Releases: getkirby/kirby

4.0.0

28 Nov 09:15
40eae8e

Kirby 4 is here! 🚀
Full release notes: https://getkirby.com/releases/4.0

4.0.0-rc.4

24 Nov 19:47
02eea26
Pre-release

This is a quick patch for an upload regression that we unfortunately introduced in the last RC. Please use this RC instead of RC.3.

4.0.0-rc.3

24 Nov 14:47
b1d6619
Pre-release

UPDATE

We unfortunately introduced an upload bug in this RC, which renders any uploads unusable. We are very sorry for that. Please use RC.4 instead: https://github.com/getkirby/kirby/releases/tag/4.0.0-rc.4

🚨 Security

During an internal security review of the Kirby 4 codebase, we have discovered two cross-site scripting (XSS) vulnerabilities in the changes dialog and the admin disable dialog for the new TOTP login feature.

Both vulnerabilities were introduced during the Kirby 4 alphas and betas and are fixed by this RC.

The vulnerabilities affect all Kirby sites on Kirby 4 alphas, betas or previous release candidates that might have potential attackers in the group of authenticated Panel users or that allow external visitors to create or update user accounts.

Sites on Kirby 3 are not affected.

✨ Enhancements

  • Add Vue target version to jsconfig #5971
  • Add missing class aliases to ease some breaking changes #5987
  • Field and section labels have title attribute #5994
  • colors library supports hex colors without leading # #5997
  • New disabled theme for <k-item> #5996

🐛 Bug fixes

  • Fix double-escaping bug in the Panel language view #5986
  • ImageMagick: fix focus-cropping bug (thanks to @mrflix) #5982
  • Block selector: fix for empty groups #5794
  • Object field: fix disabled table style #5957
  • Models fields: add disabled style #5959
  • Link field: fix model preview for too long titles #5924
  • Slug field respects custom allowed slug characters from Str::$defaults['slug']['allowed'] #5929
  • Buttons in field and section headers don’t wrap on narrow screens #5994
  • ColornameInput: only use getComputedStyle as last resort when colors library fails #5997

♻️ Refactored

  • Use the Vue object syntax for dynamic :style attributes to enhance the robustness and security #5986
  • Ensure the security of the Str::safeTemplate() method against code execution attacks with an automated test #5986

🚨 Breaking changes

  • $helper.string.slug: the allow parameter now defines the whole set of allowed characters, not just the characters in addition to a-z0-9 #5991

4.0.0-rc.2

21 Nov 10:14
d0f505e
Pre-release

✨ Enhancements

  • The selected color in the color field (options mode) now has a clear outline #5962
  • New $field->permalinksToUrls() method for writer fields #5551
  • Uuid::for() also parses permalinks now #5551
  • Remove extraneous string splitting in changes dialog #5970

🐛 Bug fixes

  • Fix header margin in the lab view
  • Fix structure field footer #5941
  • k-tabs: badges shown again #5969
  • Long help texts no longer overflow the layout #5966
  • Blocks: keep selected sort order #5896

3.9.8

14 Nov 11:15
1045a79

🎉 Features

  • New A::every(), A::find() and A::some() methods that implement the functionality of the JavaScript functions with the same names (thanks to @rasteiner) #5724
  • New option to add a CLI specific config file (thanks to @lukaskleinschmidt) #5581
    <?php
    // config.cli.php
    return [
        'option.one' => 1,
        'option.two' => 2,
    ];

✨ Enhancements

  • The System view in the Panel now warns when the used PHP version is end-of-life and no longer receives security updates. #5728
  • Files with the .pht extension can no longer be uploaded to a Kirby site to provide additional protection in older server setups beyond our recommendations in the security guide (thanks to @akabe1). #5925

🐛 Bug fixes

  • Blocks field: pasting HTML does not remove crucial spaces anymore in inline contexts #4702
  • The "Session ... is currently read-only because it was accessed via an old session" error is circumvented when the PHP sodium extension is available #5319
  • $collection->remove() and $collection->__unset() in Toolkit collections behave like $collection->set()/$collection->__set() by default and ignore the key case #5704
  • Append copy suffix of duplicated pages #5787
  • Fix searching for Unicode characters #5780
  • The backup copy of changed content now includes a JSON output for fields with structured data instead of scrambled data. #5791
  • The validation error "Please enter a date between ... and ..." for the date field now correctly includes the maximum date. #5920

