⬆️ Bump getkirby/cms from 3.5.5 to 3.5.7

[dependabot]

Bumps getkirby/cms from 3.5.5 to 3.5.7.

Release notes

Sourced from getkirby/cms's releases.

3.5.7

Security

Cross-site scripting (XSS) from field and configuration text displayed in the Panel

This release fixes the following XSS vulnerabilities inside the Panel:

• Placeholders in core translation strings (e.g. in error or info messages) are now escaped.
• Error message boxes in dialogs and the fields section now only display the escaped exception message.
• Data displayed in the users and settings view (list of users/languages) is now escaped.
• The default text displayed by the files and pages sections (filename/page title), the files, pages and users fields (filename/page title/username) and by query-based checkboxes, radio, tags and multiselect fields (default text depending on the used query) is now escaped.

Note: Custom text, help and info queries in blueprints are not escaped in 3.5.7. We support HTML in these properties because there are valid use-cases for custom formatting. However there can still be XSS vulnerabilities depending on your use of these properties. In Kirby 3.6 we will provide a new feature that will make it much easier to control whether you want to allow HTML from query placeholders.

You can find out more about the issues and fixes in our security advisory.

PHPMailer update

• PHPMailer has a new security release, which fixes two of their security issues. There seems to be a small, insignificant breaking change in their validator code, according to their release notes. We still decided to add the security fixes as soon as possible and include it in this release.

🎉 Features

• Support for custom callbacks for Str::template() (e.g. to escape query output) #3454

Str::template($value, $data, [
    'callback' => function ($result) {
        return Str::ucwords($result);
    }
]);

• The Box component now supports a text-only mode (with the html prop set to false). For compatibility, the default value is currently true. We plan to make false (escaped text) the new default behavior in Kirby 3.6.0.
• The Autocomplete component now has support for HTML in the text property with a new html property (defaults to false).
• New this.$helper.string.escapeHTML (or this.$esc) helper to escape HTML special characters as entities

Enhancements

• Improved blocks and layout field value for isEmpty() field method support #3153
• Supports new assets extensions map|json|avif|mjs for plugins #3436
• Str::template() now supports an $options array that can contain fallback, callback, start, end attributes. We plan to deprecate the old $fallback, $start and $end arguments in 3.6.0. #3454
• The Kirby\Sane\Svg::$allowedNamespaces property is now public to allow customizing it to your needs. #3424
• Dropdowns in the Panel are now automatically aligned vertically, depending on their position in the window. #3080
• The Card component now supports HTML in its text property for consistency with ListItem.
• The Radio, Tags and Multiselect input components now support HTML in their text properties for consistency with Checkboxes.

Fixes

• Toggle and checkbox field labels support HTML again #3278
• Filtering based on field value sizes issue fixed #3382

... (truncated)

Commits

• 3395389 Merge pull request #3475 from getkirby/release/3.5.7
• fb408ca Fix notice issue in OptionsQuery
• f5ead62 Merge pull request from GHSA-2f2w-349x-vrqm
• a86e751 Update dist files and composer
• 00c0b21 Update Panel dist files
• a6eb9ee Escape default text values in options queries
• c2c97ba Escape text/info for <k-list-item>/<k-card>
• 39ea492 Don't display exceptions as HTML
• fdf48fb Escape translation placeholders
• 483e877 New escapeHTML string helper method
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #46.