Release Notes

This release contains a potentially breaking change for the sake of security.

What's fixed

• Antlers hardening (Breaking: See PR for upgrade notes) #14092 by @jasonvarga
• External Glide URL validation #14101 by @jasonvarga
• Harden redirects #14099 by @jasonvarga
• Harden auth redirects #14089 by @duncanmcclean
• Fix user fieldtype search #14084 by @duncanmcclean
• Fix user name and email logic #14079 by @jasonvarga
• Sanitize SVGs #14077 by @jasonvarga
• Fix CSRF token on pages excluded from static caching #14056 by @duncanmcclean
• Improve PDF Viewer #14045 by @duncanmcclean
• Throw UnableToReadFile for invalid images in ImageGenerator #14043 by @mmodler
• Antlers user content and config #14058 by @jasonvarga
• Block methods in Antlers by default #14059 by @jasonvarga

What's fixed

• Fixes shouldUpdateUris regex adding additional brackets to Antlers #13995 by @martyf
• Validate password reset url #14023 #14008 by @jasonvarga
• Harden html rendering #14006 by @jasonvarga

What's fixed

• Correct test namespaces to avoid PSR-4 warnings #13989 by @duncanmcclean
• Sanitize html in html fieldtype #13992 by @jasonvarga

What's fixed

• Avoid replacing nocache regions in initial full-measure response #13953 by @duncanmcclean
• Fix Icon fieldtype augment error when value is empty #13966 by @jhhazelaar
• Fix whereIn()/whereNotIn() error for booleans #13952 by @duncanmcclean

What's fixed

• Revert etags #13933 by @jasonvarga

What's fixed

• Fix after_save preference not persisting when default preferences override 'listing' #13879 by @el-schneider
• Asset auth fix #13883 by @duncanmcclean
• Account for custom fields when checking if entry URIs should be updated #13859 by @duncanmcclean

What's fixed

• Add auth to asset routes #13810 by @jasonvarga

What's fixed

• Handle 0 values in text fields and null string in slugs #13786 by @joshuablum
• Fix multi-site URL invalidation in ApplicationCacher #13793 by @joshuablum

What's fixed

• Avoid showing large number of assets in listing #13758 by @jasonvarga
• Abort 404 when asset is not found in AssetsController #13741 by @mynetx

What's fixed

• Revert AssetContainer::accessible() visibility change #13673 by @duncanmcclean
• Fix: Prevent 304 responses without client cache headers #13654 by @mynetx
• Fix uninitialized property error from HandleEntrySchedule job #13648 by @duncanmcclean
• Bump lodash from 4.17.21 to 4.17.23 #13628 by @dependabot
• Avoid updating Bard value unless content has actually changed #13645 by @duncanmcclean

What's fixed

• Revert config values in forms #13632 by @jasonvarga

What's new

• Allow config values to be used in forms #11403 by @FrittenKeeZ
• Allow closure in cascade content hydration #13580 by @marcorieser

What's fixed

• AssetContainer::accessible() should take filesystem visibility into account #13621 by @duncanmcclean
• Augment appended form config fields for Antlers #13111 by @marcorieser
• Fix error from DefaultInvalidator when creating a nav #13596 by @duncanmcclean
• Prevent redirect when creating term via fieldtype #13595 by @duncanmcclean
• Handle null value gracefully #13598 by @aerni
• Fix existing field validation with prefixed fieldset imports #13551 by @duncanmcclean

What's new

• Support query scopes in navigations #13509 by @el-schneider

What's fixed

• Generate etag after nocache replacements #13433 by @mmodler
• Support custom validation rules for asset containers #13459 by @duncanmcclean
• Fix filterWhere with arrays #13507 by @aerni
• Dutch translations #13532 by @laurenskr

What's new

• PHP 8.5 Compatibility #13112 by @duncanmcclean
• Add ability to get raw array directly from Values object #13318 by @andjsch
• Make GetItemsContainingData hookable #13302 by @ryanmitchell

What's fixed

• Fix structure not being saved to collection #13479 by @jasonvarga
• Fix JsDriver::addToFormData call to match interface signature #13463 by @andrii-trush
• Fix add set button not overlap content on small container #13269 by @lecoa
• Terms Filter: Use terms fieldtype instead of select #13439 by @duncanmcclean
• Fix blueprint cache #13430 by @aerni
• Add Nav::clearCachedUrls expectation to AddonTestCase #13396 by @duncanmcclean
• Remove "Bulgarian Lev" from Currencies dictionary #13414 by @duncanmcclean
• Ensure field parent is set correctly #13305 by @aerni
• Invalidate nav's URL cache when collection/taxonomy/etc is created #13297 by @duncanmcclean
• Fix whereNotIn error with nulls #13266 by @jasonvarga
• Fix eloquent:import-users command with computed values #13260 by @duncanmcclean
• Fix page collection and mounted collection #13250 by @jasonvarga
• French translations #13300 by @ebeauchamps
• Bump validator from 13.15.20 to 13.15.22 #13234 by @dependabot
• Bump qs from 6.11.1 to 6.14.1 #13409 by @dependabot

What's new

• Pass original upload filename into AssetUploaded event #11423 by @daun
• Allow statamic URLs to use fragments or query strings #13085 by @miicah
• Add Glide Asset Cleared Event #13004 by @infabo

What's fixed

• Performance Optimizations for Stache and Query Operations #12894 by @hastinbe
• Avoid hardcoded nocache url in js #13199 by @JorisOrangeStudio
• Fix nocache tag not replacing element correctly #13177 by @duncanmcclean
• Date modifiers shouldn't return anything when value is empty #13178 by @duncanmcclean
• Terms fieldtype: Only show "Allow Creating" option when using stack selector #13151 by @duncanmcclean
• Ensure updated_at and updated_by is not null in TracksLastModified #13099 by @simonerd
• Correct namespace in FakesQueriesTest #13029 by @duncanmcclean
• Require url in nocache request #12975 by @Jade-GG
• Fix HTML entities in currency translations #12982 by @duncanmcclean
• Fix failing tests due to lowercase utf-8 charset #13213 by @duncanmcclean
• French translations #13136 by @ebeauchamps
• Bump lowest composer constraints #13037 by @jasonvarga
• Bump js-yaml from 3.14.1 to 3.14.2 #13097 by @dependabot