Merge branch '5.9' into 6.x

# Conflicts:
#	CHANGELOG-WIP.md
#	src/Config/GeneralConfig.php
#	src/Field/Number.php
#	src/Support/Html.php
#	src/User/Elements/User.php
#	src/base/CpEditable.php
#	src/config/app.php
#	src/i18n/Locale.php
#	src/models/Site.php
#	src/models/UserGroup.php
#	yii2-adapter/legacy/base/ElementInterface.php
#	yii2-adapter/legacy/base/NestedElementInterface.php
#	yii2-adapter/legacy/base/NestedElementTrait.php
#	yii2-adapter/legacy/config/twig-sandbox.php
#	yii2-adapter/legacy/elements/Address.php
#	yii2-adapter/legacy/elements/Asset.php
#	yii2-adapter/legacy/elements/Entry.php
#	yii2-adapter/legacy/services/Gql.php
#	yii2-adapter/legacy/services/Security.php
#	yii2-adapter/legacy/web/View.php
#	yii2-adapter/legacy/web/twig/AllowedInSandbox.php
#	yii2-adapter/tests/_craft/config/general.php

Author: riasvdv

CHANGELOG.md

@@ -15,8 +15,11 @@
 - Fixed a JavaScript error that could occur if two control panel animations were triggered simultaneously.
 - Fixed a bug where it wasn’t possible to copy/paste nested entries within Matrix fields set to the inline-editable blocks view mode, for unpublished owner elements. ([#18185](https://github.com/craftcms/cms/pull/18185))
 - Fixed a bug where custom fields’ checkboxes weren’t getting removed from field layouts’ “Card Attributes” lists when removed from the layout.
+- Fixed a bug where consecutive hyphens (`-`) within Link fields’ “Class Name” values were getting removed. ([#18201](https://github.com/craftcms/cms/issues/18201))
 - Fixed an SSRF vulnerability. (GHSA-96pq-hxpw-rgh8)
 - Fixed an XSS vulnerability. (GHSA-7pr4-wx9w-mqwr)
+- Fixed a SQL injection vulnerability. (GHSA-2453-mppf-46cj)
+- Fixed an XSS vulnerability. (GHSA-9f5h-mmq6-2x78)
 
 ## 5.8.21 - 2025-12-04
 

config/twig-sandbox.php

@@ -0,0 +1,136 @@
+<?php
+
+return [
+    'allowedTags' => [
+        'apply',
+        'autoescape',
+        'for',
+        'if',
+        'macro',
+        'set',
+        'switch',
+        'verbatim',
+    ],
+    'allowedFilters' => [
+        'abs',
+        'address',
+        'append',
+        'ascii',
+        'base64_encode',
+        'batch',
+        'boolean',
+        'camel',
+        'capitalize',
+        'column',
+        'contains',
+        'currency',
+        'date',
+        'date_modify',
+        'datetime',
+        'default',
+        'diff',
+        'duration',
+        'e',
+        'escape',
+        'filesize',
+        'filter',
+        'filter',
+        'filterByValue',
+        'find',
+        'first',
+        'float',
+        'format',
+        'group',
+        'id',
+        'index',
+        'indexOf',
+        'integer',
+        'intersect',
+        'invoke',
+        'join',
+        'kebab',
+        'keys',
+        'last',
+        'lcfirst',
+        'length',
+        'length',
+        'lower',
+        'map',
+        'map',
+        'markdown',
+        'md',
+        'merge',
+        'merge',
+        'money',
+        'multisort',
+        'nl2br',
+        'number',
+        'number_format',
+        'pascal',
+        'percentage',
+        'prepend',
+        'push',
+        'raw',
+        'reduce',
+        'reduce',
+        'replace',
+        'replace',
+        'reverse',
+        'round',
+        'shuffle',
+        'slice',
+        'sort',
+        'spaceless',
+        'split',
+        'string',
+        'striptags',
+        't',
+        'time',
+        'timestamp',
+        'title',
+        'translate',
+        'trim',
+        'truncate',
+        'ucfirst',
+        'ucwords',
+        'unique',
+        'unshift',
+        'upper',
+        'url_encode',
+        'values',
+        'where',
+        'widont',
+        'without',
+        'withoutKey',
+    ],
+    'allowedFunctions' => [
+        'attr',
+        'ceil',
+        'collect',
+        'combine',
+        'cpUrl',
+        'cycle',
+        'dataUrl',
+        'date',
+        'date',
+        'encodeUrl',
+        'floor',
+        'max',
+        'min',
+        'ol',
+        'random',
+        'range',
+        'raw',
+        'seq',
+        'shuffle',
+        'siteUrl',
+        'svg',
+        'tag',
+        'timezone_names',
+        'ul',
+        'url',
+        'uuid',
+    ],
+    'allowedMethods' => [],
+    'allowedProperties' => [],
+];

