apostrophe 4.28.1 → 4.29.0

package/CHANGELOG.md

@@ -1,12 +1,37 @@
 # Changelog
 
-## 4.28.1
+## 4.29.0 (2026-04-15)
 
-### Patch Changes
+### Adds
+
+- Added support for pretty URL file attachments in the static build metadata pipeline. When `@apostrophecms/file` has `options.prettyUrls` enabled, the `getAllUrlMetadata` API now annotates affected attachments properly. The backend streaming proxy route was also fixed to correctly resolve relative uploadfs URLs during static builds.
+- Introduced Recently Edited manager as Admin Bar action, next to the existing Submitted Drafts. Allows modules to contribute filter choices.
+- Fix batch operations executed in a modal in a different locale causing wrong browser URL rewrite
+- Add background preset to the Styles Editor, supporting image, color, and gradient background CSS generation.
+
+### Fixes
+
+- Fix a focus trap bug where in the context menu focus would jump back to the first element when reaching the last one.
+- Bug fix: the "pretty URLs" feature of `@apostrophecms/file` is now compatible with locale prefixes.
+- Removed misleading return from `pruneDataForExternalFront`, a method intended to be overridden to modify data "in place" before it is sent to Astro or a similar frontend.
+- Fix layout column breadcrumb operations leaking in layout edit mode.
+- Fix edge case where widgets having styles and fields at the same time would show "Ungrouped" tab. Add `hideSingleTab` option that can be enabled in any widget to hide tabs from the widget editor when there is only one tab containing fields. This option can also be enabled globally in `@apostrophecms/widget-type` options.
+- Add background preset, supporting image, color and gradient background CSS generation.
+
+### Changes
+
+- Combine Styles and Column configuration in a single Styles Editor experience.
+- Use shorter placeholder text for relationship inputs in small/micro contexts.
+
+### Security
 
-- f8d1952: Bug fix: the "pretty URLs" feature of @apostrophecms/file is now compatible with locale prefixes.
+- Fix an XSS vulnerability allowing arbitrary markup to be inserted via the "SEO Title" or "Meta Description" fields provided by the `@apostrophecms/seo` module. The fix requires upgrading BOTH `apostrophe` and `@apostrophecms/seo`. A new mechanism for safely emitting JSON nodes has been introduced to make this type of vulnerability unlikely in the future. Thanks to [K Shanmukha Srinivasulu Royal](https://github.com/Chittu13) for reporting the vulnerability.
+- Fixed a security hole in the `.choices()` and `.counts()` query builders: formerly, these query builders could be used by the public to exfiltrate schema fields not included in the `publicApiProjection`, or fields locked down with a `viewPermission` property. Thanks to [offset](https://github.com/offset) for reporting this issue, which was not made public prior to the release of the fix.
+- Fixed an XSS vulnerability in color fields, which formerly accepted `-` followed by anything, including `</style>`, which could be used to inject other markup. Thanks to [restriction](https://github.com/restriction) for reporting the issue and proposing the fix.
+- Resolved a `publicApiProjection` bypass vulnerability for piece types. Thanks to [restriction](https://github.com/restriction) for reporting the issue and proposing the fix.
+- Ensured a minimum 2-second delay in the password reset flow to avoid disclosing whether the email or username was valid or not. Thanks to [restriction](https://github.com/restriction) for reporting the issue and proposing the fix.
 
-## 4.28.0
+## 4.28.0 (2026-03-19)
 
 ### Adds
 

package/README.md

@@ -1,6 +1,6 @@
 <div align="center">
   <a href="https://github.com/apostrophecms/apostrophe">
-    <img src="logo.svg" alt="ApostropheCMS logo" width="80" height="80">
+    <img src="https://static.apostrophecms.com/apostrophecms/apostrophe/logo.svg" alt="ApostropheCMS logo" width="80" height="80">
   </a>
 
   <h1>ApostropheCMS</h1>
@@ -139,4 +139,4 @@ ApostropheCMS is open source software licensed under the [MIT License](https://g
   <p>
     <em>Built with ❤️ by the <a href="https://apostrophecms.com">ApostropheCMS team</a></em>
   </p>
-</div>
+</div>

package/defaults.js

@@ -61,6 +61,7 @@ module.exports = {
     '@apostrophecms/file-tag': {},
     '@apostrophecms/soft-redirect': {},
     '@apostrophecms/submitted-draft': {},
+    '@apostrophecms/recently-edited': {},
     '@apostrophecms/command-menu': {},
     '@apostrophecms/translation': {}
   }

