Grav Changelog

v1.7.48

7 months ago

1. • New Trait for fetchPriority attribute on images #3850
2. • Fix for #3164. Adds aliases as possible commands during lookup #3863
3. • Fix style conflict with Clockwork and tooltips #3861

v1.7.47

7 months ago

1. • New Utils::toAscii() method
   • Added support for Clockwork Debugger to allow web UI (requires new clockwork-web plugin)
2. • Include modular sub-pages in last-modification date computation #3562
   • Updated vendor libs to latest versions
   • Updated JQuery to 3.7.1 #3787
   • Updated vendor libraries to latest versions
   • Support for Fediverse Creator meta tag #3844
3. • Fixes deprecated for return type in Filesystem with PHP 8.3.6 #3831
   • Fix for exif_imagtetype() throwing an exception when file doesn't exist
   • Fix JSON output comments check with content type #3859

v1.7.46

1 year ago

1. • Better handling of external protocols in Utils::url() such as mailto:, tel:, etc.
   • Handle GRAV_ROOT or GRAV_WEBROOT when / #3667
2. • Fixes for multi-lang taxonomy when reinitializing the languages (e.g. LangSwitcher plugin)
   • Ensure the full filepath is checked for invalid filename in MediaUploadTrait::checkFileMetadata()
   • Fixed a bug in the on_events REGEX pattern of Security::detectXss() as it was not matching correctly.
   • Fixed an issue where read_file() Twig function could be used nefariously in content #GHSA-f8v5-jmfh-pr69

v1.7.45

1 year ago

1. • Added new Image trait for decoding attribute #3796
2. • Fixed some multibyte issues in Inflector class #732
   • Fallback to page modified date if Page date provided is invalid and can't be parsed getgrav/grav-plugin-admin#2394
   • Fixed a path traversal vulnerability with file uploads #GHSA-m7hx-hw6h-mqmc
   • Fixed a security issue with insecure Twig functions be processed #GHSA-2m7x-c7px-hp58 #GHSA-r6vw-8v8r-pmp4 #GHSA-qfv4-q44r-g7rv #GHSA-c9gp-64c4-2rrh
3. • Updated composer packages
   • Updated bin/composer.phar to latest 2.7.2

v1.7.44

1 year ago

1. • Added PHP 8.3 to tests #3782
   • Added debugger messages when Page routes conflict
   • Added ISO 8601 date format #3721
   • Added support for .vcf (vCard) in media configuration #3772
2. • Update jQuery to v3.6.4 #3713
   • Updated vendor libraries including Dom-Sanitizer v1.0.7 that addresses an XSS issue
   • Updated bin/composer.phar to latest 2.6.6
   • Updated vendor libraries to latest
   • Updated language files
   • Updated copyright year
3. • Fixed a math rounding issue with number validation when using floating point steps #3761
   • Fixed an issue with Inflector::ordinalize() not working as expected #3759
   • Fixed various issues with file extension checking with dangerous extensions [#3756(https://github.com/getgrav/grav/pull/3756)]
   • Fix for invalid input to foreach in UserGroupObject #3724
   • Fixed exception: Property 'jsmodule_pipeline_include_externals' does not exist in object #3661
   • Fixed too few arguments exception in FlexObjects #3658

v1.7.43

2 years ago

1. • Add the ability to programatically set a page's modified timestamp via a modified: frontmatter entry
2. • Update vendor libraries
   • Include phar in the list of security.uploads_dangerous_extensions
   • When enabled system.languages.debug now dumps Key -> Value to debugger #3752
   • Updated built-in composer to latest 2.6.4 #3748
   • Added support for @import to ensure paths are rewritten correctly in CSS pipeline #3750

v1.7.42.3

2 years ago

2. • Fixed a typo in Utils::isDangerousFunction

v1.7.42.2

2 years ago

2. • In Utils::isDangerousFunction, handle double \\ in |map twig filter to mitigate SSTI attack
   • Better handle empty email in Validatoin::typeEmail()

v1.7.42.1

2 years ago

2. • Quick fix for isDangerousFunction when $name was a closure #3727

v1.7.42

2 years ago

1. • Added a new system.languages.debug option that adds a <span class="translate-debug"></span> around strings translated with |t. This can be styled by the theme as needed.
2. • More robust SSTI handling in filter, map, and reduce Twig filters and functions
   • Various SSTI improvements Utils::isDangerousFunction()
3. • Fixed Twig |map() allowing code execution
   • Fixed Twig |reduce() allowing code execution

v1.7.41.2

2 years ago

1. • Added the ability to set a configurable 'key' for the Twig Cache Tag: {% cache 'my-key' 600 %}
2. • Fixed an issue with special characters in slug's would cause redirect loops

v1.7.41.1

2 years ago

1. • Fixed certain UTF-8 characters breaking Truncator class #3716

v1.7.41

2 years ago

1. • Removed FILTER_SANITIZE_STRING input filter in favor of htmlspecialchars(strip_tags()) for PHP 8.2+
   • Added GRAV_SANITIZE_STRING constant to replace FILTER_SANITIZE_STRING for PHP 8.2+
   • Support non-deprecated style dynamic properties in Parsedown class via ParseDownGravTrait for PHP 8.2+
   • Modified Truncator to not use deprecated mb_convert_encoding() for PHP 8.2+
   • Fixed passing null into mb_strpos() deprecated for PHP 8.2+
   • Updated internal TwigDeferredExtension to be PHP 8.2+ compatible
   • Upgraded getgrav/image fork to take advantage of various PHP 8.2+ fixes
   • Use UserGroupObject::groupNames method in blueprints for PHP 8.2+
   • Comment out files-upload deprecated message as this is not going to be removed
   • Added various public Twig class variables used by admin to address deprecated messages for PHP 8.2+
   • Added parse_url to list of PHP functions supported in Twig Extension
   • Added support for dynamic functions in Parsedown to stop deprecation messages in PHP 8.2+

v1.7.40

2 years ago

1. • Added a new timestamp: true|false option for individual assets
2. • Removed outdated xcache setting #3615
   • Updated robots.txt #3625
   • Handle the situation when GRAV_ROOT or GRAV_WEBROOT are / #3625
3. • Fixed force_ssl redirect in case of undefined hostname #3702
   • Fixed an issue with duplicate identical page paths
   • Fixed BlueprintSchema:flattenData to properly handle ignored fields
   • Fixed LogViewer regex greediness #3684
   • Fixed whoami command #3695

v1.7.39.4

2 years ago

1. • Reverted a reorganization of account.yaml that caused username to be disabled admin#2344

v1.7.39.3

2 years ago

1. • Fix for overzealous modular page template rendering fix in 1.7.39 causing Feed plugin to break #3689

v1.7.39.2

2 years ago

1. • Fix for invalid session breaking Flex Accounts (when switching from Regular to Flex)

v1.7.39.1

2 years ago

1. • Fix for broken image CSS with the latest version of DebugBar

v1.7.39

2 years ago

1. • Vendor library updates to latest versions
2. • Various PHP 8.2 fixes
   • Fixed an issue with modular pages rendering thew wrong template when dynamically changing the page
   • Fixed an issue with email validation that was failing on UTF-8 characters. Following best practices and now only check for @ and length.
   • Fixed PHPUnit tests to remove deprecation warnings