apostrophe 4.30.0-alpha.1 → 4.30.0

package/.claude/settings.local.json

@@ -0,0 +1,15 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(timeout 180 npx mocha:*)",
+      "Bash(timeout 600 npx mocha:*)",
+      "Bash(npm ls:*)",
+      "Bash(timeout 540 npx mocha:*)",
+      "Bash(echo:*)",
+      "Bash(timeout 10 node:*)",
+      "Bash(timeout 300 npx mocha:*)",
+      "Bash(timeout 60 npx mocha:*)",
+      "Bash(timeout 120 npx mocha:*)"
+    ]
+  }
+}

package/CHANGELOG.md

@@ -1,10 +1,38 @@
 # Changelog
 
-## 4.30.0-alpha.1
+## 4.30.0
 
 ### Adds
 
-- Postgres and SQLite alpha release
+- Layout widget gap is now controllable through the styles system, both site-wide via a global `layoutGap` preset and per widget via a `gap` styles field. A new `className` option allows additional CSS classes to be added to the widget grid container.
+
+### Fixes
+
+- Fixed layout widget not regaining full focus when switching back to Edit content mode.
+- Fixed illegal HTML `id` attribute values generated by the admin UI.
+- Fixed orderable table array items dragging the entire floating window.
+- Fixed keyboard shortcuts for widget operations (copy, cut, paste, duplicate, remove) blocking the browser's native clipboard behavior when no widget was focused. Previously, selecting and copying text while logged in was intercepted unconditionally by the admin UI.
+- Removed duplicate `<meta charset>` tag from `outerLayoutBase.html` and standardized charset to `utf-8`.
+- Updated `apostrophe` and `oembetter` to remove oembed services that no longer support public access, eliminating them as a potential future XSS vector. New `minimumAllowlist` and `minimumEndpoints` options on `@apostrophecms/oembed` allow developers to prune the list further.
+
+### Security
+
+- **Password reset base URL requirement:** The password reset feature now refuses to operate unless `baseUrl` or `APOS_BASE_URL` is set, preventing a vulnerability where ApostropheCMS could be convinced to send emails with links to attacker-controlled sites. Only affects projects with `passwordReset: true` on the login module. Thanks to [SPIDY](https://github.com/Mujahidkhan525) for reporting.
+- **XSS via full name field:** A malicious full name containing HTML was executed in the page title tooltip in the admin bar, posing an XSS risk to other users. All multi-user projects should update promptly. Thanks to [Muhammad Uwais](https://github.com/MuhammadUwais) for reporting.
+- **XSS via image widget link URL:** Users with editing privileges could trigger arbitrary JavaScript via a `javascript:` URL in the image widget's link URL field. A migration is included to strip any such URLs already in the database. Thanks to [Muhammad Uwais](https://github.com/MuhammadUwais) for reporting.
+- **SSRF via rich text HTML import:** The rich text widget's HTML import feature no longer fetches images from arbitrary hosts, which could be used to probe internal networks or exfiltrate internal images. Configure `imageImportAllowedHostnames` on `@apostrophecms/rich-text-widget` to opt in. Thanks to [Yiğit Şengezer](https://github.com/yigitsengezer) and [Sainithin0309](https://github.com/Sainithin0309) for reporting.
+-  **the xmp tag could be used to pass forbidden markup through sanitize-html**, even when xmp itself. This was fixed in `sanitize-html` and the dependency was bumped. Thanks to [Vincenzo Turturro](https://github.com/sushi-gif) for reporting the vulnerability.
+- **the `linkHref` field of image widgets was an XSS vulnerability** because it did not use the `url` field type. This means that a user with editing privileges could potentially carry out XSS. In addition, we have updated the `launder` module to sanitize URLs more robustly for the `url` field type, and bumped that dependency. Also, a database migration is included to clean any XSS attacks that could be present in existing links. Thanks to [Muhammad Uwais](https://github.com/MuhammadUwais) for reporting the issue.
+
+### Accessibility
+
+- Corrected ARIA semantics on the top admin navigation bar.
+- Improved the document context title (admin bar middle group) and the underlying `AposContextMenu` machinery.
+- Improved the locale switcher (`AposLocalePicker`).
+- The Recently Edited Documents tray icon now exposes its action via `aria-label`.
+- Fixed `.apos-sr-only` so screen-reader-only content is correctly exposed to the accessibility tree.
+- Icon-only context-utility buttons in the admin bar tray (e.g. the global settings cog) now expose their action via `aria-label`.
+
 