resources/templates/_components/fieldtypes/Number/input.twig

@@ -25,7 +25,7 @@
 <div class="flex">
     {% if hasPrefix %}
         <div aria-hidden="true">
-            {{ prefix|t('site')|md(inlineOnly=true)|raw }}
+            {{ prefix|t('site')|md(inlineOnly=true,encode=true)|raw }}
         </div>
     {% endif %}
     <div>
@@ -51,7 +51,7 @@
     </div>
     {% if hasSuffix %}
         <div aria-hidden="true">
-            {{ suffix|t('site')|md(inlineOnly=true)|raw }}
+            {{ suffix|t('site')|md(inlineOnly=true,encode=true)|raw }}
         </div>
     {% endif %}
 </div>

resources/templates/graphql/schemas/_edit.twig

@@ -122,9 +122,15 @@
         label: '{name} directive'|t('app', {
           name: '`@parseRefs`',
         }),
-        warning: 'Provides read-only access to user data and most content.',
+        warning: 'Can be exploited to reveal sensitive content by information disclosure attacks.'|t('app'),
       },
-    }) }}
+      'directive:transform': not craft.app.config.general.disableGraphqlTransformDirective ? {
+        label: '{name} directive'|t('app', {
+          name: '`@transform`',
+        }),
+        warning: 'Can be exploited by DoS attacks.'|t('app'),
+      },
+    }|filter) }}
   </div>
 
 {% endblock %}

resources/translations/cy/app.php

@@ -4,6 +4,8 @@
 
 namespace CraftCms\Cms\Component\Contracts;
 
+use craft\web\twig\AllowedInSandbox;
+
 /**
  * CpEditable defines the common interface to be implemented by components
  * that have a dedicated edit page in the control panel.
@@ -13,5 +15,6 @@ interface CpEditable
     /**
      * Returns the URL to the component’s edit page in the control panel.
      */
+    #[AllowedInSandbox]
     public function getCpEditUrl(): ?string;
 }

src/Component/Contracts/CpEditable.php

@@ -19,6 +19,7 @@ final class ConfigServiceProvider extends ServiceProvider
         'general',
         'redirects',
         'routes',
+        'twig-sandbox',
     ];
 
     #[Override]
@@ -27,6 +28,14 @@ public function register(): void
         Env::extend(fn () => ConstAdapter::class, 'CraftConstAdapter');
 
         $this->app->singleton(GeneralConfig::class, fn () => $this->app->make(ConfigRepository::class)->get('craft.general'));
+
+        collect($this->configFiles)->each(function (string $file) {
+            if ($file === 'general') {
+                return;
+            }
+
+            $this->mergeConfigFrom(__DIR__."/../../config/$file.php", "craft.$file");
+        });
     }
 
     public function boot(): void
@@ -41,7 +50,7 @@ private function bootPublishables(): void
             return;
         }
 
-        collect($this->configFiles)->each(function ($file) {
+        collect($this->configFiles)->each(function (string $file) {
             $this->publishes([__DIR__."/../../config/$file.php" => config_path("craft/$file.php")], 'craftcms-config');
         });
     }

src/Config/ConfigServiceProvider.php

@@ -1039,7 +1039,7 @@ class GeneralConfig extends BaseConfig
     public bool $disallowRobots = false;
 
