Contao Open Source CMS Changelog for the version 4.13

About Contao 4.13 LTS

The first stable version of Contao 4.13 has been released on February 17, 2022, replacing Contao 4.9 as the long term support version. As an LTS version, 4.13 has been provided with bug fixes until February 14, 2025 and security-related updates until February 14, 2026. Contao 5.3 has been the next LTS version of Contao and has been released in February 2024, ensuring a stress-free transition.

Changelog Contao 4.13

Contao 4.13.58 (2025-11-26)

Changelog of the fixed issues in Contao 4.13.58:

#9042 Convert the TextField input value using StringUtll::specialChars() ( zoglo )

Contao 4.13.57 (2025-11-25)

Security vulnerabilities closed:

Remote code execution in template closures (CVE-2025-65960)
Cross-site scripting in templates (CVE-2025-65961)

Contao 4.13.56 (2025-08-28)

Security vulnerabilitie closed:

Information disclosure in the front end search index (CVE-2025-57756)

Contao 4.13.55 (2025-08-13)

Changelog of the fixed issues in Contao 4.13.55:

#8662 Update enshrined/svg-sanitize to version 0.22 ( zoglo )

Contao 4.13.54 (2025-03-18)

Security vulnerability closed:

Cross site scripting through SVG uploads (CVE-2025-29790)

Contao 4.13.53 (2025-02-18)

Changelog of the fixed issues in Contao 4.13.53:

#8055 Use a non-blocking table lock for contao.cron ( fritzmg )
#8056 Make VFS tests compatible with league/flysystem-bundle 3.4.0 ( fritzmg )

Contao 4.13.52 (2025-01-22)

Changelog of the fixed issues in Contao 4.13.52:

#7929 Fix a permission error in non-tree views ( aschempp )

Contao 4.13.51 (2025-01-20)

Changelog of the fixed issues in Contao 4.13.51:

#7872 Fix tree rendering with filters and trails ( aschempp )
#7781 Allow page controllers to create the response context ( fritzmg )
#7460 Check if CURRENT_ID is defined in the DCA permission checks ( aschempp )
#7884 Add no-store to back end responses ( fritzmg )
#7883 Increase blob size for tl_user.session ( fritzmg )
#7875 Do not force HTTP method parameter override ( fritzmg )
#7876 Ignore pages in maintenance mode when generating the sitemap ( fritzmg )
#7809 Make sure the correct test-case package is installed in Contao ( aschempp )
#7770 Disable overlayClick for SimpleModal ( zoglo )
#7563 Add the missing relations to the DCAs ( aschempp )
#7820 Add the domain to the "root page dependent module" configuration ( aschempp )
#7551 Handle DCAs without fields in tl_user_group ( lukasbableck )
#7768 Fix the base path for canonical URLs ( fritzmg )
#7779 Do not normalize the resampling-filter array key ( ausi )
#7775 Consider the doNotDeleteRecords setting when deleting child records ( fritzmg )
#7766 Fix the sorting when copying multiple form fields as a non-admin user ( fritzmg )
#7756 Handle null result in 404 router provider ( aschempp )
#7747 Enable double encoding for JSON in Twig ( ausi )
#7725 Cache hot path in model ( fritzmg )

Contao 4.13.50 (2024-11-15)

Changelog of the fixed issues in Contao 4.13.50:

#7713 Use the RateLimiter component to limit password reset requests ( bytehead )
#7703 Backport the VFS interface adjustments ( m-vo )
#7581 Add a rate limit for password resets ( bytehead )
#7480 Fix search results overwriting root limit ( aschempp )
#7444 Use the service ID instead of the class name for cron jobs ( Toflar )
#7564 Decode entities in the CustomRgxpListener ( fritzmg )
#7550 Delete related opt-in tokens after a password change ( bytehead )
#7545 Add includeBlankOption for module and form content element ( fritzmg )
#7559 Fix warning in ModuleRegistration if editable field does not exist anymore ( fritzmg )
#7595 Add the resampling-filter Imagine option ( ausi )
#7605 Fix login redirect and session usage ( fritzmg )
#7629 Use UTC in BackupListCommandTest ( fritzmg )
#7692 Fix typo for purge XML files ( zonky2 )
#7532 Rename $buger to $burger in the BackendMenuListener ( zoglo )
#7547 Fix erroneous tag on contao.listener.make_response_private ( fritzmg )
#7535 Fix hardcoded limit to 30 in database statement ( Toflar )
#7533 Update box-size translation for image-size ( zoglo )

Contao 4.13.49 (2024-09-17)

Security vulnerabilities closed:

Directory traversal in the file selector widget (CVE-2024-45604)
Remote command execution through file upload (CVE-2024-45398)
Insert tag injection via canonical URL (CVE-2024-45612)

Contao 4.13.48 (2024-09-12)

Changelog of the fixed issues in Contao 4.13.48:

#7497 Use flex for the back end gallery layout ( fritzmg )
#7517 Fix the TinyMCE overflow on mobile devices ( zoglo )
#7466 Do not show the template warnings if a user only has group permissions ( leofeyer )
#7512 Allow the name attribute for the <details> element ( ausi )
#7506 Only get valid image extensions once ( zoglo )
#7483 Fix the description list markup for template templates ( fritzmg )
#7481 Fix a PHP8 error if a user has no groups ( aschempp )

Contao 4.13.47 (2024-08-23)

Changelog of the fixed issues in Contao 4.13.47:

#7462 Consistent handing of user fields ( aschempp )
#7459 Disable copying and deleting of tl_undo records ( lukasbableck )
#7433 Cast $alexf data to array ( fritzmg )
#7425 Encode e-mails in the MarkdownController ( Toflar )
#7380 Render partial tree instead of disabling root trails with breadcrumb ( aschempp )

Contao 4.13.46 (2024-08-06)

Changelog of the fixed issues in Contao 4.13.46:

#7365 Use the user data instead of magic methods ( aschempp )
#7379 Fix a PHP8 error if a user has no groups ( aschempp )
#7350 Ignore deleted cookies in the CsrfTokenCookieSubscriber ( fritzmg )
#7371 Add the playerColor migration ( fritzmg )
#7359 Fix a PHP8 error when sending newsletters ( aschempp )
#7357 Skip database backups if the remaining migrations will not be executed ( fritzmg )
#7356 Allow .ics file uploads and downloads ( aschempp )
#7340 Ignore duplicate opt-in submissions ( aschempp )
#7316 Introduce a Template::once() method ( Toflar )
#7332 Handle routing errors when trying to render the error screen ( aschempp )
#7323 Fix the login state for two-factor authentication ( fritzmg )

Contao 4.13.45 (2024-06-25)

Changelog of the fixed issues in Contao 4.13.45:

#7180 Correctly show the file tree if the widget is restricted to a path ( leofeyer )
#7275 Make ID always searchable in DC_Table ( Toflar )
#7281 Check CSRF and private response after the session ( ausi )
#7277 Improve the docs of quoteIdentifier() and findInSet() ( ausi )
#7263 Handle failed preg_split() return values for image sources ( aschempp )
#7266 Delete search index entries under more specific conditions ( fritzmg )
#7264 Replace non-routable URLs with an empty string for the [{]link*}} insert tags ( fritzmg )
#7246 Use ENT_QUOTES|ENT_SUBSTITUTE|ENT_HTML5 instead of just ENT_QUOTES ( leofeyer )
#7255 Support buildIfResourceExists() in the preview factory ( ausi )
#7254 Do not update the tstamp column on cut/paste ( ausi )
#7247 Support MODIFY queries in the database installer ( Toflar )
#7248 Handle legacy keywords when rendering an article in the back end ( fritzmg )
#7240 Only handle GET requests in the search index listener ( fritzmg )
#7233 Fix the _token_check logic ( leofeyer )
#7236 Add 'Bubble the back end log entries to file logs' again ( leofeyer )

Contao 4.13.44 (2024-05-23)

Changelog of the fixed issues in Contao 4.13.44:

