apostrophe 4.30.1-beta.1 → 4.31.0

package/.claude/settings.local.json

@@ -0,0 +1,15 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(timeout 180 npx mocha:*)",
+      "Bash(timeout 600 npx mocha:*)",
+      "Bash(npm ls:*)",
+      "Bash(timeout 540 npx mocha:*)",
+      "Bash(echo:*)",
+      "Bash(timeout 10 node:*)",
+      "Bash(timeout 300 npx mocha:*)",
+      "Bash(timeout 60 npx mocha:*)",
+      "Bash(timeout 120 npx mocha:*)"
+    ]
+  }
+}

package/CHANGELOG.md

@@ -1,11 +1,31 @@
 # Changelog
 
-## 4.30.1
+## 4.31.0 (2026-06-10)
 
-### Patch Changes
+### Adds
+
+- Added support for `draggable: false` on non-inline `array` schema fields. Previously this option was only respected when `inline: true`. When set on a standard (modal-based) array field, drag-and-drop reordering and keyboard reordering are now disabled in the array editor's slat list.
+- Introduced support for postgres://, sqlite://, and multipostgres:// database URIs in addition to mongodb://. The new db-connect API supports all of the database operations currently used in our own core, pro and multisite modules. For more information see the documentation.
+- JSX support for templates within ApostropheCMS. JSX is now co-equal with Nunjucks, with a gradual migration strategy. Anyone who is familiar with React will be very comfortable writing JSX templates, which also offer a superior debugging experience, and templates can be migrated gradually. JSX is a great option for those who don't wish to create parallel Astro and ApostropheCMS projects, but still prefer a modern syntax. For more information, see the new [JSX templates guide](https://apostrophecms.com/docs/guide/jsx-templates.html).
+- The session secret and the uploadfs `disabledFileKey` can now be supplied via the `APOS_SESSION_SECRET` and `APOS_UPLOADFS_DISABLED_FILE_KEY` environment variables. As with other Apostrophe environment variables, these take precedence over the corresponding `app.js` configuration.
+
+### Fixes
 
+- Fixed an issue where using the Tab key to navigate within modals could incorrectly jump focus to a wrong element instead of the next input field.
+Fixed Tab navigation escaping out of modals when the form contained hidden sections or elements that became disabled after editing.
+- Fixed adding or removing an area field from a schema breaking existing documents on an external front such as Astro.
+- For Astro: `AposArea` now renders only schema-backed areas. A missing area no longer throws, and an area orphaned by removing its field from the schema (while its content remains in the document) renders nothing instead of breaking sibling areas in edit mode. Logged-in editors get a diagnostic message in place of an orphaned area; anonymous visitors see nothing.
+- Editable documents sent to an external front (Asgtro) now materialize empty area objects for schema area fields added after the document was created, so they can be edited in context.
+- `apos.util.getManagerOf` accepts a `{ log }` option to suppress its error log when probing objects that may not have a manager.
+- Fix more admin UI a11y issues.
+- Selecting an item in a relationship "browse" dialog no longer scrolls the title and Cancel/Select buttons out of view when the item is far down the list.
 - Sites with a custom filterByIndexPage method no longer experience failures in the sitemap module and potential creeping CPU performance penalties. A regression introduced with our static site support, but not specific to static sites.
 
+### Security
+
+- Server-side prototype pollution (CWE-1321) via dot-notation paths. `apos.util.set()` and `apos.util.get()` now refuse to traverse `__proto__`, `constructor` and `prototype` path segments. Previously an authenticated editor could send a PATCH REST API request whose patch operators (for example `$pullAll` with a key of `__proto__.publicApiProjection`) wrote to `Object.prototype`. A polluted `publicApiProjection` defeated the `publicApiCheck()` authorization gate on piece-type REST endpoints for subsequent unauthenticated requests, for the lifetime of the Node.js process. All users should update. Thanks to [tonghuaroot](https://github.com/tonghuaroot), [H3xV0rT3x](https://github.com/H3xV0rT3x), and [5h1kh4r](https://github.com/5h1kh4r) for reporting the vulnerability.
+- When `@apostrophecms/file` pretty URLs are enabled (`prettyUrls: true`), the upstream request used to serve the file is no longer built from the incoming `Host` header. The self-request is now resolved against the site's configured `baseUrl` (via `req.baseUrl`), falling back to the request host only when no `baseUrl` is configured. This closes a server-side request forgery (SSRF) vector in which the `Host` header could steer the proxied fetch at another host. The real-world risk was low: the path is constrained to an existing attachment's `/uploads/attachments/<cuid>-<slug>.<ext>`, and cuids are unique and immutable, so any reachable content was already public via the front door. Thanks to [EchoSkorJjj](https://github.com/EchoSkorJjj) for reporting the issue.
+
 ## 4.30.0
 
