ApostropheCMS v3.4.0 Release Notes

Release Date: 2021-09-13
    🔒 Security

    • ⬆️ Changing a user's password or marking their account as disabled now immediately terminates any active sessions or bearer tokens for that user. Thanks to Daniel Elkabes for pointing out the issue. To ensure all sessions carry the data needed for this check, all users logged in via sessions at the time of this upgrade will need to log in again.
    • 🚚 Users with permission to upload SVG files could previously upload files containing XSS payloads. In Apostrophe 3.x the general public never has access to upload SVG files, so the risk is minor, but it could be used to phish access from an admin user by encouraging them to upload a specially crafted SVG file. Apostrophe typically displays SVG files via the img tag, which does not execute scripts embedded in the image, but an XSS attack might still be possible if the image were opened directly via the Apostrophe media library's convenience link for doing so. All SVG uploads are now sanitized via DOMPurify to remove XSS attack vectors. In addition, all existing SVG attachments not already validated are passed through DOMPurify during a one-time migration.
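The session-termination behaviour described above can be implemented without enumerating sessions at all. The following is an added illustration, not ApostropheCMS code: each user record carries a version counter, every session or bearer token records that counter when it is issued, and any credential whose recorded counter no longer matches is rejected. The in-memory stores and the field name `credentialsVersion` are assumptions made for this example.

```javascript
// Added illustration, not ApostropheCMS code: revoking every live session and
// bearer token for a user when their password changes or the account is
// disabled. The in-memory stores and the field name `credentialsVersion`
// are assumptions made for this example.
const crypto = require('crypto');

// Constructed in-memory stores standing in for the database.
const users = new Map();     // userId -> { _id, disabled, credentialsVersion }
const sessions = new Map();  // sessionId -> { userId, credentialsVersion }
const tokens = new Map();    // bearer token -> { userId, credentialsVersion }

function createUser(userId) {
  const user = { _id: userId, disabled: false, credentialsVersion: 1 };
  users.set(userId, user);
  return user;
}

// Every credential records the user's credentialsVersion at issue time.
function issueSession(userId) {
  const sessionId = crypto.randomBytes(16).toString('hex');
  sessions.set(sessionId, { userId, credentialsVersion: users.get(userId).credentialsVersion });
  return sessionId;
}

function issueBearerToken(userId) {
  const token = crypto.randomBytes(32).toString('hex');
  tokens.set(token, { userId, credentialsVersion: users.get(userId).credentialsVersion });
  return token;
}

// The step both "password changed" and "account disabled" share: bump the
// version on the user record so every previously issued credential stops
// matching. With a real database this is one atomic update on the user
// document; nothing has to enumerate or delete the sessions themselves.
function revokeAllCredentials(userId) {
  users.get(userId).credentialsVersion += 1;
}

function changePassword(userId /* , newPassword */) {
  // ...hash and store the new password here...
  revokeAllCredentials(userId);
}

function disableUser(userId) {
  users.get(userId).disabled = true;
  revokeAllCredentials(userId);
}

// Resolve a credential to its user, or null when the credential is unknown,
// predates the last revocation, lacks a version (a session created before
// this scheme was introduced), or belongs to a disabled account.
function authenticate(store, credential) {
  const record = store.get(credential);
  if (!record) return null;
  const user = users.get(record.userId);
  if (!user || user.disabled || record.credentialsVersion !== user.credentialsVersion) {
    store.delete(credential); // stale or revoked: drop it eagerly
    return null;
  }
  return user;
}

const authenticateSession = (sessionId) => authenticate(sessions, sessionId);
const authenticateBearerToken = (token) => authenticate(tokens, token);
```

A monotonically increasing counter is preferred here over comparing a `passwordChangedAt` timestamp against the credential's issue time, since it does not depend on clock resolution or skew between the servers that issue and the servers that validate. Sessions created before the version field existed carry no version and fail the comparison, which is the same effect the release note describes when it says existing session users must log in again.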
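When auditing a media library before or after a sanitizing migration, a practitioner usually wants a quick way to find SVG attachments that still carry active content. The following is an added example and is not ApostropheCMS or DOMPurify code: a coarse triage scan over raw SVG markup that flags script elements, foreignObject embeds, on* event-handler attributes, javascript:/vbscript:/data: URLs in href and src attributes (after undoing the whitespace and numeric-entity tricks browsers tolerate in a URL scheme), and animate/set elements that retarget an href. It is a detector meant to surface files for review, not a sanitizer; the element and attribute lists and the two sample SVGs are constructed for this example.

```javascript
// Added example, not ApostropheCMS or DOMPurify code: a coarse triage scan
// that reports SVG markup still carrying active content. It is a detector,
// not a sanitizer; sanitization itself should stay with DOMPurify.
const ACTIVE_ELEMENTS = new Set(['script', 'foreignobject', 'iframe', 'embed', 'object']);
const URL_ATTRIBUTES = new Set(['href', 'xlink:href', 'src']);
const DANGEROUS_SCHEMES = ['javascript:', 'vbscript:', 'data:'];

// Tag matcher that tolerates '>' inside quoted attribute values.
const TAG_RE = /<\s*\/?\s*([A-Za-z_][\w:.-]*)((?:[^>"']|"[^"]*"|'[^']*')*)>/g;
const ATTR_RE = /([A-Za-z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function decodeNumericEntities(value) {
  const toChar = (codePoint) =>
    Number.isFinite(codePoint) && codePoint <= 0x10ffff ? String.fromCodePoint(codePoint) : '';
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => toChar(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => toChar(parseInt(dec, 10)));
}

// Browsers drop ASCII controls and whitespace when reading a URL scheme, so
// "jav&#x09;ascript:" still executes; normalize the same way before matching.
function normalizeUrl(value) {
  return decodeNumericEntities(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
}

// Returns a list of findings ({ element, reason, detail }); empty means nothing flagged.
function scanSvg(svgText) {
  const findings = [];
  TAG_RE.lastIndex = 0;
  let tag;
  while ((tag = TAG_RE.exec(svgText)) !== null) {
    if (/^<\s*\//.test(tag[0])) continue; // closing tag
    const element = tag[1].toLowerCase();
    if (ACTIVE_ELEMENTS.has(element)) {
      findings.push({ element, reason: 'active element', detail: element });
    }
    ATTR_RE.lastIndex = 0;
    let attr;
    while ((attr = ATTR_RE.exec(tag[2])) !== null) {
      const name = attr[1].toLowerCase();
      const value = attr[2] ?? attr[3] ?? attr[4] ?? '';
      if (name.startsWith('on')) {
        findings.push({ element, reason: 'event handler attribute', detail: name });
      } else if (URL_ATTRIBUTES.has(name)) {
        const url = normalizeUrl(value);
        const scheme = DANGEROUS_SCHEMES.find((s) => url.startsWith(s));
        // data:image/... in an href is how embedded raster images are carried; leave it alone.
        if (scheme && !(scheme === 'data:' && url.startsWith('data:image/'))) {
          findings.push({ element, reason: 'dangerous URL scheme', detail: `${name}=${scheme}` });
        }
      } else if ((element === 'animate' || element === 'set') && name === 'attributename'
                 && URL_ATTRIBUTES.has(value.toLowerCase())) {
        findings.push({ element, reason: 'animation retargets a URL attribute', detail: value });
      }
    }
  }
  return findings;
}

const isSuspiciousSvg = (svgText) => scanSvg(svgText).length > 0;

// Constructed samples for this example.
const MALICIOUS_SVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <rect width="10" height="10"/>
  <a xlink:href="jav&#x09;ascript:alert(document.domain)"><text>click</text></a>
  <script>alert(2)</script>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"></body></foreignObject>
</svg>`;

const CLEAN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">
  <image width="10" height="10" xlink:href="data:image/png;base64,iVBORw0KGgo="/>
  <a xlink:href="https://example.com/"><rect width="10" height="10"/></a>
</svg>`;
```

Treat a non-empty result as "needs review", not as proof of an attack, and an empty result as "nothing obvious", not as proof of safety: the scan does not understand CDATA sections, comments, or XML entities declared in a DTD, and a tag-level regex is no substitute for a parser. That is precisely why the release note leaves sanitization to DOMPurify and why this scan is only useful as a cross-check on what a migration left behind.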

    🛠 Fixes

    • 🔒 The apos.attachment.each method, intended for migrations, now respects its criteria argument. This was necessary for the SVG sanitization migration above.
    • ✂ Removes a lodash wrapper around the @apostrophecms/express bodyParser.json options that prevented adding custom options to the body parser.
    • 👯 Uses req.clone consistently when creating a new req object with a different mode or locale for localization and similar purposes.
    • 🛠 Fixes a bug in the "select all" relationship chooser UI where it selected unpublished items.
    • 🛠 Fixes a bug in the "next" and "previous" query builders.
    • Cutting and pasting widgets now works between locales that do not share a hostname, provided that you switch locales after cutting (it does not work between tabs that are already open on separate hostnames).
    • ๐Ÿ‘ The req.session object now exists in task req objects, for better compatibility. It has no actual persistence.
    • Unlocalized piece types, such as users, may now be selected as part of a relationship when browsing.
    • The autocomplete feature of the relationship input field no longer allows unpublished localized pieces to be selected. The browse button already enforced this requirement; autocomplete formerly ignored it.
    • 💻 The server-side JavaScript and REST APIs to delete pieces now work properly for piece types that are not subject to localization or draft/published workflow at all (the localize: false option). UI for this is under discussion; this is just a bug fix for the back-end feature, which already existed.
    • 🛠 Starting in version 3.3.1, a newly added image widget did not display its image until the page was refreshed. This has been fixed.
    • 🛠 A bug that prevented Undo operations from working properly and resulted in duplicate widget _id properties has been fixed.
    • 🛠 A bug that caused problems for Undo operations in nested widgets, i.e. layout or multicolumn widgets, has been fixed.
    • Duplicate widget _id properties within the same document are now prevented on the server side at save time.
    • Existing duplicate widget _id properties are corrected by a one-time migration.

    ➕ Adds

    • ➕ Adds a linter to warn in dev mode when a module name includes a period.
    • 👕 Lints module names for apostrophe- prefixes even if they don't have a module directory (e.g., only in app.js).
    • ⚠ Starts all warnDev messages with a line break and warning symbol (⚠️) to stand out in the console.
    • 🗄 apos.util.onReady aliases apos.util.onReadyAndRefresh for brevity. The apos.util.onReadyAndRefresh method name will be deprecated in the next major version.
    • โž• Adds a developer setting that applies a margin between parent and child areas, allowing developers to change the default spacing in nested areas.

    🔄 Changes

    • ✂ Removes the temporary trace method from the @apostrophecms/db module.
    • 📚 Beginning with this release, the apostrophe:modulesReady event has been renamed apostrophe:modulesRegistered, and the apostrophe:afterInit event has been renamed apostrophe:ready. This better reflects their actual roles. The old event names are accepted for backwards compatibility. See the documentation for more information.
    • Only autofocuses rich text editors when they are empty.
    • Nested areas now have a vertical margin applied when editing, allowing easier access to the parent area's controls.