package/lib/safe-json-script.js

@@ -0,0 +1,27 @@
+// Serialize `data` to a JSON string that is safe to embed inside an HTML
+// `<script>` element. `JSON.stringify` on its own does NOT escape the
+// sequences `</script>`, `<!--` or `<![CDATA[`, so untrusted data (e.g.
+// editor-provided SEO fields) in a JSON body could otherwise break out of
+// the surrounding script tag and inject arbitrary HTML/JS (stored XSS).
+// Escaping `<` as its `\u003c` form keeps the JSON valid while neutralizing
+// all of those sequences. Line and paragraph separators are also escaped
+// since they are valid in JSON but illegal in some JavaScript parsers.
+//
+// This is the single source of truth for that escaping. The template
+// `renderNodes` helper uses it to render `{ json: ... }` node bodies, so in
+// most cases you should just build a node like:
+//
+//   {
+//     name: 'script',
+//     attrs: { type: 'application/ld+json' },
+//     body: [ { json: data } ]
+//   }
+//
+// and let `renderNodes` do the right thing.
+
+module.exports = function safeJsonForScript(data) {
+  return JSON.stringify(data, null, 2)
+    .replace(/</g, '\\u003c')
+    .replace(/\u2028/g, '\\u2028')
+    .replace(/\u2029/g, '\\u2029');
+};

package/modules/@apostrophecms/admin-bar/ui/apos/components/TheAposAdminBarLocale.vue

@@ -123,7 +123,7 @@ export default {
             itemName: '@apostrophecms/i18n:localize',
             props: {
               doc: apos.adminBar.context,
-              locale
+              targetLocale: locale
             }
           });
         } else {

package/modules/@apostrophecms/admin-bar/ui/apos/components/TheAposContextBar.vue

@@ -579,6 +579,7 @@ export default {
         doc = await apos.http.get(`${action}/${this.context.aposDocId}`, {
           qs: {
             aposMode: this.draftMode,
+            aposLocale: apos.i18n.locale,
             project: { _url: 1 }
           }
         });

package/modules/@apostrophecms/area/ui/apos/components/AposAreaWidget.vue

@@ -83,6 +83,7 @@
           :tiny-screen="tinyScreen"
           :widget="widget"
           :options="options"
+          :breadcrumb-operations="widgetBreadcrumbOperations"
           :disabled="disabled"
           :is-focused="isFocused"
           @widget-focus="getFocus"
@@ -304,10 +305,6 @@ export default {
       type: Boolean,
       default: false
     },
-    breadcrumbDisabled: {
-      type: Boolean,
-      default: false
-    },
     generation: {
       type: Number,
       required: false,
@@ -426,7 +423,8 @@ export default {
       return apos.modules[this.moduleOptions?.widgetManagers[this.widget?.type]] ?? {};
     },
     widgetBreadcrumbOperations() {
-      return (this.widgetModuleOptions.widgetBreadcrumbOperations || []);
+      return (this.widgetModuleOptions.widgetBreadcrumbOperations || [])
+        .filter(op => op.hidden !== true);
     },
     shouldSkipEdit() {
       return !this.widgetModuleOptions.widgetOperations

package/modules/@apostrophecms/area/ui/apos/components/AposBreadcrumbOperations.vue

@@ -75,6 +75,15 @@ export default {
         return {};
       }
     },
+    // Override module breadcrumb operations.
+    // If not provided (undefined or null), operations will be pulled from the
+    // widget's module options.
+    breadcrumbOperations: {
+      type: Array,
+      default() {
+        return null;
+      }
+    },
     isFocused: {
       type: Boolean,
       default: false
@@ -130,7 +139,10 @@ export default {
       return apos.modules[this.moduleOptions?.widgetManagers[this.widget?.type]] ?? {};
     },
     widgetBreadcrumbOperations() {
-      return (this.widgetModuleOptions.widgetBreadcrumbOperations || [])
+      return (
+        this.breadcrumbOperations ||
+        this.widgetModuleOptions.widgetBreadcrumbOperations || []
+      )
         .map((operation) => ({
           component: this.getOperationComponent(operation),
           props: this.getOperationProps(operation),

