Zope 5.8.3 → 5.8.5
------------------

- Allow only some image types to be displayed inline. Force download for others, especially SVG images. By default we use a list of allowed types. You can switch to a list of denied types by setting the OS environment variable ``OFS_IMAGE_USE_DENYLIST=1``. You can override the allowed list with the environment variable ``ALLOWED_INLINE_MIMETYPES`` and the disallowed list with ``DISALLOWED_INLINE_MIMETYPES``. Separate multiple entries by either comma or space. This change only affects direct URL access. Loading the image through an image tag works the same as before. (CVE-2023-42458) See the security advisory.
- Tighten down the ZMI frame source logic to only allow site-local sources. Problem reported by Miguel Segovia Gil.
- Added image dimensions to SVG file properties. (#1146)
- Fix username missing from the access log for error requests. See issue #1155.
- Update to newest compatible versions of dependencies.
- Add preliminary support for Python 3.12rc3.
- Disable a ZCatalog (more precisely: Products.PluginIndexes) performance test which occasionally fails on GitHub. For details, see #1136.
- Restore filename on code objects of objects returned from ``App.Extensions.getObject()``. This got lost in 4.0a6.
- Update to newest compatible versions of dependencies.
- Add preliminary support for Python 3.12rc1.
- Make ``mapply`` ``__signature__`` aware. This allows publishing methods decorated via a decorator which sets ``__signature__`` on the wrapper to specify the signature to use. For details, see #1134. Note: ``mapply`` still does not support keyword-only, var-positional and var-keyword parameters.
- Make Zope's parameters for denial of service protection configurable. (#1141)
- Update RestrictedPython to version 6.2 to mitigate a security problem. (CVE-2023-41039)
- Update AccessControl to version 6.2 to mitigate a security problem. (CVE-2023-41050)

pip: 23.1.2 → 23.2
------------------

setuptools: 67.8.0 → 68.0.0
---------------------------

Plone: 6.0.6 → 6.0.7
--------------------

plone.api: 2.0.3 → 2.0.4
------------------------

Bug fixes:

- Do not run GitHub Actions tests twice. Only run GitHub Actions tests when committing directly against master or main or opening a pull request against master or main. This avoids running the same test suite for the same environment twice. [thet] (#0)
- Mockup TinyMCE settings: Remove unused AtD related views. Fix a test which was checking for "checkDocument" among other available views. "checkDocument" was a TinyMCE endpoint for the unmaintained "After the Deadline" plugin, which is now removed. (#504)

Documentation:

- Enhance API docs of `portal.translate` to show that the domain is optional in some cases. @thet (#510)

plone.app.contentmenu: 3.0.2 → 3.0.3
------------------------------------

Bug fixes:

- Fix "Add item to default page" modal form. [sverbois] (#54)

Internal:

- Update configuration files. [plone devs] (7723aeaf)

plone.app.discussion: 4.0.1 → 4.0.2
-----------------------------------

Internal:

- Update configuration files. [plone devs] (cfffba8c)

plone.app.event: 5.0.1 → 5.1.0
------------------------------

New features:

- Cache the events from the 'Upcoming Events' portlet. [frapell] (#351)

Internal:

- Update configuration files. [plone devs] (5ed054fb)

plone.app.layout: 4.0.6 → 4.0.7
-------------------------------

Bug fixes:

- Fix nested `li` tags after zpretty in `contentviews.pt`. [petschki] (#350)

Internal:

- Update configuration files. [plone devs] (7723aeaf, cfffba8c)

plone.app.linkintegrity: 4.0.1 → 4.0.2
--------------------------------------

Bug fixes:

- Remove outgoing 'isReferencing' RelationValues from the catalog when deleting a content item. [ksuess] (#93)

Internal:

- Update configuration files. [plone devs] (7723aeaf)

plone.app.locales: 6.0.15 → 6.0.16
----------------------------------

- Fixes in Dutch translation. [ThibautBorn]
- Config with default template. [gforcada]

plone.app.multilingual: 7.0.1 → 7.0.3
-------------------------------------

Bug fixes:

- Fix setting the Indonesian language cookie on the site root: it must be ``id``, not ``id-id``. [maurits] (#304)
- Do not unset the language on the Indonesian root language folder when saving the control panel. This language has ``id`` as its code. This is not allowed as an id in Plone, so the folder is created as ``id-id`` instead. This needs some special handling. Added an upgrade step to recursively fix this language folder to set the Indonesian language. This is only done when the folder itself has the wrong language. [maurits] (#304)
- Root language switcher: redirect to ``id-id`` if the Indonesian language is preferred. [maurits] (#304)
- Fix ``set_recursive_language`` to actually find child objects. [maurits] (#304)

plone.app.querystring: 2.0.5 → 2.0.6
------------------------------------

Bug fixes:

- Fix the currentUser operation when the current user's username is different from their user id. @davisagli (#135)

plone.app.robotframework: 2.0.1 → 2.1.0
---------------------------------------

New features:

- Add support for `playwright`-based tests via `robotframework-browser`. [datakurre] (#3813)

Bug fixes:

- Remove an unused and empty keyword that was displaying an error. [gforcada] (#147)

plone.app.upgrade: 3.0.6 → 3.0.8
--------------------------------

Bug fixes:

- Fix error in site syndication settings when upgrading. [maurits] (#315)
- Add upgrade step to fix ISyndicationSettings. [1letter] (#315)
- Added upgrade to 6018, Plone 6.0.7. [maurits] (#6018)

plone.app.viewletmanager: 4.0.2 → 4.0.3
---------------------------------------

Bug fixes:

- Fix styles when the toolbar is on top. [petschki] (#29)
- Only show one Hide or Show button per viewlet on the manage-viewlets page. Make it clear that a viewlet is hidden by making it more subdued / opaque. [maurits] (#3831)

Internal:

- Update configuration files. [plone devs] (cfffba8c)

plone.app.widgets: 4.0.1 → 5.0.0
--------------------------------

Breaking changes:

- Make this package deprecated. Widget base classes moved to ``plone.app.z3cform.widgets.patterns``. Also see ``plone.app.widgets.utils`` for information about moving utility methods to their new location. [petschki] (#220)

plone.app.z3cform: 4.2.1 → 4.3.0
--------------------------------

New features:

- Introduce a new Email widget which is used for `plone.schema.email.IEmail` fields. It uses the input type `email`. [jensens] (#173)

Bug fixes:

- Fix OrderedSelectWidget browser validation when the input is required. [petschki] (#178)
- Ignore form validation when `ignoreRequiredOnExtract` is set. [petschki] (#179)

Internal:

- Update configuration files. [plone devs] (cfffba8c)

plone.base: 1.1.3 → 1.1.4
-------------------------

Bug fixes:

- Remove the action property `modal` default value. Fixes: https://github.com/plone/Products.CMFPlone/issues/3801 [petschki] (#3801)

Internal:

- Update configuration files. [plone devs] (1a7a3da3)

plone.dexterity: 3.0.2 → 3.0.3
------------------------------

Bug fixes:

- Respect locally allowed types when pasting objects. [cekk] (#146)
- Fix a memory leak as reported in https://github.com/plone/Products.CMFPlone/issues/3829, changing the interface declaration type as suggested by @d-maurer in https://github.com/plone/plone.dexterity/issues/186 [mamico] (#187)

Internal:

- Update configuration files. [plone devs] (55bda5c9)

plone.namedfile: 6.1.1 → 6.2.1
------------------------------

New features:

- Add an internal modification timestamp with fallback to _p_mtime. [mathias.leimgruber] (#149)
- Use the new internal modification timestamp as part of the hash key for scales. [mathias.leimgruber] (#150)

Bug fixes:

- Fix stored XSS (Cross Site Scripting) for SVG images. Done by forcing a download instead of displaying inline. See the security advisory. [maurits] (#1)
- Fixed the issue where SVG images containing extensive metadata were not being displayed correctly (resulting in a width/height of 1px). This problem could occur when the opening ``<svg>`` tag exceeded the MAX_INFO_BYTES limit. Fixes issue 147. [mliebischer] (#147)

plone.outputfilters: 5.0.3 → 5.0.4
----------------------------------

Bug fixes:

- Call the registry once per filter rather than for each img tag. [gotcha] (less_call_to_registry)

Internal:

- Update configuration files. [plone devs] (7723aeaf)

plone.recipe.zope2instance: 6.12.0 → 6.12.1
-------------------------------------------

Documentation:

- Update README: for ``RotatingFileHandler``, ``maxCount`` is not a valid keyword argument. Use ``backupCount``. [gforcada] (#190)

plone.rest: 3.0.0 → 3.0.1
-------------------------

Bug fixes:

- When ``++api++`` is in the URL multiple times, redirect to the proper URL. When the URL is badly formed, for example ``++api++/something/++api++``, give a 404 NotFound. Fixes a denial of service. See the security advisory. [maurits] (#1)

plone.restapi: 8.40.0 → 8.43.3
------------------------------

New features:

- Allow passing additional parameters to the delete users endpoint to request not to delete local roles and member areas. [erral] (#1598)
- When serializing blocks, `image_scales` is now added to blocks that contain a resolveuid-based `url`. When deserializing blocks, `image_scales` is removed. @davisagli (#1642)
- Add `visit_blocks` util for finding all nested blocks. @davisagli (#1648)

Bug fixes:

- Fix stored XSS (Cross Site Scripting) for an SVG image in the user portrait. Done by forcing a download instead of displaying inline. Normal access via an image tag is not affected and is safe. See the security advisory. [maurits] (#1)
- Make a new release to add missing changelog entries for 8.43.1. [maurits] (#8431)
- Use the incoming request to produce the location for @tus-upload. [instification] (#1570)
- Fix broken relations info. @ksuess (#1673)
- Remove the hard dependency on plone.app.multilingual, use it conditionally instead. [@folix-01] (#1639)
- Fix timezone of dates for revisions in the `@history` service. @davisagli (#1647)
- Fix types expander in root for Plone 5.2 (for non-Dexterity Plone Site Root). @sneridagh (#1669)
- Fix path2uid method to handle a suffix with non-traversable objects. @cekk @mamico (#1649)

Documentation:

- Added translation code through expansion. @Akshat2Jain (#1374)
- Restores formatting and fixes some MyST syntax from #1689. @stevepiercy (#1691)
- Documentation fixes for #1599. @stevepiercy (#1692)
- Fix linkcheckbroken 301 redirect to https://www.4teamwork.ch/en. @stevepiercy (#1693)
- Move expansion docs from endpoints to usage, and add a list of all expandable components. Fixes #1677. @stevepiercy (#1678)
- Added instructions to ensure consistent code formatting. @Akshat2Jain (#1664)
- Fix html_meta tags, and remove stray spaces that prevented the glossary from rendering. @stevepiercy (#1663)

Internal:

- Fix test cleanup. @davisagli (#1680)
- Updated package installation to use constraints.txt for the black package, ensuring compatibility and consistent versions. @Akshat2Jain (#1671)
- Update Makefile and buildout to use Plone 6.0.6. @davisagli (#1672)
- Allow GHA tests to run on PRs from forks. @Akshat2Jain (#1656)

plone.schemaeditor: 4.0.3 → 4.0.4
---------------------------------

Bug fixes:

- Remove the dependency on `plone.app.z3cform`, which is circular. [petschki] (#104)

plone.session: 4.0.3 → 4.0.4
----------------------------

Bug fixes:

- Do not set an auth cookie after password reset unless the user is authenticated. Otherwise anonymous users will be logged in immediately, even when autologin after password reset is false. Fixes issue 3835. [maurits] (#3835)

Internal:

- Update configuration files. [plone devs] (7723aeaf)

plone.staticresources: 2.1.3 → 2.1.7
------------------------------------

Bug fixes:

- Update Bootstrap to ``5.3.2``, bootstrap-icons to ``1.11.1`` and Mockup to ``5.1.5``. [petschki] (#303)
- Mockup 5.1.4, see https://github.com/plone/mockup/releases/tag/5.1.4 [petschki] (#302)
- Upgrade various dependencies. [petschki] (#300)
- Update mockup=5.1.2. [petschki] (#299)

Internal:

- Update configuration files. [plone devs] (cfffba8c)

plone.testing: 8.0.3 → 8.0.4
----------------------------

Bug fixes:

- Fix tests when run with ZODB 5.8.1+. [maurits] (#581)

plone.volto: 4.0.9 → 4.1.0
--------------------------

New features:

- Add a `block_types` index to the zcatalog. By default it is only added for new Plone sites. To add it to an existing site, run `plone.volto.upgrades.add_block_types_index` manually. [margaridasp, davisagli] (#4778)

Bug fixes:

- Change the implementation for finding nested blocks to use an IBlockVisitor adapter. @davisagli (#127)
- Fix missing translations for the head_title field. @davisagli (#130)
- Use plone.app.multilingual conditionally so that it is not an explicit dependency. [@foxtrot-01] (#119)

plonetheme.barceloneta: 3.1.3 → 3.1.4
-------------------------------------

Bug fixes:

- Update Bootstrap to 5.3.2. [petschki] #346
- Update Bootstrap to ``5.3.1``. [petschki] #343

Internal:

- Update configuration files. [plone devs] cfffba8c

Documentation:

- Fix broken links in the readme. [maurits] #338

Products.CMFPlone: 6.0.6 → 6.0.7
--------------------------------

Bug fixes:

- Register site syndication settings from plone.base instead of CMFPlone. [maurits] #315
- Explicitly disable ``Products.CMFCore.explicitacquisition`` in Plone 6. [jaroel] explicitacquisition
- Update the `plone.app.z3cform` dependency version and deprecate `plone.app.widgets`. [petschki] #3821
- Updated metadata version to 6018. [maurits] #6018

Tests:

- Fix unstable robot test scenario Reorder Folder Contents.
[maurits] #3811

Products.PlonePAS: 8.0.1 → 8.0.2
--------------------------------

Internal:

- Update configuration files. [plone devs] (cfffba8c)

Products.statusmessages: 5.0.5 → 5.0.6
--------------------------------------

Internal:

- Update configuration files. [plone devs] (cc314a2b)

collective.recipe.vscode: 0.1.8 → 0.1.9
---------------------------------------

robotsuite: 2.3.1 → 2.3.2
-------------------------

- Fix to support screenshots / images below sub directories. [datakurre]

Products.CMFCore: 3.0 → 3.2
---------------------------

- Improve handling of PortalFolder filter input.
- Provide a way to not publish items that are acquired.

ZEO: 5.4.0 → 5.4.1
------------------

cryptography: 41.0.1 → 41.0.3
-----------------------------

exceptiongroup: 1.1.1 → 1.1.2
-----------------------------

importlib-metadata: 6.6.0 → 6.8.0
---------------------------------

importlib-resources: 5.12.0 → 5.13.0
------------------------------------

jsonschema: 4.17.3 → 4.18.2
---------------------------

lxml: 4.9.2 → 4.9.3
-------------------

mock: 5.0.2 → 5.1.0
-------------------

trio: 0.22.0 → 0.22.2
---------------------

typing-extensions: 4.5.0 → 4.7.1
--------------------------------

zipp: 3.15.0 → 3.16.1
---------------------
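The Zope 5.8.4 entry (CVE-2023-42458), the plone.namedfile 6.2.1 entry and the plone.restapi 8.43.x portrait entry above all describe the same mitigation for stored XSS through SVG: on direct URL access, an image whose MIME type is not on the allowed list is served as a download instead of inline, and operators can switch to a deny list with ``OFS_IMAGE_USE_DENYLIST=1`` and override either list through ``ALLOWED_INLINE_MIMETYPES`` or ``DISALLOWED_INLINE_MIMETYPES``. The following is an added example that reimplements that decision as described, so the policy can be reasoned about and tested offline; it is not Zope's ``OFS.Image`` code nor plone.namedfile's. Only the three environment variable names come from the changelog; the default allowed and denied sets, the function names and the header construction are assumptions of this example.

```python
"""Added example: inline-vs-download policy for image blobs, modelled on the
Zope 5.8.4 / plone.namedfile 6.2.1 change. Not the projects' own code; the
default lists below are assumptions, only the env var names are from the
changelog."""
import os

# Assumed defaults. Raster formats are rendered by the browser without any
# script execution; SVG is XML and may carry <script> or on* handlers.
DEFAULT_ALLOWED = frozenset({"image/gif", "image/jpeg", "image/png", "image/webp"})
DEFAULT_DENIED = frozenset({"image/svg+xml"})


def parse_mimetype_list(value):
    """Split an env-var value on commas and/or whitespace (changelog: either works)."""
    return frozenset(token.lower() for token in value.replace(",", " ").split())


def inline_allowed(content_type, env=None):
    """True if a blob with this Content-Type may be shown inline on direct URL access."""
    env = os.environ if env is None else env
    # Compare only the media type; parameters such as charset must not bypass the check.
    ctype = content_type.split(";", 1)[0].strip().lower()
    if env.get("OFS_IMAGE_USE_DENYLIST", "") == "1":
        denied = parse_mimetype_list(env.get("DISALLOWED_INLINE_MIMETYPES", "")) or DEFAULT_DENIED
        return ctype not in denied
    allowed = parse_mimetype_list(env.get("ALLOWED_INLINE_MIMETYPES", "")) or DEFAULT_ALLOWED
    return ctype in allowed


def content_disposition(content_type, filename, env=None):
    """Content-Disposition header value to send on direct URL access of the blob."""
    disposition = "inline" if inline_allowed(content_type, env) else "attachment"
    # Keep the filename from breaking the quoted-string or injecting header lines.
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return f'{disposition}; filename="{safe_name}"'


if __name__ == "__main__":
    # Constructed inputs: default allow list, then a deny-list override that forgot SVG.
    for ct in ("image/png", "image/svg+xml", "image/svg+xml; charset=utf-8"):
        print(ct, "->", content_disposition(ct, "logo.svg", env={}))
    risky = {"OFS_IMAGE_USE_DENYLIST": "1", "DISALLOWED_INLINE_MIMETYPES": "text/html"}
    print("deny list without SVG ->", content_disposition("image/svg+xml", "logo.svg", env=risky))
```

The last case is the caveat worth checking after an upgrade: once ``OFS_IMAGE_USE_DENYLIST=1`` is set, an overridden ``DISALLOWED_INLINE_MIMETYPES`` that omits ``image/svg+xml`` silently restores inline SVG rendering. A quick verification is to fetch a stored SVG by its direct URL (for example with ``curl -I``) and confirm the response carries ``Content-Disposition: attachment`` rather than ``inline``; an ``<img src="...">`` reference keeps working either way, as the changelog states.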
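The plone.rest 3.0.1 entry above fixes a denial of service by handling repeated ``++api++`` segments in one pass: a run of repeated markers is answered with a redirect to the proper URL, and a malformed path such as ``++api++/something/++api++`` gets a 404. As an added illustration (not plone.rest's traversal code), the classifier below applies those two rules to a request path; the precise rules it encodes (collapse one contiguous run of markers anywhere in the path, reject a marker that appears in two separate places, answer the collapsed case with a permanent redirect) are assumptions drawn from the changelog text, as are the function names and the ``API_MARKER`` constant.

```python
"""Added example: one-pass handling of repeated ++api++ path segments, modelled
on the plone.rest 3.0.1 fix. Not plone.rest's own code; the exact rules and
the 301 status are assumptions."""
from urllib.parse import urlsplit, urlunsplit

API_MARKER = "++api++"


def classify_api_path(path):
    """Return ("ok", path), ("redirect", canonical_path) or ("notfound", None).

    The path is scanned once, so a request with thousands of repeated markers
    costs a single list walk rather than one traversal step per marker.
    """
    segments = [s for s in path.split("/") if s]
    positions = [i for i, seg in enumerate(segments) if seg == API_MARKER]
    if not positions:
        return "ok", "/" + "/".join(segments)
    first, last = positions[0], positions[-1]
    if last - first + 1 != len(positions):
        # Markers in two separate places, e.g. ++api++/something/++api++ -> 404
        return "notfound", None
    if len(positions) > 1:
        # One contiguous run of markers: collapse it and redirect to the proper URL
        collapsed = segments[:first] + [API_MARKER] + segments[last + 1:]
        return "redirect", "/" + "/".join(collapsed)
    return "ok", "/" + "/".join(segments)


def respond(url):
    """Map a full URL to (status, location); query string survives the redirect."""
    parts = urlsplit(url)
    status, location = classify_api_path(parts.path)
    if status == "notfound":
        return 404, None
    if status == "redirect":
        # 301 is this example's choice; the changelog only says "redirect".
        return 301, urlunsplit((parts.scheme, parts.netloc, location, parts.query, ""))
    return 200, url


if __name__ == "__main__":
    # Constructed request paths, including a flood of repeated markers.
    samples = [
        "/Plone/++api++/news",
        "/Plone/++api++/++api++/++api++/news",
        "/++api++/something/++api++",
        "/" + "/".join([API_MARKER] * 10000) + "/news",
    ]
    for p in samples:
        print(p[:60], "->", classify_api_path(p)[0])
```

When checking a site after the upgrade, the two behaviours to confirm are that a path with the marker repeated several times returns a redirect whose Location contains ``++api++`` exactly once, and that the malformed form from the changelog returns 404 rather than a redirect loop or a slow response.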