 ### Adds

package/claude-tools/detect-handles.js

@@ -0,0 +1,46 @@
+// Require this before running mocha to detect what activates process.stdin
+// Usage: npx mocha -t 10000 --require ./claude-tools/detect-handles.js test/assets.js
+
+console.log(`stdin paused at startup: ${process.stdin.isPaused()}`);
+console.log(`stdin readableFlowing at startup: ${process.stdin.readableFlowing}`);
+
+// Monkey-patch stdin.resume to capture the call stack
+const origResume = process.stdin.resume.bind(process.stdin);
+process.stdin.resume = function(...args) {
+  console.log('\n=== process.stdin.resume() called ===');
+  console.log(new Error().stack);
+  return origResume(...args);
+};
+
+// Monkey-patch stdin.on to detect 'data' listener additions
+const origOn = process.stdin.on.bind(process.stdin);
+process.stdin.on = function(event, ...args) {
+  if (event === 'data' || event === 'readable') {
+    console.log(`\n=== process.stdin.on('${event}') called ===`);
+    console.log(new Error().stack);
+  }
+  return origOn(event, ...args);
+};
+
+// Periodically check stdin state changes
+let lastState = process.stdin.readableFlowing;
+const checker = setInterval(() => {
+  if (process.stdin.readableFlowing !== lastState) {
+    console.log(`\n=== stdin readableFlowing changed: ${lastState} -> ${process.stdin.readableFlowing} ===`);
+    console.log(new Error().stack);
+    lastState = process.stdin.readableFlowing;
+  }
+}, 100);
+checker.unref();
+
+const origRun = require('mocha/lib/runner').prototype.run;
+require('mocha/lib/runner').prototype.run = function(fn) {
+  return origRun.call(this, function(failures) {
+    console.log(`\nstdin paused at end: ${process.stdin.isPaused()}`);
+    console.log(`stdin readableFlowing at end: ${process.stdin.readableFlowing}`);
+    setTimeout(() => {
+      process.exit(failures ? 3 : 0);
+    }, 2000);
+    if (fn) fn(failures);
+  });
+};

package/claude-tools/minimal-hang-test.js

@@ -0,0 +1,28 @@
+// Minimal test to isolate what causes the hang.
+// Must reference the test/ directory as root for proper module resolution.
+const t = require('../test-lib/test.js');
+const path = require('path');
+
+// Fake a module object rooted in test/ like the real tests do
+const fakeModule = {
+  id: path.join(__dirname, '../test/fake'),
+  filename: path.join(__dirname, '../test/fake.js'),
+  paths: [path.join(__dirname, '../test/node_modules')]
+};
+
+describe('Minimal hang test', function() {
+  this.timeout(60000);
+  let apos;
+
+  after(async function() {
+    await t.destroy(apos);
+    console.log('after: destroy complete');
+  });
+
+  it('should create and use apos without hanging', async function() {
+    apos = await t.create({
+      root: fakeModule
+    });
+    console.log('apos created successfully');
+  });
+});

package/claude-tools/mongo-close-test.js

@@ -0,0 +1,11 @@
+// Test whether a MongoDB connection keeps the process alive after close()
+const mongoConnect = require('../../../packages/db-connect/lib/mongodb-connect');
+
+(async () => {
+  const uri = 'mongodb://localhost:27017/test_handle_leak';
+  console.log('Connecting...');
+  const client = await mongoConnect(uri);
+  console.log('Connected. Closing...');
+  await client.close();
+  console.log('Closed. Process should exit now if no leaked handles.');
+})();

