Update Feed

Contao 5.3.20

2 January 2025

Contao version 5.3.20 is now available.

Upgrading to Contao 5.3.20

Contao 5.3.20 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Contao updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Contao install to test the 5.3.20 upgrade prior to applying it live. Get started managing your Contao installations with Installatron

What's New in Contao 5.3.20

5.3.20

Bug Fixes

Use CAST(… AS BINARY) instead of BINARY (leofeyer)
Fix the help wizard (bytehead)
Add the missing relations to the DCAs (aschempp)
Add the domain to the "root page dependent module" configuration (aschempp)
Disallow creating or updating elements with invalid parent record (aschempp)
Handle ampersands in the alt attribute of the picture insert tag (markocupic)
Use the correct session bag in the preview link listener (leofeyer)
Make the default (global) operations more consistent (aschempp)
Disable overlayClick for SimpleModal (zoglo)
Fix the base path for canonical URLs (fritzmg)
Do not normalize the resampling-filter array key (ausi)
Make sure the correct test-case package is installed in Contao (aschempp)

5.3.19

Bug Fixes

Fix the sorting when copying multiple form fields as a non-admin user (qzminski)
Replace insert tags in Twig surrogate parent templates (ausi)
Enable double encoding for JSON in Twig (ausi)
Handle null result in 404 router provider (aschempp)
Make Contao 5.3 compatible with PHP 8.4 (bytehead)
Fix the "lost password" module (leofeyer)

5.3.18

Bug Fixes

Show section headlines in the back end preview (leofeyer)
Allow basic entities in section headlines (leofeyer)
Make the abstract entities migration case-sensitive (leofeyer)
Prevent possible type error in DC_Table::getClipboardPermission (fritzmg)
Do not load the CAPTCHA script in the back end preview (leofeyer)
Skip fragments which inherit legacy modules in debug:fragments (bytehead)
Remove superfluous domain encoding (falkgeist)
Cache hot path in model (Toflar)
Allow page controllers to create the response context (fritzmg)
Consider the doNotDeleteRecords setting when deleting child records (patrickjDE)
Fix login redirect and session usage (fritzmg)
Fix the permissions check for "save and duplicate" (aschempp)
Decode entities for favorites labels (fritzmg)
Use the RateLimiter component to limit password reset requests (bytehead)
Flag deprecated Twig functions as deprecated (m-vo)
Harden CSP header parsing (bytehead)

5.3.17

Bug Fixes

Fix the ContentElementTypeListener (Toflar)

5.3.16

Bug Fixes

Deprecate Controller::sendFileToBrowser() and add the postDownload hook to the UPGRADE.md file (Toflar)
Check permissions on all operations in the PermissionCheckingVirtualFilesystem decorator (m-vo)
Use a listener to set the allowed element types (aschempp)
Enable pauseOnMouseEnter in the Swiper template by default (fritzmg)
Fix a type error in CalendarContentVoter (fritzmg)
Improve the template DX when overwriting variables (m-vo)
Improve the VFS extra metadata handling (m-vo)
Do not redefine existing fragments (bytehead)
Replace newlines in CSP headers (bytehead)
Fix an invalid array access in the Model::cloneOriginal() method (Toflar)
Add the missing root--dark icon (zoglo)
Fix tooltips on mobile devices (fritzmg)
Do not save long file extensions during filesync (fritzmg)
Use the resource finder in the Twig template locator (aschempp)
Move fieldset legend padding to button (fritzmg)
Remove PDF remnants (fritzmg)
Fix a type error in NewsContentVoter (fritzmg)
Add a null check for a possible empty array (bytehead)

5.3.15

Security
CVE-2024-45398: Remote command execution through file uploads
CVE-2024-45612: Insert tag injection via canonical URLs

5.3.14

Bug Fixes

Handle string IDs in the article content voter (aschempp)
Only add the galleryTpl field to the legacy gallery element (fritzmg)
Correctly handle news feed URLs in the page routing listener (leofeyer)
Fix the parent record loading in the dynamic parent table voter (aschempp)
Fix the description list markup for template templates (fritzmg)
Fix type error in downloads content element (fritzmg)
Fix the name of symlinked filesystem adapters (fritzmg)
Fix the line height of the ellipsis containers (leofeyer)
Consider subfolders and Twig templates within the theme export (zoglo)