#7077 Render the Contao login page even if the current route is not a Contao page ( aschempp )
#7232 Consolidate the route definitions in invokable controllers ( leofeyer )
#7224 Backport 'Set a low priority for the back end fallback route' ( fritzmg )
#7213 Check the cookie headers in the isSessionEmpty() method ( ausi )
#7227 Store the referrer by default in backend scope ( fritzmg )
#7181 Adjust the deprecation for custom template names ( leofeyer )
#7194 Handle quoted columns names in the boolean fields migration ( ausi )
#7179 Render the date::Y insert tag inline ( leofeyer )
#7171 Backport the boolean fields migration ( fritzmg )
#7169 Correctly resolve child definitions for callback tags ( Toflar )
#7160 Restore the time period back end settings ( fritzmg )
#7086 Add a fallback route for the back end ( aschempp )
#7161 Send an X-Robots-Tag: noindex header in the back end ( fritzmg )
#7126 Automatically set ParameterType::BOOLEAN for booleans ( fritzmg )
#7155 Backport 'Fix non-existent "contao.image.image_factory" in FeedItem.php' ( stefansl )

Contao 4.13.43 (2024-04-19)

Changelog of the fixed issues in Contao 4.13.43:

#7131 Make the PhpTemplateProxyNode class compatible with Twig 3.9 ( ausi )

Contao 4.13.42 (2024-04-17)

Changelog of the fixed issues in Contao 4.13.42:

#7123 Ensure compatibility with Twig 3.9 ( leofeyer )

Contao 4.13.41 (2024-04-16)

Changelog of the fixed issues in Contao 4.13.41:

#7076 Fix the markup of the trusted device checkbox in the login template ( aschempp )
#7109 Add the missing FilesystemItem::getName() method ( Toflar )
#7072 Use display: grid in the image gallery preview ( zoglo )
#7092 Remove the feViewable configuration ( fritzmg )
#7078 Fix a PHP 8 error if there is no default palette ( aschempp )
#7069 Correctly run the file extension migration on Windows ( lukasbableck )
#7052 Skip token validation if the session is empty and new ( ausi )
#7033 Register theme templates in the global namespace, too ( ausi )
#7036 Handle CSV fields in the registration and personal data module ( qzminski )

Contao 4.13.40 (2024-04-09)

Security vulnerabilities closed:

Session cookie disclosure in the crawler (CVE-2024-28235)
Cross site scripting in the file manager (CVE-2024-28190)
Insert tag injection via the form generator (CVE-2024-28191)
Remember-me tokens are not cleared after a password change (CVE-2024-30262)
Insufficient BBCode sanitization (CVE-2024-28234)

Contao 4.13.39 (2024-03-20)

Changelog of the fixed issues in Contao 4.13.39:

#7029 Update the DBAFS cache when creating files ( m-vo )
#6957 Prevent infinite loops of migrations ( richardhj )
#6771 Backport the UnwrapTwigExceptionListener ( bytehead )
#6986 Ignore empty image size items ( ausi )
#6926 Set the X-Frame-Options header for popups ( richardhj )

Contao 4.13.38 (2024-03-07)

Changelog of the fixed issues in Contao 4.13.38:

#6959 Do not make a response private if the session is empty ( Toflar )
#6965 Always lowercase the file extension in the DBAFS ( leofeyer )
#6866 Correctly generate record labels with foreign keys ( aschempp )
#6966 Set the correct URL when generating multiple aliases ( leofeyer )
#6949 Fix the Twig loader infrastructure ( m-vo )
#6947 Correctly output the legend for the security question ( fritzmg )
#6940 Handle unicode strings in insert tag flags ( ausi )
#6905 Camelize the file system service argument ( richardhj )
#6906 Update the tstamp column only on tl_files in the DBAFS ( richardhj )
#6909 Also strip query parameter from QUERY_STRING variable in ServerBag ( fritzmg )
#6892 Merge the Cache-Control header in PageRegular ( MarkejN )

Contao 4.13.37 (2024-02-12)

Changelog of the fixed issues in Contao 4.13.37:

#6870 Improve the CAPTCHA ( ausi )
#6868 Do not add duplicate paths in our own Twig filesystem loader ( m-vo )
#6832 Do not load the sitemap from cache for authenticated users ( fritzmg )
#6849 Add the missing use statement for FormHidden ( fritzmg )
#6848 Improve the ConfigureFilesystemPass performance ( fritzmg )
#6826 Randomize CSRF tokens once per request ( ausi )
#6825 Add a foreign key declaration for form and module fields ( rorych )
#6798 Correctly show past events if "hide running events" is active ( janborg )
#6801 Handle empty sessions in the CSRF cookie subscriber ( Toflar )
#6808 Support HTML5 entities with double_encode: false ( ausi )
#6777 Ensure absolute paths in the ImageObject schema.org data ( leofeyer )
#6778 Correctly check the "show" permission in the site structure ( leofeyer )
#6764 Prevent argument errors on malicious login attempts ( fritzmg )
#6762 Fix mov mime type ( ausi )
#6717 Allow prefixing simple tokens with # ( Toflar )
#6724 Redirect in the BackendConfirm controller if there is no INVALID_TOKEN_URL in the session ( leofeyer )

Contao 4.13.36 (2024-01-17)

Changelog of the fixed issues in Contao 4.13.36:

#6721 Revert "Allow data-lightbox in TinyMCE by default" ( fritzmg )
#6697 Fix an error if a gallery image does not exist ( fritzmg )
#6474 Retrieve the PageModel correctly in ContaoMailer ( fritzmg )
#6692 Make FrontendTemplateTrait::getTemplate() static ( Shadow-Devil )
#6699 Fix the compression in the contao:backup:create command ( Toflar )
#6700 Fix tests when MAILER_DSN env var is defined ( fritzmg )
#6684 Do not overwrite id, pid, ptable and sorting when restoring a version ( leofeyer )
#6463 Fix a PHP8 error in the Frontend::addToUrl() method ( zonky2 )
#6342 Fix a PHP 8 error in the Form class ( zonky2 )
#6689 Fix the description of the "template data" field ( fiedsch )
#6622 Use the name of the related field when getting options from another record ( asconsulting )
#6599 Disallow the web profiler in the robots.txt file ( aschempp )
#6554 Fix NULL handling in the SerpPreview widget ( aschempp )
#6434 Cache the cteAlias references ( fritzmg )
#6169 Support the template_from_string() Twig function ( richardhj )
#6644 Correctly check the theme export permissions ( aschempp )
#6621 Add example content to the auto-generated .env file ( aschempp )
#6549 Update page registry when generating multiple page aliases ( aschempp )
#6625 Do not show the end time of open-ended events ( ausi )
#6571 Fix relative asset paths in feeds ( fritzmg )
#6616 Backport the cache warmer test fix ( fritzmg )
#6593 Add a data container setting to hide the orderBy column in the back end listing ( ameotoko )
#6602 Update the insert tags doc link ( aschempp )

Contao 4.13.35 (2023-11-30)

Changelog of the fixed issues in Contao 4.13.35:

#6574 Fix and improve logging deprecation messages ( Toflar )
#6575 Fix the safe analysis for the contao_html and contao_html_attr strategies ( m-vo )
#6576 Correctly reset the page registry ( aschempp )
#6460 Fix the news URL cache when the archive is added ( aschempp )
#6568 Add the missing autowiring alias for the image sizes service ( Toflar )
#6524 Improve performance when loading language files that do not exist ( fritzmg )
#6535 Fix ongoing events ( ausi )
#6532 Bubble the back end log entries to file logs ( aschempp )
#6430 Only consider the main request in the MergeHttpHeadersListener class ( Toflar )
#6545 Change the form permission constant ( aschempp )
#6522 Remove the XLIFF level restriction ( fritzmg )
#6514 Make sure the session cookie is always lax ( Toflar )
#6511 Fix undefined array key warning in DC_Table::deleteAll ( fritzmg )
#6507 Use placeholders for URLs in translation strings ( leofeyer )
#6501 Fix the date format in the Feed class ( leofeyer )

