v1.0.473

Security Improvements

• Improved password reset flow by no longer throwing an error message if the provided email address doesn't exist in the system.
• Tightened up the permission checking logic by requiring strict type matches.
• Removed xml from the list of default allowed extensions to upload, can be added back through the configuration if required.

v1.1.2

NOTE: As of v1.1.2, the core maintainer team has left October CMS and forked the project into Winter CMS.

UX/UI Improvements

• Fixed issue where the browser's number increment/decrement control would cover up the placeholder text in type: number inputs when hovered over or focused on.
• Added ability to select the default backend locale when running the winter:install command
• Added ability for CMS editor to auto detect which editor should be used based on file type, bringing the editor in line with the documented feature.
• Added the List Behavior's new perPageOptions config property to the default stub for scaffolding new controllers.
• Fix support for browser-based validation of checkboxes and radio options

API Changes

• Added support for the {colorpicker} field in the Dynamic Syntax parser.
• The availableColors attribute can now be specified for colorpicker type variables in the Dynamic Syntax parser.
• Added new getRelationTypeDefinitions and getRelationTypeDefinition methods to models to query relationship definitions through methods as opposed to interacting with the relation properties directly.
• The "Customize" button is now disabled for all themes that are not the currently active theme.
• Added registerOwnerAlias($owner, $alias) to the NavigationManager to add aliases for given owners of registered menu items.
• Added registerPermissionOwnerAlias($owner, $alias) to the AuthManager to add aliases for given owners of registered permissions.
• Added registerOwnerAlias($owner, $alias) to the SettingsManager to add aliases for given owners of registered setting items.
• Added support for using the sort_order_column property on a model implementing the Winter\Storm\Database\Behaviors\Sortable behavior to define the name of the sort order column as constants cannot be defined on classes dynamically.
• Added ability to control the auto-detaching behavior of BelongsToMany relationships by setting detach (default true) on the relationship definition.

Bug Fixes

• Fixed a duplicate AJAX call being fired when using the "Apply" or "Clear" buttons in a group filter.
• Fixed an exception thrown on viewing or logging into the Backend when attempting to load the backend localization files of a missing theme.
• Fixed issue where /0 would return the result from /.
• Fixed issue where plugins with external dependencies referenced in their migration files would fail to install correctly via the plugin:install CLI command while installing normally in a web environment.
• The listAllDirectories() method in the MediaLibrary helper now correctly excludes paths and directories that are specified in the storage ignore rules configuration.
• Fixed issue where field options specified using a static method in the form of options: "\Path\To\Class::staticMethod" were not receiving the Form widget instance or the Field widget instance as per the documentation.
• Fixed issue introduced in Laravel 5.7 where eager loading File relationships on PostgreSQL would fail with the message "Varchar <> Integer comparison is not allowed".
• Fixed issue where having safeMode enabled when editing a CMS CompoundObject with different line endings from the user's browser (i.e. \r vs \r\n) would cause the safe mode protection to unnecessarily trigger (preventing any changes to non-protected properties from being saved) because the user's browser would modify the original line endings.
• Fixed an issue with integers being used as keys for the options in the checkbox list.
• Fixed an issue with syncing belongToMany relationships introduced in v1.1.1.
• Fixed an issue where the user-provided password for the default admin account during winter:install was not being respected and was instead always being set to a random string of characters as if no password had been provided.
• Fixed an issue where the ImageResizer was always provided absolute URLs instead of respecting the value of cms.linkPolicy.
• Reverted previous fixes to the BelongsToMany relationship related to conditions and scopes being defined during detach() as they were causing more problems than they solved.
• Added a default value of SQLite to the database options question of the winter:install command so that --no-interaction will work.
• Fixed a breaking change in how empty route parameters with default values are handled that was introduced in v1.0.466
• Fixed an issue where fields that use dependsOn to depend on another field that is itself dependent on other fields wouldn't be triggered when the first field was updated through the dependsOn functionality.