5.3.13

Bug Fixes

Fix the content element player start time (kllmanu)
Show a warning if a personal data module allows to change the password (leofeyer)
Add voters for content elements (aschempp)
Generate a new session ID after a member has changed their password (leofeyer)
Allow toggling fieldset states with keyboard actions (A11Y) (zoglo)
Improve the web worker time limit (ausi)
Restore the previous messages order in DC_Table (fritzmg)
Use ERR.submit in all DC forms (fritzmg)
Improve the visibility of the .limit_toggler in the back end (lukasbableck)
Encode mailto addresses in the markdown element (Toflar)
Add the DataContainer::getActiveRecord() method (Toflar)
Prevent endless recursion when copying elements with children (ausi)

5.3.12

Bug Fixes

Clone content elements with all data (aschempp)
Make sure to add the assets/files context to all image paths (leofeyer)
Use maxLines: Infinity to automatically resize the ACE editor (leofeyer)
Make the theme icons forward compatible (leofeyer)
Fix the double form submission script (leofeyer)
Skip database backups if the remaining migrations will not be executed (fritzmg)
Fix the padding of the main content area on mobile devices (leofeyer)
Fix the z-index of the limit height toggle (leofeyer)
Use the modified element when cloning (aschempp)
Use the widget attributes to generate the DCA row (aschempp)
Cleanup a leftover service argument (Toflar)
Do not limit the number of download items (mpitz)
Add the :never return type to methods that never return (aschempp)
Generate public URIs for automatically mounted adapters replacing symlinks (m-vo)
Handle .<ext>.twig file extensions in DC_Folder (m-vo)

5.3.11

Bug Fixes

Fix the priority of the web worker and improve memory handling (Toflar)
Fix missing submitter in form data (ausi)
Fix infinite loop in encore dev --watch (zoglo)

5.3.10

Bug Fixes

Remove two leftover clearing DIVs (leofeyer)
Prevent double form submission (ausi)
Fix symlinked file not inside root directory (ausi)
Evaluate scripts in Ajax form responses (ausi)
Fix toggling nodes if there is no global operation (leofeyer)
Fix drag and drop in the file manager (leofeyer)
Skip sleeping in messenger web worker (ausi)
Return to the list view after adding items to the clipboard (aschempp)
Fix missing query parameters in the file insert tag (ausi)
Use the translator language instead of the request language for the iflng and ifnlng insert tags (Toflar)
Check CSRF and private response after the session (ausi)
Replace non-routable URLs with an empty string for the {{link*}} insert tags (fritzmg)
Initialize the Contao framework when working with opt-in tokens (aschempp)
Rework the messenger integration (Toflar)
Remove the process timeout in the SuperviseWorkersCommand (md-netdesign)
Undeprecate using $model->classes (aschempp)
Cache relative paths in the ContaoFilesystemLoader (m-vo)
Replace insert tags when parsing widget templates (fritzmg)
Use the original ID for nested fragments if available (aschempp)
Fix more edge cases in the HtmlAttributes class (ausi)
Overwrite the page metadata before parsing the news article (lukasbableck)
Fix an endless loop in the DC_Folder::getParentFilemounts() method (leofeyer)
Do not trigger the PHP header() deprecation for certain headers (fritzmg)

5.3.9

Bug Fixes

Invalidate the pagemounts cache in the back end access voter when duplicating a page (lukasbableck)
Remove a redundant strlen() check (leofeyer)
Correctly set the status code of the fallback route to 404 (veronikaplenta)
Make Twig 3.10.2 the minimum requirement (leofeyer)
Fix the CSS class of legacy templates in new elements and modules (veronikaplenta)

5.3.8

Bug Fixes

Handle quoted columns names in the boolean fields migration (ausi)
Skip permissions checks for child records (aschempp)
Hide migrated news feeds in the navigation menu (leofeyer)
Fix the ParsedSequence::serialize() method (ausi)
Allow contao.insert_tag tags without method and priority (fritzmg)
Do not use the deprecated replaceInsertTags hook (ausi)
Check access to fieldsOfTable for the file edit operation (aschempp)
Show all page types in the help wizard (leofeyer)
Allow hyphens in custom legacy template names (fritzmg)
Add the component style sheets before the user style sheets (leofeyer)
Implode arrays recursively when showing undo records (leofeyer)
Allow to move an error page within its root (aschempp)
Correctly set the defer attribute for combined deferred scripts (ReneLuecking)
Use the new onpalette_callback to unset fields in the file manager (aschempp)
Fix invalid HTML markup in splash screens (bennyborn)
Store enum fields in the DCA extractor cache (SeverinGloeckle)
Fix non-existent "contao.image.image_factory" in FeedItem.php (stefansl)
Disable the search index listener in the back end (Toflar)
Fix the PHP subprocess call once again (Toflar)
Catch the URL generator exception in the news insert tag (qzminski)
Test the deserialize Twig filter (ausi)
Add a deserialize Twig filter (leofeyer)

