April 2025 Releases

A class property that content in safe edit depended on was removed in the CMS/6.61.0 release. This removed property caused a fatal error on affected assets. This hotfix release re-adds the property. Additionally, a bypass has been added when unknown properties are found in safe editing data. Customers no longer experience fatal errors when affected assets attempt to access a non-existent property.

Several dependencies have been upgraded in Squiz Data Services to address security issues, ensuring a safer and more reliable system.

A minor improvement was made to components that reference page assets to respect the Matrix context when used in a content page or standard page assets.

Component Service often fetched content from Squiz Content Management but did not use the Matrix context. When a component is used on a page that handles context, any content fetched from Squiz Content Management should respect the context.

When a user selected an image within a component, but then purged that asset from Squiz Content Management completely, the page preview could not load.

Error handling and reporting were added through an error placeholder element to ensure pages will still load under these circumstances.

When removing personalization or A/B testing from a content block, blocks could end up in a "Hidden (Empty)" state in the page outline. Standalone hidden blocks could affect the Preview panel by incorrectly showing duplicated content and missing overlays.

If the default variant of a block is hidden (empty) and all other variants are removed, then that hidden (empty) block is now entirely deleted from the page outline. Standalone hidden (empty) blocks no longer appear in page outline views, and overlays and content appear correctly when personalization or A/B testing is removed.

Due to the unavailability of V8 memory and time limits, complex JavaScript executions caused entire Squiz Content Management instances to run out of memory (OOM). This OOM failure cascaded down the technology stack to the infrastructure hosting the instance.

V8 JavaScript memory and time limits were added in this release and are configurable through the System Configuration area in Squiz Content Management. With this change, server side JavaScript executes within the limits of V8 JavaScript. V8 throws an exception if it reaches the limits instead of taking down the instance.

A string was passed to a method that expected an int|float value. When upgraded to php81, a fatal error would occur when attempting to edit JSON web token assets.

The type is now set to int, and a safe default has been implemented if invalid values are unintentionally passed to the method. Users on an instance with php81 will no longer see a fatal error on the JSON Web Token asset when attempting to edit its settings.

The ^as_asset keyword modifier previously did an additional query to the DB to check that each asset existed before loading it.

The ^as_asset keyword modifier was improved to remove the query, which makes the keyword modifier return results faster.

A non-countable typed value was being passed to a method that required a countable type (for example, an array) Systems on php81 would encounter a fatal error in this scenario.

The value’s type is now correctly checked and handled before attempting to count it. The selection limit rule for select input types on custom forms will no longer fatal error in this way.

The message previously would show the time to expire, which could be confusing if the user with locks refreshed their locks (resetting the lock wait time in the message)

The message has removed the expiry time to make the message simpler and less confusing for users.

Simple edit users (content editor users) authenticated externally could not edit links to their user assets. Triggers that physically link the user to user groups were blocked when running as a simple edit user (content editor).

A bypass of the check for editing the links to the active user was put in place for triggers with Ignore permissions selected, which fixes the originally discovered issue.

A type array variable was being passed to a function that only accepts a string type value.

Passing ?a= query parameters with an array value was causing fatal errors.

The value is now checked to be of the correct type before calling the function in question. Passing ?a= query parameters with an array value will no longer cause fatal errors.

The components with the inline editable region were not fully accountable for any hidden inline editable regions. The hidden inline editable regions appeared unexpectedly while the Content screen was scrolled.

An element visibility check was added to ensure the hidden inline editable regions are not visible. The components with inline editable regions like tabs and accordions can be edited inline with the correct overlays and regions behaving as they should on the Content page.

When adding an image using Viper or the formatted text editor (FTE), the default behavior sets the width and height using the original image’s dimensions. However, image elements should use the variety’s width and height values for images with a derived variety. Because the image element defaulted to using the original image’s dimensions, images resized or optimized into different varieties were displayed with the wrong dimensions.

The fix involved updating the logic to correctly retrieve the width and height parameters from the content store. This change ensures that whenever an image variant is provided, its specific dimensions are used rather than falling back to those of the original file. Images now appear with the proper dimensions, maintaining the intended aspect ratio and layout within the text content in Viper and FTE.

The resource browser search was not pushing link assets to the search collection. As a result, users experienced incomplete search results within the resource browser.

The push logic in the search collection was updated to include link asset types.

After the update, the resource browser search correctly includes link assets and all other supported asset types. This change ensures that users can search for and retrieve link assets as required.

Previously, deleting a component would fail if the associated Content Schema could not be removed. Consequently, this meant that if a component had been used within a Content Page, its deletion would be unsuccessful.

Error handling during component deletion was improved to resolve this. As a result, components can now be deleted without error, even after they have been used in Content Pages.

The FormattedText type was expanded to include more content block types.

This increased complexity was not efficiently processed during saving and rendering, particularly with deeply nested content structures.

Components would then experience timeouts, and the service would crash due to high CPU usage.

The JSON Schema processing of FormattedText has been short-circuited to utilize more efficient handlers to address this.Components using FormattedText now have reduced response times and the service is stabilized.

Corrected a typo in the JSONata operator tips to ensure accurate guidance is provided to users during expression building.

Due to Snowflake restrictions, the authentication mechanism has been updated to OAuth 2.0.

This update introduces a breaking change, rendering it incompatible with versions 1.x.x, and necessitates the updating of existing credentials.

Enhancements include the implementation of a reusable client and connection for all actions and triggers.

Furthermore, the Node engine has been updated to version 20.x, Sailor to version 2.7.5, and the component-commons-library to version 3.2.2.

The Send Request Action now supports attachments, allowing users to upload images and files.

The Node engine has been updated to version 20.x. Additionally, Sailor has been updated to version 2.7.5, the component-commons-library to version 3.2.2, and Axios to version 1.8.4. Various development dependencies have also been updated.

The input metadata for the Lookup Objects Action has been corrected.

An issue that prevented data emission in Emit Individually mode for the Lookup Objects Action has been resolved.

The Sailor version has been updated to 2.7.5, and the component-commons-library version has been updated to 3.2.2.

Verifying credentials now functions correctly even when the API version is not explicitly included in the URL.

The Node.js engine has been updated to version 20.x. Additionally, Sailor has been updated to version 2.7.5, and the component-commons-library is now at version 3.2.2.

Missing or removed properties from a Rest Resource asset saved in safe mode caused pages that used the Rest Resource asset not to render and throw errors. Additional checks now verify if properties exist before assigning the property. This change ensures that pages dependent on Rest Resource assets render as intended.

Modernizing the Metadata screen to use React meant that assets on the frontend that use the Custom Edit Layout asset could not use the %metadata-F_metadata_values% keyword to show the entire Metadata value editing interface.

Using the %metadata-F_metadata_values% keyword in a Custom Edit Layout would result in a blank table. This bug did not affect keywords that printed individual sections or fields.

The implemented fix uses the "classic" metadata values editing output when not in the Admin UI. A similar switch is used to show the classic interface in the Contents screen (for example, while editing metadata found in Component Templates). Custom Edit Layouts subsequently print the expected metadata editing interface using the %metadata-F_metadata_values% keyword.

Missing system version metadata was causing a PHP fatal error due to an incorrect return type from a function. In most cases, pages would fail to render completely for public users.

The incorrect return type was fixed, and regression tests were added. Missing system version metadata now generates a warning and allows the page to continue rendering.

The Deja Vu internal object caching system would store the temporary properties of forms such as the current submission. Custom Form Pages would sometimes load with a submission in context, which led to different site users overwriting the same form submission.

The temporary variables of the forms are no longer written to Deja Vu.

Form state such as the current submission is only set when the request specifies it, and when the checks for access to that submission pass.

Multiple Availability Zones (AZ) are used in Squiz DXP to maximize availability for DXP Content Management instances. It was discovered that request times could be significantly degraded when a web node picked a database instance that caused traffic to flow between AZs.

Squiz Content Management now keeps track of latencies between database instances and uses the fastest instance for read queries. Using the fastest database instance allows most traffic to stay within the same AZ, providing optimized response times to the user.

The forward response header feature was case-sensitive, which could cause issues with HTTP header forwarding. Case-sensitive headers could cause potential issues if the forwarded header and the allowed header name do not match exactly.

The fix changes the forward response feature to be case-insensitive, as HTTP headers are case-insensitive by nature. Headers can now match based on their names and not the case.

In Squiz DXP, checking a newly uploaded file into the file versioning repository and back into the data directory for use involves read operations from different database instances. It was discovered that replication lag could cause the checkout to read from the previous version of the file versioning history, before the new version was written to the database.

The checkout operation now uses the read-write endpoint when uploading a new file, which is also used by the check-in process immediately before.

Occasionally, the search database powering Resource Browser Search would end up in a read-only state if too many updates were received. This condition prevented assets from being added to the database, which meant searching for assets could be inconsistent. New assets sometimes fail to appear in results.

The Resource Browser Search now self-recovers the search database if it is read-only, allowing assets to be added to the database records.