Contao 4.13.34 (2023-11-06)

Changelog of the fixed issues in Contao 4.13.34:

#6492 Fix the arguments of the contao.command.user_list service ( xprojects-de )

C6ontao 4.13.33 (2023-11-06)

Changelog of the fixed issues in Contao 4.13.33:

#6490 Focus the TinyMCE dialog after using the picker ( ausi )
#6487 Fixed debug log not shown when crawler is running ( Toflar )
#6345 Fix redirect to language without URL prefix ( aschempp )
#6473 Cast boolean to integer in DC_Table::copy ( fritzmg )
#6466 Correctly handle metadata in Dbafs ( aschempp )
#6467 Compare the actual row format instead of the create options ( ausi )
#6459 Correctly reset the context when generating preview URL fails ( aschempp )
#6462 Remove the kernel.reset tag ( aschempp )
#6457 Add member login preview links to known limitations ( ausi )
#6417 Change user commands to not use models ( aschempp )
#6444 Enable code highlighting for Twig ( m-vo )

Contao 4.13.32 (2023-10-17)

Changelog of the fixed issues in Contao 4.13.32:

#6437 Support themes from ZIP files ( aschempp )
#6431 Make sure valid URLs start with a slash ( aschempp )
#6425 Do not set database_version in the install tool ( aschempp )

Contao 4.13.31 (2023-10-09)

Changelog of the fixed issues in Contao 4.13.31:

#6419 Use href for lightbox resource ( fritzmg )
#6422 Correctly tag cached responses with forms ( aschempp )
#6401 Create one <script> block per JSON-LD context ( leofeyer )
#6391 Do not forward pages with parameters by default ( leofeyer )
#6393 Generate the file tree preview images with a 1x, 2x source set ( leofeyer )
#6390 Do not allow route parameters for redirect pages ( leofeyer )
#6349 Fix an "access array offset on value of type null" error in the help wizard ( leofeyer )
#6384 Fix legacy route matching for unpublished pages ( fritzmg )
#6352 Fix a PHP8 warning on undefined $GLOBALS['TL_CSS'] ( aschempp )

Contao 4.13.30 (2023-08-30)

Changelog of the fixed issues in Contao 4.13.30:

#6343 Fix warning if reference page of navigation module gets deleted ( fritzmg )
#6333 Correctly add the schema.org data of multiple FAQ archives on the same page ( Toflar )
#6348 URL-encode file paths for edit multiple ( ausi )
#6332 Always allow unpublished pages in preview entry point ( aschempp )
#6331 Check the preview script before the firewall ( aschempp )
#6325 Do not URL-encode insert tags in specialcharsUrl() ( ausi )
#6317 Use primary language for slug generation ( fritzmg )
#6279 Fix bug with huge PDF files in the back end preview ( ausi )
#6311 Remove another left-over errorInfo() call ( leofeyer )
#6309 Fix warnings when using Image::get ( fritzmg )
#6310 Allow storing large integers in the calendar bundle ( leofeyer )
#6308 Encode the form data when sending it as XML file ( leofeyer )
#6307 Fix the .htaccess rewrite rules ( leofeyer )
#6306 Correctly handle users without username in the registration module ( e-spin )
#6302 Generate the file manager preview images with a 1x, 2x source set ( leofeyer )
#6297 Remove the left-over errorInfo() call ( leofeyer )
#6296 Allow to set field and inputName on DataContainer ( aschempp )
#6293 Add redirect for app.php to prevent duplicate content ( bennyborn )
#6276 Use PDF TrimBox when generating previews ( ausi )

Contao 4.13.29 (2023-08-01)

Changelog of the fixed issues in Contao 4.13.29:

#6261 Fix the FAQ page and list modules ( leofeyer )
#6251 Handle insert tags in news and event URLs ( leofeyer )
#6252 Set the correct PIDs when copying folders recursively ( leofeyer )
#6127 Recursively implode fields when generating record labels ( aschempp )
#6250 Correctly show options with the same label in the filter menu ( leofeyer )
#6240 Do not set the unsubscribe header for test newsletters ( aschempp )
#6234 Fix the variable naming in the DCA schema provider ( leofeyer )

Contao 4.13.28 (2023-07-25)

Security vulnerability closed:

Cross site scripting in widgets with units (CVE-2023-36806)

Contao 4.13.27 (2023-07-21)

Changelog of the fixed issues in Contao 4.13.27:

#6226 Replace the token in the storage for preview link authentication ( ausi )
#5829 Make the RegisterFragmentType compiler pass reusable ( richardhj )
#6159 Include the category data in the FAQ list template ( aschempp )
#6229 Fix PHP8 issues in the database installer ( aschempp )
#6222 Handle missing files in the StringUtil::insertTagToSrc() method ( ausi )
#6231 Fix the ReflectionProperty::setValue() method signature ( ausi )
#6217 Fix relative redirects ( fritzmg )
#6221 Improve the UrlUtil::makeAbsolute() method ( ausi )

Contao 4.13.26 (2023-07-10)

Changelog of the fixed issues in Contao 4.13.26:

#6197 Handle empty label fields in the picker ( leofeyer )
#6187 Make the template module more flexible ( fritzmg )
#6148 Correctly encode URLs in the sitemap ( aschempp )
#6180 Fix rootNodes for table picker ( aschempp )
#6171 Revert 'Use real path for .env.local' ( ausi )
#6168 Fix highlighting for phrase searches ( ausi )

Contao 4.13.25 (2023-06-21)

Changelog of the fixed issues in Contao 4.13.25:

#6151 Fix a PHP8 issue in the be_help template ( aschempp )
#6161 Accumulate several PHP8 fixes ( leofeyer )
#6160 Ensure multiSRC is not mandatory when useHomeDir is selected ( cliffparnitzky )
#6073 Check string length for short hex color ( zonky2 )
#6130 Use setMetadata() in the addImageToTemplate() method ( leofeyer )
#6145 Add authorModel to the news templates ( fritzmg )
#6144 Support vimeo unlisted video privacy hash ( ausi )
#6152 Fix undefined array key 0 in stylesheet ( ausi )
#6123 Prepend the web dir in FigureBuilder::fromUrl() ( fritzmg )
#6141 Remove entity mapping type for app bundle ( aschempp )
#6140 Always define a reference type in PageModel::getFrontendUrl() ( fritzmg )
#6139 Support relative URLs as canonical URLs ( ausi )
#6142 Fix force language in PageModel::getFrontendUrl() ( fritzmg )
#6138 Fix book navigation in PHP 8 ( fritzmg )
#6132 Require version ^2.15.1 of friendsofsymfony/http-cache ( leofeyer )
#5871 Set templateGroup for faux requests ( fritzmg )
#6109 Correctly track whether config files exist ( aschempp )
#6121 Do not generate a secret in the install tool anymore ( leofeyer )
#6089 Add the missing annotation for the widget type field ( aschempp )
#6113 Add recipient and channel ID to subject for List-Unsubscribe ( de-es )
#5968 Fix security and CSRF issues on the command line ( aschempp )
#6035 Make sure login constants are set when rendering error page ( aschempp )
#5694 Parse back end URLs with Symfony assets ( aschempp )
#6087 Make named parameter matching in routing non-possessive ( fritzmg )
#6084 Compare start and stop dates as numbers instead of strings ( aschempp )

Contao 4.13.24 (2023-05-25)

Changelog of the fixed issues in Contao 4.13.24:

#6064 Merge the "overwrite metadata" with the default metadata ( leofeyer )
#6080 Fix the randomImage caption bug ( agonyz )
#6066 Use real path for .env.local ( fritzmg )
#6077 Also handle transport exceptions when sending newsletters ( leofeyer )
#6075 Fix root page dependent module when there is no module for a root page ( fritzmg )
#6071 Make the support link language-agnostic ( aschempp )
#5985 Support readonly in TinyMCE and ACE editor ( zonky2 )
#6063 Do not filter folders named 0 in the file manager ( leofeyer )
#6062 Do not mark as copy more than once ( fritzmg )
#6052 Fix a PHP8 warning in the PageSelector class ( aschempp )
#6038 Load the page details before manipulating root page data ( aschempp )
#6041 Fix a PHP 8 error if the label insert tag does not match ( aschempp )
#6040 Add missing space after page icon ( ameotoko )
#6015 Only modify changed values in the Dotenv dumper ( ausi )
#5930 Correctly detect empty HTML when generating DCA labels ( aschempp )
#6014 Fix backtracking in insert tags regular expressions ( ausi )
#6006 Prepend the base path to the Contao Manager URL in the back end ( aschempp )
#5966 Ensure that root pages are always shown in the correct order ( Toflar )

Contao 4.13.23 (2023-05-03)

Changelog of the fixed issues in Contao 4.13.23:

#5979 Check for the debug.stopwatch service ( fritzmg )

Contao 4.13.22 (2023-05-02)

Changelog of the fixed issues in Contao 4.13.22:

#6003 Add a method to retrieve the original route path ( aschempp )
#6002 Fix a type error in the meta wizard ( ausi )
#5984 Make the multiSRC field mandatory for galleries and downloads ( cliffparnitzky )
#5993 Fix the type hint in the Hybrid class ( leofeyer )
#5951 Auto-generate and dump the APP_SECRET during contao-setup ( m-vo )
#5971 Add an optional class attribute to the figure builder ( a-v-l )
#5986 Allow flysystem-bundle ^3.0 ( Toflar )

Contao 4.13.21 (2023-04-25)

Security vulnerability closed:

Directory traversal in the file manager (CVE-2023-29200)

Contao 4.13.20 (2023-04-19)

Changelog of the fixed issues in Contao 4.13.20:

#5962 Fix an undefined array key warning when comparing versions with different fields ( fritzmg )
#5851 Do not auto-link images in the news reader ( leofeyer )
#5959 Remove unnecessary locale tags from languages ( ausi )
#5955 Remove the "symfony/proxy-manager-bridge" dependency ( leofeyer )
#5893 Correctly check the mounted pages in the hasAccess() method ( leofeyer )
#5952 Ignore exceptions when adding trusted devices ( aschempp )
#5942 Do not treat sub-directories of Twig namespace roots as template paths ( m-vo )
#5908 Correctly handle response status codes from legacy entry points ( aschempp )
#5934 Fix the search query in DC_Folder ( leofeyer )
#5917 Consider foreign keys when sorting the list view ( dennisbohn )
#5927 Fix the version panel alignment ( fritzmg )

Contao 4.13.19 (2023-04-04)

Changelog of the fixed issues in Contao 4.13.19:

#5914 Regenerate the symlinks when moving or duplicating folders ( leofeyer )
#5910 Support PHP and XML config files in the app ( Toflar )
#5913 Fix a PHP 8 issue in the mod_breadcrumb.html5 template ( leofeyer )
#5892 Normalize the line endings in the file editor ( leofeyer )
#5890 Fix the incorrect formatting of numbers with decimal places ( qzminski )
#5888 Remove the @internal hints at constructor level ( leofeyer )
#5876 Always allow toggling a field that is not excluded ( aschempp )
#5884 Prevent foreign key check errors when deleting a parent record with children ( qzminski )
#5883 Add psr/log ^2.0 and ^3.0 ( JanoschOltmanns )
#5887 Fix urlencoded paths in DC_Folder ( ausi )

Contao 4.13.18 (2023-03-16)

Changelog of the fixed issues in Contao 4.13.18:

#5879 Remove the q shortcut from contao:crawl ( fritzmg )

Contao 4.13.17 (2023-03-15)

Changelog of the fixed issues in Contao 4.13.17:

#5864 Fix subpalette toggling ( aschempp )
#5820 Throw an exception if a model relation is incomplete ( aschempp )
#5830 Handle invalid back end confirm requests ( aschempp )
#5868 Always redirect ajax requests when session expired ( Toflar )
#5863 Correctly handle sub-subpalettes in editAll mode ( aschempp )
#5873 Create deferred image in legacy image class ( fritzmg )
#5862 Used parsed referer for target path in login module ( fritzmg )
#5860 Also consider the referer when redirecting back in the login module ( fritzmg )
#5854 Fix an integrity constraint violation in the Versions class ( leofeyer )
#5856 Add the multiple attribute to the list and table wizards ( leofeyer )
#5855 Add the FigureBuilder::fromUrl() method ( ausi )
#5850 Fix a possible CSRF cookie race condition ( leofeyer )
#5843 Fix possible undefined headline data ( rabauss )
#5842 Fix a PHP8 issue with the back end breadcrumb menu ( leofeyer )
#5834 Refresh the cache after updating metadata in the Dbafs class ( Toflar )
#5815 Make the captcha widget cacheable ( ausi )
#3540 Improve handling of pages with tl_page.requireItem ( SeverinGloeckle )
#5774 Ignore if global_operation has no class ( aschempp )
#5793 Do not rely on the current session IDs ( ausi )
#5817 Fix invalid HTML output of DC_Table ( fritzmg )
#5795 Add the missing option to resume crawling from CLI ( Toflar )

Contao 4.13.16 (2023-02-22)

Changelog of the fixed issues in Contao 4.13.16:

#5809 Fix the "root page dependent modules" module ( bytehead )
#5790 Load app routes before everything else ( aschempp )
#5811 Clear the session value when toggle is closed ( aschempp )
#5802 Fix public folder renaming on Windows ( fritzmg )
#5792 Skip invalid article links if the URL cannot be generated ( aschempp )
#5797 Purge the new records when revising tables ( ausi )
#5799 Define line endings for templates ( fritzmg )
#5787 Disable ToggleNodesLabelListener if not in back end ( fritzmg )
#5785 Fix file uploads erroneously overwriting existing files ( fritzmg )
#5786 Handle negative PHP ini precision in StringUtil ( ausi )
#5674 Dynamically change the "expand/collapse all" label ( aschempp )
#5782 Fix the remaining opt-in token validation queries ( leofeyer )
#5619 Allow using both modern fragments and Twig templates in extensions ( m-vo )
#5777 Do not URL-decode file paths in FigureBuilder ( ausi )
#5692 Unify newlines in textarea widgets ( aschempp )
#5759 Fix the image encoding in the RSS feeds ( qzminski )
#5753 Always set currentRecord when initializing widgets ( leofeyer )
#5740 Correctly handle numeric paths (part 2) ( m-vo )
#5544 Merge CSS classes in the "root page dependent modules" module ( bytehead )
#5696 Fix installer issue if SQL field has no precision ( aschempp )
#5741 Fix reordering trees when the PID is null ( aschempp )
#5708 Add the missing null check for button_callback ( aschempp )
#5606 Use the request language to match iflng tags ( aschempp )
#5709 Check for trail page before rendering the navigation ( aschempp )
#5669 Skip pages in sitemap.xml if URL cannot be generated ( aschempp )

Contao 4.13.15 (2023-01-13)

Changelog of the fixed issues in Contao 4.13.15:

#5667 Correctly sort images and downloads by date ( leofeyer )
#5662 Handle symlinked upload directories outside the Contao root ( qzminski )
#5625 Correctly handle invalid size in TextArea widget ( aschempp )
#5643 Fix array index check in tl_calendar_events ( Defcon0 )
#5629 Fix PHP8 Warning picture_default ( zonky2 )
#5618 Correctly handle numeric paths ( m-vo )
#5603 Set $useLastModified in FilesystemConfiguration::addDefaultDbafs() ( Toflar )
#5620 Fix {{date::Y}} caching ( fritzmg )
#5587 Also display the visible root trail when searching/filtering ( Toflar )
#5575 Ensure parameters are strings ( fritzmg )
#5526 Correctly sort tree items when PID can be null ( aschempp )
#5564 Do not run our Twig filesystem warmer on sub requests ( m-vo )
#5559 Allow data-lightbox in TinyMCE by default ( fritzmg )
#5556 Fix SitemapController not working for protected pages ( Toflar )
#5540 Fix a PHP 8 warning in the StyleSheets class ( fritzmg )

