Official repository for concrete5 development

concrete5

Last update: Jan 2, 2023

Related tags

Overview

Welcome to the official repository for concrete5 development! concrete5 is an open source CMS built by people from around the world. Want to get involved? Check out our contributor guide for more info.

Documentation

If you're looking for concrete5 documentation, you'll want to navigate over to documentation.concrete5.org. If you see anything that needs more information or is just completely wrong, contributions are welcomed! Just log in to the documentation site with your concrete5.org account and edit away!

Installation

Clone the repository

 git clone https://github.com/concrete5/concrete5.git
 cd concrete5/

Use Composer to install the third party dependencies
```
 composer install
```

Community Channels

Legacy

Looking for legacy versions of concrete5? Head over to the concrete5-legacy repository.

Comments

Moving from Transifex to our own translation system
Current status

Currently the translation of concrete5 is done this way:

Core translations

On a server (kindly offered by @Remo), we have a cron job that runs my core2pot.php script. This script fetches the core from Transifex (both Legacy and 5.7), extracts the strings (using my translation library) and create the .pot (English) files that Transifex fetches once a day.

Another cron job (my transifex2github) fetches the Transifex translations and place them in https://github.com/concrete5/concrete5-translations so users can get the translations from http://www.concrete5.org/developers/translate/

Package translations

When package developers want their packages translated in Transifex, they contact me. I manually add these packages to another Transifex project. A cron jon on Remo's server runs my packages-translations.php that fetches the Transifex translations and commit them to https://github.com/concrete5/package-translations so that developers and users can get them without a Transifex account or gettext knowledge.

Current problems

This whole Transifex approach is quite complex and just one or two people fully know/undestand/maintain it

When a new concrete5 version is released, we should add a new Transifex resource. That's because new versions could have some strings removed, so we have to "freeze" the translations. But having tens of Transifex resources is a big problems for translators: when there's a translation that should be fixed, translators have to to it for every resource (as a workaround I created http://i18n.concrete5.ch/tx2tx/ to compare Transifex resources, but the problem remains).

Package developers can submit translations only for open source projects

The Transifex resources for all the core versions and the Transifex resources for the packages don't share the translations. Translators have to translate the same strings many times

Package developers need to manually update their packages every now and then to include translations in their packages

For Belarusian, Polish, Russian and Ukrainian, Transifex defines 4 plural rules, but we only use 3 (that's because gettext - ie us - define plural rules only for unsigned integers, whereas Transifex accepts rules even for negative and real numbers). So, when we fetch the data from Transifex we have to change the translations for those languages.

In order to directly access Transifex translations, users/developers need a Transifex account belonging to the core/packages Transifex project

The solution (for me :wink:)

I'd create a new system (let's call it translate.concrete5.org) that:

defines translations just once, and associate them to the core versions/package (versions) using them. That way, we have to translate strings just once

package translations could be integrated automatically

all the package translations are translated (or at least translatable :wink:)

no manual operations to be performed

no data going to/from Transifex/GitHub/concrete5.org

there's no problem with the differences in the count of plural rules

A while ago I started https://github.com/mlocati/concrete5-integrated-localization but it need a complete rewrite (it's for concrete5 5.5 and has quite ugly code).
opened by mlocati 67
Page type and area name insanity
I have recently been comparing themes. The variation I found in page type and area names is absolutely insane. Lack of standardisation makes it harder to switch between themes and leads sites into dead ends that inhibit subsequent changes.

From the 115 themes I tested, there are:

102 different page types (and that is just the .php page types)

422 area and global area names

For lists, please see attachments to: http://www.concrete5.org/community/forums/5-7-discussion/page-type-and-area-name-insanity/

Some of the variation comes from existing conventions not being followed or enforced. Much of the variation comes from developers continually re-inventing the wheel.

Its way too late to standardise this mess for 5.6, but with 5.7 being a 'breaking' update and requiring code work for any addon or theme, maybe now is also the time to bring both of these ridiculous levels of variation down to a more manageable number.

So, to open the discussion: How can the 5.7 core enforce greater standardisation on area names and page type names?
opened by JohntheFish 61
Caching Issue
The issue is rather critical, visitors will attempt to browse to a page and it'll fail and show the error, here is an example from the logs:

Exception Occurred: /var/www/vhosts/[sitedomainame]/httpdocs/application/files/cache/0fea6a13c52b4d47/25368f24b045ca84/38a865804f8fdcb6/57cd99682e939275/18e23c785c6a72cf/ca47fbe20fed45aa.php:14 syntax error, unexpected end of file, expecting variable (T_VARIABLE) or ${ (T_DOLLAR_OPEN_CURLY_BRACES) or {$ (T_CURLY_OPEN) (0)

This is on a site running community store but appears to be a C5 issue. The Stash library seems to build quite large files and then it seems to struggle reading the whole thing, so I guess that is why we get a syntax error when infact there are none in the cache file.

Example cache file attached. ca47fbe20fed45aa.txt

A suggestion from the Stash page on github: "Try switching to the SQLite backend. The filesystem one works great in testing but runs into various race conditions when put under load."

Link to Stash issue/conversation: https://github.com/tedious/Stash/issues/374

So it looks like to use PDO/Sqlite we need to write a new class under: \concrete\src\Cache\Driver\FileSystemStashDriver.php

But call it something else like SqliteStashDriver.php and in /concrete/config/ have a choice of drivers maybe:

'core_filesystem' => [ 'class' => \Concrete\Core\Cache\Driver\FileSystemStashDriver::class, //'class' => \Concrete\Core\Cache\Driver\SqliteStashDriver::class,
opened by madesimplemedia 49
Customize Design Dashboard not working

In 8.5.4, the front end Design/Customize dashboard is not showing up. Everything shows until you click Customize, then, where the tools are, it is blank with no tools at all. I've had to roll my versions back on the new projects we are working on as customizing the look and feel of the site is not possible.

Thanks!
Type:Bug Bug Priority:Medium Affects:Content Creators Product Areas:Theming

opened by edsaxmoore 44
db.xml Version 0.5

We currently use AXMLS for our db schema files (version 0.3.) We should create version 0.5, based on Doctrine naming.

Make sure all type and length fields honor Doctrine values. Basically, this is a declarative XML format for Doctrine DBAL schema values.

We should make sure this handles foreign key constraints in a syntactically nice way.

We need to create a schema parser for this that is loaded based on the version (this is probably just an XML load into a doctrine schema object, very little parsing required.)

Thoughts? Thoughts on syntax for stuff that isn't supported out of the box, like foreign keys, other things we could add?

opened by aembler 44
Package autoload issue

So I noticed this when trying to use my S3 addon on the latest git version

in the following commit: https://github.com/concrete5/concrete5-5.7.0/commit/9ffea260d06bab58f85cc21c8703d2f248e44630#diff-870da868c5b9a1d629e57609bae3758eR84 that line is commented out and removed in a later commit, removing that line broke the autoloading for my package, any reason why this was removed? the class name that c5 generates for my storage location is Concrete\Package\S3Storage\Core\File\StorageLocation\Configuration\S3Configuration and has the path of /packages/s3_storage/core/file/storage_location/configuration/s3_configuration.php

Which was working before this change,

opened by Mnkras 43
v8 - Forms fields have a background color the same as disabled fields

The new form design uses grey to denote fields, but this is the same as what is currently used for disabled fields - there's no way to visually tell the difference.

Compare a screen in 5.7 where some fields are disabled on the right:

With the same screen in v8:

Grey being used to indicate a disable field control is a very established convention in user interfaces, i.e. something has been 'Grayed out'. https://www.google.com.au/search?q=disabled+fields&tbm=isch

Making disabled fields either darker or lighter is unlikely to solve the problem, as the convention is either greyed or not greyed at all. Trying to communicate meaning via two shades of grey is likely to just make things even more confusing.

opened by Mesuva 42
fix expensive cache when caching is disabled
Fixes the expensive cache when caching is disabled. BlackHole never returns anything and thus broke my system. In my case, the code below returned null

$expensiveCache = \Core::make('cache/expensive'); $cacheObject = $expensiveCache->getItem('Cache/MyObject'); if ($cacheObject->isMiss()) { $cacheObject->set('test', 600); } echo $cacheObject->get();
opened by Remo 42
Clipboard / Stack feature in sidebar not obvious, colours hard to read

I'm commonly receiving feedback that users aren't aware of where to find the clipboard after copying something to it. I also find the colours uses for the sidebar drop down to be low in contrast, making it even less obvious that there are additional hidden sections. The little arrow is hardly visible.

As the dropdown doesn't save much space, would it be more usable to simply present the three options here, treating the sidebar as an accordion?

I've quickly mocked up what something like this could look like, with colours that are much easier to read (but still along the lines of what is already in the sidebar).

Product Areas:UX

opened by Mesuva 41
Enable Multi-Site Functionality in Core
This has been available via a private add-on for about a year, and we're bringing it to the core in version 9.0. Including:

Multiple sites per concrete5 installation

Support for multiple site types

Support for multiple site type skeletons

Type:Enhancement
opened by aembler 40
Proposal: Define rules for things PSR-2 doesn't cover
PSR-1 and PSR-2 intentionally omit judgements on certain things, I think we should discuss some things left out and come up with some concrete rules that we all hold ourselves to with the help of the cs-fixer config and potentially scrutinizer (#3310).

Some things that would be good to clear up:

Doc block comments. We should review PSR-5 briefly and come up with real requirements for method comments.

Inline namespacing. We should have an individual use statement for every class we use, even ones at the root namespace. Having a list of use statements at the top makes it really easy to see what the dependencies of a class are.

new class vs new class();

Class constant naming

Class configuration, what's in the constructor vs what's in the service provider

When to use a service provider

When to use IoC

When to use singletons

Test coverage requirements, we should figure out what percentage coverage we have today and make sure that it continues to go up and not down.

Comment here with more things to add.
opened by KorvinSzanto 40
Consolidate Search Indexes
Description

At present, each kind of searchable entity has its own search index. There is a search index for pages/collections, a search index for files, a search index for users, a search index for calendar events, search indexes for express objects, and probably more that I have missed.

Whilst there are differences in the structure of these search indexes, there is also considerable overlap in structure and data held.

One of the growing areas of CMS functionality is aggregation of disparate data, so we can have things like boards showing an overview across pages and calendar events.

The proposal here is that all search indexes could be replaced with a single consolidated search index. The primary advantage of this single index will be to facilitate front end and dashboard functionality that aggregates different kinds of entities.

A secondary advantage will be a reduction in not-quite duplicated code. The various search populating and data list classes will benefit from greater common functionality.

A further advantage will be the ease with which further kinds of listed and searchable entities can be incorporated into the index, and hence incorporated into the aggregated usage of that index.

There will be obvious consequences for code that populates the search indexes and to existing classes that use the search indexes. With that in mind, this could be implemented as a phased update across core minor versions.

v9.N - The new consolidated index is added to exist in parallel with existing disparate search indexes.

v9.(N+1) - Existing disparate search indexes are marked as deprecated, allowing time for code using the search indexes to be updated to use the consolidated search index. New functionality utilizing the consolidated index advertises the benefits.

v9.(N+2) - Full switch over. Deprecated disparate search index tables and any remaining deprecated code removed.

For implementation, the columns in this consolidated search index could be a combination of:

Map equivalent columns together from the current search index tables. (Could this translate directly into the summary fields of boards?)

A superset of the remaining columns from the current search index tables

A column to identify the kind of entity indexed.

This would leave a single sparsely populated table of all search data, where any entry provided some common data and a subset of further data relevant to the type of entity indexed.This sparse population may also identify scope for improving the searchability of some kinds of entity, along the lines of "What do we use for the description column for XXX? It doesn't have one? Why not?"
Type:Enhancement
opened by JohntheFish 0
Multiple form helpers broken

Affected Version of Concrete CMS

9.x

Description

I see #10352 about date/time inputs which affects both the form helper and the built in form blocks. Wanted to report the form rating widget is broken also, since the jqAwesomeStarRating library is now bundled into cms.js.

How to reproduce

$ratingHelper = $app->make('helper/form/rating'); $ratingHelper->rating('FieldName'); Results in a javascript error: "$(...).awesomeStarRating is not a function"

Possible Solution

Either bring back the individual css/js assets so they can be included by relevant blocks and helpers, or else deprecate these helpers so there's no expectation they can be used in web pages outside of a logged-in CMS environment. Either way would probably be fine but at the moment it's not super clear what direction things are going.

Additional Context

No response
Type:Bug

opened by chemmett 0

Fix entity mappings

Before

biplob@Biplobs-MacBook-Pro concretecms % c5 orm:validate-schema

Mapping
-------

 [FAIL] The entity-class Concrete\Core\Entity\Notification\GroupSignupRequestNotification mapping is invalid:
 * The mappings Concrete\Core\Entity\Notification\GroupSignupRequestNotification#signupRequest and Concrete\Core\Entity\User\GroupSignupRequest#notifications are inconsistent with each other.


 [FAIL] The entity-class Concrete\Core\Entity\Notification\GroupRoleChangeNotification mapping is invalid:
 * The mappings Concrete\Core\Entity\Notification\GroupRoleChangeNotification#groupRoleChange and Concrete\Core\Entity\User\GroupRoleChange#notifications are inconsistent with each other.


 [FAIL] The entity-class Concrete\Core\Entity\Health\Report\SearchResult mapping is invalid:
 * The field Concrete\Core\Entity\Health\Report\SearchResult#findings is on the inverse side of a bi-directional relationship, but the specified mappedBy association on the target-entity Concrete\Core\Entity\Health\Report\Finding#result does not contain the required 'inversedBy="findings"' attribute.


 [FAIL] The entity-class Concrete\Core\Entity\Health\Report\Result mapping is invalid:
 * The field Concrete\Core\Entity\Health\Report\Result#findings is on the inverse side of a bi-directional relationship, but the specified mappedBy association on the target-entity Concrete\Core\Entity\Health\Report\Finding#result does not contain the required 'inversedBy="findings"' attribute.


 [FAIL] The entity-class Concrete\Core\Entity\User\GroupRoleChange mapping is invalid:
 * The association Concrete\Core\Entity\User\GroupRoleChange#notifications refers to the owning side field Concrete\Core\Entity\Notification\GroupRoleChangeNotification#signup which does not exist.


 [FAIL] The entity-class Concrete\Core\Entity\User\GroupSignupRequest mapping is invalid:
 * The association Concrete\Core\Entity\User\GroupSignupRequest#notifications refers to the owning side field Concrete\Core\Entity\Notification\GroupSignupRequestNotification#signup which does not exist.

After

biplob@Biplobs-MacBook-Pro concretecms % c5 orm:validate-schema

Mapping
-------

                                                                                                                        
 [OK] The mapping files are correct.

opened by biplobice 0

Firefox's undefined error pop-up after chancing page name
Affected Version of Concrete CMS

9.x

Description

Originally reported by Jun_22 https://forums.concretecms.org/t/topic/4081/13

This only happens on Firefox.

The undefined error pop-up shows up after you change the page name in Firefox.

How to reproduce

Use Firefox (tested with 108.0.1)

Default 9.1.3 fresh install with Atomik sample content

Login as admin user

Visit Resource page

Change the page name to something random and save & publish

Go back to Resource page, try to click the link anywhere

the Undefined error shows up when moving to the next page

Here is my screencast

https://user-images.githubusercontent.com/485751/209160457-ae7e77ea-08e8-45d1-9426-10720cadb329.mov

Possible Solution

No response

Additional Context

No response
Type:Bug
opened by katzueno 0

Composer Autosave Error when there is option attribute

Affected Version of Concrete CMS

9.x

Description

Originally reported by a Japanese user Jun_22 https://forums.concretecms.org/t/topic/4421

When you have option attribute set in composer and not thin was selected, Concrete ended up with the following error

Exception Occurred: XXXX/concrete/attributes/select/controller.php:250 Trying to access array offset on value of type null (2)

There are also javascript error in console

Uncaught TypeError: my.saver is null
    start https://EXAMPLE.COM/!drafts/2570/?ccmCheckoutFirst=1 line 2 > injectedScript:126
    o https://EXAMPLE.COM/concrete/js/cms.js?ccm_nocache=76d599a23bc797cf15692be5b6bfdcd64c993a1c:180
    jQuery 7
    publish https://EXAMPLE.COM/concrete/js/cms.js?ccm_nocache=76d599a23bc797cf15692be5b6bfdcd64c993a1c:180
    start https://EXAMPLE.COM/!drafts/2570/?ccmCheckoutFirst=1 line 2 > injectedScript:112
    jQuery 8
    start https://EXAMPLE.COM/!drafts/2570/?ccmCheckoutFirst=1 line 2 > injectedScript:110
    <anonymous> https://EXAMPLE.COM/!drafts/2570/?ccmCheckoutFirst=1 line 2 > injectedScript:172
    jQuery 11
    <anonymous> https://EXAMPLE.COM/!drafts/2570/?ccmCheckoutFirst=1 line 2 > injectedScript:171
    jQuery 14
    openPanelDetail https://EXAMPLE.COM/concrete/js/cms.js?ccm_nocache=76d599a23bc797cf15692be5b6bfdcd64c993a1c:284
    setupPanelDetails https://EXAMPLE.COM/concrete/js/cms.js?ccm_nocache=76d599a23bc797cf15692be5b6bfdcd64c993a1c:284
    jQuery 4
2570:126:13

How to reproduce

Tested on PHP8.1 + Concre CMS 9.1.3 with Atomik fullsite

Dashboard -> Page and Theme -> Attribute -> create "Option List"
Check to allow multiple selection and finish creating new option list attribute
Add the option list attribute to page type's composer to a page type.
Create a new page with the page type with the option list attribute
Open a composer and wait for auto-save, or click Save, or Edit Mode button

When you set it to radio button and choose to hide "None" option, it can also reproduce the same error.

