Merge branch '5.9' into 6.x

# Conflicts:
#	CHANGELOG-WIP.md
#	src/config/app.php
#	src/services/Entries.php
#	yii2-adapter/legacy/services/Gql.php

Author: riasvdv

CHANGELOG.md

@@ -16,6 +16,7 @@
 - Fixed a bug where it wasn’t possible to copy/paste nested entries within Matrix fields set to the inline-editable blocks view mode, for unpublished owner elements. ([#18185](https://github.com/craftcms/cms/pull/18185))
 - Fixed a bug where custom fields’ checkboxes weren’t getting removed from field layouts’ “Card Attributes” lists when removed from the layout.
 - Fixed an SSRF vulnerability. (GHSA-96pq-hxpw-rgh8)
+- Fixed an XSS vulnerability. (GHSA-7pr4-wx9w-mqwr)
 
 ## 5.8.21 - 2025-12-04
 
@@ -28,10 +29,10 @@
 - Fixed a bug where relation fields weren’t handling `:empty:`/`:notempty:` element query params properly if the field had multiple instances within a field layout. ([#18092](https://github.com/craftcms/cms/pull/18092))
 - Fixed a bug where user preferences were being respected for users who formerly had access to the control panel.
 - Fixed a bug where nested entries could be reordered when their owner element was resaved programmatically. ([#18121](https://github.com/craftcms/cms/pull/18121))
-- Fixed RCE vulnerabilities. (GHSA-255j-qw47-wjh5, GHSA-742x-x762-7383)
-- Fixed an SSRF vulnerability. (GHSA-x27p-wfqw-hfcc)
-- Fixed a DoS vulnerability. (GHSA-v64r-7wg9-23pr)
-- Fixed an information disclosure vulnerability. (GHSA-53vf-c43h-j2x9)
+- Fixed RCE vulnerabilities. ([GHSA-255j-qw47-wjh5](https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5), [GHSA-742x-x762-7383](https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383))
+- Fixed an SSRF vulnerability. ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc))
+- Fixed a DoS vulnerability. ([GHSA-v64r-7wg9-23pr](https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr))
+- Fixed an information disclosure vulnerability. ([GHSA-53vf-c43h-j2x9](https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9))
 
 ## 5.8.20 - 2025-11-18
 

resources/templates/graphql/schemas/_edit.twig

@@ -35,7 +35,7 @@
 
             <li>
                 {{ checkbox({
-                    label: props.label,
+                    label: raw(props.label|md(inlineOnly=true, encode=true)),
                     name: 'permissions[]',
                     value: permissionName,
                     checked: checked,
@@ -101,7 +101,7 @@
         </div>
     {% endfor %}
 
-    <hr/>
+    <hr>
     <h2>{{ 'Choose the available mutations for this schema:'|t('app') }}</h2>
 
     {% for category, catPermissions in schemaComponents.mutations|filter %}
@@ -113,6 +113,19 @@
         </div>
     {% endfor %}
 
+  <hr>
+  <h2>{{ 'Choose optional features available to this schema:'|t('app') }}</h2>
+
+  <div class="user-permissions">
+    {{ permissionList(schema, {
+      'directive:parseRefs': {
+        label: '{name} directive'|t('app', {
+          name: '`@parseRefs`',
+        }),
+        warning: 'Provides read-only access to user data and most content.',
+      },
+    }) }}
+  </div>
 
 {% endblock %}
 

resources/translations/cy/app.php

@@ -592,7 +592,10 @@ public function nth(int $n, array|string $columns = ['*']): ?ElementInterface
             return $eagerResult->first();
         }
 
-        return $this->query->skip(($this->offset ?: 0) + $n)->first($columns);
+        /** @var ?ElementInterface $element */
+        $element = $this->query->skip(($this->offset ?: 0) + $n)->first($columns);
+
+        return $element;
     }
 
     /**

src/Database/Queries/ElementQuery.php

@@ -203,7 +203,7 @@ private function defineSources(string $elementType, string $context): array
                 continue;
             }
 
-            $source['sites'] = collect($source['sites'] ?? [])
+            $source['sites'] = collect($source['sites'])
                 ->map(function (int|string $siteId) {
                     if (! is_string($siteId)) {
                         return $siteId;
@@ -215,6 +215,7 @@ private function defineSources(string $elementType, string $context): array
 
                     try {
                         return Sites::getSiteByUid($siteId)->id;
+                        /** @phpstan-ignore catch.neverThrown */
                     } catch (SiteNotFoundException) {
                         return null;
                     }

src/Element/ElementSources.php

@@ -598,7 +598,7 @@ public function getTableData(
         $usages = $this->allEntryTypeUsages();
 
         foreach ($entryTypes as $entryType) {
-            $label = $entryType->getUiLabel();
+            $label = Html::encode($entryType->getUiLabel());
             $chipCellContent = Html::beginTag('div', ['class' => 'inline-chips']).
                 Cp::chipHtml($entryType, [
                     'labelHtml' => Html::a($label, $entryType->getCpEditUrl(), [

src/Entry/EntryTypes.php

@@ -69,8 +69,7 @@ public static function t($category, $message, $params = [], $language = null): s
     /**
      * @inheritdoc
      * @template T
-     * @param class-string<T>|array|callable $type
-     * @phpstan-param class-string<T>|array{class:class-string<T>}|callable():T $type
+     * @param class-string<T>|array{class:class-string<T>}|array{__class:class-string<T>}|callable():T $type
      * @param array $params
      * @return T
      */

yii2-adapter/legacy/Craft.php

@@ -382,7 +382,7 @@ public function actionEdit(?ElementInterface $element, ?int $elementId = null):
         $notice = null;
         if ($element->isProvisionalDraft) {
             $notice = fn() => $this->_draftNotice();
-        } elseif ($element->getIsRevision()) {
+        } elseif ($isRevision) {
             $notice = fn() => $this->_revisionNotice($element::lowerDisplayName());
         }
 

yii2-adapter/legacy/controllers/ElementsController.php

@@ -346,6 +346,8 @@ public static function createFullAccessSchema(): GqlSchema
             $traverser($group);
         }
 
+        $schema->scope[] = 'directive:parseRefs';
+
         return $schema;
     }
 

yii2-adapter/legacy/helpers/Gql.php

@@ -390,7 +390,7 @@ public function getSchemaDef(?GqlSchema $schema = null, bool $prebuildSchema = f
                 'typeLoader' => TypeLoader::class . '::loadType',
                 'query' => TypeLoader::loadType('Query'),
                 'mutation' => TypeLoader::loadType('Mutation'),
-                'directives' => $this->_loadGqlDirectives(),
+                'directives' => $this->_loadGqlDirectives($schema),
             ];
 
             // If we're not required to pre-build the schema the relevant GraphQL types will be added to the Schema
@@ -1540,21 +1540,25 @@ private function _registerGqlMutations(): void
     /**
      * Get GraphQL query definitions
      *
+     * @param GqlSchema|null $schema
      * @return GqlDirective[]
      */
-    private function _loadGqlDirectives(): array
+    private function _loadGqlDirectives(?GqlSchema $schema): array
     {
         /** @var class-string<Directive>[] $directiveClasses */
         $directiveClasses = [
             // Directives
             FormatDateTime::class,
             Markdown::class,
             Money::class,
-            ParseRefs::class,
             StripTags::class,
             Trim::class,
         ];
 
+        if (in_array('directive:parseRefs', $schema->scope)) {
+            $directiveClasses[] = ParseRefs::class;
+        }
+
         if (!Cms::config()->disableGraphqlTransformDirective) {
             $directiveClasses[] = Transform::class;
         }