Skip to content

Statamic 5.73.21 #19

Merged

lostgeek merged 38 commits into 5.x from statamic-5.73.21 on May 4, 2026

Conversation

@markjensen-novu markjensen-novu commented May 4, 2026

First of all, thank you 🫵 for taking the time to contribute to Statamic, we really appreciate it! 💜

Please take 30 seconds to read the following so we can be as efficient as possible when reviewing and considering merging PRs:

1️⃣ Is this your first PR? If so, please read our contribution guide first.

2️⃣ Please make sure to create a new branch for your PR.

3️⃣ Typically you should target the branch of the most current release, e.g. 5.x, unless your PR includes a breaking change, in which case you should target the master branch for the next major release.

4️⃣ We really appreciate it if your PR includes tests. This makes it much easier for us to review, merge, and release. A PR with tests is usually reviewed and merged 5x-10x faster.

5️⃣ If your PR introduces a new feature, adds to an existing one, or changes current behavior, please open an issue for it in the statamic/docs repo referencing your PR. A simple "Goes along with statamic#9000" is enough. Otherwise it's really easy to forget and no one will ever become aware of your ✨ sparkling ✨ invention if it's not documented.

6️⃣ Remove this placeholder text and replace it with a description of what this PR is doing.

Note

Harden security across Statamic 5.73.21 with access control, input validation, and live preview fixes

  • Forgot password endpoints now always return a generic success response regardless of whether the user exists or is throttled, preventing user enumeration.
  • Reset form URLs are validated more robustly: encrypted values must be internal; plaintext values must be safe relative paths without control characters or excessive length.
  • Password protection bypass via live preview tokens is now scoped to the specific item being previewed (isLivePreviewOf), not any live preview request.
  • getQueryableValue across entries, assets, users, terms, and other models now uses an explicit allowlist instead of method_exists, preventing invocation of arbitrary methods (e.g. delete, save).
  • Dictionary file paths are validated against path traversal (..) before use.
  • SVG assets are sanitized on reupload when svg_sanitization_on_upload is enabled, and SVG responses in the CP include a script-src 'none' CSP header.
  • CP sort parameters across entries, users, terms, assets, and form submissions are now validated via OrderBy::column before being applied.
  • Taxonomy term revisions are removed: CP routes, controllers, and UI props for term revisions are deleted.
  • Stache index loading is now re-entrant safe via a stack, fixing URI blinking during any concurrent index load.
  • Risk: term revision data and routes are permanently removed; any code depending on term working copies or revision endpoints will break.
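The getQueryableValue change above is worth seeing in code. The following is an added illustration, not Statamic's own implementation; the `Record` class, its methods and the allowlist constant are hypothetical. It puts the method_exists-based resolver (where any public method name arriving in a query filter becomes a call) next to the allowlisted one (where only a fixed set of names resolves to methods and everything else is treated as a plain data key):

```php
<?php
// Added illustration (not Statamic's code). Class, method and constant
// names are hypothetical; the point is the resolver pattern.

declare(strict_types=1);

final class Record
{
    /** @var array<string,mixed> */
    private array $data;

    public bool $deleted = false;

    // Only these method names may be resolved from a query field.
    private const QUERYABLE_METHODS = ['title', 'status'];

    public function __construct(array $data)
    {
        $this->data = $data;
    }

    public function title(): string
    {
        return (string) ($this->data['title'] ?? '');
    }

    public function status(): string
    {
        return (string) ($this->data['status'] ?? 'draft');
    }

    // A non-query method that must never be reachable from user-controlled input.
    public function delete(): void
    {
        $this->deleted = true;
    }

    /** @return mixed */
    public function get(string $key)
    {
        return $this->data[$key] ?? null;
    }

    // Weak pattern: any public method name becomes callable via a query field.
    /** @return mixed */
    public function getQueryableValueUnsafe(string $field)
    {
        if (method_exists($this, $field)) {
            return $this->$field();
        }

        return $this->get($field);
    }

    // Hardened pattern: only allowlisted names map to method calls;
    // every other name is looked up as ordinary data.
    /** @return mixed */
    public function getQueryableValueSafe(string $field)
    {
        if (in_array($field, self::QUERYABLE_METHODS, true)) {
            return $this->$field();
        }

        return $this->get($field);
    }
}

// Constructed sample data; note the data key that happens to share a
// name with a destructive method.
$sample = ['title' => 'Hello', 'status' => 'published', 'delete' => 'just data'];

$weak = new Record($sample);
$weak->getQueryableValueUnsafe('delete');
printf("unsafe resolver, field 'delete': deleted=%s\n", var_export($weak->deleted, true));
// prints: unsafe resolver, field 'delete': deleted=true

$safe = new Record($sample);
$value = $safe->getQueryableValueSafe('delete');
printf("safe resolver, field 'delete': value=%s deleted=%s\n", var_export($value, true), var_export($safe->deleted, true));
// prints: safe resolver, field 'delete': value='just data' deleted=false

printf("safe resolver, field 'title': %s\n", var_export($safe->getQueryableValueSafe('title'), true));
// prints: safe resolver, field 'title': 'Hello'
```

The allowlist is a class constant rather than something derived by reflection so that adding a new public method to the model never silently widens what a query filter can reach; a reviewer sees the exposure in one place. A strict `in_array` comparison keeps loosely-typed values such as `0` from matching an entry.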
📊 Macroscope summarized 21da7d1. 64 files reviewed, 2 issues evaluated, 0 issues filtered, 2 comments posted

micahhenshaw and others added 30 commits March 12, 2026 10:07
Co-authored-by: Jesse Leite <jesseleite@gmail.com>
Co-authored-by: Duncan McClean <duncan@duncanmcclean.com>
…#14288)

Co-authored-by: Jason Varga <jason@pixelfear.com>
Co-authored-by: Jason Varga <jason@pixelfear.com>
Co-authored-by: Duncan McClean <duncan@duncanmcclean.com>
Co-authored-by: Jason Varga <jason@pixelfear.com>
Co-authored-by: Jason Varga <jason@pixelfear.com>
Co-authored-by: Duncan McClean <duncan@duncanmcclean.com>
Co-authored-by: Jason Varga <jason@pixelfear.com>
Co-authored-by: Jason Varga <jason@pixelfear.com>
…tatamic#14181)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Jason Varga <jason@pixelfear.com>
Co-authored-by: Jason Varga <jason@pixelfear.com>
jasonvarga and others added 8 commits April 7, 2026 16:34
Co-authored-by: Jason Varga <jason@pixelfear.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Jason Varga <jason@pixelfear.com>
…4539)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Comment thread src/Structures/Page.php
Comment thread src/Auth/User.php
@lostgeek lostgeek merged commit 9173fe1 into 5.x May 4, 2026
7 of 33 checks passed
@lostgeek lostgeek deleted the statamic-5.73.21 branch May 4, 2026 07:10
9 participants