Possible Solution

No response

Additional Context

No response

Type:Bug

opened by katzueno 0

Releases(8.5.12)

8.5.12(Nov 3, 2022)
Bug Fixes

More PHP 5 fixes (thanks mlocati)

Improved testing for PHP 5 compatibility

Source code(tar.gz)
Source code(zip)
8.5.11(Nov 1, 2022)
8.5.11

Bug Fixes

Restored support for PHP 5.6

Source code(tar.gz)
Source code(zip)
9.1.3(Oct 31, 2022)
9.1.3

Behavioral Improvements

Made the legacy_salt functionality easier to read

Security Fixes

See our security release blog post for more information about security fixes.

Medium

CVE-2022-43693 Added "state" parameter to OAuth client by default to prevent CSRF. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43692 Sanitized output to prevent XSS in dashboard search pages. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43694 Sanitized output in API endpoint to prevent potential reflected XSS in the Image Manipulation Library. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43967 Sanitized output in multilingual dashboard report to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43968 Sanitized output on the icons dashboard page to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43686 Improved performance of "forever" cookie to prevent DOS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43691 Hide $_SERVER and $_ENV output from whoops by default to prevent information disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43687 Generate a new session ID when authenticating through OAuth to prevent session fixation. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

Sanitized dashboard breadcrumbs to prevent stored XSS. Thanks @_akbar_jafarli_for reporting HackerOne report #1696363.

Low

CVE-2022-43695 Sanitized entity names in entity association dashboard page to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43690 Use strict comparison when testing against legacy password algorithm to prevent against potential integer conversion. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43688 Sanitize Microsoft tile icon to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43689 Disable entity expansion when sanitizing SVGs to prevent DNS based IP disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

Not Ranked

Added a warning for admins when they are potentially giving more access than they expect when they set certain advanced permissions. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.

Added a warning when moving groups that permissions of the new parent group will be granted to the child group but the child group will retain all previous permissions.Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.

Source code(tar.gz)
Source code(zip)
concrete-cms-9.1.3.zip(72.02 MB)
8.5.10(Oct 31, 2022)
8.5.10

Bug Fixes

Fix ZendCacheDriver does not set lifetime properly (thanks hissy)

Made the legacy_salt functionality easier to read

Developer Updates

Private properties in Select Attribute Controller updated to be protected (thanks biplobice)

Added on_get_page_wrapper_class() custom event to allow developers to customize classes delivered by this method (thanks JohnTheFish)

Security Fixes

See our security release blog post for more information about security fixes.

Medium

CVE-2022-43693 Added "state" parameter to OAuth client by default to prevent CSRF. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43692 Sanitized output to prevent XSS in dashboard search pages. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43694 Sanitized output in API endpoint to prevent potential reflected XSS in the Image Manipulation Library. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43967 Sanitized output in multilingual dashboard report to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43968 Sanitized output on the icons dashboard page to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43686 Improved performance of "forever" cookie to prevent DOS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43691 Hide $_SERVER and $_ENV output from whoops by default to prevent information disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43687 Generate a new session ID when authenticating through OAuth to prevent session fixation. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

Sanitized dashboard breadcrumbs to prevent stored XSS. Thanks @_akbar_jafarli_for reporting HackerOne report #1696363.

Low

CVE-2022-43695 Sanitized entity names in entity association dashboard page to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43690 Use strict comparison when testing against legacy password algorithm to prevent against potential integer conversion. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43688 Sanitize Microsoft tile icon to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

CVE-2022-43689 Disable entity expansion when sanitizing SVGs to prevent DNS based IP disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

Not Ranked

Added a warning for admins when they are potentially giving more access than they expect when they set certain advanced permissions. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.

Added a warning when moving groups that permissions of the new parent group will be granted to the child group but the child group will retain all previous permissions.Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.

Source code(tar.gz)
Source code(zip)
9.1.2(Sep 15, 2022)
New Features

Added “Exclude Current Page” option to the Page List block (thanks ccmEnlil)

Added new “Upload Settings” Dashboard page to configure file upload settings, including chunking, chunk size, and parallel streams (thanks mlocati).

Behavioral Improvements

WebP images now supported by the file manager. WebP images will show up with the proper extension and thumbnail (assuming the browser supports them). File extension added to the file manager list view.

Many minor UI fixes throughout Dashboard pages and edit dialogs (thanks shahroq)

Improved display of Environment information Dashboard page: larger window of text.

Removed ability to approve versions of drafts – because they need to be published first.

If a folder is specified as the root folder of a document library, uploaded files will be placed in this folder if uploaded through the document library.

Nicer version history view in add-on update screen (thanks biplobice)

Much improved scrolling of page when dragging blocks into the page using the Atomik theme.

Fixed weird Chrome behavior where sometimes dialog windows would have a fully opaque black background.

Added the ability to toggle passwords when adding a user or change your user’s password (thanks shahroq)

API Integrations Dashboard page now more suitable for situations where many integrations exist. Supports search, pagination, etc…

Add a pull down menu to set datetime format for CSV exports (thanks hissy)

Hide username on edit profile when it is not required on registration (thanks hissy)

Allow for saving Hero Image Blocks without Image while avoiding the current datatype Exception (thanks haeflimi)

Mercure overhauled to default all Concrete events to private (for better security).

Added additional configuration methods to Server-Sent Events (Mercure) to allow for more advanced configuration use cases.

Fixed display of CMS when wrapping areas in text-align styles.

Added environment hostname and name to Environment page (thanks shahroq)

Improvements to Event List block edit dialog.

Improved display of navigation in the Express Dashboard pages (thanks shahroq)

Improvements to the Concrete user input component (thanks mlocati)

By default, login will take you to the home page of your site (this can be changed from the Login Destination Dashboard page, if desired.)

Bug Fixes

Fixed bug where automated groups were not working properly.

Fixed bug where users could not change the custom template of a block in a Stack.

Fixed custom options forms not showing properly in third party Captcha packages

Fixed error editing Hero Image block in PHP 8+ when title format had not been set.

Fixed bugs under PHP 8+ when configuring advanced properties of advanced permissions.

Fixed: Background Color of a custom skin can no longer be cleared but destroy the custom skin itself

Fixed: Adding layout throws error in console "Cannot read properties of undefined (reading 'closest')" in v9.1.1

Fixed display issues and content issues in the Help panel.

Added some better content in the help panel.

Fixed bug where Copy languages feature copied all pages instead of only pages that have not been associated.

Fixed: Setting Atomik Top Navigation Bar Color to transparent breaks theme cusomiser

Fixed bug in Atomik sample content where blog posts weren’t showing up because they were going in with dates that were too old.

Fixed bug where only the super user could assign user groups or remove user groups through the bulk editing interface.

Fix/error in reindex contents task with Page Objects when pages are in the trash/don’t have a public date (thanks deek87)

Fixed error in breadcrumb block rendering when parent pages were unapproved (thanks hissy)

Fixed bug where editing block visibility at certain device breakpoints via custom design was not working (thanks deek87)

Fixed bug where clearing the site’s cache may lead to an error when using custom cache drivers like Redis (thanks chauve-dev)

Fixed bug where “page topics” filtering option in Event List block didn’t work and didn’t present a list of topics.

Fixed bug where large images added via the Content block would burst out of the Atomik theme.

Fixed bug where images saved in the database with UUID placeholders didn’t display properly (can happen when using the migration tool with version 9)

Fixed bug where calendar block would not display properly on older themes.

Fixed bug where pages would not validate in the w3c validator due to a closing </link> tag being present.

Fixed error when adding an Event List block where topic attributes were present under PHP 8.1 (thanks TMDesigns)

Fixed error when changing locale on Multilingual Setup page (thanks jocomail78)

File upload chunking now works again (if enabled) (thanks mlocati)

Fixed: “Your Computer” tab initially empty when swapping files in the file manager (thanks mlocati)

Fixed bug where filtering by topic tree in the Event List block didn’t show a topic tree to choose from.

Fixed miscellaneous bugs in Event List block edit dialog.

Fixed ability to edit certain content in the rich text editor in the Accordion block.

Fixed interaction where adding a layout and then cancelling would hide the area the layout was added to until the page was reloaded.

Fixed gallery block error where a gallery referencing a deleted image would cause an Exception (thanks JeffPaetkau)

Fixed: In php 8 when signed in as a non super user an error occurs when accessing the /dashboard/extend/update page due to $mi not being defined (thanks danklassen)

Fixed dialogs/block/design.php - Line 12 has an extra closing php tag (thanks ConcreteOwl)

Fixed Back button not taking you anywhere when viewing an Express entry that was owned by another Express entry.

Fixed bug on Organize page types Dashboard page under PHP 8.1.

Fixed error adding basic workflow in PHP 8.1.

Fixed error editing groups under PHP 8 (thanks hissy)

Fixed "An exception occurred while executing 'insert into CollectionVersionBlocks" when changing page template.

Fixed: When using PHP8 if you turn Advanced Permissions on then try to add Block Permissions you're met with this error.

Fixed: Setting nothing to Items Per Page option of Express Entry List causes an error

Fixed: Incorrect tag namespace for multilingual sitemap generation (thanks gregheafield)

Fixed: Page Selector Attribute - Search& Indexing broken (thanks haeflimi)

Bug fixes for Page List block under PHP 8.1 (thanks ccmEnlil)

Fixed: Express Form Block E-Mail notification doesn't respect form field Order

Fixed: Express Form Block E-Mail notification – URL to entries doen't work and leads to empty page

Fixed error when updating file sets in PHP8+ (thanks ccmEnlil)

Fixed errors when using Server-Sent events introduced in 9.1.0

Fixed bug when using magic method in form helper to create previously undefined form input types (thanks JohnTheFish)

Fixed bug where page list block would offer the number of entries as the rss feed title if the block was being edited.

Fix LaminasCacheDriver does not set TTL properly (thanks hissy)

Fixed: Saving Page with Legacy Attribute Error with PHP8

Fixed ugly styling for authentication when logging in via Oauth2

Fixed community authentication (community.concretecms.com) - now it works again.

Backward Compatibility Notes

Tweaked Auto-Nav block controller to fix issue with Community Store breadcrumb custom template.

Developer Updates

Private properties in Select Attribute Controller updated to be protected (thanks biplobice)

MessageBusManager library improvements for extension

Update the URL of the Doctrine XML repository/GitHub Pages (thanks mlocati)

Any custom integrations using Mercure (likely very few, if any) should be checked over – Mercure system has been completed overhauled, including an update to Symfony Mercure 0.61.

Added on_get_page_wrapper_class() custom event to allow developers to customize classes delivered by this method (thanks JohnTheFish)

Let translators swap file extension and file type (thanks mlocati)

Added ability to pass class to tabs method (thanks shahroq)

Form helper __call magic method can now output form types that have dashes in them (thanks mlocati)

Add an option to the DeleteGroup command to skip deleting groups with users

Added application/pdf to the types of files that can be used with view_inline (thanks hissy)

Source code(tar.gz)
Source code(zip)
8.5.9(Jun 23, 2022)
Bug Fixes

Fixed inability to upload files when file chunking is disabled.

Fixed bug that prevented file chunking from also working.

Reverted code that accidentally made the core require PHP 5.6+ in some situations.

Source code(tar.gz)
Source code(zip)
8.5.8(Jun 20, 2022)
Behavioral Improvements

JavaScript and CSS assets now have the timestamp of when the cache was last cleared appended to them (thanks deek87, haeflimi)

Renamed concrete5 to Concrete CMS and Concrete during the installation process.

Nicer version history view in add-on update screen (thanks biplobice)

Bug Fixes

Fixed error that would occur if you deleted an Express entry and then attempted to reorder that same entry on the page before reloading (thanks biplobice)

Fixed error where users, files and sites weren’t being reindexed when running the index_search_all job.

Fixed error where copying conversation blocks out from page defaults made them all one instance of the same conversation (thanks hissy)

Validating Express, User and Page attribute types now works when used with Composer and Expres (thanks hissy)

Fixed bug in Redis caching backend when saving a primitive value.

Fixed: when using the Express Form block, and a file is uploaded through the form, it creates two versions of the file, which are seemingly identical (thanks 1stthomas)

Fixed: Clear old page versions in all site trees when running remove page versions job (thanks Ruud-Zuiderlicht)

Fixed bug where OAuth2 and sign in as user functionality could lead to someone unintentionally joining their user account to a different account.

Render single pages like 404, 403, login, register in default site locale (thanks hissy)

Fixed: : error message doesn't display when upload file failed via drag & drop (thanks hissy)

Fixed invalid and unhelpful displaying on marketplace connection failures during certain conditions (thanks JohnTheFish)

Topics Attribute Search Form is not getting translated on Frontend (thanks 1stthomas)

Fixed: Multilingual copy site tree with alias pages (thanks hissy)

Fix migration bug on fix overlapping start end dates when custom page publishing dates had been set in some cases (thanks hissy)

Fixed null pointer Exceptions when using area layouts under certain conditions (thanks biplobice)

Security Fixes

CKEditor updated from 4.16.2 to 4.18.0 (thanks hissy)

Remediated CVE-2022-21829 - Concrete CMS Version 9.0.2 and below and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even if a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting on HackerOne - https://hackerone.com/reports/1482520

Remediated CVE-2022-30117 - Concrete CMS version 9.0.2 and below and 8.5.7 and below allowed traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations.Concrete CMS Security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting https://hackerone.com/reports/1482280

Remediated CVE-2022-30120 - XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are output can be exploited for Concrete CMS version 9.02 and below and Concrete CMS 8.5.7 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Dashboard Stacks page sort URLs are now sanitized. Concrete CMS Security team ranked this vulnerability 3.1 with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting https://hackerone.com/reports/1363598

Remediated CVE-2022-30119 - XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are output can be exploited for Concrete CMS version 9.02 and below and Concrete CMS 8.5.7 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Thanks zeroinside for reporting https://hackerone.com/reports/1370054

Remediated CVE-2022-30118 - XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: \ old browsers only. When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete CMS version 9.02 and below and Concrete CMS 8.5.7 and below can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting https://hackerone.com/reports/1370054

Source code(tar.gz)
Source code(zip)
9.1.1(May 25, 2022)
Behavioral Improvements

Enhancement: adding the ability to pass association ID through request and pick it up in the form

Adding associations to Express form notifications

Top Navigation Bar block now honors the nav_target custom attribute, if it exists (thanks ccmEnlil)

Bug Fixes

Fixed bug in /ccm/system/upgrade script on PHP 8.1 (thanks ccmEnlil)

Fixed upgrade inconsistencies that could cause problems for installers like Softaculous

Fixed Accordion Block: when the initial state set to 'all items open' or 'all items closed' the collapsed state is not always correct (thanks danklassen)

Fixed compatibility with PHP 8.1 when installing with Composer.

Fixing bug where Express entries with multiple associations could not be filtered accurately in advanced search

Fixing bug where submitted values do not persist in Express association forms

Fixed: Changing the page template of a draft breaks block versioning (thanks jaromirdalecky)

Fixed: Duplicating file as non-super admin does not work due to permissions key (thanks danklassen)

Fixed: core search block: the form tag has two class attributes

Fixed null pointer Exceptions when using area layouts under certain conditions (thanks biplobice)

Developer Updates

Laminas cache laminas/laminas-cache-storage-adapter-memory library updated to 2.0 in order to restore compatibility with PHP 8.1 when installing via Composer

Fixed: Block::isOriginal() returns opposite value (thanks jaromirdalecky)

Source code(tar.gz)
Source code(zip)
9.1.0(May 12, 2022)
New Features

Improved appearance and functionality when editing block, area, layout and container styles inline in the page (thanks deek87)

Added the ability for an Express attribute to be marked as unique, provided its attribute type supports it. Unique attributes will be useful for SKUs, enforcing email uniqueness, etc…

Much improved version comparison feature that can compare the HTML of two page versions and highlight differences (thanks deek87 and hissy)

Feature Link block improvements: Adds option for 'link' styled button using BS5 .btn-link button class, Adds the option to include an icon in the button and to have icon only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)

Hero Image block improvements: Adds option for 'link' styled button using BS5 .btn-link button class, Adds the option to include an icon in the button and to have icon only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)

Added new Security Policy page in the Dashboard (thanks hissy)

Added a “Revert to Draft” command button on published pages in the Composer interface (thanks hissy)

Improvements and refinements to Dashboard file details screen in desktop and mobile views.

Added the ability to move a file folder in the Dashboard file manager.

Added the tree view back to the Groups Dashboard page.

Add title field for YouTube and Video block types for better accessibility (thanks Mesuva)

Behavioral Improvements

Express attributes no longer need to be unique across all Express objects. Instead attribute handles can be reused provided they’re not reused within the same object.