4.0.0-rc.1

10 Nov 09:58
da7346e
Pre-release

✨ Enhancements

  • Exclude UI docs and lab from regular bundle #5909
  • k-stat supports new icon prop #5908
  • Tweaked style of Toggle input #5916
  • k-header: add warning for removed tabs support #5918
  • New activation tooltip and better design for the activation button in the menu. #5921
  • Switch to “Activate” wording instead of “register” #5922
  • Dom: New allowHostRelativeUrls sanitization option (true by default) to perform less strict checks when the HTML <base> element is used
  • Dom: Custom sanitization callbacks for attributes, elements and the doctype now also receive the $options array
  • Sane: New $isExternal mode specifically for external files that may be accessed directly

🐛 Bug fixes

  • Calendar input dropdown doesn't close without effect on click
  • Calendar input dropdown stays open when selecting a date
  • Calendar input dropdown: when clicking today button, also update the dropdown to show that date
  • Clicking a button in the textarea no longer changes the scroll position #5906
  • The textarea restores the size again after reverting changes #5871
  • The textarea scrolls to a new line again #5868
  • Removes breaking change: this.$library.autosize is back
  • Fix grid and border radius in the TOTP dialog #5911
  • Fix drag to empty blocks list #5910
  • UUID permalinks added via the link dialog of the writer field are no longer removed in subfolder setups #5208
  • Structure fields with gap fields can be added again
  • The pagination dropdown no longer disappears before a selection can be made #5940
  • Fix field states without options #5947
  • Page move dialog: fix currently selected #5573
  • Highlight selected values in multiselect field instead of hiding them #5744
  • Fix keyboard navigation in the Tags field filter input #5741
  • Proper scrolling overflow in the Multiselect and Tags dropdown #5627
  • Fixed overflow issue for the Multiselect and Tags dropdown on mobile #5629
  • Fixed tags field focus issue #5939

🚨 Breaking changes

  • When sanitizing DOM objects (e.g. in the writer field, but not
    during the sanitization/validation of uploaded files), host-relative
    URLs that point outside the site root are now allowed as the use of the
    HTML <base> element is assumed for sites in a subfolder. To revert to the old, strict behavior, set the allowHostRelativeUrls option to false.
  • New $isExternal argument for the Sane\Handler::sanitize() and ::validate() methods that custom Sane handlers need to implement; it makes it possible to
    differentiate between strings from external files that may be accessed
    directly and strings that will end up directly on the page

3.9.8-rc.1

07 Nov 11:27
1ce4180
Pre-release

🎉 Features

  • New A::every(), A::find() and A::some() methods that implement the functionality of the JavaScript functions with the same names (thanks to @rasteiner) #5724
  • New option to add a CLI specific config file (thanks to @lukaskleinschmidt) #5581
    <?php
    // config.cli.php
    return [
        'option.one' => 1,
        'option.two' => 2,
    ];

✨ Enhancements

  • The System view in the Panel now warns when the used PHP version is end-of-life and no longer receives security updates. #5728
  • Files with the .pht extension can no longer be uploaded to a Kirby site to provide additional protection in older server setups beyond our recommendations in the security guide (thanks to @akabe1). #5925

🐛 Bug fixes

  • Blocks field: pasting HTML does not remove crucial spaces anymore in inline contexts #4702
  • The "Session ... is currently read-only because it was accessed via an old session" error is circumvented when the PHP sodium extension is available #5319
  • $collection->remove() and $collection->__unset() in Toolkit collections behave like $collection->set()/$collection->__set() by default and ignore the key case #5704
  • Append copy suffix of duplicated pages #5787
  • Fix searching for Unicode characters #5780
  • The backup copy of changed content now includes a JSON output for fields with structured data instead of scrambled data. #5791
  • The validation error "Please enter a date between ... and ..." for the date field now correctly includes the maximum date. #5920

4.0.0-beta.3

02 Nov 14:28
cb45cea
Pre-release

🎉 Features

Second-factor auth via time-based one-time codes

TOTP (time-based one-time codes) are now supported for two-factor authentication via the new Kirby\Toolkit\Totp class #5654

<?php 
// /site/config/config.php

return [
  'auth' => [
    'methods' => [
      'password' => ['2fa' => true]
    ]
  ]
];

PHP 8.3 support

Kirby 4 now supports PHP 8.3 and drops support for PHP 8.0. #5774

New Panel Lab

Syntax highlighting in the k-code with prism

New Str::camelToKebab method

<?= Str::camelToKebab('fooBar') // output: foo-bar ?>

New k-text-drawer

this.$panel.drawer.open({
  component: "k-text-drawer",
  props: {
    text: "Hello world"
  }
});