package/claude-tools/stdin-ref-test.js

@@ -0,0 +1,14 @@
+// Check if process.stdin keeps the process alive
+// If this script hangs, stdin is ref'd. If it exits, stdin is unref'd.
+
+console.log(`stdin isTTY: ${process.stdin.isTTY}`);
+console.log(`stdin readableFlowing: ${process.stdin.readableFlowing}`);
+console.log(`stdin isPaused: ${process.stdin.isPaused()}`);
+
+// Check ref status
+if (typeof process.stdin.unref === 'function') {
+  console.log('stdin has unref method');
+}
+
+console.log('Waiting to see if process exits on its own...');
+// Don't do anything - just see if the process exits

package/eslint.config.js

@@ -7,7 +7,9 @@ module.exports = defineConfig([
     '**/blueimp/**/*.js',
     'test/public',
     'test/apos-build',
-    'coverage'
+    'test/modules/jsx-mixed-test/views/syntax-error.jsx',
+    'coverage',
+    'claude-tools'
   ]),
   apostrophe
 ]);

package/modules/@apostrophecms/area/index.js

@@ -140,7 +140,7 @@ module.exports = {
               // so this logic is reproduced partially
               self.apos.doc.walk(area, (o, k, v) => {
                 if (v && v.metaType === 'area') {
-                  const manager = self.apos.util.getManagerOf(o);
+                  const manager = self.apos.util.getManagerOf(o, { log: false });
                   if (!manager) {
                     self.apos.util.warnDevOnce(
                       'noManagerForDocInExternalFront',
@@ -285,6 +285,95 @@ module.exports = {
           self.missingWidgetTypes[name] = true;
         }
       },
+      // Build an empty area and attach it to `parent[name]`. When the area's
+      // location can be resolved inside the *persisted* document, also stub it
+      // into the database so the backend recognizes it for later edits.
+      // Returns the area.
+      //
+      // Options:
+      // - `throwIfNotFound` (default `false`): when `parent` is doc-backed but
+      //   the document or the container cannot be located in the database,
+      //   throw a `notfound` error instead of returning an in-memory-only
+      //   stub. The `{% area %}` tag opts in to preserve its historical
+      //   behavior; the external front annotator leaves it off so a render is
+      //   never brought down by such a case.
+      //
+      // Used by the `{% area %}` tag and the external front annotator as the
+      // single source of truth for stubbing schema areas that have no value
+      // yet.
+      async addMissingArea(parent, name, { throwIfNotFound = false } = {}) {
+        const area = {
+          metaType: 'area',
+          _id: self.apos.util.generateId(),
+          items: []
+        };
+        parent[name] = area;
+
+        const docId = parent._docId ??
+          (parent.metaType === 'doc' ? parent._id : null);
+        const areaDotPath = await self.resolvePersistedAreaDotPath(parent, name);
+        if (!areaDotPath) {
+          if (throwIfNotFound && docId) {
+            throw self.apos.error('notfound');
+          }
+          return area;
+        }
+
+        const result = await self.apos.doc.db.updateOne(
+          {
+            _id: docId,
+            // Idempotent and race-safe: only write when still absent.
+            [areaDotPath]: { $eq: null }
+          },
+          {
+            $set: { [areaDotPath]: self.apos.util.clonePermanent(area) }
+          }
+        );
+        if (result.modifiedCount === 0) {
+          // Another request stubbed it first (or it already existed): adopt
+          // the persisted `_id` so we render the same area.
+          const refreshed = await self.apos.doc.db.findOne({ _id: docId });
+          const persisted = refreshed && self.apos.util.get(refreshed, areaDotPath);
+          if (persisted?._id) {
+            area._id = persisted._id;
+          }
+        }
+        return area;
+      },
+
+      // Resolve the MongoDB dot-path at which `parent[name]` should be stored,
+      // computed from the *persisted* document so it always reflects real
+      // storage (not the in-memory graph with its loaded relationships). The
+      // `parent` object is located inside the freshly read document by its
+      // `_id`. Returns the dot-path string, or `null` when the area cannot be
+      // safely persisted (no doc id, doc not in the database, or `parent` is
+      // not part of the persisted document, e.g. loaded relationship data).
+      async resolvePersistedAreaDotPath(parent, name) {
+        const docId = parent._docId ??
+          (parent.metaType === 'doc' ? parent._id : null);
+        if (!docId) {
+          return null;
+        }
+        const mainDoc = await self.apos.doc.db.findOne({ _id: docId });
+        if (!mainDoc) {
+          return null;
+        }
+        if (parent._id === docId) {
+          return name;
+        }
+        if (!parent._id) {
+          return null;
+        }
+        const found = self.apos.util.findNestedObjectAndDotPathById(
+          mainDoc,
+          parent._id,
+          { ignoreDynamicProperties: true }
+        );
+        if (!found) {
+          return null;
+        }
+        return `${found.dotPath}.${name}`;
+      },
       prepForRender(area, context, fieldName) {
         const manager = self.apos.util.getManagerOf(context);
         const field = manager.schema.find(field => field.name === fieldName);
@@ -451,7 +540,10 @@ module.exports = {
         // Loop over the docs in the array passed in.
         for (const doc of within) {
           if (self.apos.externalFrontKey) {
-            self.apos.template.annotateDocForExternalFront(doc, { scene: req.scene });
+            await self.apos.template.annotateDocForExternalFront(
+              doc,
+              { scene: req.scene }
+            );
           }
 