New Express forms will be created when Express Form blocks that have been copied are edited in their new locations (thanks Xanweb)

File chooser has improved view and functionality; bug fixes; adding width, height and size to list and grid view; adding detail image callout on hover.

Task Options in the Dashboard have have been moved into a modal dialog when present, so they’re harder to miss (thanks deek87)

Express entity attribute handles now can be reused as long as they’re not reused within the same Express object.

You can now click on the entire row of a Dashboard results table (like the page search, file manager, etc…) and go to the detail URL.

Better display of inline floating commands for things like containers and block move.

We now show the container name when hovering over containers in edit mode.

Reinstated CSS and JavaScript asset post-processing cache setting; restructured the Dashboard Cache Settings page for better grouping of functionality and explanation.

Improve display of Recaptcha settings page.

Appearance improvements to Waiting for Me and the Dashboard desktop.

Active classes for pages added to the output of the Top Navigation Bar block (thanks danklassen)

Locale home page is now undeleteable when using multilingual sites.

Miscellaneous performance improvements for logged-in users (thanks hissy)

Added rate limiting to Forgot Password using the built-in IP Allowlist/Denylist functionality

Better usage of meta canonical tag in page under certain circumstances (thanks hissy)

File folders now cannot be deleted if they have sub-folders or sub-files in them.

Display improvements to inline style dropdown (no more too-dark panels with no contrast.)

Better automatic display of the “Approve Stack” button when editing block parameters, styles and permissions in the stacks Dashboard page.

Don’t allow users to delete site types until they have removed all sites of that type.

Improvements when Concrete is installed in a subdirectory instead of the root directory of a website.

Added the ability to view a user’s public profile from their Dashboard user details page.

Added --session-handler to the console install utility. Set to database if you’d like to override the default file-based sessions.

Gotten rid of the behavior where certain dynamic trees cause pages to scroll to them on load (visible on Express Object details edit, adding groups, using the Groups selector in custom Dashboard pages, and more)

JavaScript and CSS assets now have the timestamp of when the cache was last cleared appended to them (thanks deek87, haeflimi)

Added the link back to the “Data Objects” Express management interface from the header of that Express objects results page.

Added URL Path as a column that can be added to the Page Search interface.

Fixed: Login page forces gray background on custom themes

Fixed: Scheduled page publishing doesn't purge the page cache (thanks hissy)

Added more caching to certain objects to improve performance (thanks hissy)

Pre-selected File Storage Location For Nested Folder

Bug Fixes

Much improved PHP 8 compatibility fixes for all core block types (thanks deek87)

Fixed user permissions for searching users with non super admin not working in sites upgraded from 8.5 until permissions were reset.

Fixed inability to assign groups, users, group sets or group combinations to group permissions when updating from 8.5.

Improvements to core libraries to allow for installation on PHP 8.1 w/Composer.

PHP 8 compatibility fixes for Calendar (thanks deek87)

Fixed: Database Character Set is no longer showing current character set.

Fixed: Missing font selection for body font in Atomik customizer when using Default skin.

Fixed: Batch Task with empty batch does not finish running

Fix Top Navigation Bar block 'include sticky nav' setting not set appropriately when editing the block

Fixed inability to drag an individual block out of the stacks panel in a page.

Fixed: Document Library advanced search fields do not display

Fixed “Express form error dirty entity” error that users might see when creating forms on the front-end.

Fixed bug where attribute data validation routines weren’t being run when updating certain objects and certain objects in bulk.

Fixed: Express Calendar and Calendar Event Attributes Not Correctly Implemented

Fixed: "Added to Page" File search filter doesn't work

Fixed: Schedule Guest Access doesn't work (thanks HamedDarragi)

Fixed: Page Search in chooser dialog doesn’t work (thanks HamedDarragi)

Fixed: The multilingual panel/page relations panel didn’t allow you to create pages in the multilingual trees from the related page - and it used to.

Fixed strange appearance in Dashboard sitemap selector when using multisite and multiple locales.

Fixed bugs with using custom file attributes with the Document Library block.

Fixed theme customizer not working on legacy LESS-based themes when being used with a large number of LESS variables.

Fixed inability to see sort icons on attributes in the Dashboard.

Fix Auto-Nav showing duplicate tabs in themes based on Bootstrap 3 (thanks lvanstrijland)

Fixed: When using more than one user search criteria by group, one to include groups and one to exclude groups, we get the wrong results (thanks mnakalay)

Fixed: Accordion block doesn't load required assets when not using BS5 based theme.

Fixed Error when try to edit 'express details block' (thanks Ruud-Zuiderlicht)

Fixed edit page type basic details error on PHP 8.

Tooltips now work properly again in Composer interface (thanks danklassen)

Fixed inability to create and update skins for themes that had a large number of parameters under certain conditions.

Fixed errors that would occur when creating a site, enabling multilingual, setting a new source locale, and deleting the original default locale.

Fixed: User activation workflow, Activate action not working

Fixed: 9.0.2 Seo Bulk Updater for multilingual site not showing results when selecting All Levels (thanks danklassen)

Fixed: Placing a Sticky "Top Navigation Bar" in Global "Navigation" using Atomik blocks editing of page

Fixed: Topics Attribute Search Form is not getting translated on Frontend (thanks 1stthomas)

Re-enabled the ability to edit a user’s avatar from their Dashboard details page.

Fixed: Clipboard - Unable to remove broken clipboard entries/clipboard doesnt remove deleted blocks

Fixed: When placing a stack, the edit mode menu is not displayed

Fixed: Adding Options To Option List Page Attribute Undefined Array Key under PHP 8

Fixed: Multilingual copy site tree with alias pages (thanks hissy)

Fixed: v9 Elemental Block Edit Nav Tabs Broken (thanks ccmEnlil)

Fixed: Error in updating package from marketplace incorrectly displaying itself under certain conditions (thanks JohnTheFish)

Fixed: Accordion block editing interface rich text editor doesn’t have access to Concrete-specific features like file manager, sitemap, etc…

Fixes ErrorException - Undefined property: Concrete\Core\Permission\Access\Entity\GroupCombinationEntity::$label under PHP 8 (thanks 1stthomas)

Legacy form's "reply to this email address" checked state was not properly passed (thanks katzueno)

Fixed errors with the legacy form (thanks mlocati)

Fixed: Updating an express form handle can result in a table name that is too long for mysql

Fix several user search fields not retaining their selected values (thanks mnakalay)

Fixed: install with Elemental full fails due to undefined array key "titleFormat" under PHP 8

Fix YouTube block responsive size class issue (thanks katalysis)

Fixed Marketplace dashboard page broken under PHP 8

Conversation rating stars now appear properly (thanks deek87)

Fixed inability to remove an entry from the trash when that entry is an alias to an external link (thanks Ruud-Zuiderlicht)

Fixed bug where core “Parallax Image” area custom template (deprecated) now works again

Fix a bug with having multiple image blocks with on-hover attribute set on the page didn’t work reliably (thanks evgk)

Fixed: Toolbar title styling interfering with intelligent search results in accessibility mode (thanks Mesuva)

Fixed: Switch Language block default view does not work

Fixed inability to use the “Express Entry Selector Multiple” form control type.

[V9 RC]Fixed cookie not being cleared properly to open "add block panel" when using the sticky add panel and installing Concrete in a sub-directory

Fixed: Position of the reCAPTCHA badge not shown correctly after saving

Fixed errors in waiting for me when groups or users were deleted.

Fix inability to set storage location from file details Dashboard page.

Fixed bugs with thumbnails on alternate storage locations (thanks mnakalay)

Fixed: concrete.debug.hide_keys' not working on Globals do to commented Code

Fix IpAccessControlService check against specific access control category (thanks mlocati)

Access Control: fix sorting categories in the dashboard page (thanks mlocati)

Fixed bug: When there's no time window, we currently ban IP addresses forever, even if we configure Concrete to only ban for X seconds. (thanks mlocati)

Fixed bug: "Illegal mix of collations" when running reindex task when running under certain database conditions.

Added “snippet.png” back into rich text editor so you can see that button.

Fixed: Removing Author User From Page Attributes & Saving Throws Error

Fixed: Deleting Containers throws Access Denied error under certain in-page editing conditions.

Fixed: Rich Text Page Attribute Composer "Source" Editing Hindered By Composer Autosave

Fixed a bug in image processing (Imagine Library) that could lead to segmentation faults under certain conditions (thanks mlocati)

Fixed: PlaceholderService error in thumbnail overview (thanks haeflimi)

Fixed: Deleting Containers shows multiple delete modal windows under certain in-page editing conditions.

Fixed: Top navigation block always loads the default site tree even in multilingual sites (thanks danklassen)

Fixed inability to override session handler to database in config prior to installation and then install successfully.

Fix missing none option in attribute display block (thanks JohnTheFish)

Fixed: Stacks with no approved versions do not appear in stacks list

Backward Compatibility Notes

The Concrete\Core\Express\Form\Validator\Routine\RoutineInterface class and all classes that implement it has changed. The validate method now takes a nullable third parameter for the Concrete\Core\Entity\Express\Entry object that may or may not exist. This replaces the request type attribute. The request type can now be inferred - if the entry does not exist, we assume this to be an ADD operation. If the entry exists within the validate method, you are running an UPDATE operation.

Block::duplicate() has changed its secondary parameter from $isCopiedWhenPropagated to $controllerMethodToTryAndRun. This lets us choose duplicate_master or the new duplicate_clipboard in certain situations. It is very unlikely that this should impact any custom code you have written as this is pretty deep in the Concrete internals.

If you have customized the Document Library view template, please ensure that your <form> tag has a valid input button with the name ”search”. This is checked in the controller in order to ensure searching is actually occurring. If you want to search by advanced file attributes, you’ll need this to be in place or else the Document Library controller will not check for attribute searching.

Developer Updates

Added on_page_version_delete event (thanks hathawayweb)

Mail Importer code running on ancient Zend Mail code updated to PHP 7+ (thanks KevinBLT)

Patches to third party libraries to allow for installation on PHP 8.1 w/Composer (thanks mlocati)

htmlawed HTML sanitization library updated for better compatibility with HTML5.

IP Access Control: add IpAccessControlCategory::describeTimeWindow() (thanks mlocati)

Allow Date service class to work with DateTimeImmutable objects (thanks mlocati)

Improvements and bug fixes to route building and controller syntax (thanks mlocati)

More reliable running of on_start() in block controllers before page contents are rendered (thanks hissy)

Moved concrete5/dependency-patches to the core composer.json instead of the separate composer project (thanks mlocati)

Improved code commenting throughout all core blocks (thanks deek87)

Fix list_syntax rule of PHP-CS-Fixer (thanks mlocati)

Significant list of third party PHP script minor updates.

Simplify c5:exec return code (thanks mlocati)

Fixed: Task scheduling command is incorrect on dashboard page and in documentation, needs more detail

Concrete\Core\Http\ResponseFactory used to take $session as its first constructor dependency, even though that was not used. This caused problems in the event response factory was used prior to sessions being available or being configured for database sessions that were not yet installed. This parameter has been removed. If you use the $app->make() method of building this class, you should not be affected.

Now using https:// for communication with the Concrete marketplace even when the user’s site is not https://

Security Fixes

Fixed: https://hackerone.com/reports/1483104

Fixed several places where we weren’t sanitizing file names in the file manager and stacks page.

Source code(tar.gz)
Source code(zip)
9.0.2(Jan 24, 2022)
Behavioral Improvements

Many translation fixes, including new components that weren’t localized (thanks mlocati)

Better appearance of inline toolbars. Updates to remove potential style collisions between block design toolbar and themes.

Improvements to the process of publishing page type default blocks to child pages (thanks deek87)

Rehash passwords when needed to ensure adherence to the latest security standards.

Fixed display of the FAQ block in edit mode.

Use base64 encoding/decoding on submitting tracking codes in the Dashboard to avoid triggering mod_security (if present) on submit (thanks Mesuva)

Added a settings tab with new options to Accordion block type (thanks katalysis)

Concrete file choosers once again limit by file type and extension in certain contexts (e.g. no longer able to choose non-image files if the code requires image files be chosen.)

Two Column Light and Light Stripe containers in Atomik theme renamed to Two Column Highlight and Highlight Stripe to avoid confusion.

Stacked and Stacked Primary custom templates for Feature block in Atomik have nicer padding, better behavior when used to link elsewhere.

Hero Image “Offset Title” custom template in Atomik now has better behaviors: it honors the height setting and looks nicer in the theme whether the container is enabled or not.

Miscellaneous style classes added to the rich text editor when using Atomik theme.

Improvements to the new “configurable thumbnails” responsive thumbnails in the Image block.

Improvements to logo custom template and feature link CSS in Atomik theme.

Bug Fixes

Fixed fatal error when viewing Express object listings with associations in their list in a site updated from 8.5.x.

Fixed Hero Image block button not linking anywhere

Fixed Feature Link block button not linking anywhere

Fixed error where block template view.css and view.js files were not loading properly.

Fixed inability to start from a customized theme when using the legacy theme customizer.

Fixed inability to delete files or clear sample data content when files were being used in a Board.

Canonical URLs no longer include arbitrary query strings.

Fixed inability to uninstall tasks when working with packages that had installed custom tasks.

Fixed error when connecting to marketplace under PHP 8.

Fix issue where sitemap is inaccessible to users on multilingual sites if the user doesn't have access to view the default locale in the sitemap.

Fixed weird behavior when attempting to edit theme grid layouts in Atomik and other Bootstrap 5 themes.

Fixed bug when deleting containers that had been aliased out from a master page removing the container on the master page as well.

Fixed inability to sort entries in the Image Slider block.

File trackability works much more reliably and across more core block types than before.

Fixed: CollectionSearchIndexAttributes table is updated without approving the page version

Fixed missing icons in Share this Page block (thanks hissy)

Fixed: Layout toolbar partially off page window. Add Layout Function not working

Fixed custom CSS not showing up in the customizer when editing a custom skin.

Fixed fatal error when rendering /dashboard root page in PHP 8+.

Fixed fatal error rendering Dashboard file detail screen in PHP 8+.

Fixed fatal error when rendering gallery add block interface in PHP8+.

Fixed bug where border radius wasn’t being saved properly in block/area design settings.

Fixed error in Gallery block when images in it had been removed from the file manager.

Fixed error “Trying to access array offset on value of type bool “ when logging in with a username that doesn’t exist under PHP 8 (should get an error that explains what you did wrong better than this).

Many additional fixes for core block types in PHP 8 (thanks deek87)

Fix “division by zero” error under some conditions when running queueable commands.

Fixed bug where custom block cache override settings are reset on new version approval (thanks hissy)

Fixed: If by any chance $buttonColor is unset, the class tag of the <div> is never closed (thanks puka-tchou)

Theme responsive image breakpoints are now in the proper order to support the picture tags on mobile devices in Atomik.

Color picker in image editor now displays properly (thanks mlocati)

Fixed: Dashboard favorites menu aren’t localized properly (thanks mlocati)

Fixed bugs with Hero Image block under PHP 8

Fixed bugs with Feature Link block under PHP 8

Fixed error in YouTube block view when using PHP 8.

Fixed errors in Top Navigation Bar block under PHP 8

Fixed error in Testimonial block when using PHP 8 (thanks hissy)

Fix "Undefined array key" warning for advanced page search on [email protected] (thanks hissy)

Fix "variable is undefined" errors when adding Conversation blocks when using PHP 8 (thanks mlocati)

Fixed Exception thrown when attempting to reload strings (thanks mlocati)

Fixed inability to download files in the file manager via the “Download File” option in the file menu.

Fixed broken Site attribute type.

Fixed: When configuring a select attribute to allow a single selection but also allow end user additions, an error is received.

Fixed: Adding a user unless multiple languages are installed fails under PHP 8

Fixed: Board "Error Call to a member function getStylesheet() on null" when rendering a Board in the Dashboard.

Fixing issues viewing users in groups in Dashboard for sub-admins.

Fixed: Exception uninstalling package/theme when package has installed containers

Fixed: List of themes ready to install broken and has design issues (thanks mnakalay)

Fix c5:entities:refresh CLI command (thanks mlocati)

Fixed error when using files with UUIDs in the content block (thanks mnakalay)

Fix position of caption in Language Details dialog (thanks mlocati)

Fixed error adding Document Library block to the page.

Fixed error “Unknown named parameter $html” when attempting to reset a password on PHP 8.

Fixed: Document Library Block: Click on a folder leads to Invalid folder ID

Fixed magnifying glass button in the search in the navigation bar is not working in the Top Navigation Bar block.

Fixed some edge case errors with package uninstall and Doctrine entities

Fixed error where database entities weren’t showing their directory locations on the Database Entities Dashboard page.

Fixed error where uninstalling a package and reinstalling it doesn’t create the block type record in the package if there is only a single block type in the package and nothing else.

Fixed errors installing Atomik documentation under PHP 8.

Bug Fixes to Event List block in PHP 8.

Fixed: Featured Event Toggle Not Working in Event List block.

Fixed double select appearance on Edit File Thumbnail Dashboard screen.