New lab icon

Plugin assets get easily exposed via the PHP API #5641

  • New $plugin->assets() collection
  • New $plugin->asset('styles.css') method
  • New PluginAsset object with many methods, e.g. $plugin->asset('styles.css')->url()
  • Plugin asset's media url contains a modification timestamp to easily cachebust (e.g. https://getkirby.com/media/plugins/getkirby/test-plugin/2375797551-472389240/styles.css)
  • css() and js() helpers support passing plugin and plugin assets objects to include all assets of the plugin
css([
  'assets/css/index.css',
  $kirby->plugin('foo/bar')
]);

css([
  'assets/css/index.css',
  $kirby->plugin('foo/bar')->assets(),
]);

css([
  'assets/css/index.css',
  $kirby->plugin('foo/bar')->asset('styles.css'),
]);

New SymmetricCrypto class

User-friendly and safe abstraction for symmetrical authenticated encryption using the PHP sodium extension

use Kirby\Toolkit\SymmetricCrypto;

// encryption/decryption with a password
$crypto     = new SymmetricCrypto(password: 'super secure');
$ciphertext = $crypto->encrypt('a very confidential string');
$plaintext  = $crypto->decrypt($ciphertext);

// encryption with a random key
$crypto     = new SymmetricCrypto();
$ciphertext = $crypto->encrypt('a very confidential string');
$secretKey  = $crypto->secretKey();

// encryption/decryption with a previously generated key
$crypto     = new SymmetricCrypto(secretKey: $secretKey);
$ciphertext = $crypto->encrypt('a very confidential string');
$plaintext  = $crypto->decrypt($ciphertext);

More

  • New F::safeExtension() method #5760
  • New F::safeBasename() method #5760
  • New $date->formatWithHandler() method for Kirby date objects that allows using different date handlers or even the globally configured one (default).

✨ Enhancements

  • panel.menu config option can be a closure now that receives the $kirby object as argument
  • Floating notifications #5600
  • Tweaked styles for choice inputs (checkbox, radio, toggle) #5756
  • UX improvements for the multiselect and tags inputs #5742
    • Remove the label on top of the selector.
    • Don't show "no options" when query doesn't show any matches and
      creating a new option is allowed. The create button already provides
      enough context of what action is available. For accept: options keep the empty text to give context what's happening.
    • When replacing an existing tag that is an option, the replace button no longer shows #5743
    • Fixed disable state #5749
    • Text block: consistent padding for writer #5727
  • Items without links will now automatically be disabled in the breadcrumb
  • Search inputs: turn off autocomplete #5775
  • Str::date() and its dependents (e.g. F::modified(), File::modified(), Dir::modified()) now respect the globally configured date handler
  • Upgrade Symfony YAML to v6 #5778
  • The "Session ... is currently read-only because it was accessed via an old session" error is circumvented when the PHP sodium extension is available #5319
  • Removed the error boundary from k-fieldset. The error boundary kills the entire field/input if an error occurs, which is way too aggressive and also makes it more difficult to handle errors properly. #5790
  • New k-stat component #5801
  • New layout prop mixin #5802
  • New dumb k-toolbar #5806
  • k-navigate: support custom HTML element via element prop
  • Textarea supports toggling command, e.g. bold, code… #5837
  • New items size full #5849
  • New panel.isOffline state
  • Checking and writing content lock is skipped when Panel is offline #5890
  • Fix PluginAssets::clean() #5836
  • Writer supports directly switching from a list to paragraph #5886
  • New $helper.field.defaultValue(field) method
  • Better default value creation in $helper.field.form(fields)

