Log message:
www/php-concrete-cms: update to 9.3.2

9.3.0 (2024-05-16)

New Features
* Support for the brand-new marketplace found at market.concretecms.com,
  featuring auto-connect, free trials on Concrete SAAS, Composer support for
  packages, a modern website and much more.
* Added support for webp images as the default thumbnail type when Concrete
  auto-generates thumbnails (thanks parasek)
* Added lazy loading as an option for the Image block (thanks parasek)
* Added an option to keep file manager folders at the top of the list of
  contents (instead of intermingled with files) (thanks hissy)
* When deleting user groups, users are now presented with an option as to
  what to do with child groups. (thanks mlocati)
* Make thumbnails generated by Image Helper SEO-friendly (thanks parasek)
* Atomik is now built on Bedrock 1.5 (Bootstrap 5.3)
* Dashboard theme is now built on Bedrock 1.5 (Bootstrap 5.3)

Behavioral Improvements
* Added a config value to toggle default behavior of "Keep Live Version
  Approved"-Toggle-Button (thanks marcokuoni)
* Added a confirm dialog box when cancelling out of the in-page rich text
  editor (thanks Mesuva)
* If users are prompted to save the username and password on install, the
  proper credentials will be saved for the admin user (thanks mlocati)
* Add attribute key handle next to attribute key name in the page type
  composer form add dialog (thanks parasek)
* Allow for setting/altering the User Logged by the Logging Service (Thanks
  haeflimi)
* File manager detail page now reloads when the file is swapped (thanks
  mlocati)

Bug Fixes
* Fixed: CKEditor Maximize plugin breaks editing when used in a dialog
  (thanks mlocati)
* Bug fixes and improvements to Boards (thanks marcokuoni)
* Fixed blank screen that showed when adding blocks to the composer page
  type form on first load (thanks parasek)
* Fixed bug where custom styles applied to a global area didn't work.
* Fixed: When a page is re-edited, topics in the child level of the topic
  attribute disappear (thanks hissy)

Backward Compatibility Notes
* There has been some refactoring to the core class loaders and autoloaders.
  If you work with the autoloader directly or have extended the built-in
  Symfony autoloader classes, verify your changes work properly.
* The core themes now rely on Bootstrap 5.3 (Bedrock 1.5).

Developer Updates
* Significant improvements to the core autoloaders (thanks mlocati)
* The Dashboard and CMS are now using Bedrock 1.5 (built from Bootstrap 5.3)
  as their basis.  This should be minimally invasive, but if some third
  party packages are not displaying properly, please verify that their
  markup conforms to Bootstrap 5.3.
* Removing trailing / from HTML header elements (thanks marcokuoni)
* Developers can now specify CLI shortcuts for fields added to their tasks,
  when they're run via the CLI (thanks KnollElias)

9.3.1 (2024-05-17)

Behavioral Improvements
* 9.3.0 automatically checked and configured a canonical URL on
  installation, in order to improve marketplace connection reliability.
  This is not actually necessary, as initial marketplace connections do not
  require a canonical URL to function, so this behavior has been reverted to
  pre-9.3.0.
* When encountering a problem downloading a package, we now report the error
  in a nicer presentation.
* If the saving of remote data in a Concrete Site data object in the
  marketplace fails, it will fail silently and log the error, instead of
  outputting it.

Bug Fixes
* Fixed error when visiting the Dashboard Extend package under PHP 7.
* Fixed some minor marketplace connection errors when not running in UTC.
* Fixed bug where package showed up as ready to download from the
  marketplace even when it was already installed

9.3.2 (2024-05-28)

Bug Fixes
* Fixed errors where copying a package after downloading it from the
  marketplace would throw an error under certain conditions.
* Moving a stack from Orphan Blocks into the page 500 (thanks JohnTheFish)
* Fixed: Stacks, Containers and Scrapbook blocks makes longer block cache
  than block cache setting (thanks hissy)
* Fixed bug where boolean page attributes that are checked by default show
  up as checked even if they have previously been saved unchecked (thanks
  hissy)
* Fixed error when using workflow under certain conditions in PHP 8+ (thanks
  pszostok)
* Fixed: If you use advanced log configuration to set your own logger for
  Channels::META_CHANNEL_ALL, this logger gets applied to all core channels.
  Therefore you cannot set this at the same time as customising a specific
  core channel (thanks bikerdave)

Developer Updates
  Updated scssphp/scssphp to a newer version, tweaking some output of the
  theme customizer (thanks mlocati)

Log message:
Drop support for php80 (PHP 8.0).

Log message:
www/php-concrete-cms: update to 9.2.8

9.2.8 (2024-04-02)

Bug Fixes

* Fixed bug where c5:info console command would fail when run on a Concrete
  webroot if that webroot was not yet an installed Concrete site.

* Fixed bug where logout link in toolbar would not work when user was logged
  in as an editor who could not view the Dashboard (thanks ounziw)

Security Updates

* Created CVE-2024-2753 Stored XSS on the calendar color settings screen and
  fixed it with commit 11988 Prior to the fix, a rogue administrator could
  put malicious javascript on the Concrete CMS color setting screen which
  would have would have been triggered by and affected users who accessed
  the color settings screen.  The Concrete CMS security team gave this
  vulnerability a CVSS v3.1 score of 2.0 with a vector of
  AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

  Thank you Rikuto Tauchi for reporting HackerOne 2433383.

* Created CVE-2024-3178 Cross-site Scripting (XSS) - Advanced File Search
  Filter and fixed it with commit 11988 for version 9 and commit 11989 for
  version 8.  Prior to the fix, a rogue administrator could add malicious
  code in the file manager because of insufficient validation of
  administrator provided data.  All administrators have access to the File
  Manager and hence could create a search filter with the malicious code
  attached.  The Concrete CMS security team gave this vulnerability a CVSS
  v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L

  Thank you Guram (javakhishvili) for reporting HackerOne 949443

* Created CVE-2024-3179 Stored XSS in the Custom Class page editing and
  fixed it with commit 11988 for version 9 and commit 11989 for version 8.
  Prior to the fix, a rogue administrator could insert malicious code in the
  custom class field due to insufficient validation of administrator
  provided data.  Concrete CMS version 9.2.8 and 8.5.13 no longer allow any
  non alphanumeric characters in this CSS class.  The Concrete CMS security
  team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of
  AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Alexey Solovyev for
  reporting HackerOne 918129.

* Created and fixed [CVE-2024-3180]
  (https://nvd.nist.gov/vuln/detail/CVE-2024-3180) Prior to fix, stored XSS
  could be executed by a rogue administrator adding malicious code to the
  link-text field when creating a block of type file.  Fixed with commit
  11988 for version 9 and commit 11989 for version 8.  The Concrete CMS
  security team gave this vulnerability a CVSS v3.1 sore of 3.1 with a
  vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Alexey Solovyev
  for reporting HackerOne 903356

* Created CVE-2024-3181 Stored XSS in the Search Field.  Prior to the fix,
  stored XSS could be executed by an administrator changing a filter to
  which a rogue administrator had previously added malicious code.  The
  Concrete Team fixed this with commit 11988 for version 9 and commit 11989
  for version 8. Thank you Alexey Solovyev for reporting HackerOne 918142

Log message:
www/php-concrete-cms: update to 9.2.7

* pkgsrc change: use PHP_BASE_VERS for dependency to PHP.

9.2.7 (2024-03-05)

Behavioral Improvements

* Improved display of certain UI elements when Concrete was used with
  non-Bedrock/Bootstrap themes.

* Back to Website button in Dashboard now uses the vanity URL instead of the
  cID URL (Thanks JohnTheFish)

* Add db charset and collation to environment report (thanks JohnTheFish)

Bug Fixes

* Fixed: Time selector in the calendar event dialog not showing all times.

* Fixed: Undefined array key "value"' in
  /concrete/attributes/date_time/controller.php under PHP 8.

* Fixed: Undefined array key 0' in
  /concrete/blocks/calendar_event/controller.php:224 under PHP 8.

* Fix pagination not working in clipboard side panel (thanks
  quentinnorbert0)

* Fix double encoding when displaying page template name (thanks
  quentinnorbert0)

* Fixed inability to clear date/time attributes using the built-in HTML
  datepicker clear link.

* Fixed bug when attempting to do an advanced search by time in the Logs
  (thanks Quentin-Gach)

* Fixed error where including an ampersand in your site name would cause it
  to be displayed as & in your site browser title.

* Fixed: Undefined property: Concrete\Block\Survey\Controller::$cID' in
  /concrete/blocks/survey/controller.php:206 under PHP 8.

* Fixed: Undefined variable $fID' in
  /concrete/single_pages/download_file.php:23 under certain conditions in
  PHP 8.

* Fixed error when attempting to log values that were non-scalar (thanks
  JohnTheFish)

Security Updates

* Fixed CVE-2024-2179 Stored XSS in the Name field of a Group type with
  commit 11965.  A rogue administrator could inject malicious code into the
  Name field of a Group type which might be executed when users visit the
  affected page because of insufficient validation of administrator provided
  data.  The Concrete CMS Security team scored this 2.2 with CVSS v3 vector
  AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N.  Concrete versions below 9 do not
  include group types so they are not affected by this vulnerability.
  Thanks Luca Fuda for reporting HackerOne 2383192.

Log message:
www/php-concrete-cms: add package version 9.2.6

Concrete CMS is successor of www/php-concrete5.

Concrete CMS

Concrete CMS is a web content management system designed for creating and
managing websites.  Its interface is user-friendly, catering to both novices
and experts.

Concrete is written in PHP and JavaScript and it pulls data from a MySQL
database.

In Concrete CMS, your website is structured as a hierarchy of pages
organized within a sitemap.  Each page adheres to a specific Page Type and
utilizes one of its associated Templates.  These Templates are PHP files
that combine standard HTML/CSS with dynamic Block Areas.  Within Block
Areas, you can insert Blocks, which range from basic HTML Text to advanced
interactive features like forms.  Block Areas can be further refined using
Layouts or Containers.  While Layouts simply split a block area into
columns, Containers are code-defined and can encompass additional markup and
styling.

* Files
* Users, Groups & Authentication
* Permissions & Workflow
* Attributes
* Packages