Zope 5.8.3 → 5.8.5
------------------
- Allow only some image types to be displayed inline. Force download for others, especially SVG images. By default we use a list of allowed types. You can switch to a list of denied types by setting the OS environment variable OFS_IMAGE_USE_DENYLIST=1. You can override the allowed list with environment variable ALLOWED_INLINE_MIMETYPES and the disallowed list with DISALLOWED_INLINE_MIMETYPES. Separate multiple entries by either comma or space. This change only affects direct URL access. works the same as before. (CVE-2023-42458) See security advisory.
- Tighten down the ZMI frame source logic to only allow site-local sources. Problem reported by Miguel Segovia Gil.
- Added image dimensions to SVG file properties #1146.
- Fix username not in access log for error requests, see issue #1155.
- Update to newest compatible versions of dependencies.
- Add preliminary support for Python 3.12rc3.
- Disable a ZCatalog (more precisely: Products.PluginIndexes) performance test which occasionally fails on GitHub. For details, see #1136.
- Restore filename on code objects of objects returned from App.Extensions.getObject(). This got lost in 4.0a6.
- Update to newest compatible versions of dependencies.
- Add preliminary support for Python 3.12rc1.
- Make mapply __signature__ aware. This allows publishing methods decorated via a decorator which sets __signature__ on the wrapper to specify the signature to use. For details, see #1134. Note: mapply still does not support keyword-only, var positional and var keyword parameters.
- Make Zope’s parameters for denial of service protection configurable #1141.
- Update RestrictedPython to version 6.2 to mitigate a security problem. (CVE-2023-41039)
- Update AccessControl to version 6.2 to mitigate a security problem. (CVE-2023-41050)
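The inline-display rule from the CVE-2023-42458 entry above, as an added Python sketch; it is not Zope's own code. The three environment variable names and the comma-or-space separator come from the entry; the function names, the default type lists and the use of a Content-Disposition header to force the download are assumptions made for illustration.

```python
import os
import re

# Assumed defaults for illustration only; Zope's real built-in lists are not
# shown on this page.
ASSUMED_ALLOWED = {"image/png", "image/jpeg", "image/gif"}
ASSUMED_DENIED = {"image/svg+xml"}


def parse_list(value):
    """Split entries on commas and/or whitespace, as the entry describes."""
    return {t.lower() for t in re.split(r"[,\s]+", value.strip()) if t}


def inline_policy(environ=None):
    """Return (mode, types) derived from the three environment variables."""
    env = os.environ if environ is None else environ
    # OFS_IMAGE_USE_DENYLIST=1 switches from the allowlist to the denylist.
    if env.get("OFS_IMAGE_USE_DENYLIST") == "1":
        raw = env.get("DISALLOWED_INLINE_MIMETYPES")
        return "deny", parse_list(raw) if raw else set(ASSUMED_DENIED)
    raw = env.get("ALLOWED_INLINE_MIMETYPES")
    return "allow", parse_list(raw) if raw else set(ASSUMED_ALLOWED)


def content_disposition(content_type, filename, environ=None):
    """Decide 'inline' or 'attachment' for a directly requested image."""
    # Drop parameters such as "; charset=utf-8" before comparing.
    base = content_type.split(";", 1)[0].strip().lower()
    mode, types = inline_policy(environ)
    inline = (base in types) if mode == "allow" else (base not in types)
    if inline:
        return "inline"
    # Strip characters that could break out of the quoted header value.
    safe = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return f'attachment; filename="{safe}"'


if __name__ == "__main__":
    for ctype in ("image/png", "image/svg+xml", "image/x-unknown"):
        print(ctype, "->", content_disposition(ctype, "sample.img", {}))
```

In denylist mode any type that is not listed is displayed inline, so the default allowlist is the setting that fails closed for types nobody anticipated.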
pip: 23.1.2 → 23.2
------------------
setuptools: 67.8.0 → 68.0.0
---------------------------
Plone: 6.0.6 → 6.0.7
--------------------
plone.api: 2.0.3 → 2.0.4
------------------------
Bug fixes:
- Do not run GitHub Actions tests twice.
Only run GitHub Actions tests when committing directly against master or main or
opening a pull request against master or main. This avoids running the same test
suite for the same environment twice.
[thet] (#0)
- Mockup TinyMCE settings: Remove unused AtD related views.
Fix a test which was checking for "checkDocument" among other available views.
"checkDocument" was a TinyMCE endpoint for unmaintained "After the Deadline"
plugin, which is now removed. (#504)
Documentation:
- Enhance API docs of `portal.translate` to show that the domain is optional in some cases. @thet (#510)
plone.app.contentmenu: 3.0.2 → 3.0.3
------------------------------------
Bug fixes:
- Fix "Add item to default page" modal form. [sverbois] (#54)
Internal:
- Update configuration files.
[plone devs] (7723aeaf)
plone.app.discussion: 4.0.1 → 4.0.2
-----------------------------------
Internal:
- Update configuration files.
[plone devs] (cfffba8c)
plone.app.event: 5.0.1 → 5.1.0
------------------------------
New features:
- Cache the events from the 'Upcoming Events' portlet
[frapell] (#351)
Internal:
- Update configuration files.
[plone devs] (5ed054fb)
plone.app.layout: 4.0.6 → 4.0.7
-------------------------------
Bug fixes:
- Fix nested `li` tags after zpretty in `contentviews.pt`
[petschki] (#350)
Internal:
- Update configuration files.
[plone devs] (7723aeaf, cfffba8c)
plone.app.linkintegrity: 4.0.1 → 4.0.2
--------------------------------------
Bug fixes:
- Remove outgoing 'isReferencing' RelationValues from catalog on deleting content item.
[ksuess] (#93)
Internal:
- Update configuration files.
[plone devs] (7723aeaf)
plone.app.locales: 6.0.15 → 6.0.16
----------------------------------
- Fixes in Dutch translation
[ThibautBorn]
- Config with default template
[gforcada]
plone.app.multilingual: 7.0.1 → 7.0.3
-------------------------------------
Bug fixes:
- Fix setting Indonesian language cookie on site root: must be ``id``, not ``id-id``.
[maurits] (#304)
- Do not unset the language on the Indonesian root language folder when saving the control panel.
This language has ``id`` as code. This is not allowed as an id in Plone, so it is created as ``id-id`` instead.
This needs some special handling.
Added upgrade to recursively fix this language folder to set the Indonesian language. This is only done when the folder itself has the wrong language.
[maurits] (#304)
- Root language switcher: redirect to ``id-id`` if the Indonesian language is preferred.
[maurits] (#304)
- Fix ``set_recursive_language`` to actually find child objects.
[maurits] (#304)
plone.app.querystring: 2.0.5 → 2.0.6
------------------------------------
Bug fixes:
- Fix the currentUser operation when the current user's username is different from their user id. @davisagli (#135)
plone.app.robotframework: 2.0.1 → 2.1.0
---------------------------------------
New features:
- Add support for `playwright`-based tests via `robotframework-browser`.
[datakurre] (#3813)
Bug fixes:
- Remove unused and empty keyword that was displaying an error.
[gforcada] (#147)
plone.app.upgrade: 3.0.6 → 3.0.8
--------------------------------
Bug fixes:
- Fix error in site syndication settings when upgrading.
[maurits] (#315)
- Add Upgrade Step to fix ISyndicationSettings
[1letter] (#315)
- Added upgrade to 6018, Plone 6.0.7.
[maurits] (#6018)
plone.app.viewletmanager: 4.0.2 → 4.0.3
---------------------------------------
Bug fixes:
- Fix styles when toolbar is on top.
[petschki] (#29)
- Only show one Hide or Show button per viewlet on the manage-viewlets page.
Make it clear that a viewlet is hidden by making it more subdued / opaque.
[maurits] (#3831)
Internal:
- Update configuration files.
[plone devs] (cfffba8c)
plone.app.widgets: 4.0.1 → 5.0.0
--------------------------------
Breaking changes:
- Make this package deprecated. Widget base classes moved to ``plone.app.z3cform.widgets.patterns``.
Also see ``plone.app.widgets.utils`` for information about moving utility methods to their new location.
[petschki] (#220)
plone.app.z3cform: 4.2.1 → 4.3.0
--------------------------------
New features:
- Introduce new Email-Widget which is used for `plone.schema.email.IEmail` fields.
It uses the input type `email`.
[jensens] (#173)
Bug fixes:
- Fix OrderedSelectWidget browser validation when the input is required.
[petschki] (#178)
- Ignore form validation when `ignoreRequiredOnExtract` is set.
[petschki] (#179)
Internal:
- Update configuration files.
[plone devs] (cfffba8c)
plone.base: 1.1.3 → 1.1.4
-------------------------
Bug fixes:
- Remove action property `modal` default value.
Fixes: https://github.com/plone/Products.CMFPlone/issues/3801
[petschki] (#3801)
Internal:
- Update configuration files.
[plone devs] (1a7a3da3)
plone.dexterity: 3.0.2 → 3.0.3
------------------------------
Bug fixes:
- Respect locally allowed types when pasting objects [cekk] (#146)
- Fix a memory leak as reported in https://github.com/plone/Products.CMFPlone/issues/3829, changing interface declaration type as suggested by @d-maurer in https://github.com/plone/plone.dexterity/issues/186 [mamico] (#187)
Internal:
- Update configuration files.
[plone devs] (55bda5c9)
plone.namedfile: 6.1.1 → 6.2.1
------------------------------
New features:
- Add internal modification timestamp with fallback to _p_mtime.
[mathias.leimgruber] (#149)
- Use new internal modification timestamp as part of the hash key for scales.
[mathias.leimgruber] (#150)
Bug fixes:
- Fix stored XSS (Cross Site Scripting) for SVG images.
Done by forcing a download instead of displaying inline.
See security advisory.
[maurits] (#1)
- Fixed the issue where SVG images containing extensive metadata were not being displayed
correctly (resulting in a width/height of 1px). This problem could occur when the