Security Improvements

• Tightened up the Twig SecurityPolicy. Calling insert(), update(), delete() methods on all PHP objects are now blocked from within Twig, data modifications should not be done at the view layer. If absolutely necessary, consider firing a view event instead.
• Added a new config value (app.trustedHosts) to protect against host header poisoning. The following values can be used: true will allow only the naked and www versions of app.url as trusted hosts, the default of false will disable the feature (except on the backend password reset flow), and finally an array of trusted host patterns.
• Session identifiers are now invalidated on logging out instead of just flushed.

Translation Improvements

• Improved Slovakian translation.
• Improved Hungarian translation.
• Improved Brazilian Portuguese translation.
• Improved Dutch translation.
• Improved French translation.

Community Improvements

• Added a new EventFake class to provide mocking and testing services for events in unit tests.
• Fixed the order of parameters in the docblock for the mailer.beforeAddContent event.

Dependencies

• Updated Pikaday to 1.8.2
• Updated wikimedia/less.php to ~3.0
• PHP 8 is now supported
• Switched back to the source repository for the wikimedia/composer-merge-plugin as Composer 2.0 support has fully arrived. Update your composer.json files to require "wikimedia/composer-merge-plugin": "~2.0.1"

v1.0.472

NOTE: As of v1.0.472, the core maintainer team has left October CMS and forked the project into Winter CMS.

UX / UI Improvements

• Fix support for browser-based validation of checkboxes and radio options

API Changes:

• Added registerOwnerAlias($owner, $alias) to the NavigationManager to add aliases for given owners of registered menu items.
• Added registerPermissionOwnerAlias($owner, $alias) to the AuthManager to add aliases for given owners of registered permissions.
• Added registerOwnerAlias($owner, $alias) to the SettingsManager to add aliases for given owners of registered setting items.

Security Improvements

• Tightened up the Twig SecurityPolicy. Calling insert(), update(), delete() methods on all PHP objects are now blocked from within Twig, data modifications should not be done at the view layer. If absolutely necessary, consider firing a view event instead. Backported from v1.1.2.
• Added a new config value (app.trustedHosts) to protect against host header poisoning. The following values can be used: true will allow only the naked and www versions of app.url as trusted hosts, the default of false will disable the feature (except on the backend password reset flow), and finally an array of trusted host patterns.
• Session identifiers are now invalidated on logging out instead of just flushed.

v1.1.1

UX/UI Improvements

• Adjusted winter:fresh to remove the demo plugin even when the demo theme has already been removed.
• Allowed for the "fancy" breadcrumb widget to be styled based on custom branding colors specified in the "Customize back-end" settings.
• System will now throw an exception with a helpful error message if image resizing fails because an unsupported cache driver is being used (i.e. array).
• Switched the order of the "Install plugins" & "Install themes" buttons to match the order of the tabs on the actual install page
• Plugins that are already present in the local system and also exist in the marketplace will no longer be re-downloaded when a Project ID is attached.
• The plugin management page will now reload after making changes that would affect which plugins are currently active.
• Custom messages can now be provided for bulk deletions in Lists, defined by the deleteMessage property for successful deletions, and noRecordsDeletedMessage property for when no deletions occurred due to missing selections or an altered list query not returning any applicable records.

