Contao Open Source CMS Changelog for the version 5.3

About Contao 5.3 LTS

The first stable version of Contao 5.3 has been released on February 16, 2024, replacing Contao 4.13 as the long term support version. As an LTS version, 5.3 will be provided with bug fixes until February 14, 2027 and security-related updates until February 14, 2028. Contao 5.7 is the next LTS version of Contao and was released in February 2026, ensuring a smooth transition.

Changelog Contao 5.3

Contao 5.3.46 (2025-04-24)

Changelog of the fixed issues in Contao 5.3.46:

#9756 Conflict with league/flysystem-bundle 3.7 ( ausi )
#9730 Show infinitely repeating events only once if the list is open-ended ( ausi )
#9736 Require symfony/polyfill-php84 and update the usage of Mysql::ATTR_MULTI_STATEMENTS ( zoglo )
#9711 Support JSON-LD multiple types ( koertho )
#9717 Fix the missing Vary header in the CAPTCHA controller ( Toflar )
#9701 Cast bigint columns to integer ( ausi )
#9704 Add the charset to the news feed content type ( fritzmg )
#9694 Normalize paths in the generateScriptTag() and generateStyleTag() methods ( fritzmg )
#9665 Add the missing aspect ratios for Reels, Shorts and TikTok videos ( fritzmg )
#9656 Add text overflow handling to the tl_tip class ( Tastaturberuf )
#9625 Move the template editor check to a save_callback ( fritzmg )
#9638 Check for nested parent tables in the picker ( aschempp )
#9635 Encode invalid and disallowed URL protocols in BBCode ( ausi )

Contao 5.3.45 (2025-03-04)

Changelog of the fixed issues in Contao 5.3.45:

#9617 Fix the active status assignment when synchronizing newsletter recipients ( zonky2 )
#9308 Always allow pages to be copied to clipboard ( fritzmg )
#9611 Remove @charset and BOM from the compiled SCSS files ( fritzmg )
#9597 Trigger the InteractiveLoginEvent for the back end login ( falkgeist )
#9591 Remove preserveTags for password fields ( fritzmg )
#9574 Reset the globals and the response context on error pages ( fritzmg )
#9571 Use platformOptions instead of customSchemaOptions ( fritzmg )
#9564 Add the missing migration service definitions ( Toflar )
#9509 Fix the boolean return types of the validator ( ausi )
#9489 Do not dispatch search index messages in debug mode ( lukasbableck )
#9486 Remove the value field from the password palette ( fritzmg )
#9467 Add the missing basicEntities conversion for form fields ( fritzmg )
#9419 Allow to enable basic entities for the MetaWizard ( fritzmg )
#9395 Purge tl_cron_job records older than 1 year ( fritzmg )
#9418 Remove HTML in the tooltip of fileTree preview images ( fritzmg )
#9425 Fix an error in the profiler ( fritzmg )
#9416 Delete old XML files when migrating news feeds ( fritzmg )
#9415 Normalize the URL field length ( fritzmg )
#9400 Always use the contao.listener.image_size_options service ( fritzmg )
#9396 Normalize the imageSize fields ( fritzmg )
#9387 Do not show an error for unexpected subsequent migrations ( ausi )
#9345 Fix the line height for select and input fields ( fritzmg )
#9354 Add a BC comment for doctrine/dbal < 4.5.0 ( ausi )
#9339 Do not run migrations that were not previously pending ( ausi )
#9328 Prevent circular references when nesting records ( patrickjDE )
#9285 Check for FORM_SUBMIT in ModuleLogin::generate() ( fritzmg )
#9213 Fix the Contao icon color in the profiler ( lukasbableck )

Contao 5.3.44 (2025-01-12)

Changelog of the fixed issues in Contao 5.3.44:

#9200 Fix inconsistent hashes for schema changes ( lukasbableck )
#9182 Fix the tooltip flickering in the header bar ( zoglo )
#9168 Use break-word in listings ( fritzmg )
#9166 Improve the CAPTCHA script ( ausi )
#9121 Use the image UUID in search results ( fritzmg )
#9112 Fix the "Loading data …" box styling issues ( fritzmg )
#9089 Improve the NewsFeedListenerTest ( fritzmg )
#9090 Use MockHttpClient in FactoryTest ( fritzmg )
#9092 Fix a missing host in the be_conflict template ( aschempp )
#9059 Fix various PHP 8.5 issues ( aschempp )
#9061 Skip cron jobs in maintenance mode (again) ( aschempp )

Contao 5.3.43 (2025-11-26)

Changelog of the fixed issues in Contao 5.3.43:

#9045 Fix the legacy accordion templates ( zoglo )

Contao 5.3.42 (2025-11-25)

Security vulnerabilities closed:

Remote code execution in template closures (CVE-2025-65960)
Cross-site scripting in templates (CVE-2025-65961)

Changelog of the fixed issues in Contao 5.3.42:

#9032 Also delete the dev cache in contao-setup ( fritzmg )
#8997 Fix isHidden() for ContentProxy ( fritzmg )
#9023 Fix a PHP8 issue in the module wizard ( aschempp )
#9024 Fix rendering member fields without label ( aschempp )
#9011 Only load disabled images in AjaxRequest.toggleField if they exist ( zoglo )
#8945 Use the original Swiper markup ( leofeyer )
#9015 Ignore web profiler requests in the search index and fix the back end request regex ( fritzmg )
#8991 Move the try/catch block only around the insert statement ( bytehead )
#8993 Fix a bug with HTML encoded styles in HtmlAttributes ( ausi )
#8996 Fix a typo for addBefore in ModuleFaqReader ( fritzmg )

Contao 5.3.41 (2025-11-13)

Changelog of the fixed issues in Contao 5.3.41:

#8969 Correctly set the table on fake DC in copy callback ( aschempp )
#8986 Fix a bug with float values in the HtmlAttributes class ( ausi )
#8959 Fix the widget description if the label is not an array ( aschempp )
#8946 Fix an error when trying to render a deleted CE/FM via Twig function ( lukasbableck )
#8601 Change the response Content-Type for feeds in debug mode ( fritzmg )
#8941 Do not render the SERP preview on POST requests ( aschempp )
#8798 Correctly filter disabled groups in the front end ( bright-cloud-studio )
#8936 Do not check the publishing state for content URL results ( aschempp )
#8937 Do not check the parent page type when moving pages ( aschempp )
#8916 Pass through the ImageInterface instance in the figure builder ( fritzmg )
#8731 Replace insert tags in link titles in the hyperlink controller ( dennisbohn )
#8738 Ensure a correct cron job return value ( kuestenweb )
#8903 Do not preload reader modules if there are no articles in the layout ( zoglo )

Contao 5.3.40 (2025-09-30)

Changelog of the fixed issues in Contao 5.3.40:

#8853 Use a pointer cursor for the preview toolbar toggle ( fritzmg )
#8879 Update paragonie/constant_time_encoding ( paragonie-security )
#8881 Handle directories in the file image preview ( aschempp )
#8859 Fix the undefined method named "shouldPreload" error ( ausi )
#8819 Do not hardcode the file preview ( aschempp )
#8751 Fix the template module class ( aschempp )
#8814 Do not check the page type when adding child pages ( aschempp )
#8805 Fix the permission check on pages in article view ( aschempp )
#8085 Preload the reader modules ( ausi )
#8795 Remove the deprecation from Input::stripTags() ( ausi )
#8780 Move the preview toolbar into the shadow DOM ( zoglo )
#8787 Handle infinite recursion in the insert tag parser ( ausi )
#8779 Check if the Content-Type header exists before using it in the PreviewToolbarListener ( lukasbableck )

Contao 5.3.39 (2025-09-04)

Changelog of the fixed issues in Contao 5.3.39:

#8717 Only duplicate fragment services if needed ( Toflar )
#8759 Restore the "empty event list" message ( fritzmg )
#8754 Additionally check the disablePermissionsChecks flag for back end modules ( fritzmg )
#8730 Ignore empty styles in HtmlAttributes::addStyle() ( ausi )
#8755 Use a 16:9 aspect ratio in translations ( fritzmg )
#8746 Fix the default size of video elements ( aschempp )
#8752 Backup the response context ( aschempp )

Contao 5.3.38 (2025-08-28)

Security vulnerabilities closed:

Information disclosure in the front end search index (CVE-2025-57756)
Information disclosure in the news module (CVE-2025-57757)
Improper access control in the back end voters (CVE-2025-57758)
Improper privilege management for page and article fields (CVE-2025-57759)

Changelog of the fixed issues in Contao 5.3.38:

#8741 Add an ID to the CAPTCHA in the registration form ( fritzmg )
#8727 Deprecate some user variables ( fritzmg )
#8729 Do not use the request locale in the Countries and Locales classes ( ausi )
#8726 Allow to create a user without a request ( aschempp )
#8580 Add the group index and count to events ( fritzmg )
#8708 Add a higher priority to the BooleanFieldsMigration ( fritzmg )
#8701 Check undefined global objPage ( bytehead )
#8698 Fix the invalid permission check in tl_content ( aschempp )
#8694 Fix the compatibility with php-feed-io/feed-io 6.1.1 ( ausi )
#8681 Only vote on pid and ptable for parent mode ( aschempp )
#8675 Check for main request in the PreviewToolbarListener ( fritzmg )

Contao 5.3.37 (2025-08-13)

Changelog of the fixed issues in Contao 5.3.37:

#8665 Initialize the clock in the 2FA authenticator ( zoglo )

Contao 5.3.36 (2025-08-13)

Changelog of the fixed issues in Contao 5.3.36:

#8660 Update enshrined/svg-sanitize to version 0.22 ( bytehead )
#8652 Update spomky-labs/otphp to version 11 ( bytehead )

Contao 5.3.35 (2025-08-12)

Changelog of the fixed issues in Contao 5.3.35:

#8654 Allow version 2 of guzzlehttp/promises ( bytehead )
#8582 Change the newsletter recipient icon according to the start/stop date ( fritzmg )
#8622 Do not use load callbacks to set default values ( fritzmg )
#8627 Improve the root page error message ( aschempp )
#8358 Fix an undefined index error for href in the news menu template ( Tastaturberuf )
#8602 Rename the attr() function to attrs() ( zoglo )
#8609 Remove the ClipboardManager class constant ( aschempp )
#8648 Fix an SQL error when disabling subscribed members ( fritzmg )
#8600 Add aria-current="page" to the active navigation item ( zoglo )
#8597 Add the missing autowiring alias for FileDownloadHelper ( fritzmg )
#8592 Switch to php-feed-io/feed-io ( fritzmg )
#8579 Reset $blnDetailsLoaded in PageModel when setting a new row ( fritzmg )
#8572 Correctly check permissions to create a new clipboard ( aschempp )
#8032 Disable the asFragment option of the #[AsInsertTag] attribute ( ausi )
#8527 Add a PROCESS_CONSUMER_NAME env variable to all initiated subprocesses ( richardhj )
#8526 Add number format validation for slider settings ( de-es )
#8466 Use :: to reference fragment methods ( dmolineus )
#8515 Use Backend::addToUrl() for DataContainer::switchToEdit() ( aschempp )

Contao 5.3.34 (2025-06-30)

Changelog of the fixed issues in Contao 5.3.34:

