Releases: BookStackApp/BookStack

BookStack v22.09

08 Sep 11:45
v22.09
2ac9efa

Upgrade Notices

  • Security - This release cycle contained a security release that added detail that's important to consider when BookStack content is used externally. See the v22.07.3 post for more detail.
  • Revision Visibility - This update fixes a permission disparity with revisions. Revision content has always been accessible to those with page-view permissions, but the links to the revisions list previously required page-edit permission to show. This has been aligned, which means page revision links may now show to those who did not previously see them.
  • Revision Limit Change - The default, per-page, revision limit has been doubled from 50 to 100, to account for new system-content updates that may occur. If desired, you can configure this to a custom value.
  • Reference Index - New features have been added to track links between content in BookStack, which uses an internal reference index. Upon upgrade from an older BookStack version, this index will need to be rebuilt. This can be done with the "Regenerate References" command or via the "Regenerate References" maintenance action within BookStack.

Full List of Changes

  • Added cross-item link reference tracking & updating. (#3656, #3683, #1969)
  • Added OIDC group sync functionality. (#3616, #3004)
  • Added reference view to shelves, chapters, books & pages. (#2864)
  • Added new local_secure_restricted image storage option. (#3693)
  • Added "page_include_parse" theme event. (#3698)
  • Updated API docs to add detail for the request format. (#3652)
  • Updated revision link visibility to show to users. (#2946)
  • Updated shelf naming to be consistent across system. (#3553)
  • Updated translations with latest Crowdin changes. (#3643, #3701)
  • Updated role edit/create form with clarification upon image access permissions. (#3688)
  • Fixed dates not using the correct encoding on some systems. (#3590)
  • Fixed image delete button showing to those without permission to delete. (#3697)
  • Fixed incorrect comment counts on Chinese language options. (#3554)
  • Fixed list indentation when next to floated images. (#3672)
  • Fixed various RTL text interface issues. (#3702)
  • Fixed WYSIWYG drawing update not triggering draft save. (#3682)
  • Fixed some additional SVG-based script cases not being filtered. (#3705)

BookStack v22.07.3

11 Aug 14:20
v22.07.3
1fdf854

Security Release

This is a security release that adds additional filtering to page content to prevent certain cross-site-scripting techniques. These cross-site-scripting techniques would already be blocked by BookStack's usage of Content-Security-Policy, but this change will help scenarios where BookStack content is used externally.

In addition, the API documentation has been updated with a section focused on content security to explain the security techniques BookStack uses by default, and to relay considerations for using BookStack content in an external system. The security page of our documentation has also been updated with such considerations:

https://www.bookstackapp.com/docs/admin/security/#using-content-externally

Upgrade is advised where BookStack content, accessible to edit by untrusted users, is used externally.
Those using BookStack content externally (API-based app developers) should read the new documentation and add any advised protections as necessary.

Thanks to the "JPCERT/CC Vulnerability Coordination Group" contact and the original reporter, Kenichi Okuno of Mitsui Bussan Secure Directions, Inc, for disclosing their report of the relevant vulnerability scenarios.

Full List of Changes

  • Added API documentation section to advise of content security. (#3636)
  • Updated Persian translations. Thanks to @samadha56. (#3639)
  • Updated code block rendering to help prevent blank blocks on fresh cache. (#3637)
  • Updated HTML filtering to prevent SVG animate case. (#3636)
  • Updated translations with latest changes from Crowdin. (#3635)
  • Updated revision list view to help prevent system memory exhaustion. (#3633)
  • Fixed issue with permission checking preventing certain actions where permissions should have allowed them. (#3632)

BookStack v22.07.2

09 Aug 12:59
v22.07.2
5ae524c

Full List of Changes

This release contains the following fixes and changes:

  • Added body-start/end partials to export template, for easier export customization via the visual theme system. (#3630)
  • Added activity recording for revision delete/restore. (#3628)
  • Updated translations with latest changes from Crowdin. (#3625)
  • Updated user validation with sensible limit to name input. (#3614)
  • Fixed issue where activity type could not be selected in the audit log. (#3623)
  • Fixed possibility of breaking page load due to bad user language input. (#3615)

BookStack v22.07.1

02 Aug 10:48
v22.07.1
e77c96f

Full List of Changes

This release contains the following fixes and changes:

  • Fixed issue where old WYSIWYG editor code would be cached, preventing the editor from showing. (#3611)
  • Updated translations with latest Crowdin changes. (#3605)