🐛 Bug fixes

  • $site->search() allows to provide a string with field names as $params again #5713
  • Exceptions don't prefix i18n keys with error prefix if already prefixed
  • $collection->remove() and $collection->__unset() in Toolkit collections behave like $collection->set()/$collection->__set() by default and ignore the key case #5704
  • Keep layout settings after changing layout #5726
  • Link field: doesn't display site as option anymore #5717
  • Writer: adding link, insert text when no selected #5684
  • Disabled calendar and time pickers in disabled date and time fields #5735
  • Fix custom writer marks and nodes name #5733
  • Options, e.g. page options, won't override other roles' permissions anymore #5759
  • The tags and multiselect fields hide the add button when disabled #5723
  • Page create dialog: validate fields when directly publishing to not create orphaned page on errors #5616
  • Selector dropdown: fix glitch when resizing window #5746
  • Heading block: support toolbar option for writer #5703
  • Consistent @ k-string-input padding
  • Writer toolbar: active nodes are correctly handled #5751
  • Writer toolbar: paragraph node gets removed when editor doc doesn't support it
  • Select options with integer values work properly now #5013
  • Fixed reactivity in the fieldset component. This also fixes an issue with auto-filled inputs #5689
  • Fix pasting blocks when a required fieldset is not available #5769
  • Fix Panel::go() calls in dialog and drawer submit code.
  • Plugin asset CSS files no longer miss timestamps in the URL #5164 #148
  • Fixed option slot in the items table. The options column was always visible, no matter if the slot was set or not. #5792
  • Search now takes access permissions into account when deciding which types can be shown #5757
  • k-navigate: focusable elements are correctly detected for dynamic content
  • Fix styling glitches on k-tag
  • The thumb cache is only cleared when the focus point changed #5311
  • Toggle field preview: don’t open drawer when the toggle is clicked #5813
  • Fix random structure ids #5702
  • Fix outside click for blocks #5621
  • Fix multiselect for nested blocks #5626
  • Fix Search view [#5833](https://...

3.9.7

06 Oct 10:48
8bb22df

🎉 Features

Adds support for whoops.blocklist config option to mask variables that are displayed when showing errors with Whoops. (thanks to @HYR)

return [
  // mask everything
  'whoops' => [
    'blocklist' => [
      '_COOKIE' => array_keys($_COOKIE),
      '_SERVER' => array_keys($_SERVER),
      '_ENV' => array_keys($_ENV),
    ]
  ]
];

return [
  // mask specific things
  'whoops' => [
    'blocklist' => [
      '_SERVER' => [
        'AWS_ACCESS_KEY_ID',
        'AWS_SECRET_ACCESS_KEY',
      ],
    ]
  ]
];

✨ Enhancements

  • Prevent kirby as user id #5514
  • Supports passing callable to Database\Query::fetch() #5651 (thanks @adamkiss)
  • Str::pool(): New base32 and base32hex pools (useful when a Str::random() needs to be printed in a human-readable way without easy to confuse 0/O and 1/I). #5715

🐛 Bug fixes

  • Use k-text-input for text field if no specific component exists for its type #5369
  • Invalid cached UUIDs are now corrected when index lookup succeeds #5430
  • Allow plugin assets with the .mjs extension #5473
  • Fixed $page->isUnlisted() which falsely would return true for drafts #5506
  • List field: fix disabled writer #5526
  • Fix $collection->group() for case-sensitive #5631
  • Calling a single database row when using a fetch closure works now #5640 (thanks @adamkiss)
  • Fix layout dropdown in structure field #5267

📚 Docs

  • Add note on dist files to contributing guide #5480

4.0.0-beta.2

28 Sep 14:57
ee62955
Pre-release

🎉 Features

  • QR code generation built into Kirby: New Kirby\Image\QrCode class, qr() helper function and ->toQrCode() field method #5666
    $qr = new Kirby\Image\QrCode('https://getkirby.com');
    $qr->toSvg(color: '#ff00ff');
    $qr->toDataUri(color: '#ff00ff');
    $qr->write(file: 'qr.png', size: 750, back: '#efefef');

    qr('https://getkirby.com')->toSvg();
    $page->myLinkField()->toQrCode()->toSvg();
  • New k-alpha-input and k-hue-input #5693
  • New k-color-frame component to preview color swatches #5686
  • New k-coloroptions-input #5696 and k-colorname-input #5699
  • New k-search-input component #5705
  • New LazyValue class that can be used to resolve a value lazily. Collections and controllers use it to resolve many of Kirby's objects only when the collection/controller requests them, improving performance #5608