5.3.7

Bug Fixes

Make the member group voter cacheable (aschempp)
Make the PhpTemplateProxyNode class compatible with Twig 3.9 (ausi)
Fix the elements check in the sectionwizard.js script (qzminski)
Use PhpSubprocess instead of Process in the ProcessUtil class (Toflar)

5.3.6

Bug Fixes

Ensure compatibility with Twig 3.9 (leofeyer)
Handle empty strings in the StringResolver class (qzminski)

5.3.5

Bug Fixes

Fix the order of the media block in the text element markup (ausi)
Use Encore to minify the SVG icons (leofeyer)
Add the missing styles to the new table element (zoglo)
Enable the sortAttrs option in the SVGO configuration (leofeyer)
Fix the elements check in the modulewizard.js script (qzminski)
Use display: grid in the image gallery preview (zoglo)
Initialize Handorgel on the element (zoglo)
Add the missing WysiwygStyleProcessor autowiring alias (Toflar)
Also unset the disable, start and stop fields when an admin edits themselves (aschempp)
Cache SQL queries in the page type voter (aschempp)
Fix some edge cases when parsing HTML style attributes (ausi)

5.3.4

Security
CVE-2024-28235: Session cookie disclosure in the crawler
CVE-2024-28190: Cross site scripting in the file manager
CVE-2024-28191: Insert tag injection via the form generator
CVE-2024-28234: Insufficient BBCode sanitization

5.3.3

Bug Fixes

Fix a bug in setIfExists() with Stringable objects (ausi)
Fix double encoding/decoding in the HtmlAttributes class (ausi)

5.3.2

Highlights

Add the csp_unsafe_inline_style Twig filter (ausi)

Bug Fixes

Revert the changes to the "file uploaded" check (fritzmg)
Harden mime type handling in the FilesystemItem class (m-vo)
Show headlines in article teasers again (zoglo)
Use the fragment registry in the debug:fragments command (bytehead)
Allow version 5 of lcobucci/jwt (leofeyer)
Register theme templates in the global namespace, too (ausi)
Enable collapsible fieldsets without storage (aschempp)
Override the access decision strategy instead of the manager (aschempp)
Fix a PHP 8 warning in the tl_article.getActiveLayoutSections() method (qzminski)
Fix the traceable access decision manager (aschempp)
Return to the list view after adding items to the clipboard (aschempp)
Use voters for theme permissions (aschempp)
Add the user access voter (aschempp)
Fix the front end module permissions (aschempp)
Make the ParentAccessTrait::hasAccessToParent() method private (aschempp)
Improve permission error message for DCA actions (aschempp)
Set the email message priority to "high" (Toflar)
Disable background workers if they are not supported (Toflar)
Convert protocol-relative URLs in the string resolver (aschempp)

5.3.1

Highlights

Bug Fixes

Cache Image::getHtml() to speed up the tree view (Toflar)
Fix the newsfeed migration (aschempp)
Use Model::findById() instead of Model::findByPk() (leofeyer)
Show the route configuration in the news feed page (aschempp)
Fix the dotenv:dump command (aschempp)
Allow using insert tags in image alt and title attributes (leofeyer)
Deprecate inheriting CSS classes in nested elements (aschempp)
Use UrlUtil::makeAbsolute() when converting relative URLs (leofeyer)
Fix a type error in the login module (aschempp)
Use attrs().mergeWith() in Twig templates (leofeyer)
Make sure the .env.local.php is loaded correctly (Toflar)
Fix double inheritance of legacy templates in Twig (ausi)
Correctly register the AutoRefreshTemplateHierarchyListener (m-vo)
Fix that the guests migration only migrates one field at a time (aschempp)
Correctly generate the URLs to subscribe to comments (leofeyer)
Improve the performance of the database dumper (Toflar)
Correctly check if a "jump to" page is set when generating event feeds (leofeyer)
Make full authentication optional in the personal data module (leofeyer)
Handle unicode strings in insert tag flags (ausi)
Add a button to the "invalid request token" template (leofeyer)
Correctly implement the ImageFactoryInterface (leofeyer)
Fix the Twig loader infrastructure (m-vo)
Use files instead of data: resources to avoid breaking CSP (leofeyer)
Only make string URL absolute if it does not have a scheme (aschempp)
Fix two CSS issues (leofeyer)