Fixed PHP 8 Error: Error on editing Page List block on brand new 9.0.1 install

Fixed inability to set permissions against a particular user in advanced permissions mode (thanks hamzaouibacha)

Dashboard Reports page now links over to legacy form results page when necessary (thanks mnakalay)

Fix for broken area edit menu when advanced permissions were enabled under some conditions (thanks mnakalay)

Fixed: Contrast off for edit button label when toolbar titles setting enabled

Fixed image libraries check not running in Image Options single page (thanks mnakalay)

Fixed: Elemental theme, Version 9.0.1: New Accordion Block not working properly

Developer Updates

Reverted Form helper behavior so that passing in class will append the CSS classes to whatever the default class was, rather than replace it fully. Added a new classes key that will fully replace the classes if present.

Upgrade gettext/languages and punic/punic (thanks mlocati)

Theme grid preset layouts now export properly and import properly when using the exporter/Content XML format (thanks mlocati)

The canonical URL query string handler has been changed from excluded to included – meaning that if you as a developer want to include a query string parameter in your various canonical URLs, you’ll need to add the parameter key/name to the site.siteName.seo.canonical_tag.included_querystring_parameters parameter.

CKEditor updated to 4.17.1 (thanks hissy)

Source code(tar.gz)
Source code(zip)
9.0.1(Nov 9, 2021)
Behavioral Improvements

Improvements to scheduled page version publishing (thanks hissy).

Fixed login welcome back/desktop in Atomik theme (previously had JavaScript errors.)

Performance improvements when retrieving access entities for users (thanks hissy)

Updated translation library to 1.7.0 to allow 9.0 to be fully translated (thanks mlocati)

Bug Fixes

Fixed error when installing Elemental on PHP 8 (https://github.com/concrete5/concrete5/issues/10003)

Many display issues fixed when browsing marketplace from within your 9.0 site.

Fixed issue where updating from 8.5.6 would disable concrete extensions in rich text editor.

Fixed Unknown column 'folderItemName' in 'field list’ in folder item list custom code used by add-ons.

Fixed time dropdowns not working when editing a calendar event.

Fixed inability to install 9.0 with Composer.

Fixed some missing social icons for social link types.

Fixed inability for legacy LESS themes to support rgb and rgba colors.

Fixed broken Dashboard page: Excluded URL Word List

Fixed inability to see proper options selected when editing user attribute key.

Fixed ImageValue::setImageFileID() must be of the type int, string given when updating some legacy theme customizer values (thanks martinkouba)

Fixed page summary templates link not working in page design panel.

Fixed inability to open block custom design toolbar in PHP 8.

Bug fixes to theme updates that use the text type customizer in certain situations (thanks martinkouba)

Fixed: Non super admin cannot move a block pasted from clipboard (thanks jaromirdalecky)

Bug fixes to legacy theme customizer with themes that used the same variable for different variable types.

Fixed error Base table or view not found: 1146 Tablemessengerscheduledtasks' doesn't exist when upgrading from 8.5.x to 9.0.

Fixed: Country select menu has the form-control class instead of form-select.

Developer Updates

Banned Words validation service classes completely refactored and modernized (thanks hissy)

Make it so users can disable core middlewares (thanks mlocati)

Security Fixes

Fixed CVE-2021-22970: Concrete allowed local IP importing causing the system to be vulnerable to a. SSRF attacks on the private LAN servers and b. SSRF Mitigation Bypass through DNS Rebinding. Concrete now disabes all local IPs through the remote file uploading interface. Concrete CMS security team gave this a CVSS v3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N This CVE is shared with HackerOne Reports #1364797 (Thanks Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) and #1360016 (Thanks Bipul Jaiswal) This fix is also in Concrete v 8.5.7

Source code(tar.gz)
Source code(zip)
8.5.7(Nov 9, 2021)
Bug Fixes

Fixed issue where remote updater would read the entire update into memory, leading to potential out of memory errors when updating the core.

Fixed error when setting global calendar permissions in the Dashboard.

Fixed issue where reset users weren’t properly notified when logging in that their passwords needed to be changed (thanks hissy)

Fixed: reCAPTCHA timout after 2min (thanks JeffPaetkau)

Fixed: fatal error on upgrade french version 8.5.5 to 8.5.6, "2 plural forms instead of 3" (thanks mlocati)

Fixed error with rich text conversation editor not working (Thanks hissy)

Fixed issue with URLs being case sensitive in some internationalization cases (thanks dimger)

Fixes to topic attribute search index content (thanks hissy)

Maintenance mode now returns the 503 HTTP error code when running (thanks hissy)

Fix Call to a member function isDefault() on null" error on the site upgraded from 5.7 when using the migration tool (thanks hissy)

Fixed issue where rich text attribute type wasn’t showing a full toolbar (note: in the future we want to make this an option, and strongly recommend users use this smaller, sanitized toolbar – but it should be an option, not the default.)

If a file has a password in the file manager, you will not be able to view it inline in the rich text editor.

Fixed: Changing database charset in dashboard throws error: call to a member function add() on null (thanks myq)

Library Updates

Bump CKEditor from 4.16.1 to 4.16.2 (thanks hissy)

Security Fixes

Fixed CVE-2021-22966 - Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a bulk update permission security check. Concrete CMS Security team CVSS scoring: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H Credit for discovery: "Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )" This fix is also in Concrete version 9.0.0

Fixed CVE-2021-40101: Admin users must now provide their password when changing another user’s password from the Dashboard.Concrete CMS security team CVSS scoring is 6.4 AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H. Credit for discovery: "S1lky”. This fix is also in Concrete version 9.0.0

Fixed CVE-2021-22968: A bypass of adding remote files in Concrete CMS File manager lead to remote code execution. We added a check for the allowed file extensions before downloading files to a tmp directory. Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N Thanks Joe for reporting! This fix is also in Concrete version 9.0.0

Fixed CVE-2021-22951: “Unauthorized individuals could view password protected files using view_inline”. Concrete CMS now checks to see if a file has a password in view_inline and if it does we don’t render the file. Concrete CMS security team CVSS scoring is 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Credit for discovery: "Solar Security Research Team". This fix is also in Concrete version 9.0.0

Follow up fix for CVE-2021-40107: Stored XSS in comment section/FileManger via "view_inline" option. We were informed the fix put into version 8.5.6 was not sufficient. Thanks "Solar Security Research Team". We now check to see if a file has a password in view_inline and, if it does, we don’t render the file. Concrete CMS security team CVSS scoring is 5.3: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N This fix is also in Concrete version 9.0.0

Fixed CVE-2021-22967: insecure indirect object reference (IDOR); an unauthenticated user was able to access restricted files by attaching them to a message in a conversation. To remediate this, we added a check to see if a user has permissions to view files before attaching the files to a message in "add / edit message”. The Concrete CMS security team gave this a CVSS v3.1 score of 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Thanks Adrian H for reporting! This fix is also in Concrete version 9.0.0

Fixed CVE-2021-22969 : SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys. To fix this, Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS. The Concrete CMS team gave this a CVSS v3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N . Discoverer: Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) Please note that Cloud IAAS provider mis-configurations are not Concrete CMS vulnerabilities. A mitigation for this vulnerability is to make sure that the IMDS configurations are according to a cloud provider's best practices. This fix is also in Concrete version 9.0.0

Fixed CVE-2021-22970: Concrete allowed local IP importing causing the system to be vulnerable to a. SSRF attacks on the private LAN servers and b. SSRF Mitigation Bypass through DNS Rebinding. Concrete now disabes all local IPs through the remote file uploading interface. Concrete CMS security team gave this a CVSS v3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N This CVE is shared with HackerOne Reports #1364797 (Thanks Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) and #1360016 (Thanks Bipul Jaiswal) This fix is also in Concrete v 9.0.1

Source code(tar.gz)
Source code(zip)
9.0.0(Oct 29, 2021)
Major New Features

Boards

Summary Templates

Multisite support.

New modern theme for 2021 – Atomik

New Gallery block built into the core.

Completely rebuilt file manager that has much better folder and advanced search support, support for home folders, favorite folders, external file providers, a new file upload UI and much much more.

Completely new upload experience that adds support for additional service provider plugins.

A completely new integrated image editor

Overhauled theme customizer, with support for skins, non-customizable skins, SCSS support, Bootstrap 5 and more.

Tasks: a completely rebuilt, much improved version of classic Concrete Jobs, with support for queueing, scheduling, unified input/output within the console and web interfaces, live output with Mercure and more.

User Group Types: Add the ability to create types of groups, including roles within groups, group management based on roles within groups, and more.

An overhauled UI built off of Bootstrap 5 and Concrete Bedrock

Other New Features and Improvements

Express now supports multisite.

Added the ability to edit page aliases from within the Dashboard sitemap (thanks mlocati)

Added the ability to customize the from name registration email parameter (thanks katzueno)

New Breadcrumb Navigation block now available (thanks hissy)

Much improved performance throughout, due to better navigation caching, and cache optimization (hissy and core team)

Added pagination to clipboard panel and the ability to reset all clipboards from the Dashboard (thanks bitterdev)

Added configuration for whether to log email body contents or just metadata (thanks bitterdev)

Support for interactive theme documentation and block preview.

Added bulk page permissions commands to the page search interface (thanks bitterdev)

Added the ability to upload a CSV of users to assign to a particular group. (thanks bitterdev)

Completely new image editor plugin framework. Ships with TUI Image Editor.

New icon selector component when working with block types like Feature that allow users to select icons.

Added logging for file uploads and file deletions (thanks bitterdev)

File manager can now automatically populate file attributes from EXIF metadata on upload (thanks bitterdev)

Implement Clear-Site-Data header after a successful login (thanks ahukkanen)

Added block title format for Date Navigation block (thanks katalysis)

Much improved Image block, including the ability to load images in lightboxes, display thumbnails of image in the page, and much more.

add delete button to package that is just uninstalled or download (thanks hissy)

Improved login performance when logging in with Remember Me cookie.

New Page Version Comment field available in page composer (thanks hissy)

Introduce new middlewares for security options (thanks hissy)

User must now confirm the existing password when changing their own password or another user’s password in the Dashboard.

Much improved asynchronous thumbnail generation process, with enhancements from the CLI task runner and Mercure (thanks bitterdev)

Bug Fixes

Files are not placed in a folder's selected storage location if it has a custom storage location (thanks danklassen)

Fixes bug where files moved to folders were not using those folders storage locations (thanks danklassen)

If a form redirects to an external page that includes a query parameter, the result is a malformed URL. (thanks JeffPaetkau)

FIxed error when marking URL slug as required in composer form (thanks httnnnkrng)

Fixed: User workflows - User activation does not trigger on admin email validations (thanks bitterdev)

Document Library - Handle missing folder

Avoid an exception on express_entry_detail block when the express form ID is not exists (thanks biplobice)

Copied block with no edit mode has "edit block" link which throws excepetion (thanks gutig)

Fixed bugs within Redis-powered full page caching driver (thanks matt9mg)

Developer Updates

Badges and community points have been removed from the core. If you need this functionality, install the Community Badges add-on from https://github.com/concrete5/community_badges prior to upgrading your site.

Concrete now runs on PHP 8.

Tools have been completely removed, including from blocks and packages. Their functionality has been more securely and flexibly available with the routing and controller systems for many years now. (thanks mlocati!)

Completely rebuilt new queue system, built on Symfony Messenger.

Completely new command/message system, built on Symfony Messenger.

Many core components updated to their latest version, including Laravel and Symfony components.

Add overridable collection handle generator (thanks hissy)

Removing old process.php script for backend requests.

Introducing a new command bus pattern. Developers can use to encapsulate their commands, reusing them with one or two lines in multiple places.

Swapped underlying HTTP client with Guzzle and PSR7.

Router adds support for single action controllers with __invoke (thanks shahroq)

Allow Form helper to handle new HTML input types (thanks JohnTheFish)

https://github.com/concrete5/concrete5/pull/9479 (thanks jeffPaetkau)

Blacklist/whitelist terminology renamed throughout the core.

Backward Compatibility Notes

If you use Core::make(), $app->make() or anything similar in your packages, and provide arguments to these classes at the same time, recent updates to the Laravel Container class may break some older code. Please see this tutorial for more information: https://documentation.concretecms.org/tutorials/add-developers-get-your-add-ons-ready-concrete-cms-90

Beginning in version 8, we added the ability to override core elements from within your themes. For example, if the core requires an element via View::element(‘conversations/add_post’; the core looks for this add-on in concrete/elements/conversations/add_post.php. However, if the currently active theme provides this element in themes/my_theme/elements/concrete/conversations/add_post.php, it will be used instead. We are changing this to remove the concrete/ directory from the elements directory within your theme. That means in order to override any core element from within your theme, you only need to make it available at the same path within the elements/ directory of your theme.

If you register custom help for specific pages in your package, make sure to do so from within your package’s on_start method rather than from within the Dashboard page. Our new help panel requires this. See https://github.com/concrete5/concrete5/issues/9869#issuecomment-927136592 for more information.

Console command c5:blacklist:clear has been renamed c5:denylist:clear

If you work with Concrete cookies directly in your server configurations, be aware that they have been renamed. The default session cookie has been changed from CONCRETE5 to CONCRETE; the default is-logged-in cookie has been changed from CONCRETE5_LOGIN to CONCRETE_LOGIN.

Source code(tar.gz)
Source code(zip)
9.0.0RC4(Sep 17, 2021)

Source code(tar.gz)
Source code(zip)
8.5.6(Sep 16, 2021)
New Features

Added Session Options Dashboard page that will allow administrators to configure many aspects of the session cookie.

Behavioral Improvements

Added support for translation placeholders (thanks shahroq)

Re-enabled connect to community for the marketplace; reworked to sidestep issues with browser cookie compatibility

Add autocomplete=off to various password fields.

"Index Search Engine - Updates" job should not re-index all entries (thanks hissy)

Fix default formatting of datetime exports in express export csv (thanks deek87)

Improvements to IP parsing for actions like allowlist/blocklist (thanks mlocati)

Bug Fixes

Fixed error when pages weren’t getting accurately set in the full page cache.

Fixes for errors/warning occurring with PHP 7.3 and 7.4 when "Consider warnings as errors" is set (thanks arielkamoyedji)

Additional dialogs within CKEditor link dialog (Sitemap, Browse Server) prevent further page scrolling even after being closed (thanks hissy)

Fix error attaching a Facebook account to a user profile (thanks biplobice)

Fixed disappearing survey and calendar event dialogs in some cases (thanks hissy)

Bug fixes on switching language using the Switch Language block (thanks biplobice)

Fixed inability to save channel logging settings on the Dashboard page (thanks Hmone23)

Fixed bug where layouts can’t be moved above blocks (thanks Haeflimi)

Fixed bug in the 8.5 file manager when selecting on single file in multi-file selector (thanks deek87)

Fix to show page drafts created by the current user (thanks hissy)

Fix user selector attribute being un-searchable (Note: you will have to recreate your attributes before they are properly searchable).

Bug fixes to search popup with pagination (thanks deek87, katz, hissy)

Fixed 403 Error in Page Defaults when using REDIS for Caching (thanks deek87)

Security Fixes

Fixed Hackerone report 1102067, CVE-2021-40097: Authenticated path traversal to RCE by adding a regular expression

Fixed Hackerone report 1102080, CVE-2021-40098: Path Traversal leading to RCE via external form by adding a regular expression

Fixed Hackerone report 982130, CVE-2021-40099: RCE Vulnerability by making fetching the update json scheme from concrete5 to be over HTTPS (instead of HTTP)

Fixed Hackerone report 616770, CVE-2021-40100: Stored XSS in Conversations (both client and admin) when Active Conversation Editor is set to "Rich Text"

Fixed Hackerone report 921288, CVE-2021-40102: Arbitrary File delete via PHAR deserialization

Fixed Hackerone report 1063039, CVE-2021-36766: Security issues when allowing phar:// within the directory input field. (thanks deek87)

Fixed Hackerone report 1102211, CVE-2021-40103: Path Traversal to Arbitrary File Reading and SSRF

Fixed Hackerone report 1102088, CVE-2021-40104: SVG sanitizer bypass by swapping out the SVG sanitizer in the core with this third party library darylldoyle/svg-sanitizer

Fixed Hackerone report 1102054, CVE-2021-40105: Fixed XSS vulnerability in the Markdown Editor class in the conversation options

Fixed Hackerone report 1102042, CVE-2021-40106: Unauth stored xss in blog comments (website field)

Fixed Hackerone report 1102020, CVE-2021-40107: Stored XSS in comment section/FileManger via "view_inline" option

Fixed Hackerone report 1102018, CVE-2021-40108: Adjusted core so that ccm_token is verified on "/index.php/ccm/calendar/dialogs/event/add/save" endpoint

Fixed Hackerone report 1102225 which was split into two CVEs: An attacker could duplicate topics and files which could possibly lead to UI inconvenience, and exhaustion of disk space. For CVE-2021-22949: Added checking CSRF token when duplicating files in the File Manager. For CVE-2021-22953: Added checking CSRF token when cloning topics in the sitemap.

Fixed Hackerone report 1102177, CVE-2021-22950: To fix CSRF in conversation attachment delete action, updated core to verify ccm_token when conversation attachments are deleted.

