Hotfix Instructions - Xperience 13
Hotfixes enable you to fix problems and apply updates to your installation of Kentico Xperience. You can download hotfix packages and view the list of fixed bugs on the Kentico DevNet portal.
If you have the source code version of Xperience, please see Hotfix Instructions - Xperience 13 Source Code.
Note
Always back up