version status on the results page of a Page Search (thanks biplobice)
- ➕ Added the ability to log API requests via a Dashboard setting (thanks Kaapiii)
- ➕ Add phone and email to social links (thanks mlocati)
- 👍 The YouTube Video block now supports lazy loading. (Thanks MrKarlDilkington)
- 🚚 Moves the custom block template selector from the advanced tab to buttons (thanks Mesuva)
- YouTube block: Delete 'show video information' option and change option name of showing related videos (thanks yuuminakazawa)
- Return a response object instead of exiting after saving a block (thanks mlocati)
- 🛠 Fixed: We don't have to generate thumbnails if the image is in the private storage location (thanks hissy)
- 🛠 Fixed potential errors that could result when adding invalid regular expressions into the Google authentication type whitelist/blacklist (thanks mlocati)
- 🚚 When you uncheck “include attribute in search index” then the columns will be fully removed from the search indexing tables (thanks mlocati)
- ⚡️ Update OAuth password check to use PasswordHasher class (thanks Mesuva)
- CKEditor: turn off 'Edit Source' before submit (thanks mlocati)
- 🛠 Fix issue with sitemap generation in multilingual sites (thanks dimger)
- concrete5 now handles session garbage collection if the server isn’t going to do it (thanks mlocati)
- Select Multiple now works from within the file manager again (thanks deek87)
- ⏱ When the user opens "Schedule Publishing" dialog, show a warning message if there is another scheduled version (thanks hissy)
- ➕ Add "Cancel Scheduled Publish" button in "Publish Pending" dialog (thanks hissy)
- 👉 Show a logout view to logged in users on the login page
- 🌲 More logging during OAuth attach/detach attempts.
- ➕ Added a unique page ID class to each page for page targeting (thanks Shahroq)
- ➕ Added a blacklist of file extensions to ensure that developers can’t easily add PHP to a list of uploadable file types (thanks mlocati)
- 👌 Improvements to logout speed under certain circumstances (thanks kkyusuke)
- 👍 Calendar block height set to auto for better display in small width areas (thanks nakazanaka)
- 🛠 Fixed: getUserAccessEntityObjects returns guest if no session found (thanks biplobice)
- The Refresh Token grant is now available for OAuth2 APIs (thanks kkyusuke)
- 👉 Use local date time format in CSV (thanks hissy)
- 🙋 Faster and safer duplication of FAQ/Image Slider blocks (thanks mlocati)
- ➕ Added an exception in case there's no template file to render (thanks iampedropiedade)
- ➕ Added raw and samesite options to cookie (thanks iampedropiedade)
- 👌 Improve distinction between log severity icons (thanks JohnTheFish)
🐛 Bug Fixes
- 🛠 Fixed inability to save blocks or do much of anything on Chrome 83 (relates to Chrome 83 behavioral change) (thanks bikerdave)
- 🛠 Fixing not sending password to RedisArray in session and cache drivers (thanks deek87)
- 🛠 Fixed bug where unnecessary localized stacks are generated when adding stacks to a multilingual site (thanks hissy)
- 🛠 Fixed: 8.5.2 - Chunked file uploads generate multiple files in the backend (thanks ahukkanen)
- 🛠 Fix flat sitemap in the trash view (thanks hamzaouibacha)
- 🛠 Fixed: Given a calendar event that was starting yesterday and ends tomorrow. It's a strange behavior if this event doesn't show up today in the calendars "events list" block (thanks core77)
- 🛠 Fixed multiple issues with user groups (thanks deek87)
- Failed to upload avatar on user account page because of ccm_token error (thanks deek87)
- 🛠 Fix file manager issue with number of items per page (thanks biplobice)
- 🛠 Fixed: Thumbnails broken for storage locations outside web root (thanks hissy)
- 🛠 Fixed: Unable to detach google account at My Account page due to null exception (thanks deek87)
- 🛠 Fixed inability to move multiple pages at once in certain situations (thanks wordish)
- Unable to paste the screenshot into content block (thanks deek87)
- 🛠 Fixed: Failing block validation denies any further access to that block if you cancel editing (thanks jlucki)
- 🛠 Fix user-selector events firing more than once (thanks deek87)
- 🛠 Fixed: CSS of Free-Form Layouts (or 'Custom Layouts') isn't loaded if the visitor is not logged in (thanks Ruud-Zuiderlicht)
- 🛠 Fixed inability to insert a link in Rich Text editor custom attributes in the Dashboard context (thanks mlocati)
- 🛠 Fixed XSS issue where admin could insert tags into image slider titles.
- 🛠 Fix error caused by invalid sort direction.
- 🏗 Build youtube embed url with the league url class to fix issues when malicious admin uses invalid URLs.
