Releases: concretecms/concretecms-core
9.3.8
Behavioral Improvements
- We now check whether is_featured is an event or page attribute and that it’s indexed properly before allowing you to filter the Event List or Page List blocks (thanks mlocati, ccmEnlil)
- When editing a locale-specific Stack in a multilingual website, we will now show that stack as a new segment in the breadcrumb (thanks mlocati)
Bug Fixes
- Fixed incorrect site tree being set when adding external links under a different multilingual site tree than the root (thanks mlocati)
- Fixed an invalid permission key that caused an error when updating files via the REST API (thanks hissy, mlocati)
- Fixed error when importing files from the incoming directory if you have a subfolder or file with no suffix under application/files/incoming under PHP 8 (thanks mlocati)
- Fixed incorrect stack being returned when referencing stack by name but a multilingual-specific version of the stack exists (thanks mlocati, SvanteArvedson)
- Fixed: fixed width and height for images in CKEditor do not work (thanks mlocati)
- Fixed: Document Library - Sorting does not work within Subfolders
- Fix exporting area layout column when area is null (thanks mlocati)
- Fixed error that could occur if you returned null when implementing your own entity manager entity location registries in your package controller (thanks JohnTheFish)
- Fixed inability to customize a board slot.
Developer Updates
- You can now specify package-specific options when installing packages in CIF XML (thanks mlocati)
- API improvements to the StackList object (thanks mlocati)
- Page::getByPath can now accept a as well as a site tree and return all pages in all multilingual site trees therein (thanks mlocati)
- Added getExternalProfileURL to the External Concrete authentication method controller (thanks mlocati)
9.3.7
9.3.6
New Features
- Added the ability to specify a custom filename pattern for downloading files from the file manager. Available placeholders are {title}, {extension} and (unknown) (thanks SashaMcr)
- Added the ability to set the default file manager column and sort order (thanks SashaMcr)
Behavioral Improvements
- CSV Export of Users now uses the “DateTime Format” for CSV options as defined in the Dashboard (thanks SashaMcr)
- Added width/height to image slider (thanks ajenkins-dev)
- Improved and refactored RSS displayer controller and view code (thanks SvanteArvedson)
- Improved performance of the Express Entry List block (thanks hissy)
- Miscellaneous performance improvements (thanks hissy)
- Fixed: Security Headers are not set when the full page is cached (thanks marcokuoni)
- Added more useful information to the Environment Information report (thanks JohnTheFish)
- Added more useful information about Block Types to the Block Types Dashboard page (thanks JohnTheFish)
Bug Fixes
- When a page is re-edited, topics in the child level of the topic attribute disappear (thanks hissy)
- Re-instate Dorset as an English County (thanks ajenkins-dev)
- Fixed: RSS displayer view function duplicates the received RSS posts (thanks SvanteArvedson)
- Fixed bug where custom styles applied to the Main area on a page would cascade into any stacks that were placed using the editor on the page.
- Fixed: Atomik documentation creation dies when not installed with full content
- Fixed: top navigation bar shows unapproved version of pages (thanks hissy)
- Fixed bug when editing an Express object with a results folder that was deleted (thanks dimger)
- Fix Accordion controller.php to allow pretty URLs in description field (thanks jbender0)
- Fix login with OAuth when there are attributes to be fulfilled (thanks mlocati)
- Fixed situation where choosing to filter a page list by a topic category didn’t work (only topics worked) (thanks hissy)
- Fixed bug where CMS UI tooltips weren’t displaying properly in non-Bedrock themes.
- Fixed: "Uploaded" header is active when I open a Choose File modal, but "Name" should be active instead (thanks hissy)
- Fixed error in the private messages mailbox if a message is received from a user who has been deleted (thanks wtflm)
- Fixed: Topics Filter UI Element in Event List Block does not re-populate properly.
9.3.5
New Features
- Added a Dashboard page for “File Chooser Options” on which you can configure the file chooser tab you want to be the default (thanks Mesuva)
- Added a new checkbox to enable “hreflang” on multilingual websites to the Multilingual Setup page (thanks leal-k)
Behavioral Improvements
- Replaced some uses of “concrete5” with Concrete throughout the codebase (thanks mlocati)
- Added width and height attributes to the image block and to some image thumbnails in order to reduce layout shift on load (thanks katalysis)
Bug Fixes
- Fixed some bugs that could occur when saving topic and Express attribute types (thanks alecbiela)
- Fixed issue where Auto-Nav and Express Form blocks couldn’t be edited or previewed reliably in global areas.
- Checkboxes for Exclude from Nav attributes are now translated properly (thanks leal-k)
- Fixed bug where the “Schedule” button in the composer page schedule dialog did nothing.
- Fixed bug in Top Navigation Bar block where clicking on items with sub-pages would not take you to the page.
- Fixed bug where block help dialog was not shown in Firefox (thanks alecbiela)
- Fixed: Unsetting form redirect destination throws error
- Fixed: Incorrect variable name in Youtube block
- Fix typo in DeleteGroupCommandHandler.php (thanks mlocati)
- Fixed: Cannot remove email notification from Form Block (thanks lea-k)
- Fixed: Swagger interactive API console fails to update page except for Super-admin
- Fixed bug in topic attribute export if no value was set (thanks RLHawk1)
Developer Updates
- Add Support for Javascript "module" and "importmap" types to the Asset System (thanks alecbiela)
- Improved output of the LatestMigrationTest unit test (thanks mlocati)
- Tweaks to API documentation (thanks dimger)
- List pages and view page children API methods now require the canViewPage permission instead of canViewPageInSitemap.
9.3.4
New Features
- Added the ability to search pages by their cache settings in the advanced page search (thanks SashaMcr)
Behavioral Improvements
- Added Discord to Social Links (thanks RLHawk1)
- We now require the redirect URL when adding a new API integration (thanks mlocati)
- Canonical URL is now validated when saving (thanks hissy)
Bug Fixes
- Fixed some errors in the Add block dialog on the Stacks Dashboard page when running Concrete in strict mode (thanks mlocati)
- You can no longer choose Guest or Registered Users as groups to assign to users (which you shouldn’t have been able to do).
- Fixed canonical URL sometimes not including the path to a subdirectory if the Concrete installation is in a subdirectory (thanks biplobice)
- Fixed: When selecting a topic to filter ExpressList, the previously selected topic remains (thanks hissy)
- c5:package:install CLI command: pass install options to install method (thanks mlocati)
Developer Updates
- Top Navigation Bar should work better on non-Bedrock themes (thanks RLHawk1)
- Some removals of deprecated Core::make() code from the core.
- Enhanced the c5:package:pack command to allow a flexible output path without requiring a zip file name (thanks biplobice)
Security Updates
- Fixed CVE-2024-8291 Stored XSS in Image Editor Background Color by sanitizing output of "Save Background Image Colour" in the file thumbnail dashboard single page with commit dbce253166f6b10ff3e0c09e50fd395370b8b065 for version 8 and commit 12183 for version 9. The Concrete CMS Security Team gave this a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Prior to the fix a rogue admin could add malicious code to the Thumbnails/Add Type. Thanks Alexey Solovyev for reporting HackerOne 921527.
- Fixed CVE-2024-7398 Stored XSS Vulnerability in Calendar Event Addition Feature with commit 7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5 for version 8 and commits 12183 and 12184 for version 9. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N. Prior to the fix, the calendar event name was not sanitized on output. Users or groups with permission to create event calendars could embed scripts, and users or groups with permission to modify event calendars could execute scripts. Thank you Yusuke Uchida for reporting HackerOne 2400810.
- Fixed CVE-2024-8660 Stored XSS in the "Top Navigator Bar" block with commit 12128. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Prior to the fix, a rogue admin could add a malicious payload. Since "Top Navigator Bar" output was not sufficiently sanitized, the payload could be executed when targeted users visited the home page. This does not affect versions below 9 since they do not have the Top Navigation Bar block. Thanks Chu Quoc Khanh for reporting HackerOne 2610205.
- Fixed CVE-2024-8661 Stored XSS in the "Next&Previous Nav" block with commit 12204 for version 9 and with commit ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4 for version 8. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Prior to the fix, a rogue admin could add a malicious payload. Since the "Next&Previous Nav" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users. Thanks Chu Quoc Khanh for reporting HackerOne 2610205.
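All four advisories above share one root cause: a string that an administrator stored through an edit form was later written into page HTML without escaping, so whatever markup it contained became part of the page for every visitor. The following is an added example (not Concrete CMS code, and not the fixing commits) showing that pattern in plain PHP: a block view rendering a navigation label the vulnerable way and the escaped way. The function names renderNavItemVulnerable, renderNavItemSafe and esc are hypothetical, and SAMPLE_LABEL is a constructed value standing in for a stored block field.

```php
<?php
// Added example (not Concrete CMS code): the output-escaping pattern behind
// the 9.3.4 stored-XSS fixes. A block view prints an admin-entered label
// into HTML; what matters is whether it is escaped at the point of output.

declare(strict_types=1);

// Constructed sample: a label as it might be saved from a block's edit form.
const SAMPLE_LABEL = 'Home <script>alert("hi")</script>';

// Vulnerable pattern (hypothetical name): the stored value is concatenated
// straight into markup, so any tags in the label are rendered as tags.
function renderNavItemVulnerable(string $label, string $href): string
{
    return '<li><a href="' . $href . '">' . $label . '</a></li>';
}

// Escaping helper (hypothetical name): encode for the HTML context the value
// lands in. ENT_QUOTES also encodes quotes, so the same helper is safe inside
// double-quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead
// of returning an empty string, which would silently blank the field.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern (hypothetical name): every interpolated value goes through
// the escaper; the stored data itself is left untouched.
function renderNavItemSafe(string $label, string $href): string
{
    return '<li><a href="' . esc($href) . '">' . esc($label) . '</a></li>';
}

// Self-check with the constructed label: the hardened output must carry the
// label as text, never as a live element.
$unsafe = renderNavItemVulnerable(SAMPLE_LABEL, '/');
$safe   = renderNavItemSafe(SAMPLE_LABEL, '/');

assert(str_contains($unsafe, '<script>'));
assert(!str_contains($safe, '<script>'));
assert(str_contains($safe, '&lt;script&gt;'));

echo $safe, PHP_EOL;
```

Escaping on output is the fix applied in each of the advisories, and it is the right place for it: the stored value stays intact for editing, and a view cannot forget to sanitize because the escaper sits on the output path. Note that HTML-encoding a value that lands in an href neutralizes tag and attribute injection but does not validate the URL scheme, so a field that accepts a link target needs its own scheme check in addition to escaping.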
9.3.2
Bug Fixes
- Fixed errors where copying a package after downloading it from the marketplace would throw an error under certain conditions.
- Fixed: moving a stack from Orphan Blocks into the page resulted in a 500 error (thanks JohnTheFish)
- Fixed: Stacks, Containers and Scrapbook blocks make the block cache longer than the block cache setting (thanks hissy)
- Fixed bug where boolean page attributes that are checked by default show up as checked even if they have previously been saved unchecked (thanks hissy)
- Fixed error when using workflow under certain conditions in PHP 8+ (thanks pszostok)
- Fixed: If you use advanced log configuration to set your own logger for Channels::META_CHANNEL_ALL, this logger gets applied to all core channels. Therefore you cannot set this at the same time as customising a specific core channel (thanks bikerdave)
Developer Updates
- Updated scssphp/scssphp to a newer version, tweaking some output of the theme customizer (thanks mlocati)
9.3.1
Behavioral Improvements
- 9.3.0 automatically checked and configured a canonical URL on installation, in order to improve marketplace connection reliability. This is not actually necessary, as initial marketplace connections do not require a canonical URL to function, so this behavior has been reverted to pre-9.3.0.
- When encountering a problem downloading a package, we now report the error in a nicer presentation.
- If the saving of remote data in a Concrete Site data object in the marketplace fails, it will fail silently and log the error, instead of outputting it.
Bug Fixes
- Fixed error when visiting the Dashboard Extend package under PHP 7.
- Fixed some minor marketplace connection errors when not running in UTC.
- Fixed bug where package showed up as ready to download from the marketplace even when it was already installed
9.3.0
New Features
- Support for the brand-new marketplace found at market.concretecms.com, featuring auto-connect, free trials on Concrete SAAS, Composer support for packages, a modern website and much more.
- Added support for webp images as the default thumbnail type when Concrete auto-generates thumbnails (thanks parasek)
- Added lazy loading as an option for the Image block (thanks parasek)
- Added an option to keep file manager folders at the top of the list of contents (instead of intermingled with files) (thanks hissy)
- When deleting user groups, users are now presented with an option as to what to do with child groups. (thanks mlocati)
- Make thumbnails generated by Image Helper SEO-friendly (thanks parasek)
- Atomik is now built on Bedrock 1.5 (Bootstrap 5.3)
- Dashboard theme is now built on Bedrock 1.5 (Bootstrap 5.3)
Behavioral Improvements
- Added a config value to toggle default behavior of "Keep Live Version Approved"-Toggle-Button (thanks marcokuoni)
- Added a confirm dialog box when cancelling out of the in-page rich text editor (thanks Mesuva)
- If users are prompted to save the username and password on install, the proper credentials will be saved for the admin user (thanks mlocati)
- Add attribute key handle next to attribute key name in the page type composer form add dialog (thanks parasek)
- Allow for setting/altering the User Logged by the Logging Service (Thanks haeflimi)
- File manager detail page now reloads when the file is swapped (thanks mlocati)
Bug Fixes
- Fixed: CKEditor Maximize plugin breaks editing when used in a dialog (thanks mlocati)
- Bug fixes and improvements to Boards (thanks marcokuoni)
- Fixed blank screen that showed when adding blocks to the composer page type form on first load (thanks parasek)
- Fixed bug where custom styles applied to a global area didn’t work.
- Fixed: When a page is re-edited, topics in the child level of the topic attribute disappear (thanks hissy)
Backward Compatibility Notes
- There has been some refactoring to the core class loaders and autoloaders. If you work with the autoloader directly or have extended the built-in Symfony autoloader classes, verify your changes work properly.
- The core themes now rely on Bootstrap 5.3 (Bedrock 1.5).
Developer Updates
- Significant improvements to the core autoloaders (thanks mlocati)
- The Dashboard and CMS are now using Bedrock 1.5 (built from Bootstrap 5.3) as their basis. This should be minimally invasive, but if some third party packages are not displaying properly, please verify that their markup conforms to Bootstrap 5.3.
- Removing trailing / from HTML header elements (thanks marcokuoni)
- Developers can now specify CLI shortcuts for fields added to their tasks, when they’re run via the CLI (thanks KnollElias)
9.2.9
Behavioral Improvements
- Added notifications into the interface about the new marketplace coming in Concrete CMS 9.3.0.
- Changed the field type for API integration redirect URIs from string to text, enabling better support for multiple redirect URIs.
- Broken Express objects will no longer attempt to be indexed, leading to errors on upgrade (thanks hissy)
- Removed the arbitrary 256MB upload limit when using the drag and drop file uploader. Increased to 4GB. (Note: limits based on PHP configuration are still in place – if your site is configured to have a lower limit than this for uploading this will not increase it.)
- Removed “concrete5” from the system help messages.
Bug Fixes
- Fixed bug where Add Pages/Navigate Sitemap icon was displayed in the Dashboard to users who didn’t have permission to actually do either of those operations.
- Fixed: QueuedReindexPageCommand failed when express entry detail block exists (thanks hissy)
- Fixed: Page List Custom Topics Category Filtering Not Working after 9.2.2 (thanks hissy)
- Fixed: Page Type Display Pages Beneath Page setting doesn't work (thanks hissy)
- Fixed: getPageIndexScore (unused in stock Concrete but perhaps used in certain configurations) would cause an error under PHP 8 if the score was undefined (thanks JohnTheFish)
- Fixed inability to add custom CSS classes with colons in them, which certain CSS frameworks like Tailwind require.
- Fixed: When multisite is enabled, the Form submission action gets executed on an incorrect page (thanks BSalaeddin)
- Fixed PHP 8 error for undefined $siteTypeID under certain conditions.
- Fixed error when using the calendar block in lightbox mode with a theme that didn’t include lightbox support (thanks hissy)
- Fixed: Date Time Widget is no longer translated.
- Fixed bug where users may not be prompted to validate their email address when user validation is required (thanks donaier)
- Fixed deprecation error "Decrement on bool" in page statistics (thanks mlocati)
- Minor fixes for PHP 8 compatibility (thanks shahroq)
- Removed obsolete line from search block controller save method (thanks shahroq)
- Fixed typo in ConfigServiceProvider (thanks biplobice)
Developer Updates
- SEOCanonical Class Add getIncludedQuerystringParameters (thanks ccmEnlil)
8.5.17
Behavioral Improvements
- Added notifications into the interface about the new marketplace coming in Concrete CMS 9.3.0.
Bug Fixes
- Backported fix from Concrete CMS 9: CollectionSearchIndexAttributes table is updated without approving the page version (thanks hissy)