           const rendered = [];

package/modules/@apostrophecms/area/lib/custom-tags/area.js

@@ -59,46 +59,7 @@ module.exports = function(self) {
       }
       area = doc[name];
       if (!area) {
-        // Problem: area is in schema but that doesn't guarantee it
-        // has a value, for instance the field could be new in the schema.
-        // But we need an area _id. Stub it into the db on the fly
-        // without race conditions
-        area = {
-          metaType: 'area',
-          _id: self.apos.util.generateId(),
-          items: []
-        };
-        doc[name] = area;
-        const docId = doc._docId || ((doc.metaType === 'doc') ? doc._id : null);
-        if (docId) {
-          let mainDoc = await self.apos.doc.db.findOne({ _id: docId });
-          if (!mainDoc) {
-            throw self.apos.error('notfound');
-          }
-          let docDotPath;
-          try {
-            docDotPath = (doc._id === docId) ? '' : self.apos.util.findNestedObjectAndDotPathById(mainDoc, doc._id).dotPath;
-          } catch (e) {
-            // Race condition: someone removed the area's parent object.
-            // Unlikely thanks to advisory locking
-            throw self.apos.error('notfound');
-          }
-          const areaDotPath = docDotPath ? `${docDotPath}.${name}` : name;
-          await self.apos.doc.db.updateOne({
-            _id: docId,
-            // Prevent race condition
-            [areaDotPath]: {
-              $eq: null
-            }
-          }, {
-            $set: {
-              [areaDotPath]: self.apos.util.clonePermanent(area)
-            }
-          });
-          mainDoc = await self.apos.doc.db.findOne({ _id: docId });
-          // Prevent race condition
-          area._id = self.apos.util.get(mainDoc, areaDotPath)._id;
-        }
+        area = await self.apos.area.addMissingArea(doc, name, { throwIfNotFound: true });
       }
       const manager = self.apos.util.getManagerOf(doc);
       const field = manager.schema.find(field => field.name === name);

package/modules/@apostrophecms/area/ui/apos/components/AposBreadcrumbOperations.vue

@@ -119,7 +119,6 @@ export default {
         icon: 'plus-icon',
         type: 'group',
         modifiers: [ 'small', 'inline' ],
-        role: 'menuitem',
         class: 'apos-area-modify-controls__button',
         iconSize: 16,
         disableFocus: !this.isFocused

package/modules/@apostrophecms/area/ui/apos/components/AposWidgetControls.vue

@@ -90,7 +90,6 @@ export default {
         icon: 'plus-icon',
         type: 'group',
         modifiers: [ 'small', 'inline' ],
-        role: 'menuitem',
         class: 'apos-area-modify-controls__button',
         iconSize: 16,
         disableFocus: !this.tabbable

