Joomla! 5.4.2

muhme · muhme · commit 8b3241bd6ee6 · 2025-12-20T19:18:56.000+01:00
diff --git a/administrator/language/en-GB/install.xml b/administrator/language/en-GB/install.xml
@@ -3,7 +3,7 @@
 	<name>English (en-GB)</name>
 	<tag>en-GB</tag>
 	<version>5.4.2</version>
-	<creationDate>2025-12</creationDate>
+	<creationDate>2026-01</creationDate>
 	<author>Joomla! Project</author>
 	<authorEmail>admin@joomla.org</authorEmail>
 	<authorUrl>www.joomla.org</authorUrl>
diff --git a/administrator/language/en-GB/langmetadata.xml b/administrator/language/en-GB/langmetadata.xml
@@ -2,7 +2,7 @@
 <metafile client="administrator">
 	<name>English (en-GB)</name>
 	<version>5.4.2</version>
-	<creationDate>2025-12</creationDate>
+	<creationDate>2026-01</creationDate>
 	<author>Joomla! Project</author>
 	<authorEmail>admin@joomla.org</authorEmail>
 	<authorUrl>www.joomla.org</authorUrl>
diff --git a/administrator/manifests/files/joomla.xml b/administrator/manifests/files/joomla.xml
@@ -6,8 +6,8 @@
 	<authorUrl>www.joomla.org</authorUrl>
 	<copyright>(C) 2019 Open Source Matters, Inc.</copyright>
 	<license>GNU General Public License version 2 or later; see LICENSE.txt</license>
-	<version>5.4.2-rc2-dev</version>
-	<creationDate>2025-12</creationDate>
+	<version>5.4.2</version>
+	<creationDate>2026-01</creationDate>
 	<description>FILES_JOOMLA_XML_DESCRIPTION</description>
 
 	<scriptfile>administrator/components/com_admin/script.php</scriptfile>
diff --git a/administrator/manifests/packages/pkg_en-GB.xml b/administrator/manifests/packages/pkg_en-GB.xml
@@ -3,7 +3,7 @@
 	<name>English (en-GB) Language Pack</name>
 	<packagename>en-GB</packagename>
 	<version>5.4.2.1</version>
-	<creationDate>2025-12</creationDate>
+	<creationDate>2026-01</creationDate>
 	<author>Joomla! Project</author>
 	<authorEmail>admin@joomla.org</authorEmail>
 	<authorUrl>www.joomla.org</authorUrl>
diff --git a/api/language/en-GB/install.xml b/api/language/en-GB/install.xml
@@ -3,7 +3,7 @@
 	<name>English (en-GB)</name>
 	<tag>en-GB</tag>
 	<version>5.4.2</version>
-	<creationDate>2025-12</creationDate>
+	<creationDate>2026-01</creationDate>
 	<author>Joomla! Project</author>
 	<authorEmail>admin@joomla.org</authorEmail>
 	<authorUrl>www.joomla.org</authorUrl>
diff --git a/api/language/en-GB/langmetadata.xml b/api/language/en-GB/langmetadata.xml
@@ -2,7 +2,7 @@
 <metafile client="api">
 	<name>English (en-GB)</name>
 	<version>5.4.2</version>
-	<creationDate>2025-12</creationDate>
+	<creationDate>2026-01</creationDate>
 	<author>Joomla! Project</author>
 	<authorEmail>admin@joomla.org</authorEmail>
 	<authorUrl>www.joomla.org</authorUrl>
diff --git a/installation/language/en-GB/langmetadata.xml b/installation/language/en-GB/langmetadata.xml
@@ -2,7 +2,7 @@
 <metafile client="installation">
 	<name>English (United Kingdom)</name>
 	<version>5.4.2</version>
-	<creationDate>2025-12</creationDate>
+	<creationDate>2026-01</creationDate>
 	<author>Joomla! Project</author>
 	<copyright>(C) 2005 Open Source Matters, Inc.</copyright>
 	<license>GNU General Public License version 2 or later; see LICENSE.txt</license>
diff --git a/language/en-GB/install.xml b/language/en-GB/install.xml
@@ -3,7 +3,7 @@
 	<name>English (en-GB)</name>
 	<tag>en-GB</tag>
 	<version>5.4.2</version>
-	<creationDate>2025-12</creationDate>
+	<creationDate>2026-01</creationDate>
 	<author>Joomla! Project</author>
 	<authorEmail>admin@joomla.org</authorEmail>
 	<authorUrl>www.joomla.org</authorUrl>
diff --git a/language/en-GB/langmetadata.xml b/language/en-GB/langmetadata.xml
@@ -2,7 +2,7 @@
 <metafile client="site">
 	<name>English (en-GB)</name>
 	<version>5.4.2</version>
-	<creationDate>2025-12</creationDate>
+	<creationDate>2026-01</creationDate>
 	<author>Joomla! Project</author>
 	<authorEmail>admin@joomla.org</authorEmail>
 	<authorUrl>www.joomla.org</authorUrl>
diff --git a/libraries/src/Filter/InputFilter.php b/libraries/src/Filter/InputFilter.php
@@ -9,6 +9,7 @@
 
 namespace Joomla\CMS\Filter;
 