 ## 4.29.0 (2026-04-15)
 

package/eslint.config.js

@@ -7,8 +7,7 @@ module.exports = defineConfig([
     '**/blueimp/**/*.js',
     'test/public',
     'test/apos-build',
-    'coverage',
-    'claude-tools'
+    'coverage'
   ]),
   apostrophe
 ]);

package/lib/mongodb-connect.js

@@ -0,0 +1,62 @@
+const mongo = require('@apostrophecms/emulate-mongo-3-driver');
+const dns = require('dns');
+
+// Connect to MongoDB, using the modern topology and parser, and
+// a tolerant policy to successfully connect to "localhost" even if
+// the first record returned by the resolver doesn't reach mongodb's
+// bind address because localhost resolves first to ::1 (ipv6) and
+// mongodb lists only on 127.0.0.1 (ipv4) by default. For broadest
+// compatibility we don't assume we know this will happen, we try all the
+// addresses that localhost actually resolves to and succeed with the
+// first one that works.
+
+module.exports = async (uri, options) => {
+  const connectOptions = {
+    useUnifiedTopology: true,
+    useNewUrlParser: true,
+    ...options
+  };
+  let parsed;
+  try {
+    parsed = new URL(uri);
+  } catch (e) {
+    // Parse failed, e.g. old school replica set URI
+    // with commas, just let the mongo driver handle it
+    return mongo.MongoClient.connect(uri, connectOptions);
+  }
+  if (!parsed || (parsed.protocol !== 'mongodb:') || (parsed.hostname !== 'localhost')) {
+    return mongo.MongoClient.connect(parsed.toString(), connectOptions);
+  }
+  const records = await dns.promises.lookup('localhost', { all: true });
+  if (!records.length) {
+    // The computer that reaches this point has bigger problems 😅
+    throw new Error('Unable to resolve localhost to an IP address.');
+  }
+  return new Promise((resolve, reject) => {
+    let failed = 0;
+    let succeeded = false;
+    records.forEach(attempt);
+    async function attempt(record) {
+      try {
+        const parsed = new URL(uri);
+        parsed.hostname = record.address;
+        const result = await mongo.MongoClient.connect(parsed.toString(), connectOptions);
+        if (!succeeded) {
+          succeeded = true;
+          resolve(result);
+        } else {
+          // We succeeded in reaching localhost at both ip4 and ip6,
+          // but we only need one of them to succeed
+          await result.close();
+        }
+      } catch (e) {
+        failed++;
+        if (failed === records.length) {
+          // None succeeded, so reject with the last error
+          // (which one we reject with doesn't really matter)
+          reject(e);
+        }
+      }
+    }
+  });
+};

package/modules/@apostrophecms/admin-bar/ui/apos/components/TheAposAdminBar.vue

@@ -11,7 +11,6 @@
     <nav
       ref="adminBar"
       :class="classes"
-      role="menubar"
       aria-label="Apostrophe Admin Bar"
     >
       <div class="apos-admin-bar__row">

package/modules/@apostrophecms/admin-bar/ui/apos/components/TheAposAdminBarMenu.vue