package/modules/@apostrophecms/attachment/index.js

@@ -656,7 +656,10 @@ module.exports = {
       // to avoid template errors
       getMissingAttachmentUrl() {
         const defaultIconUrl = '/modules/@apostrophecms/attachment/img/missing-icon.svg';
-        self.apos.util.warn('Template warning: Impossible to retrieve the attachment url since it is missing, a default icon has been set. Please fix this ASAP!');
+        const e = new Error();
+        self.apos.util.warn('Template warning: Impossible to retrieve the attachment url since it is missing, a default icon has been set. Please fix this ASAP!\n\n' +
+          e.stack
+        );
         // Convert static asset path to full URL, which matters when static
         // assets are in uploadfs
         return self.apos.asset.url(defaultIconUrl);

package/modules/@apostrophecms/db/index.js

@@ -4,11 +4,12 @@
 //
 // ### `uri`
 //
-// The MongoDB connection URI. See the [MongoDB URI documentation](https://docs.mongodb.com/manual/reference/connection-string/).
+// The databse connection URI. See the [MongoDB URI documentation](https://docs.mongodb.com/manual/reference/connection-string/)
+// and the postgres documentation.
 //
 // ### `connect`
 //
-// If present, this object is passed on as options to MongoDB's "connect"
+// If present, this object is passed on as options to the database adapters "connect"
 // method, along with the uri. See the [MongoDB connect settings documentation](http://mongodb.github.io/node-mongodb-native/2.2/reference/connecting/connection-settings/).
 //
 // By default, Apostrophe sets options to retry lost connections forever,
@@ -20,9 +21,16 @@
 //
 // ### `client`
 //
-// An existing MongoDB connection (MongoClient) object. If present, it is used
+// An existing MongoDB-compatible client object. If present, it is used
 // and `uri`, `host`, `connect`, etc. are ignored.
 //
+// ### `adapters`
+//
+// An array of adapters, each of which must provide `name`, `connect(uri, options)`,
+// and `protocols` properties. `name` may be used to override a core adapter,
+// such as `postgres` or `mongodb`. `connect` must resolve to a client object
+// supporting a sufficient subset of the mongodb API.
+//
 // ### `versionCheck`
 //
 // If `true`, check to make sure the database does not belong to an
@@ -49,15 +57,15 @@
 // in your project. However you may find it easier to just use the
 // `client` option.
 
-const mongodbConnect = require('../../../lib/mongodb-connect');
-const escapeHost = require('../../../lib/escape-host');
+const dbConnect = require('@apostrophecms/db-connect');
+const escapeHost = require('../../../lib/escape-host.js');
 