Contao 4.13.14 (2022-11-28)

Changelog of the fixed issues in Contao 4.13.14:

#5518 Correctly handle missing inputType in DCA ( aschempp )
#5532 Make sure text content is always a string ( aschempp )
#5333 Correctly handle invalid path in DC_Folder ( aschempp )
#5524 Fixed potential PHP8 issues in picker widget ( aschempp )
#5520 Improve the stability of the JSON export for the "user list" command ( richardhj )
#5517 Handle possibly missing variable ( aschempp )
#5511 Fix undefined array key access ( bytehead )
#5510 Fix PHP8 issues in TimePeriod widget ( aschempp )

Contao 4.13.13 (2022-11-15)

Changelog of the fixed issues in Contao 4.13.13:

#5498 Handle broken images in FigureBuilder#buildIfResourceExists() ( m-vo )
#5499 Fix automatic DBAFS sync for root resources ( m-vo )
#5485 Fix and improve mime type handling in the VFS ( m-vo )
#5454 Check the preview link validity on every request ( ausi )
#5434 Restore previous translations in $GLOBALS['TL_LANG'] ( fritzmg )
#5493 Fix the autoFocusFirstInputField function ( leofeyer )
#5467 Correctly handle special characters when encoding domain names ( leofeyer )
#5471 Use executeStatement() in the Dbafs class ( leofeyer )
#5470 Use executeStatement() instead of query() in search ( ausi )
#5453 Make the version updates and the install tool MySQLi compatible ( leofeyer )
#5451 Fix bug in Search::removeEntry() ( ausi )
#5442 Do not boot Contao framework in DefaultIndexer::delete() ( Toflar )
#5438 Don’t throw error for empty insert tag ( ausi )
#5422 Fix more PHP8 issues ( aschempp )
#5366 Rename the internal route name for generating page routes ( aschempp )
#5410 Fix several VFS/UUID related issues ( m-vo )

Contao 4.13.12 (2022-10-13)

Changelog of the fixed issues in Contao 4.13.12:

#5355 Backport the database configuration error checks ( m-vo )
#5361 Fix the oncopy_callback ( fritzmg )

Contao 4.13.11 (2022-10-11)

Changelog of the fixed issues in Contao 4.13.11:

#5346 Ignore invalid jumpTo pages in the FAQ back end module ( leofeyer )
#5350 Fix an "unknown system variable" error ( ausi )
#5345 Fix the version edit URL ( leofeyer )
#5326 Fix the sitemap cache invalidation in the news module ( qzminski )
#5344 Fix the LONG_TERM_SUPPORT constant ( leofeyer )
#5341 Fix a possible non-numeric value issue ( leofeyer )
#5337 Backport the localconfig file check to Contao 4.13 ( fritzmg )
#5332 Fix return type of FilterIterator ( aschempp )
#5318 Trigger the oncopy_callback for child records ( leofeyer )
#5317 Disable spell checking in the password field toggle ( leofeyer )
#5309 Backport support for nested template paths ( m-vo )
#5312 Fix another "Undefined array key" issue ( leofeyer )
#5306 Use real placeholders in password fields ( leofeyer )
#5302 Fix an "Undefined array key" issue in the registration module ( leofeyer )
#5291 Harden the unique field check ( leofeyer )

Contao 4.13.10 (2022-09-16)

Changelog of the fixed issues in Contao 4.13.10:

#5284 Include mounted root pages in the topMostRootIds ( ausi )

Contao 4.13.9 (2022-09-15)

Changelog of the fixed issues in Contao 4.13.9:

#5277 Fix the order of the palette combiner ( ausi )
#5269 Don't return empty theme directories in the TemplateLocator ( m-vo )
#5268 Fix page mounts not being applied correctly ( Toflar )
#5260 Fix a PHP8 issue if the confirmation key is not translated ( aschempp )
#5249 Fix cache tagging for aliased content elements ( fritzmg )
#5240 Improve the order of operations during the Contao setup ( m-vo )
#5234 Correctly list the templates in "override all" mode ( leofeyer )
#5227 Fix the password field icon ( leofeyer )
#5222 Use the firewall name instead of the scope to determine the access strategy ( aschempp )
#5221 Correctly validate same page alias with required parameters on multiple domains ( aschempp )
#5206 Deprecate the article-to-PDF functionality ( aschempp )
#5194 Deprecate the Controller::setStaticUrls() method ( leofeyer )

Contao 4.13.8 (2022-08-17)

Changelog of the fixed issues in Contao 4.13.8:

#5185 Make the maker-bundle compatible with symfony/maker-bundle >= 1.44.0 ( leofeyer )
#4571 Allow searching content elements and members by ID ( christianbarkowsky )
#5099 Fix the preview link purge job ( aschempp )
#5167 Allow usages of picker without active record ( bezin )
#5170 Correctly replace insert tags within links in the markdown element ( Toflar )
#5165 Add the password toggle to the "change password" dialog ( leofeyer )
#5137 Set login constants in request listener ( fritzmg )
#5159 Do not define ptable for tl_content ( fritzmg )

Contao 4.13.7 (2022-08-15)

Changelog of the fixed issues in Contao 4.13.7:

#5112 Allow subpalettes based on value 0 in case of selects ( dennisbohn )
#5142 Support pid foreign keys in DC_Table ( richardhj )
#5104 Skip the database backup in contao:migrate command if there is no work to do ( qzminski )
#5092 Check database version in migrate command ( ausi )
#4979 Fix legacy routing matcher not matching the route if page has no alias ( qzminski )
#5064 Deprecate the MAILER_URL environment variable ( aschempp )
#4988 Redirect to fragment URL on preview URL error ( aschempp )
#5009 Keep the ResponseContextAccessor available for autowiring ( aschempp )
#5061 Improve canonical URL help text ( ausi )
#5129 Handle non-existing table in DcaExtractor ( aschempp )
#5108 Do not override manually defined ptable configuration ( dmolineus )
#5016 Fix several argument warnings on PHP methods ( aschempp )
#5095 Don’t use deprecated getIdentifierQuoteCharacter() ( ausi )
#5098 Fix compatibility with doctrine/dbal 3.3.8 ( ausi )
#5071 Deprecate noCache parameter of DcaLoader ( ausi )
#5059 Fix illegal string offsets in the translator ( ausi )
#5026 Also set collation for database.sql files ( fritzmg )
#5020 Fix wrong UUID being applied when moving resources ( m-vo )
#4965 Use cache_suffix for TinyMCE ( fritzmg )
#4973 Deprecate the importUser hook ( bytehead )
#4957 Fixed str_replace errors when passing null ( aschempp )
#4961 Always set both collate and collation to the same value ( fritzmg )
#4952 Allow iterating FilesystemItemIterator multiple times ( m-vo )
#4933 Do not set header in Ajax::executePostActions ( fritzmg )
#4948 Fix potential PHP 8 warnings when resizing an uploaded image ( qzminski )

Contao 4.13.6 (2022-07-05)

Changelog of the fixed issues in Contao 4.13.6:

#4941 Reduce System::getContainer and $container->getParameter calls ( fritzmg )
#4932 Deprecate insert tag flag uncached ( ausi )
#4808 Various PHP 8 fixes ( aschempp )
#4945 Hard-code timezone to avoid time deviation ( bezin )
#4926 Allow to exclude all tl_page fields ( aschempp )
#4870 Disable widgets for configured settings ( aschempp )
#4878 Make sure eval.rte is a string ( fritzmg )
#4891 Fix the query string being lost during the preview script redirect ( qzminski )
#4889 Fix a potential PHP 8 warning in tl_article callback ( qzminski )
#4881 Use the resource finder in the lightbox migration ( leofeyer )
#4883 Hide the "icon" table header in the user and member module ( leofeyer )
#4886 Always unlock search tables to prevent deadlocks ( ausi )
#4877 Fix a potential PHP 8 warning in the Search class ( qzminski )
#4848 Fix a few potential PHP 8 warnings ( qzminski )
#4850 Show array keys als fallback for sorting dropdowns ( Tastaturberuf )
#4861 Fix a potential version comparison if the field definitions are missing ( qzminski )
#4857 Correctly add the preview script ( leofeyer )
#4849 Show array keys instead of nothing in show column mode ( Tastaturberuf )
#4833 Order the languages in the meta wizard ( leofeyer )
#4778 Fix undefined array key while button generation ( rabauss )
#4838 Improve DropSearchMigration ( fritzmg )
#4836 Fix infinite loop while loading of countries ( rabauss )
#4807 Fix date filtering in DC_Table ( fritzmg )
#4794 Deprecate Controller::generateMargin ( bezin )
#4786 Do not allow empty values for the badge title and custom CSS/JS scripts ( leofeyer )
#4782 Add a cache timeout for the {{date::Y}} insert tag ( Toflar )
#4799 Always set both collate and collation to the same value ( fritzmg )

Contao 4.13.5 (2022-06-03)

Changelog of the new features in Contao 4.13.5:

#3924 Show page name in duplicate alias error ( aschempp )
#4665 Make the template element more flexible ( doishub )
#4672 Add a deprecation helper to detect insert tags in Twig templates ( m-vo )

Changelog of the fixed issues in Contao 4.13.5:

#4785 Fix the while loop in the Controller::getParentEntries() method ( leofeyer )
#4784 Return 0 after deleting a deferred image reference ( leofeyer )
#4757 Fix a potential PHP 8 warning in booknav frontend module ( qzminski )
#4763 Correctly toggle checkbox groups with collapseUncheckedGroups ( aschempp )
#4774 Fix a potential PHP 8 error in the Contao\Environment class ( qzminski )
#4767 Fix a potential PHP 8 warning in the Contao\Controller class ( qzminski )
#4679 Fix several accessibility issues in the back end navigation ( aschempp )
#4752 Deprecate orderField ( ausi )
#4732 Fix a potential PHP 8 warning in the sitemap module ( qzminski )
#4747 Apply the rel=lightbox migration to all rte fields ( ausi )
#4728 Fix DBAFS when upload_path contains subfolders ( fritzmg )
#4733 Undeprecate reload…tree ajax post actions ( ausi )
#4739 Make sure page language is always a string in routing ( aschempp )
#4720 Fix a potential PHP 8 warning in the breadcrumb module ( qzminski )
#4719 Fix the PHP 8 warning if a $_SERVER variable does not exist ( qzminski )
#4713 Also override Return-Path and Sender address ( fritzmg )
#4717 Correctly handle index pages without URL prefix ( aschempp )
#4692 Harden against invalid input ( leofeyer )
#4691 Fix failing backup on contao:migrate must abort the command ( Toflar )
#4683 Drop the DBAFS file size limit ( m-vo )
#4673 Fix undefined array key warning when using an article list ( MarkejN )
#4662 Deprecate the move operation ( aschempp )
#4443 Expose public URIs in the VFS ( m-vo )
#4681 Fix the PHP 8 warning in Contao\Date class ( qzminski )
#4669 Remove all "Unable to generate URL for page" log entries ( leofeyer )
#4668 Fix the hasText/hasDetails usage ( leofeyer )
#4667 Stop using the deprecated VERSION constant ( bezin )
#4656 Unset TL_CONFIG in ContaoTestCase::tearDown() ( fritzmg )
#4643 Remove superfluous class name in deprecation messages ( fritzmg )
#4632 Undeprecate some autowiring aliases ( fritzmg )
#4641 Fix missing PurgePreviewLinksCron registration ( fritzmg )
#4623 Improve how the Contao Twig escaper works ( m-vo )
#4617 Ensure that the license field in the MetaWizard contains a URL ( Toflar )
#4592 Support both collation: and collate: ( leofeyer )
#4631 Fix the empty URL check in the getCandidates() method ( leofeyer )
#4627 Fix RelLightboxMigration if ContaoCommentsBundle is not installed ( fritzmg )
#4608 Deprecate the Backend::getTinyTemplates() method ( de-es )

Contao 4.13.4 (2022-05-05)

Changelog of the fixed issues in Contao 4.13.4:

#4329 Deprecated Cache lib ( Toflar )
#4506 Disable the TinyMCE context menu by default ( de-es )
#4504 Improve the XDebug experience ( m-vo )
#4514 Do not use head and attribute data in search context ( aschempp )
#4603 Correctly generate the edit URL of a version ( leofeyer )
#4396 Deprecate the StringUtil::toHtml5() method ( m-vo )
#4604 Use host name without port in some controllers ( bezin )
#4601 Correctly toggle the CSS class when (un)publishing a format definition ( leofeyer )
#4600 Fix the DCA picker in the CSS editor ( leofeyer )
#4599 Do not throw an exception if a page insert tag cannot be generated ( leofeyer )
#3995 Replace old back end paths ( aschempp )
#4501 Fix undefined sorting mode for group header ( rabauss )
#4489 Fix the SendNewsletterEvent when sending as text only ( fritzmg )
#4573 Add loop as an option to YouTube videos ( Wusch )
#4567 Deprecate Controller::getSpellcheckerString() ( ausi )
#4523 Handle predefined image sizes when validating the ImageSize widget ( qzminski )
#4549 Fix a type error in the listing module ( Toflar )
#4534 Fix the FAQ page module throwing a warning in PHP 8 if author could not be fetched ( qzminski )
#4535 Fix the registration module throwing a warning in PHP 8 if captcha is disabled ( qzminski )
#4533 Fix an error when unpacking an associative array of model search criteria values ( qzminski )
#4527 Deprecate Contao\Request ( Toflar )
#4521 Fix the translation domain in the root page dependent select ( leofeyer )
#4456 Fix the record preview ( bezin )
#4437 Correctly resolve parameters when prepending bundle config ( aschempp )
#4451 Quote all schema names, same as we do for inserts ( ausi )
#4448 Skip row size calculation for MyISAM ( ausi )
#4447 Fix simple token parser default value for unknown variables ( m-vo )

Contao 4.13.3 (2022-05-05)

Security vulnerability closed:

Changelog of the fixed issues in Contao 4.13.3:

Prevent XSS via canonical tags in the front end ( CVE-2022-24899 )

Contao 4.13.2 (2022-03-31)

Changelog of the fixed issues in Contao 4.13.2:

#4431 Allow to purge the preview cache in the user profile ( leofeyer )
#4433 Always create an article if page has no layout ( aschempp )
#4426 Add the service subscriber tag to the correct controller ( m-vo )
#4303 Move the logic from LogoutHandler to LogoutSuccessListener ( bytehead )
#4301 Remove file title from sources element ( CMSworker )
#4425 Return the prefix-relative path when getting filesystem items from the VFS ( m-vo )
#4410 Use symfony/polyfill-intl-idn instead of true/punycode ( leofeyer )
#4179 Add a warning for too large database row sizes ( ausi )
#4297 Fix requireItem sorting ( aschempp )
#4346 Drop useless framework initialization ( m-vo )
#4397 Fix several VFS bugs ( m-vo )
#4398 Add missing annotations in ContentModel for showPreview ( m-vo )
#4311 Remove nullable response in controllers ( aschempp )
#4353 Ensure the decorated access decision manager shows up in profiler ( Toflar )
#4302 Always render protected pages in the pretty error screen listener ( aschempp )
#4376 Increase the speed of the functional tests ( ausi )
#4374 Fix minor typo in InsertTags ( fritzmg )
#4359 Fix code style for InsertTags::executeReplace ( fritzmg )
#4300 Fix symlink tests on Windows ( m-vo )
#4287 Fix the route sorting in the Route404Provider ( leofeyer )
#4288 Revert an accidental change in the cal_ templates ( leofeyer )
#4292 Ignore file symlinks when auto-mounting adapters ( m-vo )