API Changes

• The initial seeding process for empty databases no longer uses a default password; instead a secure random password is generated and reported in the console. If you need to change the admin account password run php artisan winter:passwd admin NewPasswordHere
• The winter:env command is now privileged and will run even if plugins are failing to boot.
• A new syntax for specifying the available options for field types that use the options property is now available: \Path\To\Class::staticMethodName will use the array returned by calling the static method \Path\To\Class::staticMethodName() as the options
• The noRecordsMessage configuration value to specify a message when a list is empty can now be specified for list-type widgets in the Relation controller.
• CMS pages that are hidden (only accessible to logged in backend users) will now be automatically removed from RainLab.Pages menus.
• session.same_site now defaults to Lax instead of null and any invalid configurations will be automatically corrected to the default value of Lax. See #5293 for a detailed breakdown.
• Added new removeSideMenuItems() helper method to NavigationManager, which can quickly remove one or more side menu items for a specific owner and menu.
• The app locale at the time of a message's entry onto the queue is now stored with the message on the queue as _current_locale.
• Added support for $query->selectConcat(array $parts, string $as) to concatenate an array of parts into a single column/attribute $as.
• Added support for the upsert($values, $uniqueBy, $updateColumns) QueryBuilder method added in Laravel 8.x which allows for bulk updates or inserts at the database level.
• Added separate backend.manage_own_editor permission to allow users to manage their own personal editor preferences without being able to modify the global ones.
• Added new media_path() helper function to return the fully qualified path to the media directory.
• Added new Storage::identify($disk) method to identify the name of the disk configuration used to instantiate the given disk instance.
• Template blocks in Backend templates are now correctly terminating the output buffering used. Block processing uses layers of output buffering to determine applicable block content, however, a particular scenario occurred where subsequent blocks were not rendered due to content in between two blocks cancelling another layer, causing issues with further blocks. The block functionality will now capture the content in between blocks and hold it until the final content is generated, keeping the correct layer intact so that subsequent blocks are kept in the right location. See https://github.com/wintercms/library/pull/517 for more information.
• Added new Winter\Rain\Database\Behaviors\Sortable behavior that mirrors the functionality of the Winter\Rain\Database\Traits\Sortable trait except with the ability to dynamically attach it to models at runtime allowing for third-party plugins to be extended with the functionality.
• Themes can now register localization keys to be used only on the backend using a similar file structure to plugins & modules. Ex: themes/mytheme/lang/en/lang.php contains 'ga_api_key' => 'Google Analytics API Key', referenced by themes.mytheme::lang.ga_api_key.
• Quick actions can now be defined in the top-right of the Backend. Quick actions act as shortcuts to common actions, such as previewing the website. See https://github.com/wintercms/winter/pull/5344 for more information.

Bug Fixes

• Fixed issue where displaying protected file thumbnails with a width or height set to nothing would fail.
• Fixed issue where URLs to resized images were not being properly URL encoded
• Fixed an issue introduced in Build 1.1.0 where plain Twig templates couldn't be loaded through the {% include 'path' %} or {{ source(path) }} Twig functions.
• Fixed issue introduced in build 1.0.458 where non-grouped repeaters with minimum items specified via the minItems option did not pre-fill the repeater with the minimum items.
• Fixed issue where the ImageResizer would attempt to process image types that it couldn't handle instead of just passing them through untouched.
• Fixed issue where resized images were not correctly identified as already having been resized when atomic (blue/green) deployment strategies are used in conjunction with files being stored on the local filesystem in a shared symlinked storage folder.
• Fixed issue where the media manager would not display a folder that a contained a filename with characters that are considered invalid by the MediaLibrary class (i.e. '+', various unicode characters).
• Fixed issue where resized images with spaces in their filenames would not pass the resizer validation checks because the target URL would be decoded three times instead of the intended two.
• If a model's dateFormat includes microseconds (.u) or milliseconds (.v) but a given value provided to an attribute that is cast as a date does not include that information, then the date casting logic will now automatically add the appropriate number of zeros to the end of the provided date value for it to be accepted when parsing the provided value according to the defined dateFormat for the model. This fixes an issue with databases that have .u or .v in date columns that are managed by the datepicker in the backend which doesn't support sending micro or milliseconds.
• Fixed a long-standing issue where returning a redirect to a file in response to an AJAX request in order to get the browser to download the file wouldn't stop displaying the AJAX loading indicator.
• Fixed the uploads_path() helper.
• Fixed support for AWS S3 as a source for the ImageResizer.
• Fixed issue where backend administrators list could not be filtered by "Is superuser?" filter on SQL Server due to that database engine not supporting literal boolean values.
• Fixed adjacent block placeholders not working in Backend templates - the initial block is rendered, but the subsequent block is ignored. See API change above regarding block termination for more information.
• Fixed issue where an exception is thrown when scanning template content for mail templates and layouts that have been orphaned by a disabled or removed plugin. This prevented plugins such as the Translate plugin from scanning messages correctly.
• Fixed issue where models with guarded properties were failing to allow attributes that don't have a corresponding column to be processed in events (for example, the "data" attribute in the File model).
• Fixed issue with the included http_build_url() polyfill where the current and replacement URLs couldn't be passed as strings.
• Fixed issue where having multiple belongsToMany relationships defined and differentiated by the conditions property would cause one of the relationships to be wiped out on saves of a separate relationship. See wintercms/winter#4952 for more information.
• Fixed issue where paths provided to the theme:sync command were too loosely matched, which could lead to files that weren't intended to be synced being synced anyways.

