Kirby 2.0.5

This update is a security- and bugfix release. Please read the update instructions. Check out our tutorial on how to work with Git to learn more about a faster setup for updates.




Security fix

Kirby's URL auto-detection could theoretically be abused for a cross site scripting attacks (xss). This release fixes this vulnerability. We've also included a more secure way of handling multi-environment configuration files.

This release is recommended for all Kirby 2 sites.

Please don't hesitate to send us any questions or concerns about this issues:

Core updates

  • Additional field methods provided by @fvsch
    // you can now provide a fallback if the field 
    // is empty with the new or method
    $page->myfield()->or('Some fallback');
    // converts the field value to integer
    // returns the field value as boolean
  • Brackets in Kirbytags are no longer breaking them. Example:
    (twitter: getkirby text: Follow us (on Twitter))
  • Improved Field class with new field::value() method
  • Template data can now be set in plugins with tpl::set('key', 'value');
  • page::title now always returns a field object for better consistency
  • Fixed page::isOpen method for multi-language pages with custom URL-Keys
  • More secure way of handling multi-environment setups
  • Fixed popup attribute for image tags
  • The content.file.ignore option is back
  • New Parsedown and Parsedown Extra versions including various bugfixes
  • More reliable sorting number extractor for content folders

Panel updates

  • Line breaks in textareas are now being converted to LF on save.
  • Bugfix for titles containing html tags, which break the sidebar.
  • Bugfix for slug generation on entering a title for a new page containing ampersands
  • New Portuguese translation (Brazil)
  • New Finish translation
  • Updated German translation
  • Updated Czech translation
  • Updated Spanish translation (Latin America)
  • The field option for tag fields is now being recognized
  • Additional bugfix for tag field autocompletion
  • The date field value can now be overwritten on each update (add overwrite: true to field options)
  • The time field value can now be overwritten on each update (add overwrite: true to field options)
  • The required attribute for title fields can now be overwritten

Toolkit updates

  • New timer class for simple performance profiling.
  • Smarter widont method
  • Better f::safeFilename method, which does not remove @ . and _
  • Fixed issue with the html::attr method generating invalid HTML.
  • Input sanitization for server::get('SERVER_NAME') and server::get('HTTP_HOST').
  • url::current is now based on SERVER_NAME instead of HTTP_HOST
  • Bugfixes for the email class
  • Default values for columns in database::createTable
  • Router filters can now return false to invalidate a route
  • Support for protocol-free URLs in url::makeAbsolute
  • New omitFirstPage option for the Pagination class

Our partners

CDN by KeyCDN Search by Algolia