Fixed Hackerone report 1102105, CVE-2021-40109: To fix a reported SSRF vulnerability, the core was updated to disable redirects on upload, add an http client method to send request without following redirects, and put in a number of url/IP protections (examples: blocked big Endian urls, blocked IP variants from importing, prevented importing from hexadecimal/octal/long IPs)

(Special thanks to Solar Security Research Team and Concrete CMS Japan)
Source code(tar.gz)
Source code(zip)
9.0.0RC3(Aug 18, 2021)

Everything in 9.0, 9.0.0RC1, 9.0.0RC2 + new bug fixes
Source code(tar.gz)
Source code(zip)
9.0.0RC1(Aug 4, 2021)
Major New Features

Boards

Summary Templates

Multisite support.

New Gallery block built into the core.

Completely rebuilt file manager that has much better folder and advanced search support, support for home folders, favorite folders, external file providers, a new file upload UI and much much more.

A completely new integrated image editor

Overhauled theme customizer, with support for skins, non-customizable skins, SCSS support, Bootstrap 5 and more.

Tasks: a completely rebuilt, much improved version of classic Concrete Jobs, with support for queueing, scheduling, unified input/output within the console and web interfaces, live output with Mercure and more.

User Group Types: Add the ability to create types of groups, including roles within groups, group management based on roles within groups, and more.

An overhauled UI built off of Bootstrap 5 and Concrete Bedrock

Other New Features and Improvements

Express now supports multisite.

Added the ability to edit page aliases from within the Dashboard sitemap (thanks mlocati)

Added the ability to customize the from name registration email parameter (thanks katzueno)

New Breadcrumb Navigation block now available (thanks hissy)

Much improved performance throughout, due to better navigation caching, and cache optimization (hissy and core team)

Added pagination to clipboard panel and the ability to reset all clipboards from the Dashboard (thanks bitterdev)

Added configuration for whether to log email body contents or just metadata (thanks bitterdev)

Added bulk page permissions commands to the page search interface (thanks bitterdev)

Added the ability to upload a CSV of users to assign to a particular group. (thanks bitterdev)

Completely new image editor plugin framework. Ships with TUI Image Editor and Filerobot Image editor.

Added logging for file uploads and file deletions (thanks bitterdev)

File manager can now automatically populate file attributes from EXIF metadata on upload (thanks bitterdev)

Implement Clear-Site-Data header after a successful login (thanks ahukkanen)

Added block title format for Date Navigation block (thanks katalysis)

Much improved Image block, including the ability to load images in lightboxes, display thumbnails of image in the page, and much more.

add delete button to package that is just uninstalled or download (thanks hissy)

Improved login performance when logging in with Remember Me cookie.

New Page Version Comment field available in page composer (thanks hissy)

Introduce new middlewares for security options (thanks hissy)

Bug Fixes

Files are not placed in a folder's selected storage location if it has a custom storage location (thanks danklassen)

Fixes bug where files moved to folders were not using those folders storage locations (thanks danklassen)

If a form redirects to an external page that includes a query parameter, the result is a malformed URL. (thanks JeffPaetkau)

FIxed error when marking URL slug as required in composer form (thanks httnnnkrng)

Fixed: User workflows - User activation does not trigger on admin email validations (thanks bitterdev)

Document Library - Handle missing folder

Avoid an exception on express_entry_detail block when the express form ID is not exists (thanks biplobice)

Copied block with no edit mode has "edit block" link which throws excepetion (thanks gutig)

Fixed bugs within Redis-powered full page caching driver (thanks matt9mg)

Developer Updates

Badges and community points have been removed from the core. If you need this functionality, install the Community Badges add-on from https://github.com/concrete5/community_badges prior to upgrading your site.

Tools have been completely removed, including from blocks and packages. Their functionality has been more securely and flexibly available with the routing and controller systems for many years now. (thanks mlocati!)

Completely rebuilt new queue system, built on Symfony Messenger.

Completely new command/message system, built on Symfony Messenger.

Many core components updated to their latest version, including Laravel and Symfony components.

Add overridable collection handle generator (thanks hissy)

Removing old process.php script for backend requests.

Introducing a new command bus pattern. Developers can use to encapsulate their commands, reusing them with one or two lines in multiple places.

Swapped underlying HTTP client with Guzzle and PSR7.

Router adds support for single action controllers with __invoke (thanks shahroq)

Allow Form helper to handle new HTML input types (thanks JohnTheFish)

https://github.com/concrete5/concrete5/pull/9479 (thanks jeffPaetkau)

Source code(tar.gz)
Source code(zip)
8.5.5(Mar 18, 2021)
8.5.5

New Features

Let user specify the SMTP HELO/EHLO domain for their SMTP server (thanks mlocati)

Behavioral Improvements

Removed version from meta generator tag.

CKEditor updated to 4.15.0 (thanks mlocati)

Page drafts are now viewable by the view page draft permission (thanks HMone23)

Updated list of UK counties (thanks Mesuva)

Update CKEditor from 4.15.0 to 4.15.1 (thanks mlocati)

Fix: make email log readable by decode quoted printable text (thanks hissy)

Bug Fixes

Fixing bug where accidentally re-saving a theme preset layout (e.g. “Left Sidebar”) as a user preset would cause a site to become unresponsive.

Fixed bug where pages indexed through the CLI search index job weren’t indexed properly (thanks haeflimi)

Page Selector attribute now properly searchable (thanks dimger)

No longer fire event execute_job twice (thanks deek87)

Fixing error when rescanning a multilingual locale (thanks mlocati)

Fixed error or max execution timeout that can occur when logging out of multilingual websites (thanks hissy)

Fixed: [CKEDITOR] Error code: editor-element-conflict. (thanks mlocati)

Fixed error: No such file or directory error when editing an aliased block which is not editable (thanks mlocati)

Fix some issues when using tags on multilingual site (thanks hissy)

Fix duration of IP bans (they were supposed to last seconds but instead used the same value and in minutes) (thanks mlocati)

Fixed: Stacks don't update if caching is enabled (thanks hissy)

Correctly parse non-decimal IP addresses (thanks mlocati)

Fix: enable to send private message to all groups at once (thanks hissy)

Fixed: Redis cookie handler always use the session name as a prefix (thanks mlocati)

Fixed an error where 404 does not work in multi language cases under certain situations (thanks hissy)

More resilient upgrade routine when dealing with conflicting character sets in mysql (thanks mlocati)

Fix issue where a rich text field on a form block doesn't re-populate contents after submit (thanks Mesuva)

Fixed: Express Forms - CSV Export does not respect datetime format from config (thanks 1stthomas)

Fix bug: Express Form can generate same attribute keys for multiple attribute keys (thanks hissy)

Fixes filtering by multiple topic attributes on an item list (thanks hissy)

Banned words with multibyte characters are now accurately detected (thanks hissy)

Use UserMessageException when invalid path traversal is detected (thanks mlocati)

Do not remove picture elements on rendering textarea attribute value (thanks hissy)

Fix "call to a member function overrideCollectionPermissions() on a non-object" in AreaAssignment (thanks mlocati)

Security Fixes

Fixed CVE-2021-28145 XSS in Surveys fixed (thanks deek87)

Fixed CVE-2021-3111 Stored XSS on express entries H1 report 873474

Developer Updates

Allow routes with optional arguments (thanks mlocati)

Source code(tar.gz)
Source code(zip)
8.5.4(Jun 9, 2020)
Bug Fixes

Fixing update errors that can happen (Update causes exception): https://github.com/concrete5/concrete5/issues/8729 (thanks mlocati)

Fix certain occasions where editing pages would result in composer being unable to load blocks. Fixes error “Unable to load block into composer” (Note: this will fix the issue for pages going forward, but existing pages with this error will not be resolved.)

Additional Functionality Present in 8.5.3 not described in previous release notes

New Features (Note: some of these are present in 8.5.3)

Added the ability to copy, paste, import and export style customizer settings at the page level (thanks mlocati)

Added new public identifier property to express entries; you can use this identifier to relate entries to each other, or within custom API requests in such a way that it can’t be guessed.

Added a new Group custom attribute type for use with Express.

Added the ability to specify file storage locations at the file folder level (thanks marvinde)

Added the ability to send private messages to all users in a specific group.

CSV files exported from Express objects now containing association data.

Added the ability to show/hide survey results in the survey block.

Added a console command to export express entities.

Added the ability to require associations be selected in Express forms.

Running the reindex search all function will now reindex all Express entities and entries as well.

Behavioral Improvements (Note: some of these are present in 8.5.3)

Improvements to code quality, speed and efficiency (thanks mlocati)

Improvements to file importer code quality, better sanitization of problematic SVGs on upload. (thanks mlocati)

Much improved address attribute logic and presentation for non North American countries/provinces/states – see https://github.com/concrete5/concrete5/issues/7943 (thanks ahukkanen)

We now refresh the file manager after changing properties (thanks marvinde)

Developer Improvements (Note: some of these are present in 8.5.3)

Added coding style guideline sniffer using phpcs directly into the concrete5 console (thanks mlocati)

Refactored file importer, added support for pre and post processors (thanks mlocati)

Generalizes IP Blocking, making it easier for developers to add support for blocking IPs based on custom actions (thanks mlocati)

Cleanup and improvements to the c5:package:pack command (thanks mlocati)

Source code(tar.gz)
Source code(zip)
8.5.3(Jun 4, 2020)
New Features

Added the ability to display the version status on the results page of a Page Search (thanks biplobice)

Added the ability to log API requests via a Dashboard setting (thanks Kaapiii)

Add phone and email to social links (thanks mlocati)

The YouTube Video block now supports lazy loading. (Thanks MrKarlDilkington)

Behavioral Improvements

Moves the custom block template selector from the advanced tab to buttons (thanks Mesuva)

YouTube block: Delete 'show video infomation' option and change option name of showing related videos (thanks yuuminakazawa)

Return a response object instead of exiting after saving a block (thanks mlocati)

Fixed: We don't have to generate thumbnails if the image is in the private storage location (thanks hissy)

Fixed potential errors that could result when adding invalid regular expressions into the Google authentication type whitelist/blacklist (thanks mlocati)

When you uncheck “include attribute in search index” then the columns will be fully removed from the search indexing tables (thanks mlocati)

Update OAuth password check to use PasswordHasher class (thanks Mesuva)

CKEditor: turn off 'Edit Source' before submit (thanks mlocati)

Fix issue with sitemap generation in multilingual sites (thanks dimger)

concrete5 handle the session garbage collection if a server isn’t going to do it (thanks mlocati)

Select Multiple now works from within the file manager again (thanks deek87)

When the user opens "Schedule Publishing" dialog, show a warning message if there is another scheduled version (thanks hissy)

Add "Cancel Scheduled Publish" button in "Publish Pending" dialog (thanks hissy)

Show a logout view to logged in users on the login page

More logging during OAuth attach/detach attempts.

Added a unique page ID class to each page for page targeting (thanks Shahroq)

Added a blacklist of file extensions to ensure that developers can’t easily add PHP to a list of uploadable file types (thanks mlocati)

Improves to logout speed under certain circumstances (thanks kkyusuke)

Calendar block height set to auto for better display in small width areas (thanks nakazanaka)

Fixed: getUserAccessEntityObjects returns guest if no session found (thanks biplobice)

The Refresh Token grant is now available for OAuth2 APIs (thanks kkyusuke)

Use local date time format in CSV (thanks hissy)

Faster and safer duplication of FAQ/Image Slider blocks (thanks mlocati)

Added an exception in case there's no template file to render (thanks iampedropiedade)

Added raw and samesite options to cookie (thanks iampedropiedade)

Improve distinction between log severity icons (thanks JohnTheFish)

Bug Fixes

Fixed inability to save blocks or do much of anything on Chrome 83 (relates to Chrome 83 behavioral change) (thanks bikerdave)

Fixing not sending password to RedisArray in session and cache drivers (thanks deek87)

Fixed bug where unnecessary localized stacks are generated when adding stacks to a multilingual site (thanks hissy)

Fixed: 8.5.2 - Chunked file uploads generate multiple files in the backend (thanks ahukkanen)

Fix flat sitemap in the trash view (thanks hamzaouibacha)

Fixed: Given a calendar event that was starting yesterday and ends tomorrow. It's a strange behavior if this event doesn't show up today in the calendars "events list" block (thanks core77)

Fixed multiple issues with user groups (thanks deek87)

Failed to upload avatar on user account page because of ccm_token error (thanks deek87)

Fix file manager issue with number of items per page (thanks biplobice)

Fixed: Thumbnails broken for storage locations outside web root (thanks hissy)

Fixed: Unable to detach google account at My Account page due to null exception (thanks deek87)

Fixed inability to move multiple pages at once in certain situations (thanks wordish)

Unable to paste the screenshot into content block (thanks deek87)

Fixed: Failing block validation denies any further access to that block if you cancel editing (thanks jlucki)

Fix user-selector events firing more than once (thanks deek87)

Fixed: CSS of Free-Form Layouts (or 'Custom Layouts') isn't loaded if the visitor is not logged in (thanks Ruud-Zuiderlicht)

Fixed inability to insert a link in Rich Text editor custom attributes in the Dashboard context (thanks mlocati)

Fixed XSS issue where admin could insert tags into image slider titles.

Fix error caused by invalid sort direction.

Build youtube embed url with the league url class to fix issues when malicious admin uses invalid URLs.

Fixed: [Bug] Single pages lose their path if location is resaved in sitemap or composer. (thanks dimger)

[Fix] Image block hover option doesn't work for responsive images using the picture tag (thanks biplobice)

Fixed error when the sortBy column isn't exists on the advanced search result (thanks biplobice)

Fixed: Setup on Child Pages updates all pages of the type, not the type / template combination (thanks danklassen)

Fixed: getUserAccessEntityObjects returns guest if no session found (thanks deek87)

Fixed: The folder name is null when you create it with name '0' (thanks biplobice)

Fix setting the emails subject a second time with an undefined variable (thanks Kaapiii)

Fixed: 404 does not work in multi language case (thanks Kaapiii)

Fixed: CKEDITOR errors shown in console (thanks mlocati)

BC Fix: Make it so routes can echo their output (thanks mlocati)

Fix token error on flag_conversation_message (thanks guyasyou)

Fix document library block error when file node type is other than File or FileFolder (thanks biplobice)

Fixed: Unable to save layout if it contains a Form block (thanks mlocati)

Fix Fix initializing country/province link (thanks mlocati)

Avoid exception on express attribute form during certain edge cases (thanks biplobice)

HackerOne security fixes (thanks mlocati)

Fix error on submitting workflow request to a deleted user (thanks hissy)

Fix height/width of edit folder permissions dialog (thanks deek87)

php 7.2 fix for updating a conversation message (thanks danklassen)

Replying to a conversation does not clear editor (thanks danklassen)

Don't check POSIX permissions of API public key on Windows (thanks mlocati)

Fixing draggable zone on filemanager to only accept file/folder nodes (thanks deek87)

Fixed: Currently in version 8.5.x sites that have been upgraded from 5.7 sites, you can no longer replace files (thanks deek87)

Fixed upgrading from 5.7 under certain database circumstances (thanks mlocati)

Fix wrong translatable strings placeholders (thanks mlocati)

Fixed: Loading malformed html into a content block does some funky stuff (thanks mlocati)

Fix H1 report 753567 (thanks hissy)

Aliases are now shown in the Dashboard menu (thanks Ruud-Zicherlicht)

make c5:package:uninstall --trash not throw exception if there wasn't a problem (thanks nklatt)

Fix: Creating folders in the file manager doesn't create them in the right place

Fixed: Deleting a Form block instance for an Existing Express Entity Form can delete the original entity (thanks dimger)

Avoid error on save page list block options with empty custom topic node (thanks hissy)

FIxed bug in alphabetizing multilingual sections (thanks biplobice)

Fixed bug where public date/time page property wasn’t being properly validated if it was marked as required in a composer form (thanks matt9mg)

Fixed potential YouTube block exception (thanks matt9mg)

Fixed: select filterByAttribute can return all results (thanks matt9mg)

Fixed order of parameters in some implode() methods (thanks shahroq)

Fixed PHP errors raised when calling View::action() method of an attribute (thanks mlocati)

Fixed certain block type errors in advanced permissions and stacks (thanks mlocati)

Fixed: CLI update fails if there is a package dependency such as MultiStep Workflow add-on

Developer Improvements

Allow nested containers in custom theme layout presets (thanks jneijt)

Allow the AuthorFormatter class to be overridden (thanks danklassen)

Update concrete5 Translation Library (thanks mlocati)

Code cleanup and improvements (thanks mlocati)

[Fix] Config command with env option (thanks biplobice)

Correctly set express entity package reference during import (thanks olsgreen)

Added new buildRedirect method for easily creating redirects that honor the framework middleware from within controller methods (thanks mlocati)

We now test installation and upgrades within Docker in our unit test suite (thanks mlocati)

Update punic to 3.5.1 (thanks mlocati)

Add the ability to easily inject custom Config drivers (loaders/saves) and implement Redis drivers.

Fix phpdoc of the \Concrete\Core\Form\Service\Validation::test() (thanks biplobice)

Fixed bug where update process wouldn’t use the interface LongRunningMigrationInterface to increase timeout (thanks mlocati)

Add ForeignKeyFixer and c5:database:foreignkey:fix CLI command (thanks mlocati)

Source code(tar.gz)
Source code(zip)
8.5.2(Oct 2, 2019)
New Features

You can now control the number of results in the file manager from the file manager directly without loading the advanced search dialog (thanks marvinde)

You can now delete all entries from an existing Express object without deleting the object.