 module.exports = {
   options: {
     versionCheck: true
   },
   async init(self) {
-    await self.connectToMongo();
+    await self.connectToDb();
     await self.versionCheck();
   },
   handlers(self) {
@@ -81,14 +89,12 @@ module.exports = {
   },
   methods(self) {
     return {
-      // Open the database connection. Always uses MongoClient with its
-      // sensible defaults. Builds a URI if necessary, so we can call it
-      // in a consistent way.
-      //
-      // One default we override: if the connection is lost, we keep
-      // attempting to reconnect forever. This is the most sensible behavior
-      // for a persistent process that requires MongoDB in order to operate.
-      async connectToMongo() {
+      // Connect to the database and sets self.apos.dbClient
+      // and self.apos.db. Builds a mongodb URI by default,
+      // accepting host, port, user, password and name options
+      // if present. More typically a URI is specified via
+      // APOS_DB_URI, or via APOS_MONGODB_URI for bc.
+      async connectToDb() {
         if (self.options.client) {
           // Reuse a single client connection http://mongodb.github.io/node-mongodb-native/2.2/api/Db.html#db
           self.apos.dbClient = self.options.client;
@@ -96,32 +102,67 @@ module.exports = {
           self.connectionReused = true;
           return;
         }
-        let uri = 'mongodb://';
-        if (process.env.APOS_MONGODB_URI) {
-          uri = process.env.APOS_MONGODB_URI;
+        let uri;
+        const viaEnv = process.env.APOS_DB_URI || process.env.APOS_MONGODB_URI;
+        if (viaEnv) {
+          uri = viaEnv;
         } else if (self.options.uri) {
           uri = self.options.uri;
         } else {
-          if (self.options.user) {
-            uri += self.options.user + ':' + self.options.password + '@';
-          }
-          if (!self.options.host) {
-            self.options.host = 'localhost';
-          }
-          if (!self.options.port) {
-            self.options.port = 27017;
+          const validAdapters = [ 'mongodb', 'sqlite', 'postgres', 'multipostgres' ];
+          const adapter = process.env.APOS_DEFAULT_DB_ADAPTER || self.options.defaultAdapter || 'mongodb';
+          if (!validAdapters.includes(adapter)) {
+            throw new Error(`Invalid defaultAdapter: "${adapter}". Must be one of: ${validAdapters.join(', ')}`);
           }
           if (!self.options.name) {
             self.options.name = self.apos.shortName;
           }
-          uri += escapeHost(self.options.host) + ':' + self.options.port + '/' + self.options.name;
+          if (adapter === 'sqlite') {
+            const path = require('path');
+            uri = `sqlite://${path.resolve(self.apos.rootDir, 'data', self.options.name + '.sqlite')}`;
+          } else {
+            const credentials = self.options.user
+              ? encodeURIComponent(self.options.user) + ':' + encodeURIComponent(self.options.password) + '@'
+              : '';
+            if (adapter === 'mongodb') {
+              if (!self.options.host) {
+                self.options.host = 'localhost';
+              }
+              if (!self.options.port) {
+                self.options.port = 27017;
+              }
+              uri = 'mongodb://' + credentials + escapeHost(self.options.host) + ':' + self.options.port + '/' + self.options.name;
+            } else {
+              // postgres or multipostgres
+              if (!self.options.host) {
+                self.options.host = 'localhost';
+              }
+              if (!self.options.port) {
+                self.options.port = 5432;
+              }
+              uri = adapter + '://' + credentials + escapeHost(self.options.host) + ':' + self.options.port + '/' + self.options.name;
+            }
+          }
         }
 
-        self.apos.dbClient = await mongodbConnect(uri, self.options.connect);
+        self.apos.dbClient = await dbConnect(uri, {
+          ...self.options.connect,
+          adapters: self.options.adapters
+        });
         self.uri = uri;
         // Automatically uses the db name in the connection string
         self.apos.db = self.apos.dbClient.db();
       },
+      // Connect to a database using the appropriate adapter based on the URI protocol.
+      // Returns a client object compatible with the MongoDB driver interface.
+      // This method has no side effects — it does not set apos.db or apos.dbClient.
+      // It can be used to make temporary connections, e.g. for dropping a test database.
+      async connectToAdapter(uri, options) {
+        return dbConnect(uri, {
+          ...options,
+          adapters: self.options.adapters
+        });
+      },
       async versionCheck() {
         if (!self.options.versionCheck) {
           return;

package/modules/@apostrophecms/doc-type/ui/apos/logic/AposDocContextMenu.js

@@ -273,13 +273,13 @@ export default {
       });
     },
     moduleName() {
-      if (apos.modules[this.context.type].action === apos.modules['@apostrophecms/page'].action) {
+      if (apos.modules[this.context.type]?.action === apos.modules['@apostrophecms/page'].action) {
         return '@apostrophecms/page';
       }
       return this.context.type;
     },
     moduleOptions() {
-      return apos.modules[this.moduleName];
+      return apos.modules[this.moduleName] || {};
     },
     isUpdateOperation() {
       return !!this.context._id;
@@ -482,7 +482,9 @@ export default {
       );
     },
     preview(doc) {
-      window.open(doc._url, '_blank').focus();
+      // window.open() returns null when a popup blocker intercepts it,
+      // so guard before calling focus().
+      window.open(doc._url, '_blank')?.focus();
     },
     async copy(doc) {
       // If there are changes warn the user before discarding them before

package/modules/@apostrophecms/express/index.js

@@ -579,6 +579,8 @@ module.exports = {
           name: self.apos.shortName + '.sid',
           cookie: {}
         });
+        // Env overrides config, per Apostrophe convention.
+        sessionOptions.secret = process.env.APOS_SESSION_SECRET || sessionOptions.secret;
         _.defaults(sessionOptions.cookie, {
           path: '/',
           httpOnly: true,

