# 4.11.0 (unreleased) ## Overview - [Regression test and Security audit](#audit) - [Dropping support for PHP 7.3](#phpeol) - [Features and enhancements](#features-and-enhancements) - [Upload and use WebP images in the CMS](#webp) - [Preview any DataObject in any admin section](#cms-preview) - [Meta generator tag now shows framework version number](#meta-tag-version) - [Allow-plugins configuration option in Composer versions 2.2.0 and up](#composer) - [Users will recieve an email if their password is changed](#change-password-email) - [Other features](#other-features) - [Bugfixes](#bugfixes) - [Dependency and internal API changes](#dependency-internal-api-changes) ## Regression test and Security audit{#audit} This release has been comprehensively regression tested and passed to a third party for a security-focused audit. While it is still advised that you perform your own due diligence when upgrading your project, this work is performed to ensure a safe and secure upgrade with each recipe release. ## Dropping support for PHP 7.3{#phpeol} In accordance with our [PHP support policy](/Getting_Started/Server_Requirements), Silverstripe CMS Recipe release 4.11.0 drops support for PHP 7.3. We expect to drop support for PHP 7 altogether around January 2023. ## Features and enhancements {#features-and-enhancements} ### Upload and use WebP images {#webp} WebP is an alternative image format for displaying picture on websites. It provides generally better results in most use cases to JPEG and PNG. Read [An image format for the Web](https://developers.google.com/speed/webp) for more information about WebP. WebP has wide – but not universal – support across web browsers. Internet Explorer is the main browser that does not support WebP at this stage. Read [Can I use WebP?](https://caniuse.com/webp) to see which browsers can render WebP images. Until now, Silverstripe CMS would default to blocking content authors from uploading WebP images. Given that [Internet Explorer will be end-of-life in June 2022](https://blogs.windows.com/windowsexperience/2021/05/19/the-future-of-internet-explorer-on-windows-10-is-in-microsoft-edge/) and that its market share are now under 1% according to most surveys, we decided the time had come to enable WebP by default in the CMS. Once your project is upgraded to Silverstripe Recipe CMS 4.11, your content authors will automatically be able to upload WebP images and add them to web pages. We recommend you have a conversation with your users about the pros and cons of WebP so they can make an informed decisions about when to use this image format. If your website still caters to a significant number of visitors with browsers that do not support WebP, you can disable WebP image upload by adding this snippet to your YML config: ```yml --- Name: myproject-assetsfiletypes After: '#assetsfiletypes' --- SilverStripe\Assets\File: allowed_extensions: webp: false ``` Read [Allowed file types](/Developer_Guides/Files/Allowed_file_types) in the Silverstripe CMS documentation for more information on how to enable or disable new image file formats. ### Preview any DataObject in any admin section {#cms-preview} The CMS preview panel has historically been available for `Versioned` `DataObject`s in the Pages admin section. This has now been expanded to allow any `DataObject` (regardless of whether it uses the`Versioned` extension) to be previewed in any section of the CMS. This can be used to allow content authors to see the content they are creating in the context it will be presented to users. Example use cases include previewing `DataObject`s which belong to a page (e.g. the [dnadesign/silverstripe-elemental module](https://github.com/silverstripe/silverstripe-elemental) allows previewing elemental blocks which are not inline-editable), and previewing `DataObject`s in a custom admin section, such as templates for emails or system-generated PDF documents. The [Preview Documentation](https://docs.silverstripe.org/en/4/developer_guides/customising_the_admin_interface/preview/) has been updated with code examples which show how to enable CMS preview on `DataObject`s in a couple of different scenarios. ### Meta generator tag now shows framework version number {#meta-tag-version} The meta generator tag, which can be seen in the meta tags when you view source on a regular page, now includes the framework version truncated to show just the major and minor version, e.g. 4.11. This version number will provide aggregate installation numbers to the product team who maintain Silverstripe CMS which will be used to make informed product decisions. If you dislike this behaviour, the entire meta generator tag can be disabled via: ```yml SilverStripe\CMS\Model\SiteTree: meta_generator: '' ``` The version portion of the metagenerator tag can be disabled via: ```yml SilverStripe\CMS\Model\SiteTree: show_meta_generator_version: false ``` ### Allow-plugins configuration option in Composer versions 2.2.0 and up {#composer} - As of Composer 2.2.0, the [allow-plugins](https://getcomposer.org/doc/06-config.md#allow-plugins) option adds a layer of security. Developers will be prompted to allow plugins when running `composer install` for the first time on existing projects, or for any new projects not using `silverstripe/installer` or `silverstripe/recipe-kitchen-sink`. - The plugins needed for all silverstripe projects are: `composer/installers` `silverstripe/recipe-plugin` `silverstripe/vendor-plugin` New installations using `silverstripe/silverstripe-installer` and `silverstripe/recipe-kitchen-sink` from 4.11 onwards will have the above plugins added to the `allowed-plugins` configuration by default. - From July 2022 composer will no longer prompt to allow plugins when running `composer install`. This won't affect new installs using silverstripe/installer or silverstripe-recipe-kitchen-sink, but will affect other new projects, and existing projects where `allowed-plugins` hasn't yet been defined. In those cases developers will need to declare the allowed plugins manually in the project's `composer.json` file. ### Users will recieve an email if their password is changed {#change-password-email} The `SilverStripe\Security\Member.notify_password_change` configuration has been set to `true` by default - it used to be `false`. This means when a user changes their password on a project in "live" mode, they will recieve an email alerting them that their password was changed. The email includes a link to change their password again, so that users can recover their account in the event that someone else changed their password without their knowledge. This change was made to improve the default security of your projects, but if you do not want this behaviour you can disable it by setting the configuration to false: ```yml SilverStripe\Security\Member: notify_password_change: false ``` The email content can also be changed by overriding the `SilverStripe\Control\Email\ChangePasswordEmail` template. Note that this configuration is already enabled by default in the `cwp/cwp-core` module. Projects which have that as a dependency won't experience any change in behaviour. ### Other new features {#other-features} - A new [AbstractGridFieldComponent](https://api.silverstripe.org/4/SilverStripe/Forms/GridField/AbstractGridFieldComponent.html) class has been added to make it easier to globally add fundamental functionality to `GridFieldComponent`s. All classes packaged with the Silverstripe framework which implement the `GridFieldComponent` interface are subclasses of the new abstract class, making them all `Injectable`. Maintainers of third-party packages which include classes that implement `GridFieldComponent` are encouraged to subclass the `AbstractGridFieldComponent` abstract class. - New options have been added to the [dnadesign/silverstripe-elemental module](https://github.com/silverstripe/silverstripe-elemental) to control what content is indexed for searching elemental blocks. see [the documentation](https://github.com/silverstripe/silverstripe-elemental/blob/4/docs/en/searching-blocks.md) for details. ## Bugfixes {#bugfixes} This release includes a number of bug fixes to improve a broad range of areas. Check the change logs for full details of these fixes split by module. Thank you to the community members that helped contribute these fixes as part of the release! ## Dependency and internal API changes {#dependency-internal-api-changes} - If `guzzlehttp/guzzle` is required, it must now be at least `7.3.0`. This was done to ensure that v2 of `guzzlehttp/psr7` is installed, which is used by `embed/embed` v4 - `embed/embed` has been upgraded from v3 to v4. The internal implementation of the internal `Embeddable` interface has been changed from `EmbedResource` to `EmbedContainer` - `embed/embed` has been configured to use a guzzle client instead of the default curl client so that a proxy configuration value can be set if required