@@ -1,8 +1,5 @@
 <template>
-  <ol
-    class="apos-admin-bar__items"
-    role="menu"
-  >
+  <ol class="apos-admin-bar__items">
     <li
       v-if="pageTree"
       class="apos-admin-bar__item"
@@ -12,7 +9,6 @@
         label="apostrophe:pages"
         class="apos-admin-bar__btn"
         :modifiers="['no-motion']"
-        role="menuitem"
         action-test-label="page-manager-button"
         @click="emitEvent({ action: '@apostrophecms/page:manager' })"
       />
@@ -33,7 +29,6 @@
           class: 'apos-admin-bar__btn',
           type: 'subtle'
         }"
-        role="menuitem"
         @item-clicked="emitEvent"
       />
       <Component
@@ -44,7 +39,6 @@
         :modifiers="['no-motion']"
         class="apos-admin-bar__btn"
         :action-test-label="`${item.name}-manager-button`"
-        role="menuitem"
         @click="emitEvent(item)"
       />
     </li>
@@ -62,7 +56,6 @@
           type: 'primary',
           modifiers: ['round', 'no-motion']
         }"
-        role="menuitem"
         @item-clicked="emitEvent"
       />
     </li>
@@ -89,6 +82,7 @@
           :label="item.label"
           :action="item.action"
           :state="trayItemState[item.name] ? [ 'active' ] : []"
+          :attrs="trayItemAttrs(item)"
           @click="emitEvent(item)"
         />
       </template>
@@ -185,6 +179,29 @@ export default {
       } else {
         return item.options.tooltip;
       }
+    },
+    // Tray utility buttons render icon-only, so the visible label
+    // (e.g. "Global Content") is sr-only and doesn't describe what the
+    // button does. Make them accessible by providing an aria-label based on
+    // the tooltip content.
+    trayItemAttrs(item) {
+      const tooltip = item.options?.tooltip;
+      let key = null;
+      if (item.options?.toggle) {
+        if (this.trayItemState[item.name] && tooltip?.deactivate) {
+          key = tooltip.deactivate;
+        } else if (tooltip?.activate) {
+          key = tooltip.activate;
+        }
+      } else if (typeof tooltip === 'string') {
+        key = tooltip;
+      } else if (tooltip && typeof tooltip.content === 'string') {
+        key = tooltip.content;
+      }
+      if (!key) {
+        return {};
+      }
+      return { 'aria-label': this.$t(key) };
     }
   }
 };

package/modules/@apostrophecms/admin-bar/ui/apos/components/TheAposContextBreakpointPreviewMode.vue

@@ -14,6 +14,7 @@
         :label="screen.label"
         :tooltip="$t(screen.label)"
         :title="$t(screen.label)"
+        :attrs="shortcutAttrs(screen)"
         :icon="screen.icon"
         :icon-only="true"
         type="subtle"
@@ -36,6 +37,7 @@
       :active-item="mode"
       :center-on-icon="true"
       menu-placement="bottom-end"
+      :dialog-label="'apostrophe:breakpointPreviewSelectMenu'"
       @item-clicked="selectBreakpoint"
     />
     <Transition>
@@ -320,6 +322,13 @@ export default {
     },
     setShowDropdown() {
       this.showDropdown = Object.values(this.screens).some(({ shortcut }) => !shortcut);
+    },
+    shortcutAttrs(screen) {
+      return {
+        'aria-label': this.$t('apostrophe:breakpointPreviewShortcut', {
+          breakpoint: this.$t(screen.label)
+        })
+      };
     }
   }
 };

package/modules/@apostrophecms/admin-bar/ui/apos/components/TheAposContextTitle.vue

@@ -33,6 +33,8 @@
           :disabled="hasCustomUi || isUnpublished"
           :center-on-icon="true"
           menu-placement="bottom-end"
+          :dialog-label="'apostrophe:publicationStatusMenu'"
+          :trigger-aria-label="draftTriggerAriaLabel"
           @item-clicked="switchDraftMode"
         />
         <AposLabel
@@ -56,6 +58,15 @@
 <script>
 import dayjs from 'dayjs';
 
