
Grav Update v2.0.0 -> v2.0.1, most pages stopped rendering

Solved by Andy Miller

Started by astrorob 2 weeks ago · 3 replies · 164 views
2 weeks ago

Typhoon Theme, all pages worked perfectly in Grav v2.0.0.

After running the update to v2.0.1, some (most) pages which use Tabler icons or GitHub Markdown Alerts went blank. The rest of the theme renders correctly around it (Hero, footer etc.), as do modules such as Gallery. But the page or module with these specific elements... completely blank. Remove the Tabler Icon or GitHub Markdown Alert, and the full page renders correctly.

Ended up copying the bin, vendor and system folders from my 2.0.0 backup to restore my full pages.

Examples of problematic elements in affected pages in Grav 2.0.1:

[svg-icon=telescope class="text-primary" /]

or...

> [!IMPORTANT]
> Please park your car safely.

last edited 06/24/26 by astrorob
2 weeks ago

I found the config options to allow my pages to work in Grav 2.0.1:

  • Security
    • Filter on Events: No
    • Then delete SVG from the Dangerous HTML Tags List.

But how are these dangerous when they're installed by Grav Plugins, and using the syntax in their docs?

2 weeks ago Solution

Hi astrorob,

Thanks for the detailed write-up, and especially for narrowing it down to the security settings. That was the key clue. This is a genuine false positive on our side, not anything wrong with your setup or those plugins.

Here's what happened. 2.0.1 added a render-time security check that re-scans the final HTML of pages that process Twig in their content, to catch certain script-injection tricks. The problem is that the scanner can't tell a legitimate inline <svg> from a malicious one, and inline SVG is full of the exact things it's trained to be suspicious of (the xmlns attribute, <title> and <style> elements inside the icon, and so on). So any page that processed content Twig and rendered an inline SVG got blanked. That's why your Tabler icons and the GitHub-style alerts both broke: the alerts render an inline SVG status icon too.

You've got it working, but I'd suggest a cleaner workaround than disabling "Filter on Events" and editing the dangerous tags list, since those weaken protection across your whole site. Instead, turn off just the new render-time scan in user/config/security.yaml:

```yaml
twig_content:
  xss_scan_output: false
```

That leaves all the other XSS protections in place and only disables the over-eager output re-scan.

The proper fix is already done and lands in 2.0.2: the scan now skips legitimate inline SVG and MathML while still catching injected scripts around them, so icons and alerts render normally with no config changes needed. Once you're on 2.0.2 you can revert the workaround above.

Thanks again for the report.

— Andy
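To illustrate the false positive Andy describes, here is an added example (not Grav's own code and not from this thread) that models a dangerous-tag output scan in Python: the naive version blanks a rendered Tabler icon because of the `<title>` and `<style>` inside the SVG, while the SVG-aware version tolerates those two tags only inside an `<svg>` element and still flags scripts and `on*=` handlers, inside the SVG included. The HTML fragments, the tag list and the function names are constructed for the illustration and are not Grav's real configuration.

```python
import re

# Constructed sample fragments of rendered page HTML (not real Grav/Typhoon output).
TABLER_ICON = (
    '<svg xmlns="http://www.w3.org/2000/svg" class="text-primary" viewBox="0 0 24 24">'
    '<title>telescope</title><style>.a{fill:none}</style><path class="a" d="M6 21l6-5"/></svg>'
)
ALERT = ('<blockquote class="markdown-alert">' + TABLER_ICON
         + '<p>Please park your car safely.</p></blockquote>')
INJECTED_SCRIPT = '<p>hello</p><script>alert(1)</script>'
SCRIPT_IN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HANDLER_IN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><path onload="alert(1)" d="M0 0"/></svg>'

# Illustrative dangerous-tag list (assumption, modelled on the thread's description).
DANGEROUS_TAGS = ('script', 'style', 'title', 'iframe', 'object', 'embed', 'meta', 'link')
# Tags that are ordinary inside an inline SVG icon but suspicious elsewhere.
SVG_BENIGN = ('style', 'title')

TAG_RE = re.compile(r'<\s*(' + '|'.join(DANGEROUS_TAGS) + r')\b', re.I)
HANDLER_RE = re.compile(r'\son[a-z]+\s*=', re.I)      # inline event handler attributes
SVG_RE = re.compile(r'<svg\b.*?</svg\s*>', re.I | re.S)


def naive_scan(html):
    """2.0.1-style behaviour: any dangerous tag or on*= handler anywhere flags the page."""
    return bool(TAG_RE.search(html) or HANDLER_RE.search(html))


def svg_aware_scan(html):
    """Refined check: <title>/<style> nested in <svg>...</svg> are tolerated;
    <script> and event-handler attributes are still flagged everywhere."""
    if HANDLER_RE.search(html):
        return True

    def clean_svg(match):
        # Remove only the benign title/style blocks that sit inside this <svg> element.
        inner = match.group(0)
        for tag in SVG_BENIGN:
            inner = re.sub(r'<\s*%s\b.*?</%s\s*>' % (tag, tag), '', inner, flags=re.I | re.S)
        return inner

    stripped = SVG_RE.sub(clean_svg, html)
    return bool(TAG_RE.search(stripped))


if __name__ == '__main__':
    for name, frag in [('icon', TABLER_ICON), ('alert', ALERT), ('script', INJECTED_SCRIPT),
                       ('script-in-svg', SCRIPT_IN_SVG), ('handler-in-svg', HANDLER_IN_SVG)]:
        print('%-15s naive=%s svg_aware=%s' % (name, naive_scan(frag), svg_aware_scan(frag)))
```

The icon and the alert are flagged only by the naive scan, which is the blank-page symptom from the thread; the three injected fragments are flagged by both.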