+use enshrined\svgSanitize\Sanitizer;
 use Joomla\CMS\String\PunycodeHelper;
 use Joomla\Filter\InputFilter as BaseInputFilter;
 
@@ -489,4 +490,39 @@ protected function stripUSC($source)
 
         return preg_replace('/[\xF0-\xF7].../s', "\xE2\xAF\x91", $source);
     }
+
+    /**
+     * Internal method to strip a tag of disallowed attributes - extended to filter SVG content
+     *
+     * @param   array  $attrSet  Array of attribute pairs to filter
+     *
+     * @return  array  Filtered array of attribute pairs
+     *
+     * @since 5.4.2
+     */
+    protected function cleanAttributes(array $attrSet)
+    {
+        // Do the heavy lifting in the upstream library
+        $attrSet = parent::cleanAttributes($attrSet);
+
+        // Decode and check base64-encoded svgs
+        return array_map(
+            function ($attribute) {
+                // Check for presence of relevant tags
+                if (!preg_match('/"data:.*svg.*;base64,(.*)"/U', $attribute, $matches)) {
+                    return $attribute;
+                }
+
+                // Extract SVG
+                $svg = base64_decode($matches[1], true);
+
+                // Sanitize svg
+                $sanitizer = new Sanitizer();
+
+                // Replace content
+                return str_replace($matches[1], base64_encode($sanitizer->sanitize($svg)), $attribute);
+            },
+            $attrSet,
+        );
+    }
 }
diff --git a/libraries/src/Version.php b/libraries/src/Version.php
@@ -66,15 +66,15 @@ final class Version
      * @var    string
      * @since  3.8.0
      */
-    public const EXTRA_VERSION = 'rc2-dev';
+    public const EXTRA_VERSION = '';
 
     /**
      * Development status.
      *
      * @var    string
      * @since  3.5
      */
-    public const DEV_STATUS = 'Development';
+    public const DEV_STATUS = 'Stable';
 
     /**
      * Code name.
@@ -90,15 +90,15 @@ final class Version
      * @var    string
      * @since  3.5
      */
-    public const RELDATE = '20-December-2025';
+    public const RELDATE = '6-January-2026';
 
     /**
      * Release time.
      *
      * @var    string
      * @since  3.5
      */
-    public const RELTIME = '18:01';
+    public const RELTIME = '16:00';
 
     /**
      * Release timezone.
diff --git a/plugins/content/pagebreak/tmpl/toc.php b/plugins/content/pagebreak/tmpl/toc.php
@@ -25,7 +25,7 @@
             <?php $class = $listItem->active ? ' active' : ''; ?>
             <li class="py-1">
                 <a href="<?php echo Route::_($listItem->link); ?>" class="toclink<?php echo $class; ?>">
-                    <?php echo $listItem->title; ?>
+                    <?php echo htmlspecialchars($listItem->title, ENT_QUOTES, 'UTF-8'); ?>
                 </a>
             </li>
         <?php endforeach; ?>
diff --git a/plugins/content/pagenavigation/tmpl/default.php b/plugins/content/pagenavigation/tmpl/default.php
@@ -28,7 +28,7 @@
             <span class="visually-hidden">
                 <?php echo Text::sprintf('JPREVIOUS_TITLE', htmlspecialchars($rows[$location - 1]->title)); ?>
             </span>
-            <?php echo '<span class="icon-chevron-' . $direction . '" aria-hidden="true"></span> <span aria-hidden="true">' . $row->prev_label . '</span>'; ?>
+            <?php echo '<span class="icon-chevron-' . $direction . '" aria-hidden="true"></span> <span aria-hidden="true">' . htmlspecialchars($row->prev_label) . '</span>'; ?>
             </a>
     <?php endif; ?>
     <?php if ($row->next) :
@@ -37,7 +37,7 @@
             <span class="visually-hidden">
                 <?php echo Text::sprintf('JNEXT_TITLE', htmlspecialchars($rows[$location + 1]->title)); ?>
             </span>
-            <?php echo '<span aria-hidden="true">' . $row->next_label . '</span> <span class="icon-chevron-' . $direction . '" aria-hidden="true"></span>'; ?>
+            <?php echo '<span aria-hidden="true">' . htmlspecialchars($row->next_label) . '</span> <span class="icon-chevron-' . $direction . '" aria-hidden="true"></span>'; ?>
             </a>
     <?php endif; ?>
     </span>
