BookStack v22.06.2

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated translations with latest CrowdIn changes. (#3540, #3531)
• Fixed bug causing LDAP/SAML2 group mapping to fail if the "External Auth Ids" role field contained upper case characters. (#3535)
• Fixed differing behaviour, between select button and double-click, in the link selector popup. (#3534)

BookStack v22.06.1

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated entity-selector-popup to reset state upon successful selection. (#3528)
• Updated translations with latest CrowdIn changes. (#3526)
• Fixed non-translated settings category options. (#3529)
• Fixed issue where tags would not be saved upon book update. (#3527)
• Fixed long code in "Custom Head" setting breaking page layout. (#3523)

BookStack v22.06

Links

• Update instructions
• Update details on blog

Upgrade Notices

• SAML/LDAP Group Mapping - Within the "External Authentication Ids" field for a BookStack role, a backslash followed by a comma (\,) will now cause the comma to be treated as a literal comma within the mapping name, instead of acting as a value separator to define multiple mappings.

Full List of Changes

• Added ability to convert chapters to books, and books to shelves. (#3499, #1087)
• Added ability to auto-initiate login for SAML and OIDC auth users. Thanks to @rjmidau. (#3406, #3216, #2175)
• Added ability to use commas in the role "External Auth ID". (#3416, #3405)
• Added body-start/end templates as a convenience to theme system users. (#894)
• Added OCaml to the code editor language list and fixed highlighting type. (#3511)
• Added TypeScript to the code editor language list. (#3494)
• Added common audio types to our WebSafeMimeSniffer for non-download attachment usage. (#3485)
• Added LaTex to the code editor language list. (#3458)
• Updated the UI/design with a mass of fixes & improvements. (#3433)
• Updated WYSIWYG code editor interface. (#3512)
• Updated API docs to remove non-existant image_id field. (#3474)
• Updated logging system to not log StoppedAuthenticationException events. (#3468)
• Updated the markdown editor preview display to be patch-updated. (#3454)
• Updated export templates into smaller chunks for easier override. (#3443)
• Updated translations with latest Crowdin changes. (#3428)
• Fixed tag overview entity-counts showing incorrect values. (#3435)
• Fixed incorrectly placed debug script on default home page. (#3430)
• Fixed text after line-breaks not being indexed. (#3508)
• Fixed new WYSIWYG code snippets being shown as a single line. (#3507)

BookStack v22.04.2

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Added Persian to language list. (#3426)
• Updated API docs to detail rate-limit information. (#3423)
• Updated translations with latest Crowdin changes. (#3418)
• Fixed broken attachment downloads in environments where PHP output buffering is disabled. (#3415)
• Fixed LDAP_DUMP_* options throwing error when LDAP details contain binary data. (#3396)
• Updated PHP dependency versions.

BookStack v22.04.1

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed issue where a duplicate slash could occur in the URL leading to a 404 page. (#3404)
• Updated translations with latest changes from Crowdin. (#3402)

BookStack v22.04

Links

• Update instructions
• Update details on blog

Upgrade Notices

• Database Changes - This release makes some significant changes to data within the database which may cause the update to take a little longer than usual to run. Please give the update extra time to complete.
• REST API Page Create/Update Changes - Create & update page requests now have the potential to change the current editor type for that page, depending on the content type sent in the request, if the API user has permission to change the page editor.
• URL Handling - The way we handle URLs has changed this release to hopefully address some issues in specific scenarios. These changes have been tested and should not affect existing working environments but there's an increased risk this release for setups with more complex URL handling. Please raise an issue or jump into our Discord server if you have any issues with URLs after upgrading.

Full List of Changes

• Added ability to switch editor types on a per-page basis. (#3387, #458, #369)
• Added new recycle bin API endpoints. Thanks to @Julesdevops. (#3377, #3372)
• Added ability to pass diagrams.net configuration options. (#3391)
• Added Uzbek language option to allow translation, not yet active in the interface. (#3383)
• Updated translations with latest Crowdin updates. (#3384, #3358)
• Updated database polymorphic relations to simpler morphmap. (#3395)
• Updated file handling in many cases to stream data for better efficiency, reduce memory usage and avoid hitting limits. (#3365, #2886)
• Updated URL handling to be more stable in sub-path scenarios. (#3364, #2765, #2058)
• Updated content update handling to increment updated_at field, even if only tags are changed. (#3319)
• Fixed editor Portuguese translation duplication. Thanks to @evandroamaro. (#3373)
• Fixed API issue where tags would not be applied on API shelf update. (#3370)
• Fixed development build command lacking Windows/non-bash compatibility. (#3323)

BookStack v22.03.1

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed issue where /settings redirect would lead to wrong location in some scenarios. (#3356)
• Fixed non-active prevention of custom HTML head content on settings views. (#3355)
• Updated translations with latest Crowdin changes. (#3354)
• Updated project PHP dependencies.

BookStack v22.03

Links

• Update instructions
• Update details on blog

Upgrade Notices

• Webhook Data Changes - Properties found at the related_item -> created_by/updated_by/owned_by path of the webhook data will now be an object instead of an ID integer. If you were using these ids you'd now need to access them within the relevant objects. (For example related_item.created_by.id).

Full List of Changes

• Added support for checkbox tasklists in the WYSIWYG editor. (#3333, #4)
• Added WYSIWYG control to remove & edit links. (#3276, #3298)
• Added WYSIWYG Ctrl+Shift+K shortcut to show entity selector popup shortcut in WYSIWYG editor. (#3244, #3298)
• Added LDAP user group debugging option. (#3345)
• Added support for the Basque language. (#3296)
• Updated settings view with a re-organized layout for a less confusing user experience. (#3349, #3221)
• Updated code block rendering in WYSIWYG to help prevent scroll jumping upon undo/redo. (#3326)
• Updated translations with latest Crowdin updates. (#3320)
• Updated webhook data to include details of page/chapter/shelf/book creator/updater/owner. (#3279)
• Updated webhook data to include revision details on page_update and page_create events. (#3218)
• Fixed lack of translation support for some editor buttons. (#3342)
• Fixed incorrect page concatenation in book markdown export. (#3341)
• Fixed usage of <br> tags within code blocks instead of newlines when using the WYSIWYG editor. (#3327)
• Fixed image thumbnail generation not taking EXIF rotation data into account. (#1854)

BookStack v22.02.3

Security Release

• Update Instructions
• Update details on blog

This is a security release that adds better protections against embedded content that could be used in malicious ways. This effectively restricts embedded iframe content in an allow-list approach.

A new ALLOWED_IFRAME_SOURCES option has been added to provide configuration of allowed embed/iframe sources within BookStack pages, and this defaults to a couple of popular services such as YouTube and Vimeo.

Please see this link for more detail regarding this option:

• https://www.bookstackapp.com/docs/admin/security/#iframe-src-control
  • ("Iframe Source Control" section)

It's advised to upgrade as soon as possible if untrusted users can create or update pages within your BookStack instance.

Thanks to @416e6e61 (Anna) for discovering and reporting this vulnerability via huntr.dev.

Full List of Changes

• Added iframe allow-list control to prevent a range of malicious uses of untrusted iframe sources. (#3314)
• Updated translations with latest Crowdin changes. (#3312)

BookStack v22.02.2

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Added cache breaker to WYSIWYG onward loading to prevent plugin errors appearing if cached. (#3303)
• Updated translations with latest Crowdin changes. (#3301)
• Updated sidebar fade to be more subtle when in dark mode. (#3203)
• Fixed WYISWYG editor issue where blank lines would collapse. (#3302)