Releases: BookStackApp/BookStack

BookStack v24.02.1

10 Mar 18:47
v24.02.1
425baf9

Full List of Changes

This release contains the following fixes and changes:

  • Updated translations with latest Crowdin changes. (#4877)
  • Updated breadcrumb book & shelf lists to be name-ordered. (#4876)
  • Updated MFA inputs to avoid auto-complete. Thanks to @ImMattic. (#4849)
  • Fixed non-breaking spaces causing combined words in page navigation. (#4836)
  • Fixed page navigation click not jumping to headers in nested collapsible blocks. (#4878)

BookStack v24.02

28 Feb 13:39
v24.02
825c369

Upgrade Notices

  • Security - The v23.12 branch of BookStack recently had a security release, which you can find details of in our v23.12.3 blogpost.
  • Comments - The ability to use markdown content in comments has been removed in this release, replaced by a WYSIWYG editor. Markdown in comments was a fairly hidden feature, so it was not commonly utilised. Existing markdown comments will remain, although formatting may be lost if old markdown comments are edited.
  • Commands - The "Regenerate Comment Content" command has been removed in this release since this action is now redundant.
  • OIDC Authentication - Proof Key for Code Exchange (PKCE) support has been added to BookStack OIDC authentication. This should not affect existing OIDC use, but for extra security you may want to configure your authentication system, if it supports this, to require PKCE for BookStack.

Full List of Changes

  • Added simple WYSIWYG comment editor inputs. (#4815, #3018)
  • Added default page templates for chapters. Thanks to @Man-in-Black. (#4750, #4764)
  • Added PKCE support for OIDC. (#4804, #4734)
  • Added "Clear table formatting" & "Resize to contents" WYSIWYG table options. (#4845)
  • Added "Toggle header row" button to table toolbar in WYSIWYG editor. (#985)
  • Added attachment serving range request support. (#4758, #3274)
  • Added new AUTH_PRE_REGISTER logical theme event. (#4833)
  • Updated app entity loading to be more efficient and avoid global addSelects. (#4827, #4823)
  • Updated book/shelf cover image wording to make sizing in usage clearer. (#4748)
  • Updated PWA manifest to allow landscape use. Thanks to @shashinma. (#4828)
  • Updated redirect handling to reduce chance of redirecting to images. (#4863)
  • Updated some EN text for consistency/readability. (#4794)
  • Updated WYSIWYG editor with improved cell selection formatting clearing. (#4850)
  • Updated WYSIWYG text direction & alignment controls to work more reliably on complex structures. (#4843)
  • Fixed breadcrumb dropdowns being partially out of view on mobile screen sizes. (#4824)
  • Fixed description WYSIWYG not respecting RTL text. (#4810)
  • Fixed header bar collapse on smaller screen sizes when no name or logo is used. (#4841)
  • Fixed incorrect pagination display in RTL layout. (#4808)
  • Fixed JavaScript error logged on WYSIWYG editor load due to how custom styles were imported. (#4814)
  • Fixed scrollbars showing on WYSIWYG table cell range selection in some browsers. (#4844)
  • Fixed WYSIWYG code block text direction controls not being respected. (#4809)

BookStack v23.12.3

26 Feb 12:09
v23.12.3
350e0b2

Security Release

BookStack v23.12.3 has been released.
This is a security release that addresses a vulnerability in PDF generation that could be exploited to perform blind server-side request forgery.

Upgrade is advised where untrusted users have permission to create/edit/update page content in your instance.

Full List of Changes

  • Updated PHP dependencies, primarily to update php-svg-lib package.