+function escapeHtml(s) {
+  return String(s)
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}
+
 export default {
   name: 'TheAposContextTitle',
   props: {
@@ -78,8 +89,8 @@ export default {
       if (this.context.updatedBy) {
         const editor = this.context.updatedBy;
         editorLabel = '';
-        editorLabel += editor.title ? `${editor.title} ` : '';
-        editorLabel += editor.username ? `(${editor.username})` : '';
+        editorLabel += editor.title ? `${escapeHtml(editor.title)} ` : '';
+        editorLabel += editor.username ? `(${escapeHtml(editor.username)})` : '';
       }
       return editorLabel;
     },
@@ -91,6 +102,13 @@ export default {
         type: 'quiet'
       };
     },
+    draftTriggerAriaLabel() {
+      return this.$t('apostrophe:publicationStatusTrigger', {
+        status: this.$t(
+          this.draftMode === 'draft' ? 'apostrophe:draft' : 'apostrophe:published'
+        )
+      });
+    },
     isUnpublished() {
       return !this.context.lastPublishedAt;
     },

package/modules/@apostrophecms/area/index.js

@@ -19,7 +19,8 @@ module.exports = {
           action: {
             type: 'command-menu-area-cut-widget'
           },
-          shortcut: 'Ctrl+X Meta+X'
+          shortcut: 'Ctrl+X Meta+X',
+          requireWidgetFocus: true
         },
         [`${self.__meta.name}:copy-widget`]: {
           type: 'item',
@@ -27,7 +28,8 @@ module.exports = {
           action: {
             type: 'command-menu-area-copy-widget'
           },
-          shortcut: 'Ctrl+C Meta+C'
+          shortcut: 'Ctrl+C Meta+C',
+          requireWidgetFocus: true
         },
         [`${self.__meta.name}:paste-widget`]: {
           type: 'item',
@@ -35,7 +37,8 @@ module.exports = {
           action: {
             type: 'command-menu-area-paste-widget'
           },
-          shortcut: 'Ctrl+V Meta+V'
+          shortcut: 'Ctrl+V Meta+V',
+          requireWidgetFocus: true
         },
         [`${self.__meta.name}:duplicate-widget`]: {
           type: 'item',
@@ -43,7 +46,8 @@ module.exports = {
           action: {
             type: 'command-menu-area-duplicate-widget'
           },
-          shortcut: 'Ctrl+Shift+D Meta+Shift+D'
+          shortcut: 'Ctrl+Shift+D Meta+Shift+D',
+          requireWidgetFocus: true
         },
         [`${self.__meta.name}:remove-widget`]: {
           type: 'item',
@@ -51,7 +55,8 @@ module.exports = {
           action: {
             type: 'command-menu-area-remove-widget'
           },
-          shortcut: 'Backspace'
+          shortcut: 'Backspace',
+          requireWidgetFocus: true
         }
       },
       modal: {

package/modules/@apostrophecms/area/ui/apos/components/AposAreaWidget.vue

@@ -536,6 +536,7 @@ export default {
     apos.bus.$on('widget-focus-parent', this.focusParent);
     apos.bus.$on('context-menu-toggled', this.getFocusForMenu);
     apos.bus.$on('suppress-focused-widget-controls', this.doSuppressWidgetControls);
+    apos.bus.$on('clear-focused-widget-control-suppression', this.clearSuppressionFlags);
 
     this.breadcrumbs.$lastEl = this.$el;
 
@@ -573,6 +574,7 @@ export default {
     // Remove the focus parent listener when unmounted
     apos.bus.$off('widget-focus-parent', this.focusParent);
     apos.bus.$off('suppress-focused-widget-controls', this.doSuppressWidgetControls);
+    apos.bus.$off('clear-focused-widget-control-suppression', this.clearSuppressionFlags);
     window.removeEventListener('scroll', this.stickyControlsScroll);
     window.removeEventListener('resize', this.stickyControlsResize);
     this.unregisterFromGraph();

package/modules/@apostrophecms/command-menu/ui/apos/components/TheAposCommandMenu.vue