✨ Enhancements

  • k-tabs is now fully responsive #5583
  • k-pagination always can be navigated by keys (no extra prop needed anymore) #5578
  • ModelsSection: use Filter as label #5612
  • Text fields: new font: monospace option https://kirby.nolt.io/558
  • panel.css and panel.js config options now also support arrays with multiple entries as well as absolute URLs #5602
  • Responsive: show only text for language dropdown #5577
  • Notification: support custom icons #5601
  • Files, pages and users fields more consistent #5637
  • Blocks field: improve UI for no fieldsets #5679
  • k-calendar-input is now set up as a proper fieldset with legend and additional aria labels for improved accessibility. #5695
  • k-tag supports an image/icon frame #5686
  • Link field uses native k-tag image for preview #5686
  • Color field preview uses k-tag with k-color-frame in image slot #5686
  • Improved grids: Only break to single column at 30rem, not 40rem
  • Improved focus styles for links and the flag preview in tables
  • Improved text overflow behavior for links in tables
  • The color field now also translates valid CSS color names
  • Various table improvements
    • Better focus styles for the option and flag buttons in the table
    • Simplified CSS styles for the table
    • New --table CSS properties for more control
    • Better mobile responsiveness for tables with a scrollable container instead of hiding cells
    • Better disabled state with aria-disabled property
    • New disabled property for the k-options-dropdown component
    • More reliable margin rules for k-text
    • Full k-text style support for the k-html-field-preview component
    • The table rows are now the same height as inputs, boxes and items, which cleans up the design quite a bit
    • All field previews now use the --table-cell-padding property to control their padding, which leads to more reliable styling options
    • All table setup variants have examples in the lab
  • New selected prop for k-button to set the aria-selected attribute. #5698

🐛 Bug fixes

  • Color field: added backend validation #5570
  • Color field: support grad, rad and turn angles for hsl format #5589
  • Fix color field border radius #5655
  • Fixed dropdown positioning in RTL languages #5599
  • Fixed return type for create methods #5586
  • Creating listed pages no longer bypasses permissions #5365
  • Fix regression for automatic plugin assets #5620
  • Fixed problem deleting images in pages/files field #5623
  • Fixed overflow issue in grids #5633
  • Upload dialog: fix error overflow #5622
  • The file upload now creates files with the right extension if the format is converted #5593
  • Fixed reading invalid block types #5660
  • Blocks field: max option respected when pasting blocks #5673
  • Allow to use SVG fill attributes again #5668
  • Blocks can be pasted before the selected block via the “insert before” dialog #5678
  • $page->search() allows to provide a string with field names as $params again getkirby.com#2094
  • Fix collapsing block fields preview #5669
  • Fix sticky columns #5664
  • Fixed translation string for the blocks field
  • The link field shows up correctly if no options are defined
  • The current scroll position is now correctly restored when opening a dropdown. This will no longer cause the main view to scroll up when a dropdown is opened. #5691
  • k-calendar-input can now receive a regular iso date as value.
  • File preview: fixed thumb placement and sizing in Safari #5605 #5604 #5603
  • File view: fixed issues with the Panel menu when resizing in Safari #5606
  • k-bubbles-field-preview and all other previews that extend it now correctly display when there are no bubbles
  • k-color-field-preview correctly displays the pattern when no color is set
  • The sticky header in the table now uses the --header-sticky-offset to fix its stickiness.
  • Various block fixes
    • Added default values for object props to avoid breaks
    • Fixed various inconsistencies in k-block-title styles
    • Better defaults and removed outdated props in k-block-figure
    • Fixed padding in the block header of the field block type component.

♻️ Refactored

  • k-pagination: removed unused align and dropdown props #5578
  • Clean up type hints for Str::short() #5688
  • k-color is now k-colorpicker-input #5685
  • k-coords is now k-coords-input #5685
  • Better reset for range inputs, stored in styles/rests/range.css
  • k-colorpicker-input now uses the new inputs
  • The basic choice styles have been moved to styles/reset/choice.css
  • k-time-field-preview now extends k-date-field-preview and improves time parsing and the default formatting
  • The fieldPreview mixin defines proper defaults for column and field
  • k-toggle-field-preview uses the low level k-toggle-input instead of k-input to avoid unnecessary markup
  • k-timeoptions-input replaces k-times. k-times is still available as deprecated alias. #5698
  • Date and Time fields use the new k-timeoptions-input #5698

☠️ Deprecated

  • <k-dropdown> was deprecated. Use <k-dropdown-content> as standalone instead.
  • k-calendar-input replaces k-calendar. k-calendar is still available but only as deprecated alias.

🚨 Breaking changes

  • k-pagination doesn't support setting custom labels/titles via nextLabel, prevLabel or pageLabel #5578
  • Removed deprecated DS constant. Use / instead. #5590
  • Panel\Assets::custom() now returns an array #5602
  • When impersonating the almighty kirby user, any permission check will succeed even if permission has been disabled for regular admins #5511
  • Renamed parameter of ::group() method of all collection classes to $caseInsensitive #5634
  • k-range is gone and replaced by k-alpha-range and k-hue-range
  • k-choice has been removed. Use k-choice-input instead
  • The unused theme prop has been removed from k-choice-input

🧹 Housekeeping

  • Uses lightningcss for Vite instead of postcss