
Strapi Release: 3.2.5

Tag Name: v3.2.5

Release Date: 10/22/2020


Open-source headless CMS built with Node.js. Provides developers with complete freedom in choosing their favorite tools and frameworks for frontend development.

TL;DR

Strapi v3.2.5 is a security-focused patch release for the admin panel: it fixes an XSS vulnerability in the WYSIWYG editor preview, adds permission checks to the Content-Type Builder routes and temporarily removes an insecure proxy from the Upload plugin. It also fixes regressions in the Draft & Publish feature, adds a telemetry event for role permission updates and officially confirms Node.js 14 support. All Strapi users should upgrade to keep their installations secure and stable.

Highlight of the Release

    • Security fixes for XSS vulnerabilities in the WYSIWYG editor preview
    • Added permissions to Content-Type Builder routes for improved security
    • Fixed Draft & Publish feature regressions and deep filtering issues
    • Official support for Node.js 14 confirmed
    • Added telemetry event for role permission updates

Migration Guide

No specific migration steps are required for this release. This is a patch release that focuses on security fixes and bug fixes.

For users experiencing issues with the Draft & Publish feature, upgrading to this version should resolve those problems without requiring manual intervention.

For comprehensive migration guides covering major version changes, please refer to the official Strapi migration documentation.

Upgrade Recommendations

This release contains important security fixes that address vulnerabilities in the admin panel. All Strapi users are strongly recommended to upgrade to v3.2.5 as soon as possible, especially if you're using the Draft & Publish feature or the WYSIWYG editor.

Strapi v3 requires every Strapi package in a project (strapi, strapi-admin, strapi-utils and each strapi-plugin-* package listed in package.json) to be on the same version, so upgrade them together. With npm:

npm install strapi@3.2.5 strapi-admin@3.2.5 strapi-utils@3.2.5 <each strapi-plugin-* package in your package.json>@3.2.5

Or if using Yarn:

yarn upgrade strapi@3.2.5 strapi-admin@3.2.5 strapi-utils@3.2.5 <each strapi-plugin-* package in your package.json>@3.2.5

A default v3 project ships with strapi-plugin-content-manager, strapi-plugin-content-type-builder, strapi-plugin-email, strapi-plugin-upload and strapi-plugin-users-permissions; add any further plugins and any strapi-connector-* or strapi-provider-* packages you have installed, and check afterwards that no strapi* package is left on the old version.

After upgrading, rebuild the admin panel (npm run build, or let strapi develop rebuild it) and restart your Strapi application.
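A partial upgrade, in which some strapi* packages move to 3.2.5 while others stay behind, is the most common way this kind of patch release goes wrong. The following script is an added example (not Strapi's own tooling) that reads a package.json, reports every Strapi package not pinned to the target version and prints the install command for the stragglers. The package.json embedded in it is a constructed sample, not a real project.

```javascript
// Added example (not Strapi's own code): check that every Strapi package in a
// project's package.json is pinned to the same release, and emit the install
// command for the stragglers. Strapi v3 expects strapi, strapi-admin,
// strapi-utils and all strapi-plugin-*/strapi-connector-*/strapi-provider-*
// packages to share one version; a partial upgrade is a common cause of a
// broken admin panel after a release like 3.2.5.

// Matches "strapi" and any hyphenated strapi-* package name.
const STRAPI_PKG = /^strapi(-[a-z0-9-]+)?$/;

// Strip semver range prefixes so "^3.2.4" and "3.2.4" compare equal.
function normalize(range) {
  return String(range).replace(/^[\^~=v]+/, "");
}

// Returns { pinned, mismatched } for a parsed package.json and a target version.
function checkStrapiVersions(pkg, expected) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const pinned = [];
  const mismatched = [];
  for (const [name, range] of Object.entries(deps)) {
    if (!STRAPI_PKG.test(name)) continue; // ignore non-Strapi dependencies
    if (normalize(range) === expected) pinned.push(name);
    else mismatched.push({ name, found: range, expected });
  }
  return { pinned, mismatched };
}

// Build the one-shot upgrade command for everything that is out of step.
function upgradeCommand(mismatched, expected, tool = "npm") {
  if (mismatched.length === 0) return null;
  const specs = mismatched.map(m => `${m.name}@${expected}`).join(" ");
  return tool === "yarn" ? `yarn upgrade ${specs}` : `npm install ${specs}`;
}

// Constructed sample package.json of a project half-way through an upgrade
// (not taken from any real project).
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    strapi: "3.2.4",
    "strapi-admin": "3.2.4",
    "strapi-utils": "3.2.5",
    "strapi-plugin-content-type-builder": "^3.2.4",
    "strapi-plugin-upload": "3.2.5",
    "strapi-connector-bookshelf": "3.2.4",
    knex: "0.21.1", // unrelated dependency, must be ignored
  },
};

// CLI use: node check-strapi-versions.js ./package.json 3.2.5
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const fs = require("fs");
  const target = process.argv[3] || "3.2.5";
  const pkg = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
  const { pinned, mismatched } = checkStrapiVersions(pkg, target);
  console.log(`${pinned.length} package(s) already at ${target}`);
  for (const m of mismatched) console.log(`  ${m.name}: ${m.found} -> ${target}`);
  const cmd = upgradeCommand(mismatched, target);
  if (cmd) console.log(`\nRun:\n  ${cmd}`);
  process.exitCode = mismatched.length ? 1 : 0;
}
```

Run it before and after the upgrade; a non-zero exit code means at least one strapi* package is still on a different version. The regex deliberately matches any strapi-* name rather than a fixed list, so connectors and providers installed later are checked too.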

Bug Fixes

Draft & Publish Fixes

  • Fixed critical regressions in the Draft & Publish feature:
    • Now rebuilds tables if they were deleted in the database
    • Runs creation/update of the database even if the model hasn't changed
    • Fixed deep filtering functionality with Draft & Publish
    • Fixed buildQuery for polymorphic relations

Dependency Issues

  • Fixed Immer dependency issue (#8413) that was causing problems in the admin panel

Package Updates

  • Bumped @babel/polyfill from 7.11.5 to 7.12.1
  • Bumped eslint-plugin-node from 11.0.0 to 11.1.0

New Features

New Telemetry Event

  • Added a didUpdateRolePermissions telemetry event, emitted when an admin role's permissions are updated, to give the Strapi team insight into how permissions are used and modified. As with the rest of Strapi's telemetry, it is not sent by projects that have telemetry disabled (the telemetryDisabled flag in the strapi section of package.json).

Node.js 14 Support

  • Officially confirmed support for Node.js 14, removing previous documentation warnings that indicated it wasn't supported.

Security Updates

Admin Panel Security Enhancements

  • Added the missing permission checks to the Content-Type Builder routes, so they can no longer be called by admin users who lack the corresponding permission
  • Fixed an XSS (Cross-Site Scripting) vulnerability in the WYSIWYG editor preview
  • Temporarily removed the use of an insecure proxy in the Upload plugin until a secure replacement is implemented

These security issues were only exploitable by users with admin panel access and the appropriate permissions. Special thanks to Tomáš Melicher and Lukáš Václavík for discovering these vulnerabilities and helping improve Strapi's security.
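The Content-Type Builder fix is an instance of a general pattern: an admin route that mutates schema must sit behind an authentication policy and a permission policy, and a route whose policy list is empty is reachable by any admin-panel user. The example below is added here and is not Strapi's code; it models that pattern as a Koa-style middleware chain with a synchronous stand-in for Koa's composer, and adds an audit function that lists routes with no policies. The route paths, the permission action strings and the user objects are illustrative assumptions, not Strapi's real identifiers.

```javascript
// Added example (not Strapi's own code): the class of fix behind "added proper
// permissions to Content-Type Builder routes", modelled as a Koa-style policy
// chain in front of an admin route. Route paths, permission action strings and
// user objects are illustrative, not Strapi's real identifiers.

// Policy 1: the request must come from an authenticated admin user (else 401).
function isAuthenticatedAdmin(ctx, next) {
  if (!ctx.state.user) {
    ctx.status = 401;
    ctx.body = { error: "Unauthorized" };
    return; // stop the chain: the handler never runs
  }
  next();
}

// Policy 2: the user must hold every listed action (else 403, naming the gaps).
function hasPermissions(required) {
  return (ctx, next) => {
    const granted = new Set((ctx.state.user.permissions || []).map(p => p.action));
    const missing = required.filter(action => !granted.has(action));
    if (missing.length > 0) {
      ctx.status = 403;
      ctx.body = { error: "Forbidden", missing };
      return;
    }
    next();
  };
}

// Synchronous stand-in for Koa's middleware composer (Koa's own is async).
function compose(chain) {
  return ctx => {
    const run = i => {
      const fn = chain[i];
      if (fn) fn(ctx, () => run(i + 1));
    };
    run(0);
  };
}

// Route table. The GET route is left unguarded on purpose to represent the
// pre-fix state; the POST route shows the guarded form.
const ROUTES = {
  "GET /content-type-builder/content-types": {
    policies: [],
    handler: ctx => { ctx.status = 200; ctx.body = { contentTypes: [] }; },
  },
  "POST /content-type-builder/content-types": {
    policies: [isAuthenticatedAdmin, hasPermissions(["plugins::content-type-builder.read"])],
    handler: ctx => { ctx.status = 201; ctx.body = { created: true }; },
  },
};

// Dispatch one request through policies then handler; returns the final ctx.
function handle(route, user) {
  const ctx = { state: { user }, status: 404, body: null };
  const entry = ROUTES[route];
  if (entry) compose([...entry.policies, entry.handler])(ctx);
  return ctx;
}

// Audit check: any route with an empty policy list is reachable by anyone who
// can reach the admin API, which is the gap this release closed.
function unguardedRoutes(routes) {
  return Object.entries(routes)
    .filter(([, r]) => r.policies.length === 0)
    .map(([name]) => name);
}

// Constructed users (not real accounts).
const ANONYMOUS = null;
const CONTENT_EDITOR = { id: 2, permissions: [{ action: "plugins::content-manager.explorer.read" }] };
const SCHEMA_ADMIN = { id: 1, permissions: [{ action: "plugins::content-type-builder.read" }] };

if (typeof require !== "undefined" && require.main === module) {
  const route = "POST /content-type-builder/content-types";
  const cases = [["anonymous", ANONYMOUS], ["content editor", CONTENT_EDITOR], ["schema admin", SCHEMA_ADMIN]];
  for (const [label, user] of cases) {
    const ctx = handle(route, user);
    console.log(`${label.padEnd(14)} -> ${ctx.status} ${JSON.stringify(ctx.body)}`);
  }
  console.log("unguarded routes:", unguardedRoutes(ROUTES));
}
```

The 403 response lists the missing actions only because the caller is already an authenticated admin; for an unauthenticated caller the 401 deliberately says nothing about which permissions exist. The unguardedRoutes check is the piece worth carrying into a test suite: asserting that it returns an empty list for your real route table catches the next route that is added without a policy.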

Performance Improvements

No specific performance improvements were mentioned in this release. The focus was primarily on security fixes and bug fixes for the Draft & Publish feature.

Impact Summary

Strapi v3.2.5 is primarily a security-focused release that addresses several issues in the admin panel: an XSS vulnerability in the WYSIWYG editor preview, missing permission checks on the Content-Type Builder routes and an insecure proxy in the Upload plugin. All of them required an authenticated admin-panel user, which limits exposure but does not remove it: Strapi installations routinely have several admin users with differing roles, and these fixes keep that separation of privilege intact.

The release also resolves significant issues with the Draft & Publish feature, fixing regressions that could affect content management workflows. Deep filtering with Draft & Publish has been improved, ensuring more reliable content queries.

For developers, the official confirmation of Node.js 14 support provides more flexibility in development environments. The addition of the didUpdateRolePermissions telemetry event will help the Strapi team better understand how permissions are being used and modified.

Overall, this release enhances security, stability, and reliability without introducing breaking changes, making it a recommended upgrade for all Strapi users.

Full Release Notes

🚨 Security

These security issues are only exploitable by a user with admin panel access and the right permissions.

Big shoutouts 🔥 to Tomáš Melicher and Lukáš Václavík for finding these issues and helping us make Strapi better!

🐛 Bug fix

💅 Enhancement

  • [admin] add didUpdateRolePermissions event (#8333) @petersg83
  • [documentation] Adapt README.md because NodeJS 14 is supported now (#8417) @bykof

📚 Migration guides can be found here 📚

Statistics:

  • Files changed: 73
  • Line additions: 1,021
  • Line deletions: 656
  • Line changes: 1,677
  • Total commits: 36

Users affected:

  • Enhanced security with improved permissions on Content-Type Builder routes
  • Protected from XSS vulnerabilities in the WYSIWYG editor preview
  • Better telemetry with new didUpdateRolePermissions event

Contributors:

lauriejim, meganelacheny, albatrocity, derrickmehaffy, alexandrebodin, petersg83, Convly, bykof, dependabot[bot], soupette