@@ -10,6 +10,7 @@
 import { mapActions, mapState } from 'pinia';
 import AposThemeMixin from 'Modules/@apostrophecms/ui/mixins/AposThemeMixin';
 import { useModalStore } from 'Modules/@apostrophecms/ui/stores/modal';
+import { useWidgetStore } from 'Modules/@apostrophecms/ui/stores/widget';
 
 export default {
   name: 'TheAposCommandMenu',
@@ -50,7 +51,13 @@ export default {
               .flatMap(command => {
                 return command.shortcut
                   .split(' ')
-                  .map(shortcut => [ shortcut.toUpperCase(), command.action ]);
+                  .map(shortcut => [
+                    shortcut.toUpperCase(),
+                    {
+                      ...command.action,
+                      requireWidgetFocus: command.requireWidgetFocus || false
+                    }
+                  ]);
               });
           })
       );
@@ -111,6 +118,9 @@ export default {
             ? keys.slice('SHIFT+'.length)
             : keys];
         if (action) {
+          if (action.requireWidgetFocus && !useWidgetStore().focusedWidget) {
+            return;
+          }
           event.preventDefault();
           apos.bus.$emit(action.type, action.payload);
           return;

package/modules/@apostrophecms/db/index.js

@@ -4,12 +4,11 @@
 //
 // ### `uri`
 //
-// The databse connection URI. See the [MongoDB URI documentation](https://docs.mongodb.com/manual/reference/connection-string/)
-// and the postgres documentation.
+// The MongoDB connection URI. See the [MongoDB URI documentation](https://docs.mongodb.com/manual/reference/connection-string/).
 //
 // ### `connect`
 //
-// If present, this object is passed on as options to the database adapters "connect"
+// If present, this object is passed on as options to MongoDB's "connect"
 // method, along with the uri. See the [MongoDB connect settings documentation](http://mongodb.github.io/node-mongodb-native/2.2/reference/connecting/connection-settings/).
 //
 // By default, Apostrophe sets options to retry lost connections forever,
@@ -21,16 +20,9 @@
 //
 // ### `client`
 //
-// An existing MongoDB-compatible client object. If present, it is used
+// An existing MongoDB connection (MongoClient) object. If present, it is used
 // and `uri`, `host`, `connect`, etc. are ignored.
 //
-// ### `adapters`
-//
-// An array of adapters, each of which must provide `name`, `connect(uri, options)`,
-// and `protocols` properties. `name` may be used to override a core adapter,
-// such as `postgres` or `mongodb`. `connect` must resolve to a client object
-// supporting a sufficient subset of the mongodb API.
-//
 // ### `versionCheck`
 //
 // If `true`, check to make sure the database does not belong to an
@@ -57,15 +49,15 @@
 // in your project. However you may find it easier to just use the
 // `client` option.
 
-const dbConnect = require('@apostrophecms/db-connect');
-const escapeHost = require('../../../lib/escape-host.js');
+const mongodbConnect = require('../../../lib/mongodb-connect');
+const escapeHost = require('../../../lib/escape-host');
 