package/modules/@apostrophecms/asset/lib/globalIcons.js

@@ -23,6 +23,7 @@ module.exports = {
   'arrow-expand-vertical-icon': 'ArrowExpandVertical',
   'arrow-left-icon': 'ArrowLeft',
   'arrow-right-icon': 'ArrowRight',
+  'arrow-top-right-icon': 'ArrowTopRight',
   'arrow-up-icon': 'ArrowUp',
   'binoculars-icon': 'Binoculars',
   'calendar-icon': 'Calendar',
@@ -109,6 +110,7 @@ module.exports = {
   'keyboard-tab': 'KeyboardTab',
   'label-icon': 'Label',
   'lightbulb-on-icon': 'LightbulbOn',
+  'link-external-icon': 'OpenInNew',
   'link-icon': 'Link',
   'list-status-icon': 'ListStatus',
   'lock-icon': 'Lock',
@@ -124,6 +126,7 @@ module.exports = {
   'play-box-icon': 'PlayBox',
   'playlist-edit-icon': 'PlaylistEdit',
   'plus-icon': 'Plus',
+  'recently-edited-icon': 'ClockOutline',
   'redo-icon': 'RedoVariant',
   'refresh-icon': 'Refresh',
   'resize-bottom-right-icon': 'ResizeBottomRight',

package/modules/@apostrophecms/attachment/index.js

@@ -217,6 +217,11 @@ module.exports = {
 
             await self.crop(req, _id, sanitizedCrop);
 
+            if (req.body.annotate) {
+              const attachment = await self.db.findOne({ _id });
+              return self.annotateAttachment(attachment, sanitizedCrop);
+            }
+
             return true;
           }
         ]
@@ -611,6 +616,42 @@ module.exports = {
           height: sanitizeInteger(crop.height, 0, 0, 10000)
         };
       },
+      // Given an attachment object and an optional crop,
+      // return a clone with `_urls` fully populated for all
+      // configured image sizes. For non-image attachments
+      // a single `_url` is set instead.
+      annotateAttachment(attachment, crop) {
+        const result = { ...attachment };
+        result._isCroppable = self.isCroppable(result);
+        if (crop && crop.width) {
+          result._crop = _.pick(crop, 'width', 'height', 'top', 'left');
+        }
+        if (result.group === 'images') {
+          result._urls = {};
+          if (result._crop) {
+            result._urls.uncropped = {};
+          }
+          for (const size of self.imageSizes) {
+            result._urls[size.name] = self.url(result, { size: size.name });
+            if (result._crop) {
+              result._urls.uncropped[size.name] = self.url(result, {
+                size: size.name,
+                crop: false
+              });
+            }
+          }
+          result._urls.original = self.url(result, { size: 'original' });
+          if (result._crop) {
+            result._urls.uncropped.original = self.url(result, {
+              size: 'original',
+              crop: false
+            });
+          }
+        } else {
+          result._url = self.url(result);
+        }
+        return result;
+      },
       // This method return a default icon url if an attachment is missing
       // to avoid template errors
       getMissingAttachmentUrl() {
@@ -1459,7 +1500,8 @@ module.exports = {
           uploadsUrl: self.uploadfs.getUrl(),
           croppable: self.croppable,
           sized: self.sized,
-          maxSize: self.options.maxSize
+          maxSize: self.options.maxSize,
+          imageSizes: self.imageSizes
         };
       },
       // Middleware method used when only those with attachment privileges

package/modules/@apostrophecms/color-field/index.js

@@ -32,9 +32,15 @@ module.exports = {
               throw self.apos.error('required');
             }
 
+            const isVariable = destination[field.name].startsWith('--');
             const test = new TinyColor(destination[field.name]);
-            if (!test.isValid && !destination[field.name].startsWith('--')) {
+            if (!test.isValid && !isVariable) {
               destination[field.name] = null;
+            } else if (isVariable) {
+              // CSS custom property names: only allow alphanumeric, hyphens, underscores
+              if (!/^--[a-zA-Z0-9_-]+$/.test(destination[field.name])) {
+                destination[field.name] = null;
+              }
             }
           },
           isEmpty: function (field, value) {

package/modules/@apostrophecms/doc/index.js

@@ -1553,7 +1553,8 @@ module.exports = {
         ];
 
         function validate ({
-          action, context, type = 'modal', label, modal, conditions, if: ifProps
+          action, context, type = 'modal', label, modal, conditions, if: ifProps,
+          crossLocale
         }) {
           const allowedConditions = [
             'canPublish',
@@ -1596,6 +1597,15 @@ module.exports = {
               'invalid', 'The if property in addContextOperation must be an object containing properties and values that will be checked against the current document in order to show or not the context operation.'
             );
           }
+
+          if (
+            crossLocale !== undefined &&
+            typeof crossLocale !== 'boolean'
+          ) {
+            throw self.apos.error(
+              'invalid', 'The crossLocale property in addContextOperation must be a boolean.'
+            );
+          }
         }
       },
       getBrowserData(req) {

package/modules/@apostrophecms/doc-type/index.js

@@ -1261,6 +1261,17 @@ module.exports = {
           result = await actionModule.update(toReq, update);
         }
 