Update CKEditor from 4.11.1 to 4.12, add Placeholder plugin (thanks mlocati)

Add the ability for each Express Form block to have its own from address (thanks dimger)

Added the ability to set a background color for thumbnails and for use with the image editor (thanks marvinde)

Added the ability to search attributes when adding attributes to the page composer form (thanks iampedropiedade)

The Page Attribute block can now use custom templates (thanks danklassen)

Add GUI to configure trusted headers received by a proxy (thanks mlocati)

Add dashboard page to change database character set / collation (thanks mlocati)

ReCaptcha is now included as a captcha option in the core (thanks edbeeny and mlocati)

You can now include page aliases in searches in the Dashboard advanced page search (thanks HamedDarragi)

Allow email sending enable/disable from the dashboard (thanks biplobice)

Make it configurable whether or not to ignore page permissions for RSS feeds (thanks hissy)

Added the ability to show captions by default for the YouTube block (thanks ahukkanen)

Added a new install theme console command (thanks AdamBassett)

Behavioral Improvements

Add MySQL version and SQL_MODE to environment information (thanks mlocati)

Removed the extraneous exception stack trace when the MySQL connection fails during installation (thanks mlocati)

Added support for right-to-left languages in the concrete5 translate UI (thanks mlocati)

Fix error where sitemap panel would show up even if the user has no access to add pages or to the sitemap.

Improved uniformity between search interfaces in the Dashboard and dialogs for things like files, pages. Miscellaneous display bug fixes for search interfaces.

Add the author column on express entries CSV export (thanks biplobice)

Added file read route to the rest api (thanks deek87)

Use the HTTP 303 code for downloading files instead of HTTP 302 (thanks dimger)

Simplify the error message when copying a file to folder (thanks mlocati)

Added Choose New File to the top of the file selector menu to help users confused by the “Replace” option further below (thanks mlocati)

If the form redirects to a thank you page, pass the entry id so that the page can interact with the entry if desired. (thanks JeffPaetkau)

We now separate titles and content of installation errors if you encounter them (thanks mlocati).

In the desktop draft block, deleting a draft now no longer redirects you to the home page (thanks hamzaouibacha)

Improved reliability when uploading large files into the file manager (thanks mlocati)

RSS feed URL slugs can now have hyphens in them (to match the behavior of other concrete5 URL slugs) (thanks bikerdave)

Added rel=noopener noreferer to different places in the core where we link to external pages, enabling better process management (thanks dimger)

Added Twitch Social Link (thanks core77)

Composer and block editing will no longer log you out while you are editing for a long period of time (thanks mlocati)

Remember me 2 weeks value is now configurable (thanks iampedropiedade)

Routing system now handles response objects returned by any controller on_start() methods (thanks mlocati)

Add a config key to support script-specific locales (thanks hissy)

Added the ability to disable checking for core and package updates when using concrete5 via composer (thanks mlocati)

Improvements to the display of the feature block icon selector (thanks shahroq)

PageTypeDefaults::SetupOnChildPages: Make Update forked blocks optional (thanks HamedDarragi)

Reduced the number of errors Doctrine complains about when inspecting the mapipng information for the core entity classes (thanks macserv)

Spelling errors fixed in certain error messages (thanks edbeeny)

Set quoted-printable encoding for outgoing emails for better compatibility (thanks mlocati)

Improvements to how the My Account menu was displayed in certain themes (thanks mlocati)

Don't ask to preserve old page path of external URLs (thanks mlocati)

When creating external links, the URL slug we generate is now based off the name of the link instead of the link (thanks dimger)

Better localization in edit mode of calendar, by including localized version of moment.js (thanks mlocati)

Brought back the ability to drag a file immediately into the file manager and have it begin uploading (Thanks mlocati)

Add asset version number to cache bursting query string (thanks mnakalay)

Show only the message when we have in case of UserMessageException (thanks mlocati)

Fixed - SEO issue: tag ignores any actions of page/block controller (thanks hissy)

Attribute controllers can now define the “No Value” text (thanks mlocati)

Reduced size of bundled bootstrap libraries; removed missing references to glyphicon font file

Bug Fixes

Fixed bug where XSS could be passed through to the select form helper under certain conditions.

Fixed bug when using the document library when MySQL has ONLY_FULL_GROUP_BY enabled (thanks dimger)

Fixed bug where additional cancel and submit search buttons were showing up in advanced search dialogs.

"Order Entries" page is not installed on upgrading from version 7 (thanks hissy)

Fixed buggy behavior when searching by associations in Express.

Fixed: Search Presets in dialog not actually submitting (thanks deek87)

Fixed: Bugs with search presets not being deletable, searching JS errors when working with search presets (thanks deek87)

Fixed bug with autoplay not starting in YouTube block due to https://developers.google.com/web/updates/2017/09/autoplay-policy-changes (thanks edbeeny)

Fixed bug when Express form sends notification with an image/file attribute and it’s not filled out (thanks a3020)

Add new Italian Province: South Sardinia (thanks mlocati)

Fix error where adding an image or a file to composer would complain about it not being present, even if it was.

Fixed error where file usage dialog did not work with files linked in the content block (thanks jeverd01)

Fixed bug where navigating directly to dispatcher.php would throw PHP errors.

Fixed error where global password reset didn’t require typing the confirm code.

FIxed inability to unapprove a page version in the versions menu (thanks kzn-a)

Fixed: Password Requirements dashboard page was not installed via 8.5.0 & 8.5.1 fresh install (thanks katzueno and hissy)

Fixed bug where clicking publish on a composer page draft could still create an extra version in some cases (thanks ahukkanen)

Fixed: ccmAuthUserHash cookie and "Stay signed in" functionality allows user impersonation if hash table is leaked (thanks mlocati)

Remove Guest from "Group to enter on registration" options (thanks hissy)

Fixed: Copy page does not change the mpRelationID of the new page (thanks 1stthomas)

Fixed error with user attribute not calling its method on the correct user object, leading to strange results (thanks deek87)

Fixed: If you dropped an image into the rich text description of an FAQ entry, when you went back to edit the entry, the image didn't show up (thanks JeRoNZ)

Fixes error where Download file does not show up for files that aren’t images (thanks MrKarlDilkington.)

Fixed: $c->getPageWrapperClass() removes all other specified classes (thanks HamedDarragi)

Fixed: UI: Can not select topic in large tree on Page Search (thanks hissy)

Fixed error in Redis cache backend: Password set in config is not sent Redis connection process (thanks HamedDarragi)

Fixed untranslated text in the Event List block (thanks iampedropiedade)

Fix showing empty error message when a problem occurred using Setup on Child Pages (thanks HamedDarragi)

Fixed error where bumping the concrete5 version number without changing a version_db number wouldn’t re-trigger an upgrade.

Fixes issue with broken links to files in textarea(richtext) attribute (thanks dimger)

Check $search_path is set and string in search block view (thanks r-kumazaki)

Fixed errors in full page caching under multisite setups. (thanks ahukkanen)

Fixed errors in full page caching with blocks that used special parameters – the page was saved properly but it would replace the contents of the pages without parameters (thanks ahukkanen)

Fixed: 8.5.2RC1 - Adding external link with URL "/" breakes the whole site (thanks mlocati)

Fix error on delete user who has express enties (thanks hissy)

Fix: calendar feed parameter and validation (thanks myq)

Fixed: Calendar events displayed only on starting month when they span multiple months (thanks cirdan)

Fixed bug with rich text editor not exporting content properly (thanks ahukkanen)

Fixed bug where we displayed an error when browsing directly to /dashboard/system/environment/entities/update_entity_settings (thanks mlocati)

Fixed bug where users who first created would be deactivated if automatic deactivation based on last login were turned on and they hadn’t yet logged in yet.

Fixed: blocks added to stacks that use JavaScript or CSS assets in their view templates were not working when the block was cached.

Fixed errors in localization class not including the Config class (thanks haeflimi)

Fixed login error complaining about Groups being a reserved word under Percona MySQL 8.0 (thanks macserv)

Fixed issue where in page list block, missing input validation results in mysql-error (thanks krebbi)

Fixed: Default Express Entry List search functionality does not allow for searching for multiple fields simultaneously (thanks suuuth)

Fixes bug where Express form answers were emailed in a random order, rather than in the order they displayed in the form (thanks joe-meyer)

Login page will now no longer let you render parts of authentication type forms if those types are not enabled.

Fixed bug where images or files added to front-end forms wouldn’t be included in the email notification about those forms.

Fixed bugs and cleaned up code in the Workflow classes (thanks mlocati)

Prevent leading/trailing commas from triggering errors in Legacy Form block (thanks MrKarlDilkington)

Fixed bugs when arranging stack proxy blocks in pages as a non-super user with advanced permissions enabled (thanks mlocati)

Blocks no longer remain in their target area if there was something about the move operation that failed (thanks mlocati)

Fixed multiple bugs when working with the HTML Upload interaction type in the image/file attribute (thanks mlocati)

Fix the layout of the search fields in "Page Report" page (thanks shahroq)

Fixed: Migration to ut8mb4 incomplete due to problems with schema (thanks mlocati)

Fixed bug where the hovering image in a file manager window didn’t disappear when clicking on the image record (thanks mlocati)

Fix inability to connect to marketplace on sites behind SSL when that site is also behing a proxy like Cloudflare (thanks mlocati)

Fixed: All Day Events are not determined correctly (thanks haeflimi)

Fix calendar block issues with all-day events (thanks biplobice)

Fixed inconsistencies when using Ctrl key to deselect images in the file manager (thanks mlocati)

Fix some issues installing content with the content XML format by disabling request cache during XML installation (thanks mlocati)

Fixed Issues when removing Custom Workflow Types (thanks deek87)

Fixed Issues when adding Workflows that have custom workflow types. (thanks deek87)

Refactored Workflow Types Class to use newer code. (thanks deek87)

Upgrading jQuery UI to 1.12.1 and downgrading jQuery to 1.12.2 to fix security issue (

Fixed bug when clicking on folders in Document Library (thanks dimger)

Fixed: When you add a datetime attribute into the search form, you'll get a JavaScript error.

Fixed: When paging through versions in stacks or on a page, clicking version doesn't show menu

Fixed errors when sorting attributes, inability to sort attribute sets as a regular administrator and not the super user (thanks mlocati)

Fixed: When opening existing repeated events, selected days were not selected.

Fixed: Unpublished repeated events get published after deleting part of events.

Bug fixes when updating a site from 5.7 (thanks deek87, mlocati)

Fixed warnings when sending mail with the intl extension enabled (thanks mlocati)

Fixed entity not found exception when retrieving author of a file when the author had been deleted (thanks mlocati)

Fixed StorageLocationFactory::fetchByName should return an instance (thanks hissy)

Miscellaneous cleanup in URL Resolver classes (thanks mlocati)

Fixed null pointer exception when user attempted to view calendars in the Dashboard but didn’t have permission access to the first calendar retrieved (thanks kaktuspalme)

Bug fixes when upgrading from previous versions of concrete5 (https://github.com/concrete5/concrete5/pull/7837) (thanks mlocati)

Fixed bug where account menu was floating underneath the concrete5 toolbar (thanks mlocati).

Fixed problems overriding the Express form context registry (thanks ahukkanen)

Fix block templates that edit the scope variables within the block view (thanks ahukkanen)

Fixed bug where default contact form in Elemental wasn’t set to store its form data in the backend, only to email it.

Fix H1 Report 643442 (thanks hissy)

Developer Improvements

Add 'noCountryText' option to Form::selectCountry() (thanks mlocati)

Check that LIBXML constants are defined (thanks mlocati)

Render jQueryUI dialog buttons in concrete5 style (see https://github.com/concrete5/concrete5/pull/7588 for example) (thanks mlocati)

Add CkeditorEditor::outputEditorWithOptions (thanks mlocati)

Updated Punic library to 3.4 (thanks mlocati)

Added app() global helper method to return an instance of the Application object (thanks rikzuiderlicht)

Update phpseclib from 2.0.13 to 2.0.21 (thanks mlocati)

Updated Bootstrap to 3.4.1 to fix XSS issue.

Added two new events: on_page_alias_add and on_page_alias_delete (thanks faker-ben-ali)

changing instructions order to send collection version with updated data when triggering approve page version event (thanks faker-ben-ali)

Add new DestinationPicker form widget to enable users to specify an object to link to, and get a nice widget instead of having to paste a URL (Thanks mlocati)

Update composer.json to add PDO ext as dependency for project (thanks gavinkalinka)

Upgrading Spectrum color picker color palette library to 1.8.0 (thanks mlocati)

Miscellaneous code cleanup and php documentation (thanks mlocati, biplobice, deek87, concrete5russia)

Update IPLib from version 1.6.0 to version 1.9.0 (thanks mlocati)

Add native lazy loading and JavaScript lazy loading support to the "html/image" service (thanks MrKarlDilkington)

Added optgroup functionality to the selectMultiple form helper method (thanks mlocati)

Force attribute keys to be in one set only during import (thanks mlocati)

Source code(tar.gz)
Source code(zip)
8.5.1(Apr 3, 2019)
Feature Updates

Added the ability to filter logs by time (thanks biplobice)

Behavioral Improvements

Improved translation of user logging in multilingual environments. (Thanks katzueno )

Improvements to code quality and reduction in suppressed errors (thanks mlocati)

improvements to using multiple user selectors on a page; miscellaneous bug fixes to user selector (thanks haeflimi)

improvements to installation on a cluster where site home page ID may not be 1. (Thanks mlocati)

Improved file size of app.css; removed unnecessary and broken CSS.

Simplify the warning when the database does not fully support utf8mb4 (thanks mlocati)

Bug Fixes

Fixed error where external form actions were not working.

Fix Exception already used in CharsetCollation\Manager (thanks mlocati)

Fixed error where move/copy didn’t work in site map flat view (thanks biplobice)

Fix resuming copy language tree operation (thanks mlocati)

Fixed inability to run some user bulk actions in the Dashboard.

Fixed JavaScript error when changing default calendar colors in the Dashboard.

Fixed error in API where authenticated requests could pass through to read any API route.

Fix error on package uninstall while remove the package directory is checked (thanks biplobice)

Hide publish now button on versions of pages when user doesn’t have permission to publish (thanks hissy)

Make sure custom thumbnails have upscaling enabled (https://github.com/concrete5/concrete5/pull/7697)

Source code(tar.gz)
Source code(zip)
8.5.0(Mar 14, 2019)
8.5.0

Feature Updates

File Storage Location improvements: added the ability to search by file storage location, added file storage location to the file menu, allows changing file storage in bulk using a progressive operation, prevents deletion of file storage locations if they have files (thanks marvinde)

Added the User Selector attribute to the core, enabling the selection of users for pages, files and Express objects (thanks haeflimi)

Much improved logging support: more actions are logged, and you have the ability to specify what log levels you want to keep/discard in the Dashboard. Additionally, Monolog Cascade support means granular logging configuration is available in the PHP config.

Added date modified to express entries (thanks deek87)

Added “Author” as a property to Express – the users who create express entries are tracked. Added form field for author property as well.

Added the ability to specify an HTML Input vs Entry Selector vs. Select2 search autocomplete for association selecting in the Dashboard (thanks hissy)

Added the ability to filter the Express Entry List block at the block level before the data hits the page.

Express Entry List block can now be filtered by associations in advanced search on the page (thanks hissy)

You can now filter block types by searching them when adding blocks in stacks (thanks mlocati)

Added preview images when mousing over images in the file manager (thanks haeflimi)

Updated CKEditor from 4.9.1 to 4.10.0 (thanks MrKarlDilkington)

Added the ability to search a site by any locale in the local selector on multilingual sites (thanks mlocati)

Added a page changes report that lets users export a full list of versions that have been created during a particular time period.

Nascent support for the upcoming REST API (defaulted to off.)

Add ability to configure password requirements in a new Password Options Dashboard page.

Add ability to keep users from reusing the same password.

Add ability to automatically log users out after a period of inactivity.

Added a Dashboard page to control Automated Logout settings that were previously only available by editing PHP config files directly (thanks mlocati)

Added ability to automatically log out all signed-in users from the Automated Logout page.

Added a dashboard page to configure trusted proxy IPs (thanks mlocati)

Show URL of selected page in sitemap selector (thanks mlocati)

Added an external authentication type based on OAuth2 authorization, allowing one concrete5 site to act as the authentication provider for another.

Add support to generate animated GIF thumbnails (Requires Imagick) (thanks mlocati)

Add “Scheduled” as an option for page searches (thanks deek87)

Add the ability to automatically deactivate user accounts that receive many failed login attempts

You now can control whether CSV exports contain a BOM with an Export Options Dashboard settings page (thanks mlocati)

Added ability for YouTube videos to skip setting a cookie (thanks HamedDarragi and tigerxy)

Behavioral Improvements

We have removed the spaces from URLs generated by the topic list block for improved display (thanks JackVanson)

We now show the types of Express entities being viewed in the Dashboard page header (thanks hissy)

Show errors when displaying Ajax dialogs fails (thanks mlocati)

We now remember the state of both sitemaps in the 2-up sitemap interface, instead of just 1 (thanks mlocati)

Split install steps in smaller chunks for better performance (thanks mlocati)

SVG images in the image block can now be resized in the image block (thanks dimger)

When entities that own other entities are deleted in Express their child entities will also be deleted.