 module.exports = {
   options: {
     versionCheck: true
   },
   async init(self) {
-    await self.connectToDb();
+    await self.connectToMongo();
     await self.versionCheck();
   },
   handlers(self) {
@@ -89,12 +81,14 @@ module.exports = {
   },
   methods(self) {
     return {
-      // Connect to the database and sets self.apos.dbClient
-      // and self.apos.db. Builds a mongodb URI by default,
-      // accepting host, port, user, password and name options
-      // if present. More typically a URI is specified via
-      // APOS_DB_URI, or via APOS_MONGODB_URI for bc.
-      async connectToDb() {
+      // Open the database connection. Always uses MongoClient with its
+      // sensible defaults. Builds a URI if necessary, so we can call it
+      // in a consistent way.
+      //
+      // One default we override: if the connection is lost, we keep
+      // attempting to reconnect forever. This is the most sensible behavior
+      // for a persistent process that requires MongoDB in order to operate.
+      async connectToMongo() {
         if (self.options.client) {
           // Reuse a single client connection http://mongodb.github.io/node-mongodb-native/2.2/api/Db.html#db
           self.apos.dbClient = self.options.client;
@@ -102,67 +96,32 @@ module.exports = {
           self.connectionReused = true;
           return;
         }
-        let uri;
-        const viaEnv = process.env.APOS_DB_URI || process.env.APOS_MONGODB_URI;
-        if (viaEnv) {
-          uri = viaEnv;
+        let uri = 'mongodb://';
+        if (process.env.APOS_MONGODB_URI) {
+          uri = process.env.APOS_MONGODB_URI;
         } else if (self.options.uri) {
           uri = self.options.uri;
         } else {
-          const validAdapters = [ 'mongodb', 'sqlite', 'postgres', 'multipostgres' ];
-          const adapter = process.env.APOS_DEFAULT_DB_ADAPTER || self.options.defaultAdapter || 'mongodb';
-          if (!validAdapters.includes(adapter)) {
-            throw new Error(`Invalid defaultAdapter: "${adapter}". Must be one of: ${validAdapters.join(', ')}`);
+          if (self.options.user) {
+            uri += self.options.user + ':' + self.options.password + '@';
+          }
+          if (!self.options.host) {
+            self.options.host = 'localhost';
+          }
+          if (!self.options.port) {
+            self.options.port = 27017;
           }
           if (!self.options.name) {
             self.options.name = self.apos.shortName;
           }
-          if (adapter === 'sqlite') {
-            const path = require('path');
-            uri = `sqlite://${path.resolve(self.apos.rootDir, 'data', self.options.name + '.sqlite')}`;
-          } else {
-            const credentials = self.options.user
-              ? encodeURIComponent(self.options.user) + ':' + encodeURIComponent(self.options.password) + '@'
-              : '';
-            if (adapter === 'mongodb') {
-              if (!self.options.host) {
-                self.options.host = 'localhost';
-              }
-              if (!self.options.port) {
-                self.options.port = 27017;
-              }
-              uri = 'mongodb://' + credentials + escapeHost(self.options.host) + ':' + self.options.port + '/' + self.options.name;
-            } else {
-              // postgres or multipostgres
-              if (!self.options.host) {
-                self.options.host = 'localhost';
-              }
-              if (!self.options.port) {
-                self.options.port = 5432;
-              }
-              uri = adapter + '://' + credentials + escapeHost(self.options.host) + ':' + self.options.port + '/' + self.options.name;
-            }
-          }
+          uri += escapeHost(self.options.host) + ':' + self.options.port + '/' + self.options.name;
         }
 
-        self.apos.dbClient = await dbConnect(uri, {
-          ...self.options.connect,
-          adapters: self.options.adapters
-        });
+        self.apos.dbClient = await mongodbConnect(uri, self.options.connect);
         self.uri = uri;
         // Automatically uses the db name in the connection string
         self.apos.db = self.apos.dbClient.db();
       },
-      // Connect to a database using the appropriate adapter based on the URI protocol.
-      // Returns a client object compatible with the MongoDB driver interface.
-      // This method has no side effects — it does not set apos.db or apos.dbClient.
-      // It can be used to make temporary connections, e.g. for dropping a test database.
-      async connectToAdapter(uri, options) {
-        return dbConnect(uri, {
-          ...options,
-          adapters: self.options.adapters
-        });
-      },
       async versionCheck() {
         if (!self.options.versionCheck) {
           return;