BookStack v23.12.2

24 Jan 10:45
v23.12.2
9441e32

Full List of Changes

This release contains the following fixes and changes:

  • Fixed attachment list ctrl-click not opening attachments inline. (#4782)
  • Updated translations with latest Crowdin changes. (#4779)
  • Fixed entity selector popup pre-fill not searching term as expected. (#4778)

BookStack v23.12.1

16 Jan 12:27
v23.12.1
369e499

Full List of Changes

This release contains the following fixes and changes:

  • Fixed chapter API missing expected "book_slug" field. (#4765)
  • Updated translations with latest Crowdin changes. (#4747)

BookStack v23.12

29 Dec 12:20
v23.12
457adc1

Upgrade Notices

  • Page Includes - The way page include content is fetched & merged has changed significantly in this release, which in some cases may alter how included content appears on the page.

Full List of Changes

  • Added simple WYSIWYG for description fields. (#4729, #2354, #2203)
  • Added default template option for books. Thanks to @lennertdaniels. (#4721, #3918, #1803)
  • Added OIDC RP-initiated logout. Thanks to @joancyho. (#4714, #4467, #3715)
  • Added new Logical Theme System event to register web routes. (#4663)
  • Updated email notifications to include the page parent chapter/book. Thanks to @Man-in-Black. (#4629)
  • Updated and standardised DOM handling in the codebase. (#4673)
  • Updated back redirection handling to not rely on referrer headers. (#4656)
  • Updated book/chapter/shelf description character limit. (#4085)
  • Updated design of buttons to be a bit friendlier. (#4728)
  • Updated HTML exporting with better RTL handling. (#4645)
  • Updated include tag handling to be structure/DOM aware. (#4688)
  • Updated SAML2 dump debug option to include group parsing details. (#4706)
  • Updated translations with latest Crowdin changes. (#4658)
  • Updated WYSIWYG editor to allow video/embed alignment controls. (#4727, #3378)
  • Updated WYSIWYG library TinyMCE from 6.5.1 to 6.7.2. (#4661)
  • Fixed extra paragraphs & invalid syntax when using page includes. (#3385)
  • Fixed lack of user invite via the API in certain cases. (#4720)
  • Fixed page includes leading to duplicate IDs. (#3982)
  • Fixed permission generation failure with large amounts of content. (#4695)
  • Fixed PHP mbstring deprecation warnings. (#4638)
  • Fixed SAML2 Single Logout (SLO) not invalidating session at point defined by the spec. (#4713)

BookStack v23.10.4

20 Nov 14:22
v23.10.4
5d08f7c

This was simply a follow-up of v23.10.3 to fix the app version number.
Please refer to the v23.10.3 security release for details if updating from an earlier version.

BookStack v23.10.3

20 Nov 14:16
v23.10.3

Security Release

This is a security release that addresses a vulnerability in image handling which could be exploited to perform server-side requests or read the contents of files on the server system.
Additionally, this update addresses a lack of permission check in some image creation actions.

Upgrade is strongly advised where untrusted users have permission to create/edit/update page content in your instance.

Thanks to Carlos Bello from the Fluid Attacks Research Team for discovering and reporting this vulnerability.

Full List of Changes

  • Updated thumbnail handling to force use of content as image data. (#4681)

BookStack v23.10.2

07 Nov 15:25
v23.10.2
d8383cf

Full List of Changes

This release contains the following fixes and changes:

  • Fixed incorrect audit log dropdown behaviour. (#4652)
  • Fixed redirects to the manifest endpoint in some environments. (#4649)
  • Updated translations with latest Crowdin changes. (#4643)

BookStack v23.10.1

02 Nov 14:51
v23.10.1
c61af9c

Full List of Changes

This release contains the following fixes and changes:

  • Added "Norwegian Nynorsk" to user language options.
  • Added JavaScript public event for customizing codemirror instances. (#4639)
  • Added handling to allow jumping to headers/sections within collapsible sections. (#4637)
  • Added PHP 8.3 support. (#4633)
  • Updated translations with latest Crowdin changes. (#4631)
  • Fixed header bar peeking through on markdown editor fullscreen mode. (#4641)
  • Fixed incorrect color usage for editor toolbox active tabs. (#4630)