package/modules/@apostrophecms/file/index.js

@@ -248,14 +248,15 @@ module.exports = {
             const uglyUrl = self.apos.attachment.url(file.attachment, {
               prettyUrl: false
             });
-            // For relative URLs (local uploadfs, not CDN), resolve
-            // against the current server's origin so the proxy can
-            // make the self-request.  During static builds
-            // `attachment.url()` may return only a path.
-            const proxyUrl = uglyUrl.startsWith('/')
-              ? `${req.protocol}://${req.get('host')}${uglyUrl}`
-              : uglyUrl;
-            return await streamProxy(req, proxyUrl, { error: self.apos.util.error });
+            // `uglyUrl` may be relative (local uploadfs) or absolute
+            // (S3/CDN). For the relative case `streamProxy` resolves it
+            // against `req.baseUrl`, which reflects the configured
+            // `baseUrl` (or locale hostname) and only falls back to the
+            // request host when the site has none. We deliberately do
+            // not build the upstream URL from the raw `Host` header
+            // here, as that is attacker-controlled and would allow the
+            // self-request to be redirected to an arbitrary host (SSRF).
+            return await streamProxy(req, uglyUrl, { error: self.apos.util.error });
           } catch (e) {
             self.apos.util.error('Error in pretty URL route:', e);
             return res.status(500).send('error');

package/modules/@apostrophecms/http/index.js

@@ -2,7 +2,7 @@ const _ = require('lodash');
 const qs = require('qs');
 const fetch = require('node-fetch');
 const tough = require('tough-cookie');
-const escapeHost = require('../../../lib/escape-host');
+const escapeHost = require('../../../lib/escape-host.js');
 const util = require('util');
 
 module.exports = {

package/modules/@apostrophecms/i18n/i18n/en.json

@@ -205,6 +205,7 @@
   "editImageRelationshipTitle": "Adjust Image",
   "editRelationship": "Edit Relationship",
   "editRelationshipFor": "Edit Relationship for {{ title }}",
+  "editSubform": "Edit {{ label }}",
   "editType": "Edit {{ type }}",
   "editWidget": "Edit Widget",
   "editWidgetForeignTooltip": "Click to edit this content in its natural context",
@@ -569,6 +570,7 @@
   "richTextHighlight": "Mark",
   "richTextHorizontalRule": "Horizontal Rule",
   "richTextHorizontalRuleDescription": "Add a horizontal separator",
+  "richTextEditor": "Rich text editor",
   "richTextInsertMenuHeading": "Insert element...",
   "richTextItalic": "Italic",
   "richTextLink": "Link",
@@ -632,6 +634,7 @@
   "slugInUse": "Slug already in use",
   "someoneElseTookControl": "{{ who }} took control of this document in another tab or window. A document can only be edited in one place at a time.",
   "splitCell": "Split Cell",
+  "status": "Status",
   "style": "Style",
   "styleAlignment": "Alignment",
   "styleBackground": "Background",

package/modules/@apostrophecms/image/ui/apos/components/AposMediaManagerEditor.vue

@@ -14,7 +14,7 @@
           v-if="activeMedia.attachment && activeMedia.attachment._urls"
           class="apos-media-editor__thumb"
           :src="activeMedia.attachment._urls[restoreOnly ? 'one-sixth' : 'one-third']"
-          :alt="activeMedia.description"
+          :alt="activeMedia.description || ''"
         >
       </div>
       <ul class="apos-media-editor__details">
@@ -484,7 +484,7 @@ export default {
 
     & {
       line-height: var(--a-line-tallest);
-      color: var(--a-base-4);
+      color: var(--a-base-2);
     }
   }
 

package/modules/@apostrophecms/image/ui/apos/components/AposMediaUploader.vue

@@ -252,6 +252,9 @@ export default {
     @include apos-transition();
 
     & {
+      // Contain the visually hidden (`.apos-sr-only`, position: absolute)
+      // file input so focusing it does not scroll a distant ancestor.
+      position: relative;
       display: flex;
       box-sizing: border-box;
       align-items: center;