
Releases: getgrav/grav

2.0.0-rc.1 (Pre-release)

04 May 17:08, commit 1f83c8b

RC release

2.0.0-beta.4 (Pre-release)

29 Apr 17:53, commit 07751dc

Release v2.0.0-beta.4

1.7.52

29 Apr 17:48, commit f17d903

Release v1.7.52

2.0.0-beta.3 (Pre-release)

28 Apr 11:51, commit 37a23e1

Improved

  • Twig sandbox is now the sole layer of SSTI protection on editor-authored content — the legacy regex pre-filter has been retired. With the sandbox stable in beta.2 (allowlist-based Twig\Sandbox\SecurityPolicy covering tags / filters / functions / methods / properties), the security.twig_filter.* blacklist + whitelist that pre-dated it served only as a logging fallback when the sandbox was disabled. Removed across the board: blueprint section + 6 fields (twig_filter.enabled, logging, admin_hint, whitelist.{functions,filters,properties}); the twig_filter: block in system/config/security.yaml; Security::cleanDangerousTwig() / cleanDangerousTwigWithStatus() / getDangerousTwigPatterns(); the CALLABLE_DANGEROUS_NAMES and INTROSPECTION_NAMES constants and their compiled-pattern caches; Security::logTwigBlock() / twigWhitelistHint() and the per-request dedup map; the three Twig::process{Page,String,Site} call sites that used to wrap content in the regex pass before handing it to Twig; and tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php. The sandbox remains toggleable via security.twig_sandbox.enabled for sites that genuinely need container access from page content; the toggle now ships with an explicit warning that disabling it removes the only SSTI protection on editor-authored content. The admin-hint comment Twig appended after a filtered render moves with the rename: appendTwigFilterAdminHint → appendSandboxAdminHint, reading from the new security.twig_sandbox.admin_hint config (default true). Net effect: a single, clean enforcement layer; ~350 fewer lines of regex; one config story to document; the sandbox is what catches a violation, the sandbox is what logs it. No upgrade action needed — security.twig_filter.* keys in user yaml are silently ignored.

Bugfix

  • Fixed the selectize field optionally being able to store keys

1.7.51

28 Apr 13:50, commit c83810d

Release v1.7.51

2.0.0-beta.2 (Pre-release)

25 Apr 16:52, commit 3077b04

Summary

  • Twig content sandbox — page content authored in the editor now renders through a Twig sandbox with allowlisted tags / filters / functions / methods / properties, blocking the SSTI class of attacks. Theme templates are unaffected.
  • Admin UI for the sandbox — new "Twig Sandbox" section under Configuration → Security with toggles and editable allowlists; can be disabled wholesale if a site needs the old unrestricted behaviour.
  • Dedicated logs/security.log — every blocked Twig expression is logged with the page route and a pointer to the exact setting to change.
  • Soft-fail on sandbox violations — the rest of the page still renders, visitors see a small placeholder, admins get a hint to the log entry.
  • Smarter dangerous-Twig filter — fewer false positives (e.g. {{ page.header.user.mail }} no longer flagged just because it contains "mail").
  • Major security hardening pass — fixes for ten advisories shipped together:
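The sandboxed rendering described in this summary and in the beta.3 note above, as an added example that is not Grav's code: a page-content string is rendered through Twig's SandboxExtension with an allowlist SecurityPolicy, and a violation soft-fails to a placeholder plus a log line instead of taking the page down. It assumes PHP 8 with twig/twig 3 installed via Composer; the allowlist contents, placeholder markup and log wording are illustrative, not Grav's actual settings.

```php
<?php
// Added example, not Grav's code: render editor-authored content through Twig's
// sandbox with allowlists, soft-fail on a violation, and emit a log line an admin
// can act on. Assumes PHP 8 and twig/twig 3 via Composer; allowlists, placeholder
// markup and log wording are illustrative, not Grav's actual settings.
require __DIR__ . '/vendor/autoload.php';
use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityNotAllowedFilterError;
use Twig\Sandbox\SecurityNotAllowedFunctionError;
use Twig\Sandbox\SecurityNotAllowedTagError;
use Twig\Sandbox\SecurityPolicy;

function renderPageContent(string $source, array $context, bool $adminHint = true): array
{
    // Allowlist policy: anything not listed raises a SecurityError when the template runs.
    $policy = new SecurityPolicy(
        ['if', 'for'],                     // tags
        ['escape', 'e', 'upper', 'date'],  // filters ('escape' is what autoescape inserts)
        [],                                // methods (context here is plain arrays)
        [],                                // properties
        ['range']                          // functions
    );
    $twig = new Environment(new ArrayLoader(['page' => $source]), ['autoescape' => 'html']);
    $twig->addExtension(new SandboxExtension($policy, true)); // true = sandbox every template
    try {
        return ['html' => $twig->render('page', $context), 'log' => null];
    } catch (SecurityError $e) {
        // Soft-fail: the visitor sees a placeholder, the admin gets a hint to the log entry.
        $list = match (true) {
            $e instanceof SecurityNotAllowedFilterError   => 'filters',
            $e instanceof SecurityNotAllowedFunctionError => 'functions',
            $e instanceof SecurityNotAllowedTagError      => 'tags',
            default                                       => 'methods/properties',
        };
        $html = '<span class="twig-sandbox-blocked">[content blocked]</span>'
            . ($adminHint ? '<!-- Twig sandbox violation: see logs/security.log -->' : '');
        $log = sprintf('[%s] route=%s %s (edit the sandbox %s allowlist)',
            date('c'), $context['route'] ?? '?', $e->getMessage(), $list);
        return ['html' => $html, 'log' => $log];
    }
}
// Constructed samples: one stays inside the allowlist, one uses a filter outside it.
$ctx = ['page' => ['title' => 'Grav'], 'route' => '/home'];
$ok  = renderPageContent('Hello {{ page.title|upper }}', $ctx);
$bad = renderPageContent('{{ page.title|reverse }}', $ctx);
echo $ok['html'], "\n", $bad['html'], "\n", $bad['log'], "\n";
```

The first sample renders normally; the second is stopped by the sandbox before the filter runs, so the visitor sees only the placeholder while the log line names the allowlist an admin would need to extend.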

2.0.0-beta.1 (Pre-release)

16 Apr 16:39, commit 26a2d51

New

  • Rebrand 1.8-beta as 2.0-beta
  • NEW Quark2 theme for Grav 2.0
  • NEW Migrate Grav plugin required to get from 1.x to 2.0
  • NEW API support plugin required for Admin2
  • NEW Admin2 is the new default Admin for Grav 2.0
  • Moved to GitHub Markdown Alerts over Markdown Notices

1.8.0-beta.29 (Pre-release)

28 Dec 02:53, commit 07de0cb

Improved

  • Avoid "mail" in Twig content triggering a security error
  • Don't do internal Grav-based gzip; rely on the webserver
  • Updated vendor libs

Bugfix

  • Fix for Grav not picking up config and page changes
  • Fix for unusually formatted SVGs
  • Fix for nested config changes
  • Fix for user editing causing hashed_password to be removed
  • Fix for the setEscaper move in Twig 3.9+
  • Fix for broken symlinks

1.8.0-beta.28 (Pre-release)

09 Dec 03:47, commit 7a6b8a9

beta release

1.8.0-beta.27 (Pre-release)

30 Nov 23:18, commit 0f879bd

prepare for beta.27 release

Signed-off-by: Andy Miller <rhuk@mac.com>