BookStack v23.12

Links

• Release video overview
• Update instructions
• Update details on blog

Upgrade Notices

• Page Includes - The way page include content is fetched & merged has changed significantly in this release, which in some cases may alter how included content appears on the page.

Full List of Changes

• Added simple WYSIWYG for description fields. (#4729, #2354, #2203)
• Added default template option for books. Thanks to @lennertdaniels. (#4721, #3918, #1803)
• Added OIDC RP-initiated logout. Thanks to @joancyho. (#4714, #4467, #3715)
• Added new Logical Theme System event to register web routes. (#4663)
• Updated email notifications to include the page parent chapter/book. Thanks to @Man-in-Black. (#4629)
• Updated and standardised DOM handling in the codebase. (#4673)
• Updated back redirection handling to not rely on referrer headers. (#4656)
• Updated book/chapter/shelf description character limit. (#4085)
• Updated design of buttons to be a bit friendlier. (#4728)
• Updated HTML exporting with better RTL handling. (#4645)
• Updated include tag handling to be structure/DOM aware. (#4688)
• Updated SAML2 dump debug option to include group parsing details. (#4706)
• Updated translations with latest Crowdin changes. (#4658)
• Updated WYSIWYG editor to allow video/embed alignment controls. (#4727, #3378)
• Updated WYSIWYG library TinyMCE from 6.5.1 to 6.7.2. (#4661)
• Fixed extra paragraphs & invalid syntax when using page includes. (#3385)
• Fixed lack of user invite via the API in certain cases. (#4720)
• Fixed page includes leading to duplicate IDs. (#3982)
• Fixed permission generation failure with large amounts of content. (#4695)
• Fixed PHP mbstring deprecation warnings. (#4638)
• Fixed SAML2 Single Logout (SLO) not invalidating session at point defined by the spec. (#4713)

BookStack v23.10.4

This was simply a follow-up of v23.10.3 to fix the app version number.
Please refer to the v23.10.3 security release for details if updating from an earlier version.

BookStack v23.10.3

Security Release

• Update Instructions
• Update details on blog

This is a security release that addresses a vulnerability in image handling which could be exploited to perform server-side requests or read the contents of files on the server system.
Additionally, this update addresses a lack of permission check in some image creation actions.

Upgrade is strongly advised where untrusted users have permission to create/edit/update page content in your instance.

Thanks to Carlos Bello from the Fluid Attacks Research Team for discovering and reporting this vulnerability.

Full List of Changes

• Updated thumbnail handling to for use of content as image data. (#4681)

BookStack v23.10.2

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed incorrect audit log dropdown behaviour. (#4652)
• Fixed redirects to the manfiest endpoint in some environments. (#4649)
• Updated translations with latest Crowdin changes. (#4643)

BookStack v23.10.1

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Added "Norwegian Nynorsk" to user language options.
• Added JavaScript public event for customizing codemirror instances. (#4639)
• Added handling to allow jumping to headers/sections within collapsible sections. (#4637)
• Added PHP 8.3 support. (#4633)
• Updated translations with latest Crowdin changes. (#4631)
• Fixed header bar peeking through on markdown editor fullscreen mode. (#4641)
• Fixed incorrect color usage for editor toolbox active tabs. (#4630)

BookStack v23.10

Links

• Release video overview
• Update instructions
• Update details on blog

Upgrade Notices

• User Detail/Preference Changes - Many of the URLs, paths and interfaces for user-self management have changed in this release. You may need to update any documentation or user guidance you may have surrounding users updating their own details or preferences.

