Kirby's URL auto-detection could theoretically be abused for cross-site scripting (XSS) attacks. This release fixes this vulnerability. We've also included a more secure way of handling multi-environment configuration files.
This release is recommended for all Kirby 2 sites.
Please don't hesitate to send us any questions or concerns about these issues: firstname.lastname@example.org
- Additional field methods provided by @fvsch
```php
// you can now provide a fallback if the field
// is empty with the new or method
$page->myfield()->or('Some fallback');
// converts the field value to integer
$page->myfield()->int();
// returns the field value as boolean
$page->myfield()->bool();
```
- Brackets inside Kirbytags no longer break them. Example:
(twitter: getkirby text: Follow us (on Twitter))
- Improved Field class with new field::value() method
- Template data can now be set in plugins with tpl::set('key', 'value');
- page::title now always returns a field object for better consistency
- Fixed page::isOpen method for multi-language pages with custom URL-Keys
- More secure way of handling multi-environment setups
- Fixed popup attribute for image tags
- The content.file.ignore option is back
- New Parsedown and Parsedown Extra versions including various bugfixes
- More reliable sorting number extractor for content folders
- Line breaks in textareas are now being converted to LF on save.
- Bugfix for titles containing HTML tags, which broke the sidebar.
- Bugfix for slug generation on entering a title for a new page containing ampersands
- New Portuguese translation (Brazil)
- New Finnish translation
- Updated German translation
- Updated Czech translation
- Updated Spanish translation (Latin America)
- The field option for tag fields is now recognized
- Additional bugfix for tag field autocompletion
- The date field value can now be overwritten on each update (add overwrite: true to field options)
- The time field value can now be overwritten on each update (add overwrite: true to field options)
- The required attribute for title fields can now be overwritten
- New timer class for simple performance profiling.
- Smarter widont method
- Better f::safeFilename method, which no longer removes @, . and _
- Fixed issue with the html::attr method generating invalid HTML.
- Input sanitization for server::get('SERVER_NAME') and server::get('HTTP_HOST').
- url::current is now based on SERVER_NAME instead of HTTP_HOST
- Bugfixes for the email class
- Default values for columns in database::createTable
- Router filters can now return false to invalidate a route
- Support for protocol-free URLs in url::makeAbsolute
- New omitFirstPage option for the Pagination class
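To illustrate the last two toolkit changes above (sanitizing server::get('SERVER_NAME') / server::get('HTTP_HOST') and basing url::current on SERVER_NAME), here is an added example of the defensive pattern; it is not Kirby's own code, and the function names sanitizeHost and currentUrl are assumptions:

```php
<?php
// Added example, not Kirby's implementation. It shows why a host value must be
// validated before it is used to build absolute URLs: HTTP_HOST is client
// controlled, while SERVER_NAME is set by the web server configuration.

/**
 * Return the host only if it looks like a hostname (optionally with a port).
 * Anything else (quotes, angle brackets, slashes, whitespace) is rejected so it
 * can never be reflected into generated markup or URLs.
 */
function sanitizeHost(?string $host): ?string
{
    if ($host === null) {
        return null;
    }
    $host = strtolower(trim($host));
    // labels of letters, digits and hyphens separated by dots, optional :port
    $pattern = '/^[a-z0-9]([a-z0-9-]*[a-z0-9])?'
             . '(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*(:[0-9]{1,5})?$/';
    return preg_match($pattern, $host) === 1 ? $host : null;
}

/**
 * Build the current absolute URL from SERVER_NAME rather than HTTP_HOST.
 * Returns null instead of a tainted URL when the host does not validate.
 */
function currentUrl(array $server, string $path = '/'): ?string
{
    $host = sanitizeHost($server['SERVER_NAME'] ?? null);
    if ($host === null) {
        return null;
    }
    $https  = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $scheme = $https ? 'https' : 'http';
    return $scheme . '://' . $host . $path;
}

// Constructed sample inputs (these are not real server values):
$trusted   = ['SERVER_NAME' => 'www.example.org', 'HTTPS' => 'on'];
$malformed = ['SERVER_NAME' => 'example.org"><b>x</b>'];

var_dump(currentUrl($trusted));          // valid host, URL is built
var_dump(currentUrl($malformed));        // rejected, nothing is emitted
var_dump(sanitizeHost('localhost:8080')); // host with port is accepted
```

In a deployment, SERVER_NAME only carries a trusted value when the virtual host sets it explicitly; with a catch-all vhost it can fall back to the request's Host header, so the sanitization step still matters.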