#8499 Remove noSearch from news_feed and use permission for newsArchives options ( fritzmg )
#8373 Correctly resolve the preview URL inside content elements ( aschempp )
#8379 Fix absolute path URLs not enabling the lightbox ( fritzmg )
#8463 Use :: to reference controller methods (Symfony 6+ compatibility) ( dmolineus )
#8455 Fix side-effects in Document::getContentCrawler() ( Toflar )
#8457 Catch parse errors in the auto service registration ( Toflar )
#8405 Fix multiple issues with referrers in the back end ( Toflar )
#8419 Encode URLs in the preview link controller ( fritzmg )
#8439 Remove the title attribute from the breadcrumb elements ( fritzmg )
#8436 Remove the popstate listener for table revision ( fritzmg )
#8433 Do not override error_reporting in contao-api ( fritzmg )
#8416 Correctly check if the core modules are installed for comments ( aschempp )
#8420 Do not show the Swiper buttons in the back end preview ( fritzmg )
#8417 Add the fieldset legend IDs again ( aschempp )
#8361 Correctly support the default callback on tagged services ( aschempp )
#8409 Remove leftover language strings from the CSS editor ( aschempp )
#8407 Prevent deep merging of contao.messenger.web_worker.transports ( md-netdesign )
#8406 Fix the permission check when copying elements ( aschempp )
#8389 Handle empty news feed items in the news feed controller ( fritzmg )
#8392 Always tag the news archives in the news feed controller ( fritzmg )
#8388 Check if articles exist in the FetchArticlesForFeedEvent listener ( fritzmg )
#8385 Also embed SVG images in emails ( fritzmg )
#8381 Add the missing autowiring alias for the DcaUrlAnalyzer ( aschempp )
#8376 Use Path::join instead of Path::makeAbsolute ( fritzmg )
#8363 Check the member groups before excluding content from indexing ( aschempp )
#8365 Drop the guests column after migration ( aschempp )
#8367 Handle union and intersection types when autoloading app services ( aschempp )
#8295 Exclude folders from valid file name check ( fritzmg )

Contao 5.3.33 (2025-05-14)

Changelog of the fixed issues in Contao 5.3.33:

#8319 Recursively run StringUtil::decodeEntities() on arrays ( aschempp )
#8274 Add search listeners for news, events and FAQs ( CMSworker )
#8330 Mention basic entities in the UPGRADE.md file ( fritzmg )
#8221 Add workers to the functional tests ( fritzmg )
#8342 Catch exceptions in the DelegatingIndexer ( Toflar )
#8269 Fix the back end layout for mobile devices ( fritzmg )
#8286 Unify the .cte_preview styles ( fritzmg )
#8324 Remove the tableless leftovers ( aschempp )
#8327 Make tl_newsletter_subscriptions.email nullable ( fritzmg )
#8334 Correctly support the :collapsed keyword in the palette manipulator ( zoglo )
#8336 Make the Dropzone overlay in the file tree fixed ( fritzmg )
#8322 Allow absolute URLs in DCA backlinks ( aschempp )
#8341 Strip more irrelevant query parameters ( Toflar )
#8344 Remove error_reporting from contao-setup ( fritzmg )
#8328 Add alwaysSave to tl_calendar_feed.feedBase ( fritzmg )
#8304 Render the QR code margin directly in the image ( Tastaturberuf )
#8307 Throw an exception on backup errors ( fritzmg )
#8309 Use the module ID for flash bag variables in the newsletter modules ( fritzmg )

Contao 5.3.32 (2025-04-17)

Changelog of the fixed issues in Contao 5.3.32:

#8180 Fix ESI support for fragment elements ( aschempp )
#8270 Fix page sorting with same languages across domains ( aschempp )
#8275 Remove redundant code ( leofeyer )
#8265 Show all search results in tree mode ( aschempp )
#8267 Make the badge-title mobile friendly ( zoglo )
#8262 Fix the metadata for breadcrumbs ( fritzmg )
#8240 Do not use the title attribute in the download content elements ( fritzmg )
#8263 Do not override page requirements and defaults ( aschempp )
#8233 Make the OrderFieldMigration available for third-party developers ( aschempp )
#8258 Do not redirect if the two-factor page is the current page ( zoglo )
#7678 Unify the autoloader in CLI scripts ( aschempp )
#8256 Fix the fallback FormCaptcha namespace ( fritzmg )

Contao 5.3.31 (2025-03-25)

Changelog of the fixed issues in Contao 5.3.31:

#8232 Make the maintenance tasks in the user profile configurable ( Toflar )
#8211 Skip cron jobs in maintenance mode ( aschempp )
#8190 Handle arrays when converting basic entities ( leofeyer )
#8219 Add a missing database connection argument ( fritzmg )
#8201 Prevent useless database connections ( Toflar )
#8198 Disable pasting data images by default in tinyMCE ( Toflar )
#8162 Do not remove request tokens from the HTML response anymore ( richardhj )

Contao 5.3.30 (2025-03-18)

Security vulnerability closed:

Cross site scripting through SVG uploads (CVE-2025-29790)

Contao 5.3.29 (2025-03-12)

Changelog of the fixed issues in Contao 5.3.29:

#8186 Correctly set the tree root if showRootTrails is not enabled ( aschempp )
#8176 Replace newsletter insert tags in front end scope ( ausi )
#8173 Only add the pid and sorting fields in edit/override multiple mode for admins ( leofeyer )
#8172 Also show the edit-all operation if a table is only sortable ( aschempp )
#8179 Add the missing scroll-offset#store action to the all button ( zoglo )
#8181 Show errors for failed elements in the back end ( ausi )

Contao 5.3.28 (2025-03-05)

Changelog of the fixed issues in Contao 5.3.28:

#8175 Fix an SQL error if there are no pages at all ( aschempp )
#8167 Handle array values in the form_session_data insert tag ( leofeyer )
#8165 Check the default table options in the RememberMeMigration ( leofeyer )

Contao 5.3.27 (2025-03-04)

Changelog of the fixed issues in Contao 5.3.27:

#8146 Reintroduce "Show to guests only" for pages ( fritzmg )
#8161 Always fetch root IDs in the correct order ( aschempp )
#8159 Ignore tokens from Contao 4 in the RememberMeMigration ( leofeyer )
#8150 Fix duplicate text in the search results context ( ausi )
#8151 Also import SQL dumps from var/backups when importing a theme ( ausi )
#8143 Fix row size too large error ( ausi )
#8139 Only assume a self-referencing table in mode 5 when deleting records ( leofeyer )
#8130 Add body template and attributes callback to the maker bundle ( aschempp )
#8131 Add spellcheck="false" to the search input field ( fritzmg )
#8128 Modernize the maker bundle ( fritzmg )
#8093 Change Template to FragmentTemplate in the maker bundle ( christianbarkowsky )
#8123 Improve the language cache warmer performance ( fritzmg )

Contao 5.3.26 (2025-02-17)

Changelog of the fixed issues in Contao 5.3.26:

#8087 Generate the correct path when adding Contao components as assets ( pressi )
#8086 Log all sent and failed email messages ( fritzmg )
#8088 Prevent useless messages in the search listener ( Toflar )
#8068 Handle Contao 5.5 operation keys (forward compatibility) ( leofeyer )
#8078 Make sure Request.Contao options are always initialized ( fritzmg )

Contao 5.3.25 (2025-02-11)

Changelog of the fixed issues in Contao 5.3.25:

#8053 Use table lock for the contao.cron service again ( fritzmg )
#8036 Fix the Mootools request URL ( aschempp )
#8026 Replace the deprecated global variable request_token ( bytehead )
#8022 Add the request token to Ajax request changing the sorting ( leofeyer )
#8016 Enable enableKeyboardAccessibility for the ace editor ( zoglo )
#8005 Remove el.blur() from all scripts ( leofeyer )
#8001 Use Symfony locks instead of DB locks for the Cron service ( fritzmg )
#7991 Sort the news feed in descending order ( zoglo )
#7990 Unset the default UriSigner parameters when generating download URLs ( fritzmg )
#7951 Update the .draft styles ( zoglo )
#7995 Allow using basic entities in TinyMCE fields ( ausi )
#7975 Add breadcrumb separators to the back end title ( ausi )
#7986 Add missing ref for edit profile redirect ( fritzmg )
#7988 Set defaultSearchField for tl_page to title ( fritzmg )
#7977 Fix using numeric theme/identifier names in the ContaoFilesystemLoader ( m-vo )
#7982 Prevent useless DB queries in the CommandSchedulerListener ( Toflar )
#7920 Improve the TemplateLocator performance ( fritzmg )
#7945 Fix the download mime type ( ausi )
#7942 Remove background from regular MODE_PARENT listings ( fritzmg )
#7943 Fix a bug with unknown insert tag end names ( ausi )
#7939 Do not use DC_Table::generateRecordLabel() for breadcrumbs ( ausi )

Contao 5.3.24 (2025-01-22)

Changelog of the fixed issues in Contao 5.3.24:

#7930 Fix a permission error in non-tree views ( aschempp )
#7915 Adjust the :hover of the limit-toggler ( zoglo )

Contao 5.3.23 (2025-01-20)

Changelog of the fixed issues in Contao 5.3.23:

#7899 Fix tree rendering with filters and trails ( aschempp )
#7904 Add custom template settings for the feed reader module ( de-es )
#7898 Fix variadic parameters with string keys ( aschempp )

Contao 5.3.22 (2025-01-16)

Changelog of the fixed issues in Contao 5.3.22:

#7889 Also persist theme slugs in the Twig hierarchy cache ( m-vo )
#7762 Show an error message when copying newsletter recipient records ( fritzmg )
#7843 Fix dynamic Twig inheritance when in a theme context ( m-vo )
#7882 Fix a PHP 8 issue in the tl_user_group::getExcludedFields() method ( leofeyer )
#7793 Unwrap Twig exceptions ( aschempp )
#7880 Ensure that Widget::$arrOptions is always an array ( leofeyer )
#7801 Correctly render nested fragments with the allowedTypes option in the debug view ( bytehead )
#7874 Handle query parameters when generating download URLs ( fritzmg )
#7415 Fix an error if a record in the clipboard is deleted before pasting ( lukasbableck )
#7865 Add no-store to back end responses ( fritzmg )
#7800 Increase the blob size for tl_user.session ( fritzmg )
#7815 Correctly handle fragment priority ( aschempp )
#7856 Fix an SQL syntax error in the FileExtensionMigration ( lukasbableck )
#7860 Set $dc->table and $dc->id in the FallbackRecordLabelListener ( lukasbableck )

Contao 5.3.21 (2025-01-03)

Changelog of the fixed issues in Contao 5.3.21:

#7832 Use the correct _store_referrer request attribute ( fritzmg )
#7827 Do not overwrite the current referrer with the table referrer ( ausi )
#7795 Remove empty locales in the meta wizard and add the primary language ( Toflar )
#7797 Ignore pages in maintenance mode when generating the sitemap ( qzminski )
#7799 Introduce constants for paste into/after ( fritzmg )
#7798 Do not force HTTP method parameter override ( fritzmg )
#7789 Consider the addImage checkbox when collecting RSS enclosures ( CMSworker )
#7821 Add chosen to tl_form_field.type ( zoglo )
#7010 Handle nested content elements in the back end breadcrumb menu ( ausi )
#7822 Backport the record labeler service ( ausi )

Contao 5.3.20 (2024-12-10)

Changelog of the fixed issues in Contao 5.3.20:

#7785 Use CAST(… AS BINARY) instead of BINARY ( leofeyer )
#7690 Fix the help wizard ( bytehead )
#7773 Add the missing relations to the DCAs ( aschempp )
#7732 Add the domain to the "root page dependent module" configuration ( aschempp )
#7757 Disallow creating or updating elements with invalid parent record ( aschempp )
#7755 Handle ampersands in the alt attribute of the picture insert tag ( markocupic )
#7772 Use the correct session bag in the preview link listener ( leofeyer )
#7758 Make the default (global) operations more consistent ( aschempp )
#7765 Disable overlayClick for SimpleModal ( zoglo )
#7767 Fix the base path for canonical URLs ( fritzmg )
#7778 Do not normalize the resampling-filter array key ( ausi )
#7751 Make sure the correct test-case package is installed in Contao ( aschempp )

Contao 5.3.19 (2024-11-28)

Changelog of the fixed issues in Contao 5.3.19:

#7752 Fix the sorting when copying multiple form fields as a non-admin user ( qzminski )
#7753 Replace insert tags in Twig surrogate parent templates ( ausi )
#7556 Enable double encoding for JSON in Twig ( ausi )
#7750 Handle null result in 404 router provider ( aschempp )
#7749 Make Contao 5.3 compatible with PHP 8.4 ( bytehead )
#7744 Fix the "lost password" module ( leofeyer )

Contao 5.3.18 (2024-11-20)

Changelog of the fixed issues in Contao 5.3.18:

#7730 Show section headlines in the back end preview ( leofeyer )
#7729 Allow basic entities in section headlines ( leofeyer )
#7727 Make the abstract entities migration case-sensitive ( leofeyer )
#7670 Prevent possible type error in DC_Table::getClipboardPermission ( fritzmg )
#7699 Do not load the CAPTCHA script in the back end preview ( leofeyer )
#7698 Skip fragments which inherit legacy modules in debug:fragments ( bytehead )
#7682 Remove superfluous domain encoding ( falkgeist )
#7720 Cache hot path in model ( Toflar )
#7631 Allow page controllers to create the response context ( fritzmg )
#7715 Consider the doNotDeleteRecords setting when deleting child records ( patrickjDE )
#7716 Fix login redirect and session usage ( fritzmg )
#7712 Fix the permissions check for "save and duplicate" ( aschempp )
#7708 Decode entities for favorites labels ( fritzmg )
#7717 Use the RateLimiter component to limit password reset requests ( bytehead )
#7674 Flag deprecated Twig functions as deprecated ( m-vo )
#7667 Harden CSP header parsing ( bytehead )

Contao 5.3.17 (2024-10-23)

Changelog of the fixed issues in Contao 5.3.17:

#7665 Fix the ContentElementTypeListener ( Toflar )

Contao 5.3.16 (2024-10-22)

Changelog of the fixed issues in Contao 5.3.16:

#7617 Deprecate Controller::sendFileToBrowser() and add the postDownload hook to the UPGRADE.md file ( Toflar )
#7637 Check permissions on all operations in the PermissionCheckingVirtualFilesystem decorator ( m-vo )
#7516 Use a listener to set the allowed element types ( aschempp )
#7650 Enable pauseOnMouseEnter in the Swiper template by default ( fritzmg )
#7660 Fix a type error in CalendarContentVoter ( fritzmg )
#7639 Improve the template DX when overwriting variables ( m-vo )
#7626 Improve the VFS extra metadata handling ( m-vo )
#7012 Do not redefine existing fragments ( bytehead )
#7622 Replace newlines in CSP headers ( bytehead )
#7623 Fix an invalid array access in the Model::cloneOriginal() method ( Toflar )
#7618 Add the missing root--dark icon ( zoglo )
#7583 Fix tooltips on mobile devices ( fritzmg )
#7570 Do not save long file extensions during filesync ( fritzmg )
#7555 Use the resource finder in the Twig template locator ( aschempp )
#7527 Move fieldset legend padding to button ( fritzmg )
#7553 Remove PDF remnants ( fritzmg )
#7561 Fix a type error in NewsContentVoter ( fritzmg )
#7537 Add a null check for a possible empty array ( bytehead )

Contao 5.3.15 (2024-09-17)

Security vulnerabilities closed:

Remote command execution through file upload (CVE-2024-45398)
Insert tag injection via canonical URL (CVE-2024-45612)

Contao 5.3.14 (2024-09-12)

Changelog of the fixed issues in Contao 5.3.14:

#7509 Handle string IDs in the article content voter ( aschempp )
#7525 Only add the galleryTpl field to the legacy gallery element ( fritzmg )
#7467 Correctly handle news feed URLs in the page routing listener ( leofeyer )
#7513 Fix the parent record loading in the dynamic parent table voter ( aschempp )
#7489 Fix the description list markup for template templates ( fritzmg )
#7484 Fix type error in downloads content element ( fritzmg )
#7485 Fix the name of symlinked filesystem adapters ( fritzmg )
#7477 Fix the line height of the ellipsis containers ( leofeyer )
#7472 Consider subfolders and Twig templates within the theme export ( zoglo )

Contao 5.3.13 (2024-08-06)

Changelog of the fixed issues in Contao 5.3.13:

#7465 Fix the content element player start time ( kllmanu )
#7443 Show a warning if a personal data module allows to change the password ( leofeyer )
#7088 Add voters for content elements ( aschempp )
#7440 Generate a new session ID after a member has changed their password ( leofeyer )
#7235 Allow toggling fieldset states with keyboard actions (A11Y) ( zoglo )
#7428 Improve the web worker time limit ( ausi )
#7435 Restore the previous messages order in DC_Table ( fritzmg )
#7439 Use ERR.submit in all DC forms ( fritzmg )
#7367 Improve the visibility of the .limit_toggler in the back end ( lukasbableck )
#7416 Encode mailto addresses in the markdown element ( Toflar )
#7407 Add the DataContainer::getActiveRecord() method ( Toflar )
#7422 Prevent endless recursion when copying elements with children ( ausi )

Contao 5.3.12 (2024-08-06)

Changelog of the fixed issues in Contao 5.3.12:

#7385 Clone content elements with all data ( aschempp )
#7411 Make sure to add the assets/files context to all image paths ( leofeyer )
#7397 Use maxLines: Infinity to automatically resize the ACE editor ( leofeyer )
#7398 Make the theme icons forward compatible ( leofeyer )
#7382 Fix the double form submission script ( leofeyer )
#7376 Skip database backups if the remaining migrations will not be executed ( fritzmg )
#7381 Fix the padding of the main content area on mobile devices ( leofeyer )
#7374 Fix the z-index of the limit height toggle ( leofeyer )
#7364 Use the modified element when cloning ( aschempp )
#7358 Use the widget attributes to generate the DCA row ( aschempp )
#7348 Cleanup a leftover service argument ( Toflar )
#7343 Do not limit the number of download items ( mpitz )
#7327 Add the :never return type to methods that never return ( aschempp )
#7319 Generate public URIs for automatically mounted adapters replacing symlinks ( m-vo )
#7320 Handle .<ext>.twig file extensions in DC_Folder ( m-vo )

Contao 5.3.11 (2024-06-28)

Changelog of the fixed issues in Contao 5.3.11:

#7315 Fix the priority of the web worker and improve memory handling ( Toflar )
#7317 Fix missing submitter in form data ( ausi )
#7309 Fix infinite loop in encore dev --watch ( zoglo )

Contao 5.3.10 (2024-06-25)

Changelog of the fixed issues in Contao 5.3.10:

#7300 Remove two leftover clearing DIVs ( leofeyer )
#7293 Prevent double form submission ( ausi )
#7294 Fix symlinked file not inside root directory ( ausi )
#7292 Evaluate scripts in Ajax form responses ( ausi )
#7296 Fix toggling nodes if there is no global operation ( leofeyer )
#7291 Fix drag and drop in the file manager ( leofeyer )
#7289 Skip sleeping in messenger web worker ( ausi )
#7055 Return to the list view after adding items to the clipboard ( aschempp )
#7287 Fix missing query parameters in the file insert tag ( ausi )
#7283 Use the translator language instead of the request language for the iflng and ifnlng insert tags ( Toflar )
#7282 Check CSRF and private response after the session ( ausi )
#7270 Replace non-routable URLs with an empty string for the [{]link*}} insert tags ( fritzmg )
#7268 Initialize the Contao framework when working with opt-in tokens ( aschempp )
#7253 Rework the messenger integration ( Toflar )
#7262 Remove the process timeout in the SuperviseWorkersCommand ( md-netdesign )
#6985 Undeprecate using $model->classes ( aschempp )
#6991 Cache relative paths in the ContaoFilesystemLoader ( m-vo )
#7244 Replace insert tags when parsing widget templates ( fritzmg )
#7241 Use the original ID for nested fragments if available ( aschempp )
#7239 Fix more edge cases in the HtmlAttributes class ( ausi )
#7228 Overwrite the page metadata before parsing the news article ( lukasbableck )
#7237 Fix an endless loop in the DC_Folder::getParentFilemounts() method ( leofeyer )
#7225 Do not trigger the PHP header() deprecation for certain headers ( fritzmg )

Contao 5.3.9 (2024-05-24)

Changelog of the fixed issues in Contao 5.3.9:

#7102 Invalidate the pagemounts cache in the back end access voter when duplicating a page ( lukasbableck )
#7197 Remove a redundant strlen() check ( leofeyer )
#7223 Correctly set the status code of the fallback route to 404 ( veronikaplenta )
#7214 Make Twig 3.10.2 the minimum requirement ( leofeyer )
#7202 Fix the CSS class of legacy templates in new elements and modules ( veronikaplenta )

Contao 5.3.8 (2024-05-07)

Changelog of the fixed issues in Contao 5.3.8:

#7195 Handle quoted columns names in the boolean fields migration ( ausi )
#7133 Skip permissions checks for child records ( aschempp )
#7192 Hide migrated news feeds in the navigation menu ( leofeyer )
#7189 Fix the ParsedSequence::serialize() method ( ausi )
#7186 Allow contao.insert_tag tags without method and priority ( fritzmg )
#7164 Do not use the deprecated replaceInsertTags hook ( ausi )
#7175 Check access to fieldsOfTable for the file edit operation ( aschempp )
#7149 Show all page types in the help wizard ( leofeyer )
#7145 Allow hyphens in custom legacy template names ( fritzmg )
#7151 Add the component style sheets before the user style sheets ( leofeyer )
#7049 Implode arrays recursively when showing undo records ( leofeyer )
#7168 Allow to move an error page within its root ( aschempp )
#7173 Correctly set the defer attribute for combined deferred scripts ( ReneLuecking )
#7170 Use the new onpalette_callback to unset fields in the file manager ( aschempp )
#7165 Fix invalid HTML markup in splash screens ( bennyborn )
#7154 Store enum fields in the DCA extractor cache ( SeverinGloeckle )
#7153 Fix non-existent "contao.image.image_factory" in FeedItem.php ( stefansl )
#7148 Disable the search index listener in the back end ( Toflar )
#7144 Fix the PHP subprocess call once again ( Toflar )
#7147 Catch the URL generator exception in the news insert tag ( qzminski )
#7146 Test the deserialize Twig filter ( ausi )
#7139 Add a deserialize Twig filter ( leofeyer )

Contao 5.3.7 (2024-04-19)

Changelog of the fixed issues in Contao 5.3.7:

#7089 Make the member group voter cacheable ( aschempp )
#7129 Make the PhpTemplateProxyNode class compatible with Twig 3.9 ( ausi )
#7130 Fix the elements check in the sectionwizard.js script ( qzminski )
#7127 Use PhpSubprocess instead of Process in the ProcessUtil class ( Toflar )

Contao 5.3.6 (2024-04-17)

Changelog of the fixed issues in Contao 5.3.6:

#7122 Ensure compatibility with Twig 3.9 ( leofeyer )
#7112 Handle empty strings in the StringResolver class ( qzminski )

Contao 5.3.5 (2024-04-16)

Changelog of the fixed issues in Contao 5.3.5:

#7113 Fix the order of the media block in the text element markup ( ausi )
#7107 Use Encore to minify the SVG icons ( leofeyer )
#7071 Add the missing styles to the new table element ( zoglo )
#7106 Enable the sortAttrs option in the SVGO configuration ( leofeyer )
#7017 Fix the elements check in the modulewizard.js script ( qzminski )
#7073 Use display: grid in the image gallery preview ( zoglo )
#7074 Initialize Handorgel on the element ( zoglo )
#7081 Add the missing WysiwygStyleProcessor autowiring alias ( Toflar )
#7064 Also unset the disable, start and stop fields when an admin edits themselves ( aschempp )
#7057 Cache SQL queries in the page type voter ( aschempp )
#7046 Fix some edge cases when parsing HTML style attributes ( ausi )

Contao 5.3.4 (2024-04-09)

Security vulnerabilities closed:

Session cookie disclosure in the crawler (CVE-2024-28235)
Cross site scripting in the file manager (CVE-2024-28190)
Insert tag injection via the form generator (CVE-2024-28191)
Remember-me tokens are not cleared after a password change (CVE-2024-30262)
Insufficient BBCode sanitization (CVE-2024-28234)

Contao 5.3.3 (2024-03-22)

Changelog of the fixed issues in Contao 5.3.3:

#7045 Fix a bug in setIfExists() with Stringable objects ( ausi )
#7044 Fix double encoding/decoding in the HtmlAttributes class ( ausi )

Contao 5.3.2 (2024-03-21)

Changelog of the new features in Contao 5.3.2:

#7037 Add the csp_unsafe_inline_style Twig filter ( ausi )

Changelog of the fixed issues in Contao 5.3.2:

#7039 Revert the changes to the "file uploaded" check ( fritzmg )
#7032 Harden mime type handling in the FilesystemItem class ( m-vo )
#7026 Show headlines in article teasers again ( zoglo )
#7006 Use the fragment registry in the debug:fragments command ( bytehead )
#7031 Allow version 5 of lcobucci/jwt ( leofeyer )
#7027 Register theme templates in the global namespace, too ( ausi )
#7028 Enable collapsible fieldsets without storage ( aschempp )
#7021 Override the access decision strategy instead of the manager ( aschempp )
#7016 Fix a PHP 8 warning in the tl_article.getActiveLayoutSections() method ( qzminski )
#7008 Fix the traceable access decision manager ( aschempp )
#7007 Return to the list view after adding items to the clipboard ( aschempp )
#6996 Use voters for theme permissions ( aschempp )
#7002 Add the user access voter ( aschempp )
#6993 Fix the front end module permissions ( aschempp )
#7005 Make the ParentAccessTrait::hasAccessToParent() method private ( aschempp )
#7003 Improve permission error message for DCA actions ( aschempp )
#6968 Set the email message priority to "high" ( Toflar )
#6995 Disable background workers if they are not supported ( Toflar )
#6952 Convert protocol-relative URLs in the string resolver ( aschempp )

Contao 5.3.1 (2024-03-08)

Changelog of the new features in Contao 5.3.1:

#6954 Register the dotenv:dump command by default in the Contao managed edition ( Toflar )

Changelog of the fixed issues in Contao 5.3.1:

#6982 Cache Image::getHtml() to speed up the tree view ( Toflar )
#6963 Fix the newsfeed migration ( aschempp )
#6916 Use Model::findById() instead of Model::findByPk() ( leofeyer )
#6960 Show the route configuration in the news feed page ( aschempp )
#6969 Fix the dotenv:dump command ( aschempp )
#6979 Allow using insert tags in image alt and title attributes ( leofeyer )
#6975 Deprecate inheriting CSS classes in nested elements ( aschempp )
#6978 Use UrlUtil::makeAbsolute() when converting relative URLs ( leofeyer )
#6961 Fix a type error in the login module ( aschempp )
#6956 Use attrs().mergeWith() in Twig templates ( leofeyer )
#6962 Make sure the .env.local.php is loaded correctly ( Toflar )
#6953 Fix double inheritance of legacy templates in Twig ( ausi )
#6950 Correctly register the AutoRefreshTemplateHierarchyListener ( m-vo )
#6951 Fix that the guests migration only migrates one field at a time ( aschempp )
#6943 Correctly generate the URLs to subscribe to comments ( leofeyer )
#6946 Improve the performance of the database dumper ( Toflar )
#6944 Correctly check if a "jump to" page is set when generating event feeds ( leofeyer )
#6919 Make full authentication optional in the personal data module ( leofeyer )
#6941 Handle unicode strings in insert tag flags ( ausi )
#6938 Add a button to the "invalid request token" template ( leofeyer )
#6939 Correctly implement the ImageFactoryInterface ( leofeyer )
#6936 Fix the Twig loader infrastructure ( m-vo )
#6927 Use files instead of data: resources to avoid breaking CSP ( leofeyer )
#6925 Only make string URL absolute if it does not have a scheme ( aschempp )
#6917 Fix two CSS issues ( leofeyer )

Contao 5.3.0 (2024-02-16)

Changelog of the fixed issues in Contao 5.3.0:

#6854 Handle routing exceptions during news and event URL generation ( fritzmg )
#6900 Improve logging of request parameters ( aschempp )
#6898 Add type="button" to the accordion toggler ( fritzmg )
#6895 Fix the column name in the "remember me" migration ( aschempp )
#6893 Move adding the schema.org data to the _download.html.twig component ( leofeyer )
#6889 Correctly cache Contao translations that only exist as Symfony translations ( fritzmg )
#6890 Always allow the "read" action in the front end modules voter ( bezin )
#6880 Correctly handle dark icons in data-icon and data-icon-disabled ( zoglo )

Changelog of the new features in Contao 5.3.0-RC4:

#6814 Allow adding a source to multiple CSP directives at once ( aschempp )
#6858 Remove the @internal flag from the backup manager ( Toflar )

Changelog of the fixed issues in Contao 5.3.0-RC4:

#6882 Make the commands lazy again ( leofeyer )
#6852 Fix the TemplateOptionsListener ( fritzmg )
#6867 Correctly initialize multiple accordions on the same page ( leofeyer )
#6861 Hide the trail in the SERP preview if no URL can be generated ( leofeyer )
#6856 Add the "toggle visibility" button for articles and content elements again ( aschempp )
#6857 Fix the "remember me" migration ( leofeyer )
#6855 Cast the template identifier to string ( leofeyer )

Changelog of the new features in Contao 5.3.0-RC3:

#6819 Focus the first input/textarea after duplicating a wizard row ( leofeyer )
#6436 Add a global Twig variable with Contao state ( aschempp )
#6742 Add a basic entity for zero-width whitespaces ( aschempp )

Changelog of the fixed issues in Contao 5.3.0-RC3:

#6851 Rewrite Controller::getParentEntries() ( ausi )
#6833 Handle dynamic parent tables in the Controller::getParentEntries() method ( leofeyer )
#6843 Fix relative front end preview links ( aschempp )
#6840 Keep login module errors ( aschempp )
#6838 Fix the article content voter ( aschempp )
#6841 Remove obsolete hardcoded configuration in the page registry ( aschempp )
#6835 Do not require full authentication in the "change password" module ( leofeyer )
#6803 Fix the referrer URL if elements are moved inside a nested element ( leofeyer )
#6839 Fix routes with parameters in the SERP widget ( aschempp )
#6831 Correctly set the target path in the login module ( leofeyer )
#6830 Fix the order of the content elements ( aschempp )
#6805 Correctly handle denied access in the firewall ( aschempp )
#6815 Drop the custom "remember me" implementation ( aschempp )
#6807 Improve the debug message for FigureBuilder link attributes ( aschempp )
#6809 Mark $secret as sensitive parameter ( aschempp )
#6794 Fix ptable for copyAll and cutAll ( ausi )