+        // Record when this document was localized. Uses a direct DB
+        // update so the timestamp survives regardless of the schema
+        // convert pipeline. Covers both single and batch localization
+        // (localizeBatch calls this method per document).
+        const localizedAt = new Date();
+        await self.apos.doc.db.updateOne(
+          { _id: result._id },
+          { $set: { localizedAt } }
+        );
+        result.localizedAt = localizedAt;
+
         await self.emit('afterLocalize', req, draft, result, eventOptions);
 
         return result;
@@ -1610,6 +1621,59 @@ module.exports = {
         return doc;
       },
 
+      // Returns true if the named filter is permitted to expose distinct
+      // values through the `choices` / `counts` query builders given the
+      // publicApiProjection. When no publicApiProjection is in effect
+      // (authenticated API callers), all fields are permitted.
+      //
+      // This guards against leaking distinct values of fields excluded by
+      // `publicApiProjection`, since MongoDB's `distinct` operator ignores
+      // projections. Projections set explicitly by authenticated users are
+      // not restricted — they are a voluntary narrowing of query results,
+      // not a security boundary.
+      choicesFieldAllowedByProjection(filter, projection) {
+        if (!projection || !Object.keys(projection).length) {
+          return true;
+        }
+        // Builders that aren't named after a top-level schema field are
+        // not gated by the projection.
+        const field = self.schema.find(f => f.name === filter);
+        if (!field) {
+          return true;
+        }
+        const topLevel = filter.split('.')[0];
+        const values = Object.values(projection);
+        const hasInclusion = values.some(v => v && v !== 0);
+        const hasExclusion = values.some(v => v === 0 || v === false);
+        if (hasInclusion) {
+          // Inclusion projection: field must be explicitly included.
+          return Boolean(projection[topLevel]);
+        }
+        if (hasExclusion) {
+          // Exclusion projection: field must not be explicitly excluded.
+          return projection[topLevel] !== 0 && projection[topLevel] !== false;
+        }
+        return true;
+      },
+
+      // Returns true if the current user is permitted to view the named
+      // schema field according to any schema-level `viewPermission`.
+      // Non-schema filters are permitted. A dot-notated filter is matched
+      // against the top-level schema field, since `viewPermission` is
+      // declared on top-level fields (see `removeForbiddenFields`).
+      choicesFieldAllowedByViewPermission(req, filter) {
+        const topLevel = filter.split('.')[0];
+        const field = self.schema.find(f => f.name === topLevel);
+        if (!field || !field.viewPermission) {
+          return true;
+        }
+        return self.apos.permission.can(
+          req,
+          field.viewPermission.action,
+          field.viewPermission.type
+        );
+      },
+
       composeFilters() {
         // TODO: keep in sync with page/index.js composeFilters
         self.filters = Object.entries(self.filters)
@@ -2157,24 +2221,6 @@ module.exports = {
           }
         },
 
-        // `.attachments(true)` annotates all attachment fields in the
-        // returned documents with URLs as documented for the
-        // `apos.attachment.all` method. Used by our REST APIs.
-
-        attachments: {
-          def: true,
-          after(results) {
-            const attachments = query.get('attachments');
-
-            if (attachments) {
-              self.apos.attachment.all(results, { annotate: true });
-            }
-          },
-          launder(b) {
-            return self.apos.launder.boolean(b);
-          }
-        },
-
         // `.autocomplete('sta')` limits results to docs which are a good match
         // for a partial string beginning with `sta`, for instance `station`.
         // Appropriate words must exist in the title or other text schema fields
@@ -2427,6 +2473,28 @@ module.exports = {
           }
         },
 