package/modules/@apostrophecms/http/index.js

@@ -2,7 +2,7 @@ const _ = require('lodash');
 const qs = require('qs');
 const fetch = require('node-fetch');
 const tough = require('tough-cookie');
-const escapeHost = require('../../../lib/escape-host.js');
+const escapeHost = require('../../../lib/escape-host');
 const util = require('util');
 
 module.exports = {

package/modules/@apostrophecms/i18n/i18n/en.json

@@ -89,6 +89,8 @@
   "breakpointPreviewExit": "Exit",
   "breakpointPreviewMobile": "Mobile",
   "breakpointPreviewSelect": "Select Breakpoint",
+  "breakpointPreviewSelectMenu": "Breakpoint preview menu",
+  "breakpointPreviewShortcut": "Preview at {{ breakpoint }} breakpoint",
   "breakpointPreviewTablet": "Tablet",
   "browse": "Browse",
   "browseDocType": "Browse {{ type }}",
@@ -387,6 +389,7 @@
   "mediaUploadViaDrop": "Drop ’em when you’re ready",
   "mediaUploadViaExplorer": "Or click to open the file explorer",
   "mergeCells": "Merge Cells",
+  "menu": "Menu",
   "minLabel": "Min:",
   "minSize": "Min size of {{ width }}x{{ height }}",
   "minimumSize": "Minimum size of {{ width }} x {{ height }} px",
@@ -475,6 +478,8 @@
   "publishBeforeUsingTooltip": "Publish this content before using it in a relationship",
   "publishType": "Publish {{ type }}",
   "published": "Published",
+  "publicationStatusMenu": "Publication status",
+  "publicationStatusTrigger": "Publication status: {{ status }}. Change publication status.",
   "publishingBatchConfirmation": "Are you sure you want to publish {{ count }} {{ type }}?",
   "publishingBatchConfirmationButton": "Yes, publish content.",
   "rawCssAndJs": "Raw CSS and JS",
@@ -490,6 +495,7 @@
   "recentlyEditedActionSubmitted": "Submitted",
   "recentlyEditedCurrentUser": "Me ({{ user }})",
   "recentlyEditedDocuments": "Recently edited documents",
+  "recentlyEditedManagerOpen": "Open recently edited documents manager",
   "recentlyEditedEditedBy": "Edited by",
   "recentlyEditedClearAllFilters": "Clear all filters",
   "recentlyEditedClearSearch": "Clear search",
@@ -643,6 +649,8 @@
   "styleGradientAngle": "Angle",
   "styleGradientEnd": "End Color",
   "styleGradientStart": "Start Color",
+  "styleLayoutGap": "Layout Gap",
+  "styleLayoutGapHelp": "Sets the spacing between columns inside layout sections across the site.",
   "styleLeft": "Left",
   "styleMargin": "Margin",
   "styleOverlayColor": "Overlay Color",

package/modules/@apostrophecms/i18n/index.js

@@ -29,10 +29,6 @@
 // in the same language as the website content.
 // Example: `defaultAdminLocale: 'fr'`.
 //
-// ### `encoding`
-//
-// Defaults to `'utf-8'`. You almost certainly do not want to change this.
-//
 // ### `slugDirection`
 //
 // Controls the default `direction` value of slug schema. Can be `ltr`, `rtl` or
@@ -81,8 +77,6 @@ module.exports = {
     },
     // If true, slugifying will strip accents from Latin characters
     stripUrlAccents: false,
-    // You almost certainly do not want to change this
-    encoding: 'utf-8',
     slugDirection: 'ltr'
   },
   async init(self) {
@@ -166,7 +160,6 @@ module.exports = {
     await self.i18next.init(i18nextOptions);
     self.addInitialResources();
     self.enableBrowserData();
-    self.encoding = self.options.encoding;
   },
   handlers(self) {
     return {
@@ -1369,7 +1362,7 @@ module.exports = {
   helpers(self) {
     return {
       encoding() {
-        return self.encoding;
+        return 'utf-8';
       }
     };
   }