- 🛠 Fixed: [Bug] Single pages lose their path if location is resaved in sitemap or composer. (thanks dimger)
- 📱 [Fix] Image block hover option doesn't work for responsive images using the picture tag (thanks biplobice)
- 🛠 Fixed error when the sortBy column doesn't exist on the advanced search result (thanks biplobice)
- 🛠 Fixed: Setup on Child Pages updates all pages of the type, not the type / template combination (thanks danklassen)
- 🛠 Fixed: getUserAccessEntityObjects returns guest if no session found (thanks deek87)
- 🛠 Fixed: The folder name is null when you create it with name '0' (thanks biplobice)
- 🛠 Fix setting the emails subject a second time with an undefined variable (thanks Kaapiii)
- 🛠 Fixed: 404 does not work in multi language case (thanks Kaapiii)
- 🛠 Fixed: CKEDITOR errors shown in console (thanks mlocati)
- BC Fix: Make it so routes can echo their output (thanks mlocati)
- Fix token error on flag_conversation_message (thanks guyasyou)
- 🛠 Fix document library block error when file node type is other than File or FileFolder (thanks biplobice)
- 🛠 Fixed: Unable to save layout if it contains a Form block (thanks mlocati)
- 🛠 Fix initializing country/province link (thanks mlocati)
- 👻 Avoid exception on express attribute form during certain edge cases (thanks biplobice)
- 🔒 HackerOne security fixes (thanks mlocati)
- 🛠 Fix error on submitting workflow request to a deleted user (thanks hissy)
- 🛠 Fix height/width of edit folder permissions dialog (thanks deek87)
- ⚡️ php 7.2 fix for updating a conversation message (thanks danklassen)
- Replying to a conversation does not clear editor (thanks danklassen)
- 🏁 Don't check POSIX permissions of API public key on Windows (thanks mlocati)
- 🛠 Fixing draggable zone on filemanager to only accept file/folder nodes (thanks deek87)
- 🛠 Fixed: Currently in version 8.5.x sites that have been upgraded from 5.7 sites, you can no longer replace files (thanks deek87)
- 🛠 Fixed upgrading from 5.7 under certain database circumstances (thanks mlocati)
- 🛠 Fix wrong translatable strings placeholders (thanks mlocati)
- 🛠 Fixed: Loading malformed html into a content block does some funky stuff (thanks mlocati)
- 🛠 Fix H1 report 753567 (thanks hissy)
- Aliases are now shown in the Dashboard menu (thanks Ruud-Zuiderlicht)
- 📦 Make c5:package:uninstall --trash not throw an exception if there wasn't a problem (thanks nklatt)
- 🛠 Fix: Creating folders in the file manager doesn't create them in the right place
- 🛠 Fixed: Deleting a Form block instance for an Existing Express Entity Form can delete the original entity (thanks dimger)
- Avoid error on save page list block options with empty custom topic node (thanks hissy)
- 🛠 Fixed bug in alphabetizing multilingual sections (thanks biplobice)
- 🛠 Fixed bug where public date/time page property wasn’t being properly validated if it was marked as required in a composer form (thanks matt9mg)
- 🛠 Fixed potential YouTube block exception (thanks matt9mg)
- 🛠 Fixed: select filterByAttribute can return all results (thanks matt9mg)
- 🛠 Fixed order of parameters in some implode() methods (thanks shahroq)
- 🛠 Fixed PHP errors raised when calling View::action() method of an attribute (thanks mlocati)
- 🛠 Fixed certain block type errors in advanced permissions and stacks (thanks mlocati)
- 🛠 Fixed: CLI update fails if there is a package dependency such as MultiStep Workflow add-on
- 👍 Allow nested containers in custom theme layout presets (thanks jneijt)
- 👍 Allow the AuthorFormatter class to be overridden (thanks danklassen)
- ⚡️ Update concrete5 Translation Library (thanks mlocati)
- Code cleanup and improvements (thanks mlocati)
- [Fix] Config command with env option (thanks biplobice)
- 📦 Correctly set express entity package reference during import (thanks olsgreen)
- ➕ Added new buildRedirect method for easily creating redirects that honor the framework middleware from within controller methods (thanks mlocati)
- ⬆️ We now test installation and upgrades within Docker in our unit test suite (thanks mlocati)
- ⚡️ Update punic to 3.5.1 (thanks mlocati)
- ➕ Add the ability to easily inject custom Config drivers (loaders/saves) and implement Redis drivers.
- 🛠 Fix phpdoc of the \Concrete\Core\Form\Service\Validation::test() (thanks biplobice)
- 🛠 Fixed bug where update process wouldn’t use the interface LongRunningMigrationInterface to increase timeout (thanks mlocati)
- ➕ Add ForeignKeyFixer and c5:database:foreignkey:fix CLI command (thanks mlocati)