Security Improvements

• The admin account password is now securely randomly generated during the initial seeding process for empty databases and is reported in the console. If you need to change the admin account password run php artisan winter:passwd admin NewPasswordHere
• Tightened up the default permissions granted to the "Publisher" system role out of the box
• Improved handling of custom editor styles to prevent HTML injection
• Locked down the Twig sandbox even more to prevent allowing users with access to Twig templates from defining and running PHP code

Translation Improvements

• Improved Taiwanese translation
• Improved French translation
• Improved Slovenian translation
• Improved Russian translation
• Improved Italian translation
• Improved Dutch translation
• Improved German translation

Dependencies

• The Composer merge plugin was temporarily cloned to the WinterRain GitHub organization to resolve an issue with Composer 2.0 support.

v1.0.471

Community Improvements

• Fixed a bug with the marketplace build server that required a bump in the version number.

v1.0.470

API Changes

• The Winter\Storm\Database\Attach\File model now uses "fillable" attributes as opposed to "guarded" attributes to control mass assignment. If you extend the File (or the main System\Models\File) model to provide additional fields, you must now copy the "fillable" attributes to your extension and add any additional fields to this definition (backported from 1.1.0)

Bug Fixes

• Temporarily fixed an issue with existing code-bases that abuse the Twig engine by loading template files in unsupported ways (.js / .svg files rendered as partials through {% partial %}, {% include %}, or $this->renderPartial()). NOTE: This hotfix will not be available in Build 1.1.x so existing code still needs to be fixed to not use those unsupported file types.
• Fixed an issue introduced in Build 1.0.469 where plain Twig templates couldn't be loaded through the {% include 'path' %} or {{ source(path) }} Twig functions
• Fixed issue introduced in a security update to Laravel 5.5 where models with guarded properties were failing to allow attributes that don't have a corresponding column to be processed in events (for example, the "data" attribute in the File model). (backported from 1.1.1)

Security Improvements

• Tightened up the default permissions granted to the "Publisher" system role out of the box (backported from 1.1.1).
• Locked down the Twig sandbox even more to prevent allowing users with access to Twig templates from defining and running PHP code (backported from 1.1.1).

v1.1.0

NOTE: This build contains a number of changes made as a part of the upgrade from Laravel 5.5 LTS to 6.x LTS, it is highly recommended that you review the upgrade guide to ensure you aren't affected.

UX/UI Improvements

• Added new "sensitive" field widget that provides a revealable password field for forms.
• Finished implementing the php artisan winter:util purge uploads console command that purges invalid files (Files that don't have a matching entry in system_files) and empty directories from the uploads directory. This only works on uploads stored on the local disk for now.
• Added built in support for easy and fast resizing of images with three new Twig filters (| resize(width, height, options), | imageWidth, | imageHeight) and a new backend List column type (image). See https://github.com/wintercms/winter/pull/5231 for more information.
• The SMTP port field in the Mail Settings page will be pre-filled with the default port depending on the encryption type selected, if it is using a standard port. Custom ports will not be overwritten.
• Added a link to the backend in the demo theme header menu to make it easier for new users to find the backend.