Improvements to the stack panel: you can now drag the entire row (instead of a small handle) and you can click an arrow to expand/collapse the stack (thanks mlocati)

My Account now honors user attribute sets (thanks marvinde)

Registration now honors user attribute sets (thanks marvinde)

Added the ability to sanitize uploaded SVG files (thanks mlocati)

Improved performance of large CSV exports (thanks mlocati)

Express Entry Detail block now modifies the title of the page when it’s rendering a detailed express entry (thanks hissy)

Improvements to drag performance and experience in sitemap (thanks mlocati)

Miscellaneous improvements to editing external links – https://github.com/concrete5/concrete5/pull/7004 (thanks mlocati)

When deleting an element (express entity, file, page, site, user), the associated row in the index table are automatically deleted (thanks mlocati)

Uploading files via the Your Computer dialog in the File Manager now has chunking support (thanks joemeyer)

Fixed error where “stay signed in for two weeks” didn’t work (thanks Xianghar)

Send a JSON error response only if the client is requesting a JSON response (thanks mlocati)

When showing changelog updates for packages we now read from CHANGELOG.txt and CHANGELOG.md if they exist (thanks mlocati)

You can now view SVG images in the file manager like other image files (thanks mlocati)

Remove frameborder attribute on YouTube block and use CSS border for W3C validation (thanks marvinde)

Show different text for aliases and external links in removal confirmation (thanks mlocati)

New and existing databases will be updated to utf8mb4 – adding emoji support! (thanks mlocati)

Add a version-specific querystring parameter to URL local assets based on core version or the package version (thanks mlocati)

Improvements and consolidation of different libraries used to upload files (thanks mlocati)

Added CKEditor Emoji plugin (thanks mlocati)

Allow sending the registration notification to multiple email addresses (thanks marvinde)

Fixing issue with Image Editor not adding crossOrigin (thanks deek87)

Moving Delete all channels button to header to remove ambiguity (thanks joemeyer)

Use translated text when dislaying checkbox labels with the checkbox custom attribute (thanks mlocati)

Fixed bug where deleted pages could break uses of the page selector component that referred to them (thanks Ruud-Zuiderlicht)

We use less memory when uploading and resizing large images in the file manager (thanks mlocati)

Better validation against unexpected input when filtering page list blocks and page title blocks by months and years (thanks hissy)

Better error checking against remote files uploaded in the file manager (thanks mlocati)

Keep animations when ConstrainImageProcessor resizes animated GIFs (only works if you’re using Imagick support in PHP) (thanks mlocati)

Return the default 404 error page if a feed can't be found (thanks mlocati)

You can now merge social links as well as append them in config (thanks mesuva)

We force MyISAM database tables for the PageSearchIndex now only if the MySQL version of InnoDB tables doesn’t support it (thanks mlocati)

Downloading multiple files with the same name downloads only one (thanks marvinde)

Added the ability to replace a page with another page (thanks mlocati)

Update CKEditor from 4.10.0 to 4.11.1 and add Auto Link plugin (thanks MrKarlDilkington)

Fixed workflow emails showing irrelevant dates in some cases (thanks katzueno)

Fixed: Group Combination returns wrong group combination if there is another entity contains same group combination (thanks deek87)

Improved speed when adding files to file sets because we no longer refresh thumbnails on every add to file set (thanks mlocati).

Fixed incorrect flag showing if a page is aliased from one locale to the next (thanks Ruud-Zuiderlicht)

Fixing errors in UserList::filterByInAnyGroup (thanks deek87)

Fix issue where some console commands didn’t have a description even though it had been set in the command class (thanks mlocati)

Fixed: When using inline blocks, I can edit other inline blocks (thanks hissy)

(Try to) redirect to the newly generated thumbnail if it's the requested one (thanks mlocati)

Dashboard page title tags are now translated properly (thanks mlocati)

Stack In Dashboard leave pop-up menu when adding a content block (thanks mlocati)

Bug Fixes

Fixed inability to delete conversation messages from dashboard (thanks hissy)

Fixed: Unpublished scheduled page gets published when there is a new version with schedule (thanks deek87)

Fixed: Avoid displaying an empty message when forcing exit edit mode (thanks mlocati)

Fixed built-in limit of 1920x1080 on some uploads (thanks mlocati)

Fixed: Automatically resize uploaded images" breaks PNG semi-transparency (thanks mlocati)

Fixed: User with 'Approve Changes' permission is not able to approve content in global areas (thanks mlocati)

Fixed: Avoid error on getting users of group permission access entity when group has been deleted (thanks hissy)

Improved page version publishing date support to ensure that versions cannot overlap (thanks mlocati)

Fix too many results in PagerAdapter::getSlice (thanks mlocati)

Fixing Issue when deleting users who created other users (Thanks deek87)

Fixed bug where a session cookie is always created in a multilingual site, even when it shouldn’t be required (thanks marvinde and mlocati)

Fixed poor performance when running the search indexing job on large sites where areas are set to use the blacklist indexing method (thanks ahukkanen)

Fixed: Trying to add a larger number of files to a file set in bulk leads to an out of memory error (thanks mlocati)

Fixed errors and buggy behaviors in sitemap overlay dialog (thanks marvinde)

Fixed minor display issues with the page version listing dialog/panel (thanks marvinde)

Fixed When the Zend I18N component loads language files with wrong or missing plural rules (thanks mlocati)

Correctly detect if sendPrivateMessage returned an error (thanks mlocati)

Fixed Call to a member function getTimezones() on null on editing profile (thanks mlocati)

MIscellaneous bug fixes with scheduled pages and 404 experience (thanks deek87)

Fix ParentPageField search field when page is no (more) available (thanks mlocati)

Fixed bug where editing an express entry in the Dashboard doesn’t re-show the entry form when validation is failed (thanks ahukkanen)

Fixed inability to add page type composer output control blocks if you were not the super admin but you still had access to page type defaults (thanks hissy)

Fixed: Single::addGlobal can create the same single page repeatedly (thanks hissy)

Fix resizing images on import when only max height is set (thanks mlocati)

Fixed: Thumbnail error takes down Dashboard completely (thanks mlocati)

Fixed: we now check more appropriate permissions when checking to see if users have permissions to edit stacks (in advanced permissions) (thanks mlocati)

Fixed: Deleting attributes used with customized results in advanced search leads to an error (thanks mlocati)

Fixed: RSS Feed can not be filtered by multilingual parents (thanks mlocati)

Add CSRF validation token to Copy Languages (thanks mlocati)

Fixed bug when the site id contained in the ConcreteSitemapTreeID cookie does not match a valid site (thanks marvinde and a3020).

Fix an error when selecting trash or system pages as the parent page on page search (thanks deek87)

Fixed: Old draft pages of multilingual site upgraded from 5.7.5.13 to 8.4.x gets error (thanks deek87)

Fixed bug where users could see certain aspects of others users private messages (thanks mlocati)

Patch Zend HTTP with security update to fix https://framework.zend.com/security/advisory/ZF2018-01 (thanks mlocati)

Fixed: Currently when using a userSelector if you search for a user or load a new page and try to use the dropdown to select user(s). The option will disappear. (thanks deek87)

Fixed: Page Selector with pagination doesn't work (thanks marvinde)

Fixed bug where exporting forms might put the form data in the wrong columns.

Fixed: Page version menu doesn't close automatically (thanks joemeyer)

Fixed: Option for the multilingual canonical URL is not respected (thanks 1stthomas)

Fixed: https://github.com/concrete5/concrete5/issues/7152 (thanks mlocati)

Fixed: Block is not being rendered using custom template after editing when custom template was set programmatically (thanks fabian)

Only parse $_SERVER[‘argv’] on the command line (thanks mlocati)

Developer Updates

Completely new routing component with a much nicer syntax for creating custom routes to closures, controllers and other classes, with full support for route requirements, HTTP verbs and much more. (fully backward compatible)

concrete5 now supports PHP 7.3

Adding Redis as a Session and Cache handler (thanks deek87 and concrete5 Japan)

Added the ability to rescan files via a console command.

Much improved console command, including support for progress bar, Laravel-like syntax definitions and more.

Improve ability to configure and extend concrete5 session.

New memcache session handler. See https://github.com/concrete5/concrete5/pull/7258 for configuration information.

Added an option to control whether or not to display parent page in AutoNav (thanks hissy)

Allow custom class loading from the package for a custom permission key (thanks biplobice)

Trigger event when the display order of a page changes (thanks a3020)

Improved SiteLocaleSelector: show Country in addition to Language, and added new selectMultiple method to the class (thanks mlocati)

Add a config value to toggle the generator meta tag (thanks marvinde)

Upgrade Imagine image manipulation library from 0.7.1 to 1.0.0 (thanks mlocati)

Refactored certain old tools files into routes, views and controllers (thanks mlocati, marvinde)

Added the ability to automatically include CSS files when adding/editing blocks by including an auto.css file in the block folder (thanks mlocati).

Image Slider block - remove old CSS and JS assets code (thanks MrKarlDilkington)

Refactoring and code improvements to CookieJar service (thanks mlocati)

Improved code quality and removal of PHP NOTICE errors (thanks mlocati, a3020)

Tons of new docblocks added to core classes (thanks mlocati)

Fix docblocks in Number service (thanks a3020)

Improve installation detection by allowing {$env}.database.php

Let sitemap event listeners modify the sitemap data (thanks mlocati and a3020)

Source code(tar.gz)
Source code(zip)
8.5.0RC2(Feb 26, 2019)

Source code(tar.gz)
Source code(zip)
8.4.5(Feb 26, 2019)
Bug Fixes

Fixes a vulnerability which permitted authenticated users to view the contents of arbitrary messages sent through the My Account section.

Source code(tar.gz)
Source code(zip)
8.5.0RC1(Feb 7, 2019)

Source code(tar.gz)
Source code(zip)
8.4.4(Jan 10, 2019)
Feature Updates

Improvement for compliance and GDPR: Storage of form data submitted through the form block is now optional. It is a new checkbox in the block (thanks Faker Ben Ali)

Behavioral Improvements

Much improved performance in the Stacks panel menu for sites with a lot of stacks – stacks lazily load the blocks within them.

Dashboard Welcome Page: hides the "Customize" button if the user does not have permission to edit the page content (thanks marvinde)

Allow disabling of Sitemap button in CKEditor concrete5link core plugin (thanks joemeyer)

Fixed W3C validation errors in Elemental (thanks MPagel)

Bug Fixes

Fix XSS error when certain error messages could contain HTML (thanks mlocati)

Fix error where EditorServiceProvider was complaining about array_merge not being a valid array

Fixed: GDPR - ConversationMessages are not deleted when a user is deleted (thanks marvinde)

Fix typo in list of CKEditor plugins ('applying') (thanks a3020)

Source code(tar.gz)
Source code(zip)
8.4.3(Sep 24, 2018)
Behavioral Improvements

The word ‘Action’ is now properly localized in in-page notifications (thanks mlocati)

The icon of external links now more clearly distinguishes them from page aliases (thanks mlocati)

Create collection handle when aliasing the homepage (thanks mlocati)

Bug Fixes

Bug Fix: Tags block - support mixed case tag names when setting selected tag class (thanks MrKarlDilkington)

Fixed bug where archived notification alerts were showing up in Waiting for Me.

Fix PHP 7.2 count error in Calendar Dashboard Colors system page (thanks altinkonline)

Fix Page::movePageDisplayOrderToSibling() when working with aliases (thanks mlocati)

Fixed incorrectly returning object instead of text string when working with textarea attributes under some circumstances.

Fixed Exception in Marketplace.php after site/project has been removed from community account

Fixed accidentally deleting all FileSets when deleting a user (thanks deek87)

Fix alternative canonical URL not installing properly when set during installation (thanks a3020)

Fixed: Deactivating users in bulk fails in 8.4.2 when a workflow is attached to the permission.

Fixed Express Entry association view on owned element when creating elements showing a list of all entries instead of none.

Fixing permission checker on image_uploading / thumbnail options page (thanks deek87)

Fix package installer not checking dependencies on other packages (thanks acohin)

Avoid errors in editing express entry detail block on PHP 7.2 under certain circumstances (thanks hissy)

Fixed: Datepicker options has no effect in 8.4.2 (thanks alexeytrusov)

Require pagination asset from express entry list block (thanks hissy)

Source code(tar.gz)
Source code(zip)
8.4.1(Jul 13, 2018)
8.4.1

Feature Updates

Added the ability to automatically deactivate users based on how long it’s been since they’ve logged in.

Added the ability to save search presets for users and pages and Express objects. (thanks marvinde)

Added the ability to sort block types and block type sets in the Dashboard (thanks mlocati)

Add support for theme-color meta tag in the Basics settings section of the Dashboard (thanks mlocati)

Allow upscaling images for thumbnails based on thumbnail type (thanks mlocati, jneijt)

Add tooltips to the plugins listed on the Rich Text Editor page in the Dashboard that describe what they do (thanks mlocati)

The Page Selector attribute is now integrated into the core (thanks marvinde)

Added a Draft List block type to the Waiting for Me screen in the Desktop (thanks marvinde)

Added a command line script to generate sitemap.xml (thanks mlocati)

Behavioral Improvements

Reworked Add Content Panel Functionality: Make it so that clicking again on the plus/add panel closes the panel (like all others.), If a user option/clicks the panel when opening it, activate the blue/pinned/locked functionality. Clicking to close the panel closes the panel and removes this functionality (thanks marvinde)

Use UI localization context in concrete5 toolbar & account menu (thanks mlocati)

Fixed: Whoops report is confusing the reporting with the original error when adding or updating blocks that fail (thanks mlocati)

Version approved date is now shown in the approved version panel (thanks marvinde)

Fixed: Language Switcher's language text should display in their native language (thanks mlocati)

We now highlight localized stacks that have been created to override global stacks in a multilingual website (thanks mlocati)

Make marketplace error handling more consolidated and handle timeouts

Set links color in jquery ui dialogs (thanks mlocati)

Better support for with MySQL 8 (thanks mlocati)

Support for multiple Page List blocks on a page (thanks marvinde)

Fix handling of JavascriptLocalizedAsset URL & path (thanks mlocati)

Don't try to get package lists when concrete5 is not installed in language-install CLI command (thanks mlocati)

Reduce concurrency problems in FileSystemStashDriver::storeData (can be a problem when clearing a cache on a high traffic site) (thanks mlocati)

Added a link to the concrete5 Slack channel on the installation screen (thanks mlocati)

Added a link to the concrete5 Sack channel in the welcome screen (thanks mlocati)

Improved performance in route resolution (thanks mlocati)

Avoid long timeouts when checking the Google API Key in Google Maps block (thanks mlocati)

Avoid warning in Securimage::check when no captcha token is received (thanks mlocati)

Add $subject to form email templates to make it easier to customize (thanks katzueno)

Add option to not create session cookies in multilingual sites (thanks mlocati)

Changed Redactor to CKEditor in the Conversations Rich text editor

Add ability to change social network icon via config (thanks goesredy)

Bug Fixes

Fixed irritating bug where adding multiple express form controls of the same type in a row would cause an error and require form controls to be added and re-saved before proceeding (thanks JeffPaetkau!)

Fixed error when trying to login using certain third party authentication types (thanks fabian)

Fixed: File Manager - Duplicate and blank search presets created when creating multiple search presets without page refresh (thanks marvinde)

Fixed bug where Next/Previous block might skip pages under certain conditions (thanks gfischershaw, mlocati)

Fixed: C5 8.4.0 - Unable to select root page (home) when adding a new page in sitemap on a multilingual site

Specifying the items per page for an express entity now works.

Fixed: 8.4, File Manager in versions, "Invalid file version" when removing old item (thanks mlocati)

Fixed Call to a member function generate() on null at index.php/dashboard/extend/update

Fixed bug resolving proper Multilingual Section from browser locale under certain situations (thanks mlocati)

Fix HackerOne issue 277479 (thanks mlocati)

Fixed: Copy page moves cID instead of copy in MultilingualPageRelations table (thanks 1stthomas)

Fixed Express Bug: Argument 1 passed to DashboardFormContext::setLocation() must be an instance of TemplateLocator, boolean given

Fixed exception thrown when accessing index.php/ccm/system/accept_privacy_policy directly.

Fixed: Deleting theme error does not have a method 'getPackageItems

Fixed out of memory error happening on non-US systems when a broken legacy package is included in the packages directory (thanks mlocati)

Fixed errors with the Page List block not properly filtering by date options (thanks gfischershaw)

Fixed 8.4.0RC2 - Search presets cannot be deleted in bulk (as the context menu suggests

Fix a bug where the file manager's breadcrumb is behind the search form (thanks marvinde)

Fixed inability to disable CKEditor plugins (thanks mlocati)

Fix setTrustedProxies for Symfony 3.3.0 (thanks mlocati)

Fixed: FileFolder::getNodeByName and duplicated folder names (thanks mlocati)

Fix setting the "required" attribute of the privacy agreement on install page (thanks mlocati)

Actually add translatable strings extracted from config files to Translations instance (thanks mlocati)

Developer Updates

Much improve sitemap.xml generation routine, including better memory usage, better ability for extension, and cleaner code (thanks mlocati)

General code cleanup (thanks mlocati)

Add "withKey" feature to configuration (thanks mlocati)

Add Thumbnail Type events (thanks a3020)

Fix returning file objects in Exception classes (thanks a3020)

Added on_block_output event (thanks a3020)

Added a debug option in the Dashboard to report PHP NOTICE errors (thanks mlocati)

Bring back the setNameSpace() method in ItemList (thanks marvinde)

Source code(tar.gz)
Source code(zip)
8.4.0(Jun 8, 2018)
Feature Updates

Added ability to specify custom thumbnail types per file sets (e.g. if a file is in the Header file set, the Header thumbnail type will be generated for it, otherwise it will not.) (thanks mlocati)

Calendar block has new agenda views for year list, month list, week and day (thanks MrKarldilkington)

Added a System Email Addresses Dashboard page that lets you set the default email addresses – previously this had to be done in config code (thanks MrKarlDilkington)

Added bulk user commands: activate, deactivate, delete, remove from group and add to gorup (thanks JeRoNZ)!

