⬆️ Bump getkirby/cms from 3.7.1 to 3.7.4

[dependabot[bot]]

Bumps getkirby/cms from 3.7.1 to 3.7.4.

Release notes

Sourced from getkirby/cms's releases.

3.7.4

🚨 Security

Cross-site scripting (XSS) from content entered in the tags and multiselect fields

Severity: high (CVSS score 7.1)

The tags and multiselect fields allow to select tags from an autocompleted list. The tags field also allows to enter new tags or edit existing tags. Kirby already handled escaping of the autocompleted tags, but unfortunately the Panel used HTML rendering for new or edited tags as well as for custom tags from the content file.

This allowed attackers with Panel access to store malicious HTML code in a tag. The browser of the victim who visited the modified page in the Panel will then have rendered this malicious HTML code.

It also allowed self-inflicted XSS attacks in the tags field (meaning that malicious code is executed in the browser of the user who entered it). This could be used in social engineering attacks where a victim is convinced by an attacker to enter malicious code into a tags field.

Visitors without Panel access could only use this attack vector if your site allows changing the content of a tags or multiselect field from a frontend form (for example user self-registration or the creation of pages from a contact or other frontend form). If you validate or sanitize the provided form data, you are already protected against such attacks by external visitors.

You are also not affected by these vulnerabilities if your site doesn't have untrustworthy users with Panel access or a way to modify field values from the frontend or if you don't use the tags or multiselect fields.

Note: The fixes for these vulnerabilities have the side effect that values in the tags and multiselect fields that come from dynamic options are displayed with double escaping (e.g. the & character is displayed as &). We will fix the double escaping issues with a refactoring of the options fields (tags, multiselect, checkboxes, radio, select and toggles) in Kirby 3.8.

🎉 Features

• Added support for hot module reloading (HMR) during plugin development using kirbyup #4541
• New Helpers::handleErrors() method for custom PHP error handling #4569
• New F::unlink() method for idempotent deletion of files and links (native PHP unlink() without a warning when the file is already deleted) #4569

✨ Enhancements

• The toggles field preview now uses bubbles #4566
• Reduced size of the Panel's vendor JS file by adding code splitting for the vuedraggable.js library #4504 Before

  dist/css/style.css   106.29 KiB / gzip:  18.02 KiB
  dist/js/index.js     303.70 KiB / gzip:  71.99 KiB
  dist/js/vendor.js    375.31 KiB / gzip: 120.69 KiB
  

  After

  dist/js/vuedraggable.js    40.74 KiB / gzip:  14.12 KiB
  dist/css/style.css        106.29 KiB / gzip:  18.01 KiB
  dist/js/index.js          304.25 KiB / gzip:  72.37 KiB 
  dist/js/vendor.js         334.73 KiB / gzip: 107.00 KiB
  

• Node dependencies have been updated #4568
• k-text has a new html prop to pass content that should be rendered as HTML (instead of providing text via the default slot). Use carefully as rendering HTML can be a gateway for XSS attacks. #4578
• The text block field input is now extendable in the blueprint #3016

🐛 Fixes

• UI Kit typos fixed for reference docs #4562
• Asset URLs no longer start with two slashes if the site's base URL was configured as / #4508

... (truncated)

Commits

• 44158e8 Update translations
• 1aaef26 Update version number
• 50ab654 Update dist files
• 110525e Fix XSS issue in the MultiselectInput
• cefb8fe Fix XSS issue in the TagsInput
• 04e9f52 Handle URL encoding in the Params class
• f16e064 Merge pull request #4593 from getkirby/fix/unlink
• 0db18b7 Merge pull request #4594 from getkirby/fix/k-text-html
• 3f805a6 Alphabetical reordering
• 406bd0c Fix F::remove() with non-existing files
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.