BookStack v22.07

28 Jul 13:57
v22.07
49200ca

Full List of Changes

  • Added 'Sort Book' action to chapters. (#3598, #2335)
  • Added ability to favourite code languages in the WYSIWYG code editor. (#3593, #3542)
  • Added option to set IP address storage precision. (#3560)
  • Added tag-based css classes to the HTML body tag for tag-based content CSS targeting. (#3583)
  • Added new Logical Theme System event, emitted upon any system activity event. (#3572)
  • Added editor shortcuts for bullet and numbered lists. (#3599, #1269)
  • Updated shelf book management interface with better usability and book search bar. (#3591, #3266)
  • Updated translations with latest changes from Crowdin. (#3600, #3545)
  • Updated WYSIWYG editor to TinyMCE 6. (#3580, #3517)
  • Updated DOMPDF, and other PHP dependencies. (#3579)
  • Updated permission system to only "cache" view-based permissions for better performance, and made many other performance improvements. (#3569)
  • Updated WYSIWYG color options to have no names, for better cross-language usage. (#3530)
  • Updated tests to use ssddanbrown/asserthtml library. (#3519)
  • Fixed comment count translation in Chinese translations. Thanks to @GongMingCai. (#3556)
  • Fixed issue where AVATAR_URL=false would not properly disable Gravatar fetching. (#1835)
  • Fixed some German translation typos and grammar. Thanks to @smartshogu. (#3570)
  • Fixed issue where WYSIWYG toolbar would remain after inserting a drawing. (#3597)

BookStack v22.06.2

28 Jun 10:58
v22.06.2
5ee79d1

Full List of Changes

This release contains the following fixes and changes:

  • Updated translations with latest Crowdin changes. (#3540, #3531)
  • Fixed bug causing LDAP/SAML2 group mapping to fail if the "External Auth Ids" role field contained upper case characters. (#3535)
  • Fixed differing behaviour, between select button and double-click, in the link selector popup. (#3534)

BookStack v22.06.1

25 Jun 13:36
v22.06.1
9078188

Full List of Changes

This release contains the following fixes and changes:

  • Updated entity-selector-popup to reset state upon successful selection. (#3528)
  • Updated translations with latest Crowdin changes. (#3526)
  • Fixed non-translated settings category options. (#3529)
  • Fixed issue where tags would not be saved upon book update. (#3527)
  • Fixed long code in "Custom Head" setting breaking page layout. (#3523)

BookStack v22.06

24 Jun 11:01
v22.06
5c59cfb

Upgrade Notices

  • SAML/LDAP Group Mapping - Within the "External Authentication Ids" field for a BookStack role, a backslash followed by a comma (\,) will now cause the comma to be treated as a literal comma within the mapping name, instead of acting as a value separator to define multiple mappings.

Full List of Changes

  • Added ability to convert chapters to books, and books to shelves. (#3499, #1087)
  • Added ability to auto-initiate login for SAML and OIDC auth users. Thanks to @rjmidau. (#3406, #3216, #2175)
  • Added ability to use commas in the role "External Auth ID". (#3416, #3405)
  • Added body-start/end templates as a convenience to theme system users. (#894)
  • Added OCaml to the code editor language list and fixed highlighting type. (#3511)
  • Added TypeScript to the code editor language list. (#3494)
  • Added common audio types to our WebSafeMimeSniffer for non-download attachment usage. (#3485)
  • Added LaTeX to the code editor language list. (#3458)
  • Updated the UI/design with a mass of fixes & improvements. (#3433)
  • Updated WYSIWYG code editor interface. (#3512)
  • Updated API docs to remove non-existent image_id field. (#3474)
  • Updated logging system to not log StoppedAuthenticationException events. (#3468)
  • Updated the markdown editor preview display to be patch-updated. (#3454)
  • Updated export templates into smaller chunks for easier override. (#3443)
  • Updated translations with latest Crowdin changes. (#3428)
  • Fixed tag overview entity-counts showing incorrect values. (#3435)
  • Fixed incorrectly placed debug script on default home page. (#3430)
  • Fixed text after line-breaks not being indexed. (#3508)
  • Fixed new WYSIWYG code snippets being shown as a single line. (#3507)

BookStack v22.04.2

09 May 15:14
v22.04.2
6001498

Full List of Changes

This release contains the following fixes and changes:

  • Added Persian to language list. (#3426)
  • Updated API docs to detail rate-limit information. (#3423)
  • Updated translations with latest Crowdin changes. (#3418)
  • Fixed broken attachment downloads in environments where PHP output buffering is disabled. (#3415)
  • Fixed LDAP_DUMP_* options throwing error when LDAP details contain binary data. (#3396)
  • Updated PHP dependency versions.

BookStack v22.04.1

04 May 20:32
v22.04.1
b1e95eb

Full List of Changes

This release contains the following fixes and changes:

  • Fixed issue where a duplicate slash could occur in the URL leading to a 404 page. (#3404)
  • Updated translations with latest changes from Crowdin. (#3402)