Release notes for Magnolia CMS 6.3.5

LTS release • Delivered on February 21, 2025 • Changelog: 15689

Magnolia 6.3.5 is primarily a bug-fixing and security release that delivers critical security fixes and breaking changes in FreeMarker directives, content rendering, and in the configuration of the Content Translation Extended module.

We keep the details of the security fixes private in line with our security policy. Contact our Support team if you need more information.

Breaking changes

The improvements and fixes shipped with this release have also introduced the following breaking changes.

Security hardening of template scripts

Content is available in template scripts via templating functions and, for the most part, automatically encoded. Before this release, we identified some directives that weren’t compliant with this security encoding. To fix this, escaping content to enable encoding is now set by default for all directives.

You can run the following Groovy script to identify whether your template scripts are affected. If you’re affected, you can disable the encoding fixes by setting the new magnolia.templating.escaping property to compatibility. See Configuration management for more details.

Alternatively, you can update the template scripts to use the new encoded content.

MAGNOLIA-9563 Inconsistency in encoding content via templating functions and renderer

import info.magnolia.objectfactory.Components;
import info.magnolia.resourceloader.ResourceOrigin;
import info.magnolia.resourceloader.util.ResourcePredicates;
import java.util.regex.Pattern;

PATTERNS = [Pattern.compile("cmsfn.(contentByPath|contentById|nodeByPath|nodeById|search|simpleSearch)"),
            Pattern.compile("searchfn.(searchPages|searchContent)"),
            Pattern.compile("catfn.(getCategories|getRelatedCategories|getContentByCategory|getCategoryNodeByName)")]

origin = Components.getComponent(ResourceOrigin.class);
resources = origin.find("/", ResourcePredicates.pathMatchesGlob("/**/*.ftl")).toList();
for (resource in resources) {
    if (searchIn(resource) > 0) {
        println resource.getPath();
    }
}


def searchIn(resource) {
    def count = 0
    resource.openReader().withCloseable { reader ->
        reader.eachLine { line ->
            PATTERNS.each{ PATTERN ->
                def matcher = PATTERN.matcher(line)
                while (matcher.find()) count++
            }
        }
    }
    return count
}

Content Translation Extended module config

The release of the Content Translation Extended module 4.1.0 on January 27, 2025 entails breaking changes in the configuration of the module.

Click to see the new configuration for use with Magnolia 6.3.5.

The configuration is now located under the translationProviders node. Make sure that you move your existing translation provider configuration to the correct path.

modules
├── content-translation-support-ext-<service-name>
├── config
├── translationProviders
│   └── <service-name>TranslationProviderConfigFile.yaml
...

Example for DeepL:

modules
├── content-translation-support-ext-deepl
├── config
├── translationProviders
│   └── deeplTranslationProviderConfigFile.yaml
...

Improvements

MAGNOLIA-9581 Optimized index of the mgnlVersion workspace. This helps reduce the disk footprint and CPU usage on version actions.

Requires re-indexing of the mgnlVersion workspace to take effect.

Bug fixes

MAGNOLIA-9540 Indexing configuration: mgnl:contentNode should be included in primary type aggregates

For more, see Website indexing configuration file.
MAGNOLIA-9554 Imported content may end up not being publishable
MAGNOLIA-9557 ObservationBasedDelayedExecutor can cause lock contention
MGNLDAM-1595, MGNLIMG-399 Assets with Japanese name throw PathNotFoundException on download and preview
MGNLUI-9098 Export action forces browser reload in Firefox and Safari
MGNLUI-9129 Editing a user on the Security app removes the password, making login impossible

Miscellaneous

ADMINCTR-579, MGNLCE-411 Retire Contacts app in Magnolia 6.3

Third-party library updates

This release comes with third-party library updates, see the Magnolia Third-party library BOM 6.3.5.

Notable updates

BUILD-1319 Update json-smart to 2.5.2
BUILD-1321 Update Netty to 4.1.118.Final or later

Updated modules

Modules bundled with this release.

Admincentral 6.3.3
Categorization 3.0.1
Community Edition 6.3.5
DAM 4.0.5
Definitions App 3.0.4
Demo Projects 6.3.5
DX Core 6.3.5
Imaging 4.0.1
Magnolia 6.3.5
Templating Essentials 3.0.1
Third-party library BOM 6.3.5
Third-party library BOM for Extensions 6.3.5
UI 6.3.5

Unbundled modules

Unbundled modules released since Magnolia 6.3.4.

AI Accelerator module
- Version 2.2.0-beta1 (technical preview) was released on February 11, 2025. For more information, see the changelog.
- Version 2.1.1 was released on February 3, 2025. For more information, see the changelog.
Content Translation Extended module 4.1.0 was released on January 27, 2025. The 4.0.x branch won’t receive any further updates. For more information, see the changelog.
Marketing Automation module 2.0.1 was released on February 5, 2025. For more information, see the changelog.
SSO module 4.0.2 was released on February 7, 2025. For more information, see the changelog.

Acknowledgements

The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better.

Feedback

DX Core