Contao 4.13.1 (2022-03-15)

Changelog of the fixed issues in Contao 4.13.1:

#4026 Fix multiple page controller routing issues ( aschempp )
#4281 Add missing isSortable checks to the picker widget ( MarkejN )
#4279 Fix bug with database query returing non-string types ( ausi )
#4272 Add a help wizard if the canonical URL fields are disabled ( leofeyer )
#4273 Adjust the "Recreate the XML files" description ( leofeyer )
#4270 Only shorten the main headline elements if necessary ( leofeyer )
#4275 Fix a potential PHP 8 incompatibility when generating a DCA column ( qzminski )
#4274 Fall back to the section key if there is no label ( leofeyer )
#4271 Correctly show all breadcrumb items ( leofeyer )
#4197 Fix some dynamic routes handling ( aschempp )
#4269 Use the correct web dir in the InstallWebDirCommand ( leofeyer )
#4268 Fix the type hint of the MessageCatalogue::isContaoDomain() method ( leofeyer )
#4267 Fix two minor issues in the install tool ( leofeyer )
#4158 Set DB server version in install tool ( ausi )
#4228 Improve the performance of contao:backup:create ( Toflar )
#4261 Fix SQL error in purge expired data cron ( ausi )
#4262 Fix SQL commands not supported in prepared statements ( ausi )
#4264 Make search accent insensitive ( ausi )
#4254 Fix infinite loop while loading of languages ( rabauss )
#4202 Fix the remaining image size labels ( fritzmg )
#4265 Use service_closure instead of lazy service ( ausi )
#4259 Avoid error if the DATABASE_URL environment variable is an empty string ( qzminski )
#4245 Decode equal sign when parsing query parameters of figure insert tag ( m-vo )
#4244 Make sure tl_content.type has an index ( Toflar )
#4216 Skip non-UTF-8 resources when syncing the DBAFS ( m-vo )
#4230 Fix undefined array index warnings for content elements and forms ( fritzmg )
#4224 Execute BackendTemplate#compile() when using the AbstractBackendController ( m-vo )
#4221 Fix the FigureRendererTest ( aschempp )
#4208 Lower max file size in Dbafs service ( m-vo )
#4183 Clarify the backup command description ( Mynyx )
#4162 Fix the widget height ( leofeyer )

Contao 4.13.0 (2022-02-17)

Changelog of the new features in Contao 4.13.0:

#4123 Add a link to the Contao manual in the back end ( MDevster )
#3990 Fast manual file sync for the back end ( m-vo )
#4004 Support virtual filesystem in CLI backup management ( Toflar )
#4042 Enable SQL strict mode by default ( m-vo )
#4012 Allow filtering for files/directories when listing contents ( m-vo )
#3613 Add a root page dependent module selector ( bytehead )
#3419 Add options to customize the layout inheritance for pages ( SeverinGloeckle )
#3774 Add a DBAFS service and integrate Flysystem ( m-vo )
#3872 Add front end preview links ( aschempp )
#3702 Add a system logger service ( SeverinGloeckle )
#3785 Show member groups for content elements when protected ( fritzmg )
#3684 Use the metadata for the player caption ( fritzmg )
#3180 Render be_main with custom back end controller ( m-vo )
#2959 Add the back end attributes and badge title to the preview toolbar ( rabauss )
#3498 Improve the undo module for better editor experience ( bezin )
#3926 Add CSS definitions for info texts in widgets ( leofeyer )
#3914 Show route path with regexp in page settings ( aschempp )
#3883 Improve the maintenance mode command ( aschempp )
#3848 Add file previews for downloads ( ausi )
#3644 Allow MODE_PARENT without child_record_callback ( fritzmg )
#3911 Support Typescript in the code editor ( leofeyer )
#3630 Support image sizes in news and calendar feeds ( bezin )
#3489 Add the "send newsletter" event ( SeverinGloeckle )
#3888 Deprecate System::getTimeZones() ( ausi )
#3843 Add route priority and allow the same page alias with different parameters ( aschempp )
#3862 Add an "overview page" field ( leofeyer )
#3889 Add generic toggle operation handling ( aschempp )
#3793 Allow creating nested folders in the file manager ( leofeyer )
#3737 Improve the system maintenance mode ( Toflar )
#3850 Add a backup retention policy ( Toflar )
#3729 Maintenance mode per root page ( aschempp )
#3628 Make image width and height overwritable in the upload widget ( doishub )
#3839 Remove page from index if "Do not search" is checked ( aschempp )
#3819 Add comments to our interfaces and abstract classes ( leofeyer )
#3812 Increase the length of URL fields ( fritzmg )
#3797 Allow previewing unroutable pages ( aschempp )
#3813 Replace ramsey/uuid with symfony/uid ( m-vo )
#3804 Always show debug log and fetch crawl status earlier ( Toflar )
#3798 Use unroutable pages types to limit queries ( aschempp )
#3605 Do not generate routes for error pages ( fritzmg )
#3660 Add Chosen to select menus in the backend DCA filters ( qzminski )
#3674 Add a DCA option to collapse inactive checkbox groups ( SeverinGloeckle )
#3604 Use the back end access voter instead of hasAccess() and isAllowed() ( aschempp )
#3615 Add the maker bundle ( sheeep )
#3727 Link parent elements in the back end breadcrumb trail ( Toflar )
#3750 Make Symfony 5.4 the minimum requirement ( leofeyer )
#3719 Forward error handling to routing controller ( aschempp )
#3614 Add a nonce to all string placeholders ( m-vo )
#3620 Deprecate the request_token insert tag ( m-vo )
#3631 Backup management on CLI ( Toflar )
#3611 Decorate the access decision manager ( Toflar )
#3706 Add a service ID linter and adjust the service IDs ( leofeyer )
#3686 Do not use FQCN service IDs for non-autowiring services ( leofeyer )
#3458 Add deprecations ( ausi )
#3603 Add a setting for allowed insert tags ( ausi )
#3619 Add PHP8 attributes for our existing service annotations ( aschempp )
#3659 Add a cache tag service for entity/model classes ( m-vo )
#3638 Add an insert tags service ( ausi )
#3622 Make replacing insert tags more granular ( m-vo )
#3472 Make the backend path configurable ( richardhj )
#3616 Support canonical URLs in the front end ( Toflar )
#3207 Relay statement parameters to doctrine dbal ( ausi )
#3617 Do not index documents if the canonical URL does not match ( Toflar )
#3625 Add a template element and module ( ausi )
#3609 Move the simple token parser into the String namespace ( leofeyer )
#3602 Add the HtmlDecoder service ( leofeyer )
#3606 Keep insert tags as chunked text and handle them in the HTML escaper ( m-vo )
#2892 Add constants for the DCA sorting modes and flags ( bezin )
#3535 Set the contao.web_dir parameter from composer.json ( m-vo )
#3230 Add blank insert tag argument to open links in new window ( ausi )
#3542 Support image formats AVIF, HEIC and JXL ( ausi )
#3523 Upgrade to Doctrine 3 ( ausi )
#3530 Replace patchwork/utf8 with symfony/string ( leofeyer )
#3391 Always show the parent trails in the tree view ( Toflar )
#3522 Optionally delete the home directory in the "close account" module ( leofeyer )
#3524 Add an event count to the event list ( leofeyer )
#3379 Add "Do Not Track" option to the Vimeo content element ( MarkejN )
#3445 Allow to pass the actual 40x page to the page type ( aschempp )
#3442 Change all occurrences of master (request) to main ( aschempp )
#3439 Use the PHP 7.4 syntax ( leofeyer )
#3436 Drop the contao/polyfill-symfony package ( leofeyer )
#3191 Use v2 of league/commonmark ( Toflar )
#3434 Update the dependencies and remove the BC layers ( leofeyer )

