Releases: BookStackApp/BookStack

BookStack Beta v0.27.2

01 Sep 11:15
v0.27.2
8cf7d6a

This release contains the following fixes:

  • Fixed issue where the URL generation logic could use a scheme different to that set via APP_URL. (#1613)

BookStack Beta v0.27.1

01 Sep 10:17
v0.27.1
c44a8df

This release contains the following fixes:

  • Fixed issue causing the markdown editor to not display a preview in Firefox.
  • Fixed issue causing page popover edit button icon not to show. (#1616)
  • Fixed export style issue causing grey backgrounds to be shown.

BookStack Beta v0.27.0

31 Aug 13:19
v0.27
b8ce8fd

Links

Full List of Changes

  • Reviewed accessibility of BookStack to move towards WCAG 2.0 Support. (#1320, #1476)
  • Added page templating functionality. (#129, #1527)
  • Added the ability to send a new user a sign-up link where the user can set their own password. (#316)
  • Added docker development environment. Thanks to @timoschwarzer. (#1504)
  • Added the ability to set separate storage types for Images and Attachments. (#1302)
  • Added Hungarian translations. Thanks to @miles75. (#1554, #1573)
  • Added notice to the "Custom HTML Head Content" setting to advise it does not apply while on the settings page. (#1144)
  • Updated entity permissions table so it's hidden unless custom permissions are enabled to prevent confusion. Thanks to @timoschwarzer. (#1505)
  • Updated French translations. Thanks to @lucaguindani. (#1485)
  • Updated German translations. Thanks to @danielroehrig-mm. (#1561)
  • Updated Brazilian Portuguese translations. Thanks to @DeehSlash. (#1534)
  • Updated HTML code of base templates with locale definition. Thanks to @kostasdizas. (#1486)
  • Updated the debug bar so it does not show unless explicitly enabled. (#1508)
  • Updated entity colors so they can be easily overridden.
  • Updated page navigation so full headings are included in the output but then truncated via CSS which can be overridden. (#1206)
  • Updated markdown editor to render the preview in a sandboxed iframe that does not run JavaScript. (#1531)
  • Re-wrote URL generation system to avoid incorrect redirects occurring during certain actions such as login and list view change. (#1536, #1459)
  • Made it possible to run phpunit via the composer-installed copy. (#1555)
  • Moved 'config' directory into 'app' directory to avoid confusion. (#1506)
  • Redesigned front-end translation system to prevent an additional HTTP call on each page load. (#1258)
  • Fixed issue causing main menu to be hidden by the page editor at certain widths. (#1556)
  • Fixed missing word in social account description text. Thanks to @bjubes. (#1517)
  • Fixed print CSS to work with the recent design changes. (#1472)
  • Fixed sidebar layout issues on mid-level screen sizes. (#1434)
  • Fixed issue that prevented scrolling in the WYSIWYG editor on iOS devices. (#1058)
  • Fixed issue where multi-byte characters would not render correctly in the sidebar. (#1172)
  • Fixed incorrect page navigation indentation. (#542)
  • Removed use of babel and css autoprefixer from dev build system for faster builds. (#1468)
  • Removed jQuery and replaced jQuery-based libraries.

BookStack Beta v0.26.4

06 Aug 20:50
v0.26.4
2558ea8

Security Release

Update instructions

The release enhances the security of BookStack in a few different areas:

  • Updated user profile behaviour so that users cannot change their email address unless they have permission to manage users. This is to prevent a user acting as an imposter, changing their email to one they don't own. Thanks to @Irrational-NX for raising.
  • Improved the script escaping logic that was enhanced in the previous release, by also checking for iframes using javascript or data urls. Thanks again to @billford for raising this issue. (#1531)
  • Updated the provided, and added an additional, .htaccess file to prevent apache indexes from listing image directories. Thanks to @davidtessier for raising.

BookStack Beta v0.26.3

10 Jul 19:25
v0.26.3
4f16129

Security Release

This release improves the escape logic for scripts that have been placed in page content. Thanks to @billford for raising this issue. (#1531)

BookStack Beta v0.26.2

27 May 13:06
v0.26.2
7502ba1

This release contains the following fixes and changes:

  • Updated Russian translations. Thanks to @kostefun. (#1446, #1445, #1444, #1443)
  • Updated Dutch translations. Thanks to @NootoNooto. (#1437)
  • Updated page navigation to exclude empty heading items. (#1429)
  • Updated custom-homepage views to display more consistently. (#1423)
  • Updated image uploads to resize at double the previous resolution. (#1108)
  • Fixed issue where chapter description would not show on book export. (#1465)
  • Fixed page navigation to work when used on mobile screen sizes. (#1454)
  • Fixed issue causing a redirect to the 404 page upon login. (#1452)
  • Fixed missing search bar on mobile search page. (#1450)
  • Fixed issue where a page could be deleted when previously set as the homepage option. (#1447)
  • Fixed issue causing horizontal scrollbar to show on some mobile views. (#1441)
  • Fixed text shown on 'Info' mobile tab being overly faded-out. (#1441)
  • Fixed issue where some UI elements would show over the page editor when in mobile full-screen mode. (#1424)
  • Fixed issue where pasting table content would insert as an image instead of a table or text. (#987)
  • Fixed issue where book description would not show if it contained multi-byte characters. (#816)

BookStack Beta v0.26.1

07 May 22:13
v0.26.1
b70a5c0

This release contains the following fixes and changes:

  • Updated Swedish translations. Thanks to @Hambern. (#1433)
  • Updated Spanish translations. Thanks to @moucho. (#1420)
  • Updated Ukrainian translations. Thanks to @Mant1kor. (#1419)
  • Updated tabbing order on login forms to be consistent and as expected. (#1418)
  • Fixed issue where "Toggle Details" Button does not properly save state when using the Guest user. (#1431)
  • Fixed issue where editor image paste, and markdown drawing insert, would fail with an error. (#1428)
  • Fixed styling of card headers on the 404 page. (#1427)
  • Fixed issues where Book names could leak via the shelves listing when set as the homepage option. (#1425)

Special thanks to @Bolthier for providing many good, detailed, bug reports since yesterday's release.

BookStack Beta v0.26.0

06 May 18:01
v0.26.0
220c2a4

Links

Upgrade Notes

Internet Explorer Support - IE11 Support has now been dropped. We may support any critical issues for view-only scenarios; otherwise, please use a modern browser.

Translations - Since many interfaces and lines of text have been updated, it may take a little while for some translations to catch up. Expect to see more English text than usual if you're using a non-English language option.

Images - Due to changes in how images are handled, as detailed below, some types of images may become inaccessible. Old logo images will be deleted when changed. Unused Book/Shelf cover images & User profile images will become inaccessible after the update so you may want to delete them before upgrade.

Security - On previous versions of BookStack it was possible for users to insert JavaScript via the Markdown editor using on* HTML attributes. These will now be removed on page render unless you have set ALLOW_CONTENT_SCRIPTS=true. If untrusted users have access to your BookStack you may want to scan for <space_char>on (a space character followed by "on") in the HTML column of the pages table to identify any malicious intent.
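The scan suggested above can be run in two passes: a substring search for a space followed by "on" to collect candidate pages, then an HTML parse that keeps only pages where an element really carries an on* attribute. The following Python sketch is an added example, not BookStack code; the sample rows are constructed and stand in for (id, html) pairs read from the pages table.

```python
from html.parser import HTMLParser

# Constructed (id, html) rows standing in for the pages table.
SAMPLE_PAGES = [
    (1, '<p>Turn the switch on before use.</p>'),
    (2, '<p><img src="x.png" onerror="handler()"></p>'),
    (3, '<h2 id="intro" ONCLICK="track()">Intro</h2><a href="/on">on</a>'),
    (4, '<p data-note="online">Status: on hold</p>'),
]


def substring_candidates(rows):
    """First pass: ids of rows containing a space followed by 'on'."""
    return [page_id for page_id, html in rows if " on" in html.lower()]


class EventAttrFinder(HTMLParser):
    """Collects (tag, attribute) pairs whose attribute name starts with 'on'."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names before this call.
        for name, _value in attrs:
            if name.startswith("on"):
                self.hits.append((tag, name))


def find_event_attrs(html):
    finder = EventAttrFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


def scan_pages(rows):
    """Second pass: {page_id: [(tag, attr), ...]} for real on* attributes."""
    report = {}
    for page_id, html in rows:
        hits = find_event_attrs(html)
        if hits:
            report[page_id] = hits
    return report


if __name__ == "__main__":
    print("substring candidates:", substring_candidates(SAMPLE_PAGES))
    print("pages with on* attributes:", scan_pages(SAMPLE_PAGES))
```

On the constructed rows the substring pass flags all four pages, while the parse narrows the result to the two that contain event-handler attributes and need review.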

Full List of Changes

  • Updated the application design for better mobile functionality and improved general UX. (#1153)
  • Updated how profile, system & cover images are set & added extra permission checks on image actions. (#1410, #1307, #1128)
  • Added the possibility to create a book directly within a shelf. Thanks to @cw1998. (#1366, #1260)
  • Added sign-up link to login form and fixed differing name validation on sign-up. Thanks to @cw1998. (#1395, #1239)
  • Added code block syntax highlight for OCaml, Haskell, Rust. Thanks to @XVilka. (#1344)
  • Updated page content script escaping logic to strip inline JS event attributes. Thanks to @Xiphoseer for reporting.
  • Updated revision restore to require confirmation and changed the method from GET so it's less likely to be accidentally triggered. (#1321)
  • Updated shortcut used for markdown drawing manager to be cross-platform. (#1228)
  • Updated Swedish translations. Thanks to @Hambern. (#1417)
  • Fixed issue where duplicate IDs could sometimes break pages. (#1393)
  • Fixed issue where user role assignments were not remembered, for roles with a dot in the name, on validation failure. Thanks to @cw1998. (#1392, #1325)
  • Fixed issue where the port would be ignored if a full LDAP server URI was used. (#1386, #1278)
  • Dropped IE11 support. (#1164)

BookStack Beta v0.25.5

24 Mar 19:58
v0.25.5
934512d

Security Release

This release builds on the changes from v0.25.4 and v0.25.3 to include additional security measures on file uploads.

For this release, uploaded image files which have a name that includes more than a single extension are prevented from being uploaded, since these could be used to upload executable files on some web servers. In addition, attachment uploads are now saved with randomly generated file names to make such upload operations safer against file name exploits.

Additional Changes

This release also contains the following translation updates:

BookStack Beta v0.25.4

21 Mar 19:52
v0.25.4
c3e7421

Security Release

This release patches a security vulnerability that allowed PHP files, using a non-.php extension, to be uploaded via image upload endpoints. The PHP files could then be called externally to perform malicious activity.

This is a continuation of the security updates enforced in v0.25.3. Please see that release for further information on this kind of vulnerability.

This update applies a whitelist to file extensions for uploaded images to ensure php-like files, such as .phtml or .php3, cannot exploit web servers that execute such files.
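The upload rules described in v0.25.4 and v0.25.5 (an extension whitelist for images, rejection of names with more than one extension, and random stored names for attachments) can be expressed as a small filename policy. This Python sketch is an added illustration and not BookStack's PHP implementation; the allowlist contents and function names are assumptions, since the release notes do not list the permitted extensions.

```python
import secrets
from pathlib import PurePosixPath

# Assumed allowlist for illustration; the release notes do not state
# which extensions BookStack actually permits.
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}


def image_name_allowed(filename):
    """Accept only 'name.ext' with exactly one, allowlisted, extension."""
    # Drop any directory part so only the final name is judged.
    name = PurePosixPath(filename.replace("\\", "/")).name
    parts = name.split(".")
    # Exactly two non-empty parts: rejects 'a.php.png', '.png' and 'a.'.
    if len(parts) != 2 or not all(parts):
        return False
    return parts[1].lower() in ALLOWED_IMAGE_EXTENSIONS


def stored_attachment_name():
    """Random on-disk name that carries nothing from the uploaded name."""
    return secrets.token_hex(16)


def check_uploads(filenames):
    """Map each constructed sample name to the policy decision."""
    return {name: image_name_allowed(name) for name in filenames}


if __name__ == "__main__":
    # Constructed sample names covering the cases named in the release notes.
    samples = ["diagram.png", "photo.JPG", "page.phtml", "page.php3",
               "report.php.png", "noextension"]
    for name, ok in check_uploads(samples).items():
        print(f"{name!r}: {'accept' if ok else 'reject'}")
    print("attachment stored as:", stored_attachment_name())
```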