API Changes

• Added new development configuration option develop.allowDeepSymlinks which allows for symlinks at any subdirectory level when generating a public URL from a local path.
• The System\Controllers\Settings controller now provides a formGetWidget method to retrieve the form widget used for Settings forms.
• The default password validation rules for Backend\Models\User and Winter\Storm\Auth\Models\User have been loosened by no longer having a max length since passwords are stored in the database as hashed values and the length of the input has no effect on the length of the output.
• winter:env will now use QUEUE_CONNECTION instead of QUEUE_DRIVER to refer to the queue connection when generating a .env file from the config files.
• The individual composer.json files for each of the Winter Rain library components have been removed as using individual components of the Winter Rain library is no longer supported.
• Support has been added for hasOneThrough relationships.
• Support has been added for the eloquent.retrieved Model event that Laravel added in 5.5.2.
• The app:name Artisan command was removed as Laravel removed it in L6 and Winter never really had a need for it.
• Added new public static method Model::flushDuplicateCache() to flush a given model's duplicate query cache during a request lifecycle.
• Added polyfill for the http_build_url() core PHP function.
• Added new php artisan create:theme $code scaffolding command.
• Added new Arr::undot() and array_undot helper methods / functions (transforms a flat, dot-notated array into a normal nested array)
• Added new config_path() helper function.
• Added new resolve_path() helper function that closely emulates the PHP realpath() function, but supports resolving paths for missing files and subdirectories. This is provided by the Winter\Rain\Filesystem\PathResolver helper class, which can resolve canonical paths and determine if given paths are within given directories.
• The Winter\Storm\Database\Attach\File model now uses "fillable" attributes as opposed to "guarded" attributes to control mass assignment. If you extend the File (or the main System\Models\File) model to provide additional fields, you must now copy the "fillable" attributes to your extension and add any additional fields to this definition.
• The Winter\Storm\Database\Attach\File model will now log exceptions when getThumb() fails in addition to generating the broken image file as the thumbnail as per existing behaviour.
• The Winter\Storm\Html\HtmlBuilder::limit() method now considers whitespaces and line breaks to be one character, regardless of the line break type or number of spaces. This ensures a consistent result across both Windows and Linux.
• Added File::isLocalDisk($filesystemAdapterDisk) method to check if the provided disk is using the Local Flysystem adapter. Winter\Rain\Database\Attach\File has switched it's internal method isLocalStorage() to using it, so if you are overriding that method you may be able to remove your overridden method implementation so long as your getDisk() method is returning the correct disk for your custom FileModel.
• Removed data-browser-validate from the default controller scaffolding files as HTML5 form validation does not play nice with anything beyond the most basic forms. Also removed from the System Settings backend forms.
• Plugin view & configuration files are now registered on protected routes even if the plugin doesn't have elevated permissions to run on those routes in order to support views and configuration being used in database migrations.
• Added getAllPlugins() method to the System\Classes\PluginManager class to retrieve all plugins detected on the system instead of just the enabled ones.
• Bound Illuminate\Foundation\Application to Winter\Storm\Foundation\Application in the application container to better support Laravel packages that typehint the Application class directly rather than the contract.
• Improved handling of Rule objects when used in validation - the message() method is now used to return a fallback message (optionally translated), and there is no need to specify a validate() method anymore.
• The winter:util set build command has been replaced with the winter:version command, which now does a more accurate build version check by comparing the Winter CMS installation files with a manifest kept on GitHub, and no longer queries the Winter CMS servers simply for the latest stable or edge build.
• Added a unique ID to the Filter widget container to support being targeted through the AJAX framework.

