9.4.0 Release Notes

Edit

Improvements?

Let us know by posting here.

New Features

  • Significant Improvements to Error Handling, including the ability to map PHP error types to different behaviors, a cleaner debug error handling page, and more.
  • Significant improvements to logging, including providing links over to user profile pages from logs, adding page identifiers to log messages, and much more.
  • Atomik theme now has five new skins available.
  • Improvements to task resiliency, including better logging of task errors, better display of errors in the command line, batch tasks will continue running even if one task in the batch fails.
  • Added the ability to bulk set page caching settings in the Dashboard page search interface.
  • Added the ability to bulk edit page type, page template and theme in the Dashboard page search interface.
  • Dashboard and CMS now supports dark mode! Set light mode or dark mode globally, or use your OS settings.
  • New Appearance Dashboard page (replaces Accessibility and includes existing Accessibility settings)
  • Added support for Open Graph to the core; head to the Open Graph Dashboard page to configure which properties and attributes field data to Open Graph tags.
  • Significant improvements to content import/export: added support for multilingual page mapping, additional page paths, external links and more (thanks mlocati)
  • Added the ability to specify storage and whether to override existing items when importing config values (thanks mlocati)
  • Added a Dashboard page allowing users to control which summary templates are available for which categories of content.
  • Added the ability to view detailed logging information on a board instance level when troubleshooting board behaviors.
  • Added “Total File Downloads” as an available column to the file manager (thanks SashaMcr)

Behavioral Improvements

  • Concrete is now tested to run under PHP 8.4.
  • Boards will now automatically refresh and regenerate their contents when relevant content displayed in them is added or changed throughout the site.
  • Much improved performance when working with external file storage locations like AWS S3.
  • Added a new config value, misc.img_src_absolute that defaults to false. When set to true, absolute URLs will be used when serving assets from the file manager (useful when using the data in your site for other purposes like sending emails, etc..) (thanks mlocati)
  • Added the ability to include system pages in the Dashboard Page search.
  • Update Languages Dashboard page now gives better feedback when updating languages (thanks mlocati)
  • Made the “page publish start date” input field required when enabled, so that users don’t accidentally publish pages when not intending to do so (thanks bikerdave)
  • Add condition on site tree ID for create multlingual url on single page when this page is in site tree (thanks 6tematik)
  • We now specify the file download from the Document Library (thanks ounziw)
  • Performance improvements when retrieving certain page data (thanks hissy)
  • Date and time of scheduled tasks is now shown in a friendlier format (thanks hissy)
  • Removing orphaned blocks will now no longer remove orphaned blocks from potentially unrelated pages, if those blocks had been shared via page defaults (not common) (thanks hissy)
  • Performance improvement: Do not get style sets and global stacks repeatedly (thanks hissy)
  • Performance improvements to the PageList class (thanks hissy)
  • Gallery block record is now cacheable (thanks hissy)
  • Admins can now add pages beneath system pages in the sitemap
  • RSS Displayer Block now supports ATOM feeds.
  • Improvement: accessibility for accessibility settings (thanks nratering)
  • CONCRETE and CONCRETE_LOGIN now respect the samesite setting (thanks gutig)

Bug Fixes

  • Fixed error where RSS feeds that were set up to filter by a parent page would die if that parent page were put in the trash (thanks mlocati)
  • Fix wrong arguments passed from Page\AddBlock dialog controller to the view (thanks mlocati)
  • Fixed added "Creation of dynamic property" in the PageView class under certain conditions in PHP 8+ (thanks jgarc186)
  • Miscellaneous PHP8 missing property bugs (thanks jgarc186)
  • Fixed: Text Area User Attribute / Ckeditor not showing on edit profile when wrapped with custom theme
  • Fixed inability to set separate active theme for sites from the theme Dashboard page when multisite was enabled.
  • Fixed: Grid framework views are broken in some edge cases (thanks hissy)
  • Fixed: Rename Express Object does not rename results folder name
  • Fixed: When installing a Snippet using the CIF format in a package if you bump up the version of the package the Snippets attempt to install a second time and return an error
  • Fixed issues selecting file manager folders when moving files under certain conditions (thanks hissy)
  • Fixed bug where visiting a folder in the frontend file chooser and then deleting it in the file manager woul render the frontend file chooser unusable.
  • Fixed inconsistencies when adding, editing and removing multiple Express form set controls via the Dashboard UI.
  • Fixed bug where certain kinds of select options could break the ability to run the Migration Tool exporter (thanks bitterdev)
  • Fixed bug in Concrete’s implementation of PHP Redis
  • Fix rendering content block images with custom width or height under certain conditions (thanks mlocati)
  • Fix file download stats issue when related page ID is out of range (thanks ahukkanen)
  • Fix clicking on "sort by" labels while adding/editing a board (thanks mlocati)
  • Fixed error when reindexing pages with certain Express blocks and attributes attached to them when the cache is disabled (thanks ahukkanen)
  • Fixed error “Only variables should be passed by reference” on user notifications page under PHP strict mode (thanks jgarc186)
  • Fixed some small errors when importing stack content (thanks mlocati)
  • Fix exporting page fields when page can't be found (thanks mlocati)

Developer Improvements

  • package-pack command now excludes phpunit.xml and tests directory when preparing a package for distribution (thanks biplobice)
  • Added the ability to include json strings as config in Concrete import XML (thanks mlocati)
  • When importing pages at paths that don’t exist, we now throw a specific exception that can be handled differently in different cases (thanks mlocati)
  • Fixed bug where output from tasks would not appear in realtime, even if using Mercure.

Security Updates

  • Fixed CVE-2025-0660 Stored XSS in Folder Function by adding sanitation to the folder selector dropdown output with commit 11bef02 and by fixing folder deletion issues with commit 7c134e9 for version 9. The “Add Folder” functionality lacked input sanitization, allowing a rogue admin to inject XSS payloads as foldernames. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 4.8 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. Versions below 9 are not affected. Thanks, Alfin Joseph for reporting HackerOne 2941432 and Mlocati for participating in fixing.

Backward Compatibility Notes

  • If you use the the concrete/bin/concrete c5:boards:refresh command, please note that the --regenerate option is now gone; instead, the refresh command only regenerates boards, making this option unnecessary. If you have cronned this command, please update the cron otherwise the command may not function properly (since it will error out, complaining about an invalid option.)
  • The concrete/bin/concrete c5:reindex command no longer works properly, and hasn’t for several versions (see https://github.com/concretecms/concretecms/issues/12455). In 9.4.0 this command has been removed. Instead, use concrete/bin/concrete task:reindex-content, which accomplishes what this command should (thanks ahukkanen)