     /**
-     * @var bool Whether the `transform` directive should be disabled for the GraphQL API.
+     * @var bool Whether the `@transform` directive should be disabled for the GraphQL API.
      *
      * ::: code
      * ```php Static Config
@@ -1050,7 +1050,15 @@ class GeneralConfig extends BaseConfig
      * ```
      * :::
      *
+     * ::: tip
+     * As of Craft 5.9.0, the `@transform` directive can be optionally included for each GraphQL schema,
+     * unless this setting is set to `true`.
+     * :::
+     *
      * @group GraphQL
+     *
+     * @since 3.6.0
+     * @deprecated in 5.9.0
      */
     public bool $disableGraphqlTransformDirective = false;
 
@@ -1240,6 +1248,24 @@ class GeneralConfig extends BaseConfig
      */
     public bool $enableTemplateCaching = true;
 
+    /**
+     * @var bool Whether user-defined Twig templates should be sandboxed.
+     *
+     * ::: code
+     * ```php Static Config
+     * ->enableTwigSandbox()
+     * ```
+     * ```shell Environment Override
+     * CRAFT_ENABLE_TWIG_SANDBOX=true
+     * ```
+     * :::
+     *
+     * @see enableTwigSandbox()
+     *
+     * @group Security
+     */
+    public bool $enableTwigSandbox = false;
+
     /**
      * @var string The prefix that should be prepended to HTTP error status codes when determining the path to look for an error’s template.
      *
@@ -4487,12 +4513,17 @@ public function disallowRobots(bool $value = true): self
     }
 
     /**
-     * Whether the `transform` directive should be disabled for the GraphQL API.
+     * Whether the `@transform` directive should be disabled for the GraphQL API.
      *
      * ```php
      * ->disableGraphqlTransformDirective(true)
      * ```
      *
+     * ::: tip
+     * As of Craft 5.9.0, the `@transform` directive can be optionally included for each GraphQL schema,
+     * unless this setting is set to `true`.
+     * :::
+     *
      * @group GraphQL
      *
      * @see $disableGraphqlTransformDirective
@@ -4719,10 +4750,10 @@ public function enableTemplateCaching(bool $value = true): self
     }
 
     /**
-     * Whether all Twig templates should be sandboxed.
+     * Whether user-defined Twig templates should be sandboxed.
      *
      * ```php
-     * ->enableTwigSandbox(false)
+     * ->enableTwigSandbox()
      * ```
      *
      * @group Security
@@ -4732,7 +4763,7 @@ public function enableTemplateCaching(bool $value = true): self
     #[Deprecated(message: 'in 6.0.0. Sandbox is always enabled.')]
     public function enableTwigSandbox(bool $value = true): self
     {
-        app()->booting(fn () => Deprecator::log('generalConfig.enableTwigSandbox', 'Calling enableTwigSandbox() is deprecated. Sandbox is always enabled.'));
+        $this->enableTwigSandbox = $value;
 
         return $this;
     }

src/Config/GeneralConfig.php

@@ -15,6 +15,7 @@
 use CraftCms\Cms\Field\Contracts\MergeableFieldInterface;
 use CraftCms\Cms\Field\Contracts\SortableFieldInterface;
 use CraftCms\Cms\Support\Facades\I18N;
+use CraftCms\Cms\Support\Html;
 use CraftCms\Cms\Support\Query;
 use CraftCms\Cms\Translation\Locale;
 use GraphQL\Type\Definition\Type;
@@ -24,6 +25,7 @@
 use Throwable;
 use yii\base\InvalidArgumentException;
 use yii\db\Schema;
+use yii\helpers\Markdown;
 
 use function CraftCms\Cms\t;
 
@@ -377,11 +379,11 @@ public function getPreviewHtml(mixed $value, ElementInterface $element): string
         };
 
         if ($this->prefix) {
-            $formatted = $this->prefix.$formatted;
+            $formatted = Markdown::processParagraph(Html::encode($this->prefix)).$formatted;
         }
 
         if ($this->suffix) {
-            $formatted .= $this->suffix;
+            $formatted .= Markdown::processParagraph(Html::encode($this->suffix));
         }
 
         return $formatted;