9.4.3 Release Notes

Behavioral Improvements

    Many block types that didn’t properly report their file usage to the Dashboard File Details page now do so (thanks mlocati)
    RSS Feeds created and listed in the Dashboard now include a convenience link to view the contents of the feed (thanks Mesuva)
    Force download view_inline will no longer download a file if the file is not viewable inline, instead it will just return (thanks Allan-macareux)
    When comparing page versions, we will now sort the version IDs to ensure that you’re always comparing old versions to new versions regardless of the order of query string arguments, and we’ll also order the version IDs in the tab description more sensibly.
    You can now set the background of stack contents in the Dashboard to a temporary white or black (does not affect content or how its rendered) in order to assist when working on content that differs from the Dashboard color scheme (thanks mlocati)

Bug Fixes

    Many bug fixes to the Concrete content import/export system (thanks mlocati)
    Fixed bug where Concrete proxy settings were not sending URLs that were https:// through the proxy (thanks hissy)
    Sites that registered a proxy server in the Dashboard will now use that proxy server when connecting to the marketplace for add-on downloads and updates (thanks hissy)
    When editing the frontend of a site on mobile, the pages icon in the toolbar was positioned incorrectly. This is now fixed.
    Fixed error when assigning a new page attribute to multiple pages via Page Search (thanks danklassen)
    Fixed bug where Option List attributes that were defined through CIF XML on import or through custom code were not properly assigning to a page.
    Fixed error where leaving a comment larger than 255 characters on a page version would trigger a database error (thanks SashaMcr)

Developer Updates

    Massive improvements to block import and export, including the ability to import and export many block types that were not possible (Calendar, etc…) (thanks mlocati)
    Minor translation improvements (thanks mlocati)
    Certain ancient functions now marked as deprecated since PHP provides their functionality natively (thanks mlocati)
    We now dispatch the "on_add_canonical_page_path" when adding a canonical path (thanks biplobice)
    Fixed bug running the c5:ide-symbols console command under certain conditions (thanks mlocati)

Security Fixes

    Fixed CVE-2025-8571 Reflected XSS in Conversation Messages Dashboard Page by adding more sanitization to the Url::setVariable method with commit 12643 for version 9 and commit 12646 for version 8. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. Thanks Fortbridge for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue.
    Fixed CVE-2025-8573 Stored XSS from Home Folder on Members Dashboard page with commit 12643. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. Version 8 is not affected. Thanks sealldev for reporting HackerOne 3145536.
    Fixed inconsistent behavior when using the rich text editor. Before the fix, users pasting HTML into the “content” pane of the rich text editor and saving the content resulted in HTML-escaped versions of the content. Note that re-saving it would then save it as HTML.
	
9.4.2 Release Notes


Behavioral Improvements

    File Chooser will now remember the last tab you had selected (in addition to the current behavior of allowing site-wide setting of Recent Files or File Manager as the default option.)
    Updated certain color values in Atomik theme skins to make them conform better to accessibility guidelines.
    Updated certain Dashboard interfaces to look better in Dark mode.
    SVG thumbnails and detail images are now properly displayed in the File Manager (thanks mnakalay)
    When a block that is exported has custom design properties, we now only include the values that are set, rather than a potentially large amount of empty XML nodes (thanks mlocati)
    Added the ability to disable automatic board regeneration using Board Settings.

Bug Fixes

    Fixed errors that would occur when attempting to regenerate or schedule custom board elements without new Board Instance Logging enabled.
    Fixed fatal error that would occur if OpenGraph support is enabled but rendered on a view where no page is present (thanks mlocati)
    Searching file sets in the bulk add to file set dialog not works again.
    File Tracker feature now correctly notes when files are referenced in rich text content (thanks mlocati)
    Fixed bug where stack menu in the Dashboard didn’t show up on mobile (thanks SashaMcr)
    Fixed weird padding on add pages menu item on mobile in the Dashboard.
    Fixed appearance glitches in certain dialogs due to the way that jQuery UI dialog changed appending CSS classes to HTML elements.
    Fixed error where a page without an active version appearing in the Top Navigation Bar would cause a sitewide error.
    Fixed links not appearing properly in Concrete dialogs.
    Fixed error where files identified by a UUID would not be exported properly when using the Migration Tool (thanks mlocati)
    Fixed: Express Form - admin can check off notifications and not enter an email address (thanks danklassen)
    Fixed occasional, unexplained errors when saving the Tags block.
    Tags block now shows the tag selector again when applying tags to the target page when choosing a specific page.
    Reverted page list performance improvement that actually degraded performance under certain conditions.
    Fixed: Scheduled Publication of a page leads to an error in the Top Navigation block controller
    Bug fixes to exported output of the Feature block type, Feature block type now uses the standard Destination Picker component for selecting link (thanks mlocati)
    Fixed Uncaught Exception: Could not convert database value to 'object' as an error was triggered by the unserialization: 'Return type of Concrete\Core\Entity\Board\InstanceLogEntry::jsonSerialize() should either be compatible with JsonSerializable::jsonSerialize(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice' under certain conditions (thanks ahukkanen)

Developer Updates

    Classmap symbols files used by IDEs for Concrete development are now excluded from Composer (which will result in Composer reporting fewer errors when running) (thanks mlocati)
    Allow defining custom parent dir for VolatileDirectory by passing $parentDirectory (thanks mlocati)