Release Notes

What's fixed

• Prevent term creation via fieldtype without permission #14274 by @duncanmcclean
• Prevent path traversal in file dictionary #14272 by @duncanmcclean
• Sanitize SVGs on asset reupload #14270 by @jasonvarga

What's fixed

• Relationship endpoint authorization #14254 by @jasonvarga
• Fix ensure field has config #14195 by @marcorieser
• Removed a comment from the js code output of the StaticCacher #14233 by @micahhenshaw
• Acquire stache-warming lock in Duplicates::find #14176 by @mmodler

What's fixed

• Antlers config backwards compatibility #14146 by @jasonvarga
• Config parsing exclusion #14152 by @jasonvarga
• Fix Antlers parser state restoration #14151 by @jasonvarga
• Support Laravel Debugbar 4 #14142 by @jasonvarga
• Remove pdf css #14141 by @jasonvarga
• More Antlers defaults #14125 by @jasonvarga

This release contains a potentially breaking change for the sake of security.

What's fixed

• Antlers hardening (Breaking: See PR for upgrade notes) #14092 by @jasonvarga
• External Glide URL validation #14101 by @jasonvarga
• Harden redirects #14099 by @jasonvarga
• Harden auth redirects #14089 by @duncanmcclean
• Fix user fieldtype search #14084 by @duncanmcclean
• Fix user name and email logic #14079 by @jasonvarga
• Sanitize SVGs #14077 by @jasonvarga
• Fix CSRF token on pages excluded from static caching #14056 by @duncanmcclean
• Improve PDF Viewer #14045 by @duncanmcclean
• Throw UnableToReadFile for invalid images in ImageGenerator #14043 by @mmodler
• Antlers user content and config #14058 by @jasonvarga
• Block methods in Antlers by default #14059 by @jasonvarga

What's fixed

• Fixes shouldUpdateUris regex adding additional brackets to Antlers #13995 by @martyf
• Validate password reset url #14023 #14008 by @jasonvarga
• Harden html rendering #14006 by @jasonvarga

What's fixed

• Correct test namespaces to avoid PSR-4 warnings #13989 by @duncanmcclean
• Sanitize html in html fieldtype #13992 by @jasonvarga

What's fixed

• Avoid replacing nocache regions in initial full-measure response #13953 by @duncanmcclean
• Fix Icon fieldtype augment error when value is empty #13966 by @jhhazelaar
• Fix whereIn()/whereNotIn() error for booleans #13952 by @duncanmcclean

What's fixed

• Revert etags #13933 by @jasonvarga

What's fixed

• Fix after_save preference not persisting when default preferences override 'listing' #13879 by @el-schneider
• Asset auth fix #13883 by @duncanmcclean
• Account for custom fields when checking if entry URIs should be updated #13859 by @duncanmcclean

What's fixed

• Add auth to asset routes #13810 by @jasonvarga

What's fixed

• Handle 0 values in text fields and null string in slugs #13786 by @joshuablum
• Fix multi-site URL invalidation in ApplicationCacher #13793 by @joshuablum

What's fixed

• Avoid showing large number of assets in listing #13758 by @jasonvarga
• Abort 404 when asset is not found in AssetsController #13741 by @mynetx

What's fixed

• Revert AssetContainer::accessible() visibility change #13673 by @duncanmcclean
• Fix: Prevent 304 responses without client cache headers #13654 by @mynetx
• Fix uninitialized property error from HandleEntrySchedule job #13648 by @duncanmcclean
• Bump lodash from 4.17.21 to 4.17.23 #13628 by @dependabot
• Avoid updating Bard value unless content has actually changed #13645 by @duncanmcclean

What's fixed

• Revert config values in forms #13632 by @jasonvarga

What's new

• Allow config values to be used in forms #11403 by @FrittenKeeZ
• Allow closure in cascade content hydration #13580 by @marcorieser

What's fixed

• AssetContainer::accessible() should take filesystem visibility into account #13621 by @duncanmcclean
• Augment appended form config fields for Antlers #13111 by @marcorieser
• Fix error from DefaultInvalidator when creating a nav #13596 by @duncanmcclean
• Prevent redirect when creating term via fieldtype #13595 by @duncanmcclean
• Handle null value gracefully #13598 by @aerni
• Fix existing field validation with prefixed fieldset imports #13551 by @duncanmcclean