Full List of Changes

• Added new "My Account" area. (#4615)
• Added Uzbek language translations. Thanks to @mrmuminov. (#4527)
• Added artisan command for re-fetching existing user avatar images. Thanks to @MarcHagen. (#4560, #1893)
• Added basic PWA support. Thanks to @GamerClassN7. (#4430, #1253)
• Added new header bar partials for easier customization. (#4564)
• Added "View Tags" button to non-default homepage views. (#4558)
• Updated page editor interface with a new design. (#4604)
• Updated app caching behaviour to avoid expiry scenarios. (#4600)
• Updated cleanup-images command to allow non-interactive running. (#4541)
• Updated comment notification options to only show if comments active. Thanks to @tusharnain4578. (#4552, #4508)
• Updated editor entity selector to pre-fill with selected text. (#4571)
• Updated file & image upload handling for better indication of issues. (#4578, #4454)
• Updated guest user logic to reduce complexity and overlapping methods. (#4554, #4448)
• Updated HTTP calling in the codebase to align all handling. (#4525)
• Updated icon handling to remove unneeded global helper. (#4553)
• Updated language handling to reduce complexity and duplicated logic. (#4555, #4501)
• Updated logical theme system to capture load errors for better reporting & debugging. (#4504)
• Updated mixed entity endpoints to share and align logic. (#4444)
• Updated OIDC config handling to move logic out of config file. (#4494)
• Updated OIDC request timeout to 5 seconds. (#4397)
• Updated older notifications codebase to align with newer code organisation. (#4500)
• Updated print view to ignore extra elements. (#4594)
• Updated Slack authentication to use official Laravel implementation. (#4464)
• Updated the default email settings to use example domain. (#4518)
• Updated translations with latest Crowdin changes. (#4523)
• Updated username truncation to always show some part of the name. Thanks to @Bajszi97. (#4533, #4489)
• Updated security docs to remove huntr references. Thanks to @radiantwave. (#4616, #4618)
• Fixed awkward sidebar scroll behaviour at mid-level screen sizes. Thanks to @LawssssCat. (#4562)
• Fixed buggy dark/light mode button when dark mode is the default. (#4543)
• Fixed enter press incorrectly clearing tag input field. (#4570)
• Fixed issue where "?" would show shortcuts when typing in an input. (#4606)
• Fixed lack of content in plaintext export options. (#4557)
• Fixed missing notification text in German-language emails. (#4567)
• Fixed odd default homepage layout at iPad-like width. (#4596)
• Fixed un-aligned text across elements when they show their empty states. (#4563)
• Enabled Albanian translations for BookStack on Crowdin. (#4065)
• Enabled Finnish translations for BookStack on Crowdin. (#4614)
• Enabled Norwegian Nynorsk translations for BookStack on Crowdin. (#4447)

BookStack v23.08.3

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed comment reply notifications not being sent to the correct/expected user. (#4548)
• Fixed JavaScript error that could appear when not having comment permissions. (#4531)
• Fixed wrong French translation in notification preferences. (#4511)
• Updated translations with latest Crowdin changes. (#4512)

BookStack v23.08.2

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed WYSIWYG filtering issue, introduced in v23.08.1, which breaks page editing and drawing use when certain elements exist in page content. (#4510, #4509)
• Updated translations with latest Crowdin changes. (#4506)

BookStack v23.08.1

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated preferences view styles to better respond to content and screen sizes to prevent wrapping buttons. (#4502)
• Updated WYSIWYG editor filtering to help prevent page pointer being pasted into pages. (#4474)
• Updated translations with latest Crowdin changes. (#4481)
• Fixed a range of typos in our dev docs. Thanks to @omahs. (#4484)
• Fixed deleted watched books/chapters/pages breaking notification preferences view from loading. (#4499)
• Fixed notifications not being sent in receiver language preference. (#4497, #4480)

BookStack v23.08

Links

• Release video overview
• Update instructions
• Update details on blog

Upgrade Notices

• Security - Webhooks - In scenarios where admin users are not trusted, webhooks could potentially be used maliciously. This update adds a control for such functionality. Please read our documentation for the new ALLOWED_SSR_HOSTS option if this may be a concern for your instance.

Full List of Changes

• Added content notification system. (#4390, #4371, #241)
• Added browser-based drawing backup storage mechanism. (#4457, #4421)
• Added order/priority control within books via the API. Thanks to @rouet. (#4313, #4298)
• Added host allow list option for server side requests like webhooks. (#4410)
• Added additional comment-specific activities. (#4389)
• Updated translations with latest Crowdin changes. (#4380, #4462)
• Fixed API docs caching failure when using DB cache driver. (#4453)
• Fixed overly wide page view when using an RTL language. (#4429)
• Fixed status cache check to work better for simultaneous requests. (#4396)
• Fixed markdown editor scrolling on mobile screen sizes. (#4466)