Changelog of the new features in Contao 5.3.0-RC2:

#6738 Add a Twig function to generate content URLs ( aschempp )
#6719 Support CSP on WYSIWYG editors like TinyMCE ( Toflar )

Changelog of the fixed issues in Contao 5.3.0-RC2:

#6788 Use the content URL generator in the redirect page controller ( aschempp )
#6775 Remove the @internal flag from the HTTP cache subscribers ( leofeyer )
#6758 Improve how headlines can be adjusted in Twig ( m-vo )
#6747 Increase the z-index of the jump targets ( zoglo )
#6767 Use the inputUnit widget for the section headline field ( leofeyer )
#6743 Use autoconfiguration where possible ( leofeyer )
#6761 Limit the CSP header size to avoid server errors ( Toflar )
#6760 Correctly set the link title and text in the downloads controller ( fritzmg )
#6759 Normalize the Twig CSP method names ( fritzmg )
#6744 Fix the "delete files" button in the file manager ( aschempp )
#6740 Add the TemplateTrait::inlineStyle() method ( fritzmg )
#6737 Properly assign parameters to contao.crawl.escargot.factory ( zoglo )
#6736 Unify the deprecation messages ( leofeyer )

Changelog of the new features in Contao 5.3.0-RC1:

#6606 Generate newsletter URLs using the content URL generator ( aschempp )
#6597 Generate FAQ URLs using the content URL generator ( aschempp )
#6604 Generate news URLs using the content URL generator ( aschempp )
#6607 Generate event URLs using the content URL generator ( aschempp )
#6596 Implement the content URL generator ( aschempp )
#6631 Add the ability to set Content Security Policies ( fritzmg )
#6672 Add a Stimulus controller to handle scrolling in the back end ( zoglo )
#6392 Implement the redirect page as page controller ( fritzmg )
#5424 Add a description list content element ( aschempp )
#6215 Add canonical links to news and events ( aschempp )
#6675 Add the page permission voters ( aschempp )
#6232 Implement front end module permissions ( bezin )
#6646 Add an image size voter ( aschempp )
#6584 Add enum support for DCAs and models ( SeverinGloeckle )
#6683 Add more database indexes ( Toflar )
#6650 Decouple the calendar, FAQ and news bundles from the comments bundle ( zoglo )
#6639 Allow adding a "lost password" page to the login module ( zoglo )
#6529 Add the DNS mapping migration ( fritzmg )
#5810 Add a VFS decorator that supports user permissions ( m-vo )
#6605 Optimize the MySQL indexes ( leofeyer )
#6652 Sort options by key if they use language references ( leofeyer )
#6558 Inline the CSS from a newsletter template before sending ( leofeyer )
#6626 Add a modern content slider element ( leofeyer )
#6673 Properly name the worker supervision cron ( Toflar )
#6669 Use the attributes_callback to make the logout redirect mandatory ( aschempp )
#6661 Add a z-index to the limit toggler ( zoglo )
#6668 Sync the logic to generate multiple aliases ( aschempp )
#6516 Implement worker supervision ( Toflar )
#6651 Do not load style sheets lazily by default ( leofeyer )
#6648 Add a modern accordion element ( leofeyer )
#6615 Automatic login for cross-domain preview links ( aschempp )
#6643 Add a voter for tl_newsletter_recipients ( aschempp )
#6642 Add a voter for tl_undo ( aschempp )
#6638 Add the onpalette_callback ( aschempp )
#6553 Automatically enable the Strict Transport Security (HSTS) header ( Toflar )
#6620 Rename "childs" to "children" ( leofeyer )
#6521 Nested content elements ( ausi )
#6469 Add more security voters ( leofeyer )
#6614 Sort the tables in the database backup ( de-es )
#6603 Unify the deprecation messages ( leofeyer )
#6594 Remove column from articles URL ( aschempp )
#6353 Add a tab menu to jump to palette sections ( leofeyer )
#6583 Make Symfony 6.4 the minimum version ( leofeyer )
#6569 Show the back end header on scroll-up ( leofeyer )
#6557 Make the back end header sticky on all devices ( leofeyer )
#6551 Use the picker to select article target in news and calendar ( aschempp )
#6518 Populate contao_ Symfony translations into $GLOBALS['TL_LANG'] ( fritzmg )
#6527 Rewrite tree mode toggling to Stimulus controller ( aschempp )
#6303 Implement a global "expand/collapse elements" button ( aschempp )
#6533 Register a web processor to add log extras ( aschempp )
#6528 Automatically generate the global operations ( aschempp )
#6206 Make the downloads controller more flexible for own sources ( Toflar )
#6494 Automatically translate the default maintenance template ( Toflar )
#6485 Add schema.org support to the virtual file system ( Toflar )
#6513 Automatically load routes in app controllers ( aschempp )
#6465 Allow to re-use the ProcessUtil data ( Toflar )
#6496 Add the event end date to the schema.org data ( leofeyer )
#6506 Add a maximum duration for the back end crawler ( leofeyer )
#6495 Make the back end crawler configurable ( leofeyer )
#6497 Wrap the news date and author in a template block ( leofeyer )
#6498 Replace insert tag flags based on the context ( leofeyer )
#6477 Clean up a TODO ( Toflar )
#6429 Deprecate the MergeHttpHeadersListener class ( leofeyer )
#6446 Rename the templates/_new folder to templates/twig ( leofeyer )
#6404 Remove the BC layers in the ContaoCache class ( fritzmg )
#6386 Deprecate the System::setCookie() method ( Toflar )
#6236 Allow array for page parameters ( aschempp )
#6337 Upgrade the Symfony contracts ( leofeyer )
#6338 Remove the "roave/better-reflection" dependency ( leofeyer )
#6336 Make doctrine/dbal 3.6 the minimum version ( leofeyer )
#6339 Upgrade doctrine/collections and doctrine/persistence ( leofeyer )
#6335 Make Symfony 6.3 the minimum version ( leofeyer )
#6289 Set auto password hasher for all user classes ( fritzmg )
#6324 Always set the JSON_THROW_ON_ERROR flag ( leofeyer )
#6157 Use createElementNS for namespaced XML elements ( ausi )