+        // `.attachments(true)` annotates all attachment fields in the
+        // returned documents with URLs as documented for the
+        // `apos.attachment.all` method. Used by our REST APIs.
+        //
+        // Must appear after the `relationships` builder so that
+        // relationship `_fields` (e.g. crop coordinates) are
+        // available when `attachment.all` generates `_urls`.
+
+        attachments: {
+          def: true,
+          after(results) {
+            const attachments = query.get('attachments');
+
+            if (attachments) {
+              self.apos.attachment.all(results, { annotate: true });
+            }
+          },
+          launder(b) {
+            return self.apos.launder.boolean(b);
+          }
+        },
+
         // `.addUrls(true)`. Invokes the `addUrls` method of all doc type
         // managers with relevant docs among the results, if they have one.
         //
@@ -2450,20 +2518,47 @@ module.exports = {
             if (!val) {
               return;
             }
-            const byType = {};
-            for (const doc of results) {
-              byType[doc.type] = byType[doc.type] || [];
-              byType[doc.type].push(doc);
+
+            async function addUrlsByType(reqForUrls, docs) {
+              const byType = {};
+              for (const doc of docs) {
+                byType[doc.type] = byType[doc.type] || [];
+                byType[doc.type].push(doc);
+              }
+              for (const type of Object.keys(byType)) {
+                const manager = self.apos.doc.getManager(type);
+                if (manager?.addUrls) {
+                  await manager.addUrls(reqForUrls, byType[type]);
+                }
+              }
             }
-            const interesting = Object.keys(byType).filter(type => {
-              // Don't freak out if the projection was really conservative
-              // and the type is unknown, etc.
-              const manager = self.apos.doc.getManager(type);
-              return manager && manager.addUrls;
-            });
-            for (const type of interesting) {
-              await self.apos.doc.getManager(type).addUrls(req, byType[type]);
+
+            // When locale(null) was used, docs may span multiple
+            // locales. Group by locale and resolve URLs with a
+            // locale-appropriate req so each doc gets the correct
+            // _url for its own locale.
+            if (query.get('locale') === null) {
+              const locales = self.apos.i18n.locales;
+              const byLocale = {};
+              for (const doc of results) {
+                const locale =
+                  doc.aposLocale?.split(':')[0] || req.locale;
+                if (!locales[locale]) {
+                  continue;
+                }
+                byLocale[locale] = byLocale[locale] || [];
+                byLocale[locale].push(doc);
+              }
+              for (const [ locale, localeDocs ] of Object.entries(byLocale)) {
+                const localeReq = locale === req.locale
+                  ? req
+                  : req.clone({ locale });
+                await addUrlsByType(localeReq, localeDocs);
+              }
+              return;
             }
+
+            await addUrlsByType(req, results);
           }
         },
 
@@ -2510,10 +2605,34 @@ module.exports = {
         pageUrl: {
           def: true,
           after(results) {
+            const req = query.req;
+            const crossLocale = query.get('locale') === null;
+            const localeReqs = {};
             for (const result of results) {
-              if ((!result.archived) && result.slug && self.apos.page.isPage(result)) {
-                result._url = `${query.req.prefix}${result.slug}`;
+              if (
+                (!result.archived) &&
+                result.slug &&
+                self.apos.page.isPage(result)
+              ) {
+                const urlReq = getReqForLocale(result);
+                result._url = `${urlReq.prefix}${result.slug}`;
+              }
+            }
+            function getReqForLocale(doc) {
+              if (!crossLocale || !doc.aposLocale) {
+                return req;
+              }
+              const locale = doc.aposLocale.split(':')[0];
+              if (!self.apos.i18n.locales[locale]) {
+                return req;
+              }
+              if (!localeReqs[locale]) {
+                localeReqs[locale] =
+                  locale === req.locale
+                    ? req
+                    : req.clone({ locale });
               }
+              return localeReqs[locale];
             }
           }
         },
@@ -2641,6 +2760,7 @@ module.exports = {
             const choices = {};
             const baseQuery = query.get('choices-query-prefinalize');
             baseQuery.set('choices-query-prefinalize', null);
+            const publicApiProjection = query.get('publicApiProjection');
             for (const filter of filters) {
               // The choices for each filter should reflect the effect of all
               // filters except this one (filtering by topic pairs down the list
@@ -2656,6 +2776,19 @@ module.exports = {
               if (!query.builders[filter].launder) {
                 continue;
               }
+              // Do not leak distinct values of fields excluded by the
+              // publicApiProjection. MongoDB's `distinct` ignores projections,
+              // so we must enforce this ourselves here. Only applies to the
+              // public API; authenticated users who set their own projections
+              // are not restricted.
+              if (!self.choicesFieldAllowedByProjection(filter, publicApiProjection)) {
+                continue;
+              }
+              // Do not leak distinct values of fields the current user does
+              // not have permission to view via a schema-level viewPermission.
+              if (!self.choicesFieldAllowedByViewPermission(query.req, filter)) {
+                continue;
+              }
               // Now shut it off
               _query[filter](null);
               choices[filter] = await _query.toChoices(filter, { counts: query.get('counts') });

package/modules/@apostrophecms/doc-type/ui/apos/components/AposDocEditor.vue

@@ -990,7 +990,7 @@ export default {
 
       const isLocalized = await apos.modal.execute('AposI18nLocalize', {
         doc: saved || this.original,
-        locale,
+        targetLocale: locale,
         moduleName: this.moduleName,
         shouldRedirect: false
       });