Changelog of the fixed issues in Contao 4.13.0:

#4151 Make the crontao.cron service lazy ( aschempp )
#4149 Use static description for commands ( m-vo )
#4133 Improve the preview links back end ( aschempp )
#4141 Support symlinks in the upload directory ( m-vo )
#4145 Fix time sensitive tests ( ausi )
#4126 Check return type of generateLabelRecord method ( bezin )
#4143 Do not use transactions for restoring backups ( ausi )
#4139 Adjust labels for root page dependent modules ( bytehead )
#4121 Show custom Twig templates in the back end dropdowns ( m-vo )
#4140 Add feed image size property doc comment ( bezin )
#4136 Increase the minimum version of the Composer runtime API ( dmolineus )
#4117 Do not add the element name to the PHP attribute in the maker bundle ( leofeyer )
#4134 Remove custom template option ( bytehead )
#4099 Do not store record preview for DC_Folder instances ( bezin )
#4114 Allow DCAs without driver ( leofeyer )
#4113 Return an empty string if there is no driver ( leofeyer )
#4112 Skip all dot files when syncing the DBAFS ( m-vo )
#4103 Fix the color of bold strings inside error messages ( leofeyer )
#3992 Automatically generate Twig IDE auto-completion mappings ( m-vo )
#4096 Fix an undefiend array key ( richardhj )
#4065 Fix order of parameters in AsContentElement and AsFrontendModule constructors ( m-vo )
#4078 Fix 'Purge the preview cache' (path not found) ( AlexanderWillner )
#4095 Fix the logger service calls ( SeverinGloeckle )
#4094 Fix missing fallback for densities in preview factory ( m-vo )
#4093 Allow autowiring of preview factory ( m-vo )
#4074 Fix contao:user:list with empty database ( AlexanderWillner )
#4052 Do not fetch similar pages with empty alias ( aschempp )
#4046 Encode binary data as hex literal in backup dump ( ausi )
#3994 Pre-render record preview for undo view on delete ( bezin )
#4057 Limit image width in tl_undo_preview ( bezin )
#4021 Fix time sensitive test ( ausi )
#4022 Add missing option showFilePreview to fileTree widget ( ausi )
#4049 Support \Attribute::TARGET_METHOD for our DI attributes ( m-vo )
#4060 Fix the missing request token in ModulePassword.php ( dennisbohn )
#4034 Fix 'Warning: Undefined array key 1' in insert tags ( xprojects-de )
#4032 Add a conflict for doctrine/dbal:3.3.0 ( leofeyer )
#4027 Also make the AvailableTransports service alias public ( fritzmg )
#4028 Fix replacing insert tags on non-strings ( aschempp )
#4030 Correctly handle parameter for requireItem ( aschempp )
#4001 Check $objPage in Controller::getTemplate() ( xprojects-de )
#4002 Add a better exception message if a page is unroutable ( leofeyer )
#4005 Fixed missing service name adjustments ( Toflar )
#3991 Fix an 'Attempt to read property "language" on null' warning ( dennisbohn )
#3987 Fix the available transports service ( fritzmg )
#4000 Make sure the requestToken variable is defined ( leofeyer )
#3979 Sort the root IDs if there is a sorting column ( leofeyer )
#3978 Change the root page icon in maintenance mode ( aschempp )
#3935 Allow Flysystem v3 ( m-vo )
#3975 Allow custom labels for the overview links ( leofeyer )
#3970 Handle quoted column names in the Statement class ( leofeyer )
#3969 Do not enable the maintenance mode for new pages ( leofeyer )
#3968 Correctly hash the preview file path ( ausi )
#3943 Generate useful error message on routing issues ( aschempp )
#3961 Gray out expired preview links ( leofeyer )
#3953 Fix the PackageUtil class ( ausi )
#3962 Fix the button alignment in the parent view ( leofeyer )
#3934 Fix the permission check for preview links ( aschempp )
#3949 Fix a leftover System::log call ( fritzmg )
#3952 Fix default log context for Email::sendTo ( SeverinGloeckle )
#3945 Make security.encoder_factory public again ( bytehead )
#3927 Explicitly set rootPaste, deprecate implicit rootPaste ( ausi )
#3937 Various small filesystem tweaks ( m-vo )
#3938 Remove remaining deprecations ( bytehead )
#3896 Improve the toggle operation ( aschempp )
#3909 Correctly handle types and empty values in DC_Table::save() ( aschempp )
#3929 Adjust the SERP preview formatting ( leofeyer )
#3916 Fixed tl_page permissions for routing fields ( aschempp )
#3912 Move the imgSize labels to the default.xlf file ( leofeyer )
#3917 Update maintenance response and add to preview endpoint ( aschempp )
#3905 Deprecate the PackageUtil class ( leofeyer )
#3829 Handle $objPage not being set in the InsertTags class ( leofeyer )
#3892 Fix method name to get default token value ( aschempp )
#3891 Fix memory issues in the backup command ( aschempp )
#3884 Check for unpublished elements when generating the RSS feed ( leofeyer )
#3885 Unify the command output format ( aschempp )
#3873 Stop using BE_USER_LOGGED_IN constant ( aschempp )
#3871 Rename the token value method ( aschempp )
#3866 Fix some minor issues ( leofeyer )
#3865 Use generic image format labels ( leofeyer )
#3868 Set logout response depending on scope ( bytehead )
#3846 Fixed debug:pages command and show dynamic content composition ( aschempp )
#3858 Revert replacing insert tags in the template inheritance trait ( leofeyer )
#3859 Deprecate two global variables ( leofeyer )
#3863 Harden the Picker class against undefined array keys ( leofeyer )
#3861 Fix the back end pagination menu ( leofeyer )
#3845 Register a controller for error page types ( aschempp )
#3816 Rework the @throws annotations ( leofeyer )
#3835 Remove the alias field from unroutable pages ( aschempp )
#3837 Do not check on null as the username can be empty ( bytehead )
#3810 Use mode constants in Picker widget ( bezin )
#3801 Add a missing isset() when checking for the mailer DSN ( aschempp )
#3795 Fix issues with non-admin users ( leofeyer )
#3799 Make the page registry service public ( aschempp )
#3796 Correctly handle unroutable legacy types ( aschempp )
#3778 Ensure type-safety when replacing legacy insert tags ( aschempp )
#3765 Do not deprecate the autowiring aliases ( leofeyer )
#3695 Switch to Symfony's version of the Path helper ( m-vo )
#3764 Make the autowiring aliases of renamed services public ( leofeyer )
#3744 Show bubbled exceptions in the pretty error screen listener ( aschempp )
#3743 Fix the PasswordHasherFactory usage ( bytehead )
#3746 Upgrade symfony/security-bundle to 5.4 and fix TokenInterface usage ( bytehead )
#3735 Correctly fix a wrong method usage ( leofeyer )
#3723 Stop using the LegacyEventDispatcherProxy class ( leofeyer )
#3720 Fix security permissions for custom backend paths ( aschempp )
#3714 Do not unnecessarily fetch the PageRoute twice ( aschempp )
#3705 Fix a typo in a listener ID ( leofeyer )
#3691 Fix an array to string conversion ( leofeyer )
#3696 Lower the maximum insert tag recursion level ( m-vo )
#3680 Fix a wrong method usage ( leofeyer )
#3681 Fix the fragment handler ( leofeyer )
#3676 Replace FragmentRendererPass with tagged locator ( aschempp )
#3257 Fix the Symfony 5.3 security deprecations ( bytehead )
#3658 Correctly check whether the root page allows canonical URLs ( leofeyer )
#3645 Restore backwards compatiblilty for DB Statement ( ausi )
#3653 Do not block the contao.backend namespace ( leofeyer )
#3643 Fix the DB query in the Versions class ( leofeyer )
#3641 Replace the remaining mode/flag numbers with constants ( leofeyer )
#3596 Fix the visible root trail check in the extended tree view ( Toflar )