If a site is connected to the concrete5.org marketplace, any packages installed on the site will have their language files automatically downloaded from translate.concrete5.org (thanks mlocati)

Adds search header to express entity selector for selecting express entities against pages, users, files, etc… (thanks sjorssnoeren)

Added the ability to specify an end date for page publishing.

Added the ability to delete individual Log entries (thanks marvinde, mlocati)

Added new “Start Time” option to YouTube block; YouTube block will also respect “Start Time” if specified in the YouTube URL (thanks jlucki)

Added a new Reset Edit Mode Dashboard page that allows all currently checked-out pages to be checked in and edit mode to be restored on them.

Updated CKEditor to 4.9.1 (thanks MrKarlDilkington)

Added a new image slider navigation option in the image slider block: “None” (thanks biplobice)

Added the ability to edit topic tree names (thanks gutigrewal)

Added the ability to unapprove an approved version through the versions menu.

Behavioral Improvements

We now only set sessions when you attempt to login or use custom session code, in order to reduce the number of sites that set cookies for GDPR.

Added a data collection notice to installation, added a banner to Dashboard for GDPR compliance.

Massive improvements to image handling in the core, (thanks mlocati!). Full details found here: https://github.com/concrete5/concrete5/pull/6415

ItemList: always included ordered-by columns in select statement (thanks mlocati)

Folded registration email notification preferences into the System Email Addresses Dashboard page (thanks biplobice)

Much better localization and translation support in the newly introduced calendar components (thanks mlocati)

We will now inhibit the execution of automatic updates/installations if one is currently in progress (thanks mlocati).

Improved support when using MySQL 8 (thanks mlocati)

Improvements to the interactive installation process defaults (thanks mlocati)

Fixed errors when the update process may require long time, because of many migrations need to be executed or because a migration requires long time to be executed, and the PHP execution may reach its maximum time limit (thanks mlocati)

Improvements to the coding of the installation process (thanks mlocati)

Automatically set maintenance mode during core updates (thanks mlocati)

Apply nowrap white space on private message box status column (https://github.com/concrete5/concrete5/pull/6350) (thanks biplobice)

Send 500 code instead of 200 on creating an error response (https://github.com/concrete5/concrete5/pull/6350) (thanks hissy)

Optimizations to UserList classes and group search (thanks deek87)

Improvements and optimizations to the auto rotate image processor (thanks mlocati)

We now return. 404 response when requesting an invalid tool (thanks mlocati)

Improvements to the update process when the calendar add-on was migrated to the new built-in calendar.

Fixed: Dashboard Sitemap Tree Deleting items should refresh Trash (thanks marvinde)

Fixed: In sitemap, when you delete a page, plus sign doesn't appear next to the trash can 'til after page reload (thanks marvinde)

Do not automatically upgrade the core in maintenance mode (thanks mlocati)

Fixed: When deleting a layout, the message "Are you sure you wish to delete this block?" is shown (https://github.com/concrete5/concrete5/issues/6289)

Improvements to SNS authentication, Facebook authentication specifically (thanks biplobice, deek87). More details here: https://github.com/concrete5/concrete5/pull/6018

Better database encoding when databases don’t use UTF-8 by default (thanks upline-pro)

Use Selectize for Data Source element select multiple inputs (thanks MrKarlDilkington)

Removed old unused Newsflow code (thanks mlocati)

Highlight Default Page Template in Defaults and Output for Page Type (thanks MrKarlDilkington)

Fixed exception filling logs on invalid file (https://github.com/concrete5/concrete5/issues/6449#issuecomment-366931290)

Fixed inability to use theme editor CSS classes in CKEditor when using in the Dashboard and non-pages (Thanks MrKarlDilkington)

Consider text/plain images as SVG images (thanks mlocati)

Add block type name to delete block modal message (thanks MrKarlDilkington)

Actively discouraging certain CLI commands when run as root (thanks mlocati)

Show different message when public profile option isn't changed (thanks biplobice)

Added cache to core area layout block.

Improve performance of file manager in certain editor configurations (thanks hissy)

Allow layout presets to optionally have no container element defined (thanks MrKarlDilkington)

Better ADA compliance: adding for=”” attributes to label tags in login forms, forgot password forms, all core attributes and express form attributes.

Add aria attributes and title to Social Links block links and icons (thanks MrKarlDilkington)

The dropdown area on the Add Content menu is now clickable (thanks marvinde)

Removed useless 'More Details' link from package upgrade page (thanks a3020)

Help prevent block form and file manager modals from blending in with background page content (thanks MrKarlDilkington)

Added a link to the concrete5.org privacy policy from the login page where backgrounds are pulled from concrete5.org.

Fixed some errors searching express objects in the Dashboard in some cases (https://github.com/concrete5/concrete5/pull/6601) (thanks hissy)

Add alt attribute to generic thumbnail icons to increase accessibility in Document Library block (thanks MrKarlDilkington)

Fix handling of package dependency errors (Thanks mlocati)

Suggestion: Stays at draft page after "Save and Exit" on Composer (thanks marvinde)

Bug Fixes

Fixed multiple bugs that arose because actually removing a multilingual section via the Dashboard didn’t delete the pages in the site tree.

Fixed error where full page caching was still connecting to the database.

Fix block dragging in edit mode – it wasn’t scrolling the page in certain browsers (https://github.com/concrete5/concrete5/issues/6321) (}thanks mlocati)

Fixed: no longer using client side code for rating messages (https://github.com/concrete5/concrete5/pull/6337) (thanks mlocati)

Fixed bug in survey block where page the survey was on was missing (thanks marvinde)

Fix issue where updating page defaults on a multilingual site wouldn't push blocks out to all pages in all locales

Fixed: Adding file selector to form fails on element with special characters (thanks jneijt)

Fixed bug where pages duplicated would lose custom block cache settings on the resulting pages.

Fixes issue when a file with multiple versions is the cursor (thanks deek87)

Fixed: JS Cache combined with "use strict" breaks core javascript (thanks mlocati)

Fixed: z-index issue when selecting Calendar Events categories (thanks MrKarlDilkington)

Fixed bug where pages duplicated would lose custom grid container settings on the resulting pages.

Add missing folder icon in Document Library block (thanks MrKarlDilkington)

Fixed Error in core_area_layout when activating block cache in 8.4RC2 (thanks mehl)

Fix error with folder item list returning too many items when filtering by multiple file sets

Fixed bug where replying to messages when logged in would cause replies to show up multiple times before a page refresh (thanks marvinde)

Fixed bug where applying custom styles to a global area’s blocks would not refresh those styles without a full browser reload.

Fixed: we now sanitize the alt text in avatars (https://github.com/concrete5/concrete5/pull/6339) (thanks Remo)

Sanitize output on folder names (https://github.com/concrete5/concrete5/pull/6341) (thanks Remo)

Fixed error running command line utilities when a concrete5 installation has been updated through the Dashboard.

Fix missing closing h3 tag in Calendar Event block (thanks hissy)

Fixed missing CSRF token when deleting a conversation message (https://hackerone.com/reports/87729)

Warnings when attempting to install concrete5 on a database that will make the table names lowercase (thanks mlocati)

Fixed: Unmapping a locale page, removes the mapping for all locales (thanks Seanom)

Fixed: Wrong language used in a single page controller (thanks mlocati)

Fix H1 309466 (thanks mlocati)

Better permissions checking on Express entry list results in custom Express objects and Express forms.

Fixed bug with queues and queueable jobs where one job running might start executing the jobs of another process (thanks ahukkanen)

Fixed bug where you couldn’t unset a “More Details” calendar event page link in the calendar event edit popup.

Fixed: Google map - multiple API calls if Check API clicked multiple times (thanks MrKarlDilkington)

Fixed: Delete user attribute values on user delete (thanks marvinde)

Removed unnecessary paragraph tags in output of FAQ block (thanks djkazu)

Fix: https://www.concrete5.org/community/forums/customizing_c5/8.3.1-symphony-error

Fixing some cases where exporting form results to CSV could result in a 404 error under advanced and custom permission use cases.

Fixed: Creating a page alias in another site tree does not modify the siteTreeID

Sanitize the link of external pages in the sitemap (https://github.com/concrete5/concrete5/pull/6346/) (thanks mlocati)

Fixed: PageList topic filtering MySQL error (mode ONLY_FULL_GROUP_BY) (thanks mlocati)

Fixed minor XSS vulnerability in unused $step GET parameter (thanks jordanlev)

Fixed: "Schedule Publishing" dialogs are not removed when adding page (thanks marvinde)

Fix locale and language of MultilingualPageRelations when site locale changes (thanks mlocati)

https://github.com/concrete5/concrete5/issues/6490 (thanks marvinde)

Fixed Minor Bug: "Move to Folder" in Filemanager and not selecting a target causes exception

Fixed: Deleting a File Leaves it Selected in Form (thanks marvinde)

Fixed: Applying a theme to a site in the Dashboard only does it to a single multilingual tree

Fixed: Unable to add new options to select attribute in composer under PHP 7.2

Fixed Access Denied bug when editing blocks with validation errors under certain conditions (https://github.com/concrete5/concrete5/issues/6425) (thanks marvinde)

Fixed: The file manager's breadcrumb appears on the full sitemap page (thanks marvinde)

Fixed: Possibility to crash calendar event list if number of events is not specified

Sanitize the output of page short description in the pages panel (https://github.com/concrete5/concrete5/pull/6347) (thanks mlocati)

Fix: area layout using preset not deleted after deleting area layout (thanks mlocati)

Fix migration to version 8 when MultilingualPageRelations contains invalid data (thanks mlocati)

Fixed: Unable to decode session object after updating profile information and using database sessions on certain multilingual installations.

Fix: The file manager's breadcrumb appears on the full sitemap page (thanks marvinde)

Fixed: Running an advanced search on Express forms can produce error in PHP 7.2.

Fixed error when upgrading from 5.7 with custom address attribute countries (thanks mlocati)

Developer Updates

Add support for the "media" attribute for CSS resources (thanks marvinde)

Added on_locale_add, on_locale_delete and on_locale_change events (thanks dimger)

Add on_block_before_render event (thanks a3020)

Old page statistics code has been removed (thanks a3020)

Add on_block_duplicate event (thanks a3020)

Removed inline JavaScript from Google Maps block view layer (thanks Remo)

Updated to jQuery 1.12.4 (thanks MrKarlDilkington)

You can now specify default block templates by a particular page type (thanks haeflimi) (see details here: https://github.com/concrete5/concrete5/pull/6456)

Added a console command to rerun certain migrations (thanks mlocati)

Add a configuration key to set the Composer autosave idle timeout (thanks mlocati)

Update responsive-slides asset from 1.54 to 1.55 (thanks apaccou)

Add c5:is-installed CLI command (thanks mlocati)

Updated the fullcalendar JavaScript library to version 3.8 (thanks MrKarlDilkington)

Updated Punic Unicode library to 3.0.1 (thanks mlocati)

dispatch a additional event when File Sets are deleted (thanks haeflimi)

Added phpdoc comments for better API documentation (thanks mlocati, AdamBassett)

Updated Imagine image procesing library to 0.7 (thanks mlocati)

Updated Symfony components to 3.4.7

JavaScript is now fully testable (thanks mlocati)

Let FileFolderManager filter by file extensions, improve FileManager service (thanks mlocati)

Source code(tar.gz)
Source code(zip)

Owner

concrete5

GitHub https://www.concrete5.org

Make development easier with IDE helpers for Winter CMS!

IDE Helpers This plugin adds barryvdh/ide-helpers package to October for better IDE support. Installation git clone into /plugins/flynsarmy/idehelper

4 Dec 11, 2021

Sage is a productivity-driven WordPress starter theme with a modern development workflow.

WordPress starter theme with a modern development workflow

12k Jan 5, 2023

Bedrock is a modern WordPress stack that helps you get started with the best development tools and project structure.

WordPress boilerplate with modern development tools, easier configuration, and an improved folder structure

5.7k Jan 9, 2023

A template package of package development for Concrete CMS Version 9.

A boilerplate to develop a package on Concrete CMS Version 9.

11 Nov 27, 2022

The repository for Coaster CMS (coastercms.org), a full featured, Laravel based Content Management System

The repository for Coaster CMS (coastercms.org) a Laravel based Content Management System with advanced features and Physical Web integration. Table o

392 Dec 23, 2022

Gitamin is an open source git repository management software built with the Laravel PHP Framework.

Gitamin(pronounced /ˈgɪtəmɪn/, inspired by Vitamin) is an open source git repository management software built with the Laravel PHP Framework.

347 Sep 20, 2022

Backdrop core code repository.

Backdrop is a full-featured content management system that allows non-technical users to manage a wide variety of content. It can be used to create al

880 Dec 28, 2022

CakePHP: The Rapid Development Framework for PHP - Official Repository

CakePHP is a rapid development framework for PHP which uses commonly known design patterns like Associative Data Mapping, Front Controller, and MVC. O

8.6k Dec 31, 2022

Database Repository / PHP Repository / Laravel Repository

Database Repository / PHP Repository / Laravel Repository Installation Use following command to add this package to composer development requirement.

6 Dec 21, 2022

Official Zend Framework repository

Welcome to the Zend Framework 3.0 Release! RELEASE INFORMATION Zend Framework 3.0.1dev This is the first maintenance release for the Zend Framework 3

5.6k Dec 29, 2022

Official repository of the AWS SDK for PHP (@awsforphp)

AWS SDK for PHP - Version 3 The AWS SDK for PHP makes it easy for developers to access Amazon Web Services in their PHP code, and build robust applica

5.7k Jan 1, 2023

The Official UnderCMS Repository

UnderCMS A hobbyist CMS from scratch What is that? This is a CMS (for Content Management System), a software to easily make websites. This is still ve

3 Dec 6, 2021

A plugin manager for PocketMine-MP downloads plugin from PocketMine-MP official plugin repository

oh-my-pmmp A plugin manager for PocketMine-MP Getting Started Prerequisites Your server MUST RUN the latest version of PocketMine. Installation From P

6 Jan 4, 2023

Official repository for Find A PR. Find A PR is a platform that curates a list of issues around Laravel based project.

About Find A PR This is the official repository for Find A PR. Find A PR is a platform that curates a list of issues around Laravel based project. Req

33 Dec 15, 2022

Official repository from rasional.my.id

About Laravel Laravel is a web application framework with expressive, elegant syntax. We believe development must be an enjoyable and creative experie

2 Mar 29, 2022

Message Queue, Job Queue, Broadcasting, WebSockets packages for PHP, Symfony, Laravel, Magento. DEVELOPMENT REPOSITORY - provided by Forma-Pro

Supporting Enqueue Enqueue is an MIT-licensed open source project with its ongoing development made possible entirely by the support of community and

2.1k Dec 22, 2022

Official repository for concrete5 development

Related tags

Overview

Documentation

Installation

Community Channels

Legacy

Comments

Current status

Core translations

Package translations

Current problems

The solution (for me :wink:)

Description

Affected Version of Concrete CMS

Description

How to reproduce

Possible Solution

Additional Context

Before

After

Affected Version of Concrete CMS

Description

How to reproduce

Possible Solution

Additional Context

Affected Version of Concrete CMS

Description

How to reproduce

Possible Solution

Additional Context

Releases(8.5.12)

8.5.12(Nov 3, 2022)

Bug Fixes

8.5.11(Nov 1, 2022)

8.5.11

Bug Fixes

9.1.3(Oct 31, 2022)

9.1.3

Behavioral Improvements

Security Fixes

Medium

Low

Not Ranked

8.5.10(Oct 31, 2022)

8.5.10

Bug Fixes

Developer Updates

Security Fixes

Medium

Low

Not Ranked

9.1.2(Sep 15, 2022)

New Features

Behavioral Improvements

Bug Fixes

Backward Compatibility Notes

Developer Updates

8.5.9(Jun 23, 2022)

Bug Fixes

8.5.8(Jun 20, 2022)

Behavioral Improvements

Bug Fixes

Security Fixes

9.1.1(May 25, 2022)

Behavioral Improvements

Bug Fixes

Developer Updates

9.1.0(May 12, 2022)

New Features

Behavioral Improvements

Bug Fixes

Backward Compatibility Notes

Developer Updates

Security Fixes

9.0.2(Jan 24, 2022)

Behavioral Improvements

Bug Fixes

Developer Updates

9.0.1(Nov 9, 2021)