Release Notes

What's fixed

• Harden DataCollection sort value resolution #14693 by @duncanmcclean
• Fix token path traversal #14700 by @duncanmcclean
• Authorize relationship fieldtype data #14718 by @jasonvarga
• Fix asset fieldtype icon #14720 by @jasonvarga

What's fixed

• Harden remote URL validation #14645 by @jasonvarga

What's fixed

• Always show success when using forgot password form #14539 by @jasonvarga

What's fixed

• Harden query value resolution #14476 by @duncanmcclean
• Harden OrderBys #14474 by @duncanmcclean
• Remove negative assertions from TestCase #14458 by @duncanmcclean

What's fixed

• Add link tag to allowed Antlers tags #14438 by @edalzell
• Add @default support to Antlers content allowlists #14440 by @jasonvarga
• Fix Stache index re-entrancy causing null URIs on cold stache #14181 by @o1y
• Fix form submission types #14430 by @daun

What's fixed

• Harden OrderBys #14421 by @jasonvarga

What's fixed

• Fix term revisions error #14347 by @duncanmcclean

What's fixed

• Fix config through Antlers views #14328 by @jasonvarga
• Sanitize password reset form redirect value #14327 by @jasonvarga
• Restrict markdown preview endpoint #14326 by @jasonvarga
• Add authorization to revision routes #14301 by @duncanmcclean
• Add CSP header to svg route #14325 by @jasonvarga
• Relationship fieldtype authorization tweaks #14307 by @duncanmcclean
• Allow external redirects from Form::getSubmissionRedirect #14318 by @jasonvarga
• Handle more cases in external url detection #14312 by @jasonvarga
• Fix live preview token scope #14304 by @jasonvarga
• Fix PHP sanitization edge cases #14300 by @duncanmcclean

What's fixed

• Harden password reset #14296 by @jasonvarga
• Add additional URL::isExternalToApplication() tests #14288 by @duncanmcclean

What's fixed

• Prevent term creation via fieldtype without permission #14274 by @duncanmcclean
• Prevent path traversal in file dictionary #14272 by @duncanmcclean
• Sanitize SVGs on asset reupload #14270 by @jasonvarga

What's fixed

• Relationship endpoint authorization #14254 by @jasonvarga
• Fix ensure field has config #14195 by @marcorieser
• Removed a comment from the js code output of the StaticCacher #14233 by @micahhenshaw
• Acquire stache-warming lock in Duplicates::find #14176 by @mmodler

What's fixed

• Antlers config backwards compatibility #14146 by @jasonvarga
• Config parsing exclusion #14152 by @jasonvarga
• Fix Antlers parser state restoration #14151 by @jasonvarga
• Support Laravel Debugbar 4 #14142 by @jasonvarga
• Remove pdf css #14141 by @jasonvarga
• More Antlers defaults #14125 by @jasonvarga

This release contains a potentially breaking change for the sake of security.

What's fixed

• Antlers hardening (Breaking: See PR for upgrade notes) #14092 by @jasonvarga
• External Glide URL validation #14101 by @jasonvarga
• Harden redirects #14099 by @jasonvarga
• Harden auth redirects #14089 by @duncanmcclean
• Fix user fieldtype search #14084 by @duncanmcclean
• Fix user name and email logic #14079 by @jasonvarga
• Sanitize SVGs #14077 by @jasonvarga
• Fix CSRF token on pages excluded from static caching #14056 by @duncanmcclean
• Improve PDF Viewer #14045 by @duncanmcclean
• Throw UnableToReadFile for invalid images in ImageGenerator #14043 by @mmodler
• Antlers user content and config #14058 by @jasonvarga
• Block methods in Antlers by default #14059 by @jasonvarga

What's fixed

• Fixes shouldUpdateUris regex adding additional brackets to Antlers #13995 by @martyf
• Validate password reset url #14023 #14008 by @jasonvarga
• Harden html rendering #14006 by @jasonvarga

What's fixed

• Correct test namespaces to avoid PSR-4 warnings #13989 by @duncanmcclean
• Sanitize html in html fieldtype #13992 by @jasonvarga