Bug Fixes

• Improved stability of the FieldParser when parsing fields without the type property specified.
• Fixed issue where the QueryBuilder->remember() method did not properly support being passed DateTime instances for cache expiry.
• Fixed an issue introduced in Build 1.0.466 where asset files were unable to be created through the CMS section.
• Fixed issue where removing the currently sorted by column from the list's visible columns would cause an error.
• Fixed issue where not having the GD extension loaded would cause the process to exit with an error message instead of throwing an Exception.
• Fixed issue where non-compound use statements that were aliasing imported classes in CMS code sections (i.e. use Session as WinterSession) were no longer being included in the parsed PHP because of a bug fix in Build 1.0.468.
• Fixed issue introduced in Build 1.0.466 where BelongsTo relationships were unable to be updated using the RelationController behavior.
• Fixed issue where not specifying a thumbnailWidth (even when providing a thumbnailHeight) for the FileUpload FormWidget would cause it to default to 100x100.
• Fixed issue where unlinking a HasOne or BelongsTo relationship with the RelationController would not fully clear it from the view widget being displayed.
• Fixed issue where creating or adding a new record to a HasOne or BelongsTo relationship with the RelationController would not fully remove any existing relationship.
• Fixed issue introduced in Build 1.0.461 where all SystemExceptions would be logged twice to the EventLog.
• Fixed an exception that would be thrown when editing Mail Templates if any partials recorded in the database were no longer provided by the plugin due to it being removed or disabled.
• Fixed issue where a JS exception would be thrown if attempting to load a page with tabs where the hash part of the URL contained a /.

Translation Improvements

• Improved Spanish translation.
• Improved Russian translation.

Community Improvements

• Added the Laravel framework dependency to each of the core modules to improve stability of existing composer installations
• The ftp and sftp storage drivers are now included with the core.
• The postmark mail driver is now included with the core.
• The Winter CMS and Storm Library are now tested against both Linux and Windows, PHP versions 7.2 to 7.4, to ensure that functionality works correctly across both supported operating systems.

Dependencies

• The Laravel framework has been added as a dependency to the core modules and library to improve the stability of existing Composer installations.
• The Assetic library is no longer an external dependency as the key functionality has been absorbed by the Winter Rain library.
• The Jenssegers/Date library is no longer an external dependency as the key functionality was included in Carbon 2.0 and Argon took over whatever small pieces were left behind.
• The unmaintained leefo/scssphp dependency has been replaced with scssphp/scssphp
• The unmaintained lessc.inc.php included dependency has been replaced with wikimedia/less.php

v1.0.469

API Changes

• .svg has been removed from the default list of allowed extensions for uploading for security reasons, will be re-added in Build 1.1.1 alongside sanitization to protect against XSS attacks. Use storage.media.defaultExtensions to override the default list of allowed extensions in order to re-add support for it at your own risk.
• $fileName was removed as a parameter for the Winter\Storm\Halcyon\Builder->delete() method as it wasn't actually being used internally and had no effect.
• Partials included via $this->renderPartial(), {% partial 'path/to/partial' %}, and {% include 'path/to/partial %} now properly block all extensions other than .htm by default.
• Attempting to load & render partials from outside of the theme using the CMS Twig engine will no longer work (note, this was never officially supported, it was a bug that it ever worked in the first place). If you are trying to render Twig from outside the theme you should always use the System Twig engine instead of the CMS one by calling \Twig::parse($templateContents, $templateVars);)

Bug Fixes

• Fixed issue where cookies that were generated at some point between pre-Laravel 5.5.* cookie security fix and the latest cookie security fixes in Build 1.0.468 could fail to be processed correctly.
• Fixed an issue where some SystemExceptions include unfiltered user input in the response to the browser, which would cause security researchers to think that they've found a XSS vulnerability which would then take resources to explain how it wasn't exploitable by just stripping any potential XSS from SystemException messages.

Security Improvements

• Fixed issue where the FileDatasource could be abused to load files outside of the intended location.
• Fixed issue where the Twig sandbox could be escaped allowing users with access to Twig templates to define and run PHP code.

Community Improvements

• Winter has moved to a slightly different versioning scheme, major changes such as Laravel framework upgrades will now be indicated by the "minor" version number, and the build / patch number will reset on every increment of the minor version number. Winter builds from initial conception to Laravel 5.5 EOL will be the v1.0.319 to v1.0.469 range, and the Laravel 6 upgrade will be v1.1.0. EOL branches will not be supported with bug fixes or feature additions, but will continue to have security issues IN winter CODE ONLY (i.e. security fixes for dependencies will not be included) fixed as they are reported to the core team through our Security Policy.

v1.0.468

UX/UI Improvements

• Added new Paragraph Formats option to the Editor Settings page, which allows you to control the available tags in the Paragraph Formats button.

API Changes

• The Encryptable trait now encrypts "empty" values correctly, such as the number zero and an empty string. The only value that is left unencrypted is a null value.
• Fixed docblocks in the Winter\Storm\Network\Http class that referred to the $options property as an array instead of the callable that is actually used

Bug Fixes

• Unit tests involving authentication are now namespaced to backend.auth, to prevent conflicts with other authentication libraries.
• Fixed "use statement with non-compound names has no effect" when attempting to import classes already in the root namespace (like facades) in the CMS PHP code section.
• Fixed a bug where the text entry of a taglist field would remain after the tag has been created.
• Resolved an issue where PHP max_input_vars limits would prevent "group" filters from working if they contained more options than max_input_vars would allow.
• Fixed support for ignoreTimezone in date and daterange filter scope types.
• Fixed issue with Arabic translation in the backend where Indic numerals were being used instead of Arabic numerals for the datepicker FormWidget which was confusing the serverside processing of date values.
• Fixed issue where an incorrect <textarea> tag definition broke the popup editor for stringList and text type fields in the Inspector.

Security Improvements

• Improved validation of encrypted cookies by locking cookie values to the cookie they were created for. See the security advisory for more information.

Translation Improvements

• Improved French translation.

Community Improvements

• Added note in config/cms.php for handling URL generation for uploaded files when using Winter in a subfolder installation.

v1.0.467

UX/UI Improvements

• Added docblocks to the controller scaffolding.
• Added support for decompiling nested compiled asset files when cms.decompileBackendAssets is enabled.
• Improved error handling for failed fileuploads

Bug Fixes

• Fixed bug introduced in 466 where :number stopped working in transChoice translation strings.
• Fixed bug introduced in 466 where it was impossible to upload images to the Media Library while on a page that included the AssetList widget.
• Fixed bug introduced in 466 where plugin dependencies wouldn't be loaded all of the time.
• Fixed bug where belongsToMany relationships with pivot data could not be added to through the RelationController if a custom order property was set on the relationship definition.
• Fixed empty tags being stripped in RichEditor (Froala) widget.
• Fixed bug where a field with @context in the name would completely break forms if it also utilized the dependsOn API other fields.
• Fixed bug introduced in 466 where backend throttle records were no longer recording the IP address correctly of authentication attempts.
• Fixed visual glitch on Inspector autocomplete dropdown fields
• Fixed an issue where using File()->fromUrl() on very long URLs would result in a filename that was too long for the database.
• Fixed issue where application bootstrappers could hard crash the application by throwing an exception that wouldn't be able to passed on to the user for them to resolve.
• Improve error handling for invalid counter properties on backend menu items.
• Fixed issue where the onSave() AJAX handlers of the FormController behavior weren't getting being affected by context-specific configuration values.
• Fixed issue where refreshing the entire form through JS would cause an issue because the toggleEmptyTabs delayed function would be run after the original form element it was targeting was replaced in the DOM
• Improved error message when attempting to fork an unforkable component (component without a default.htm partial)

Security Improvements

• Fixed security issue where content pasted into the Froala richeditor wasn't properly sanitized exposing users to self-XSS attacks from malicious websites when copying & pasting content into the editor.

Community Improvements

• Documented the Select field widget's dynamic option creation (tagging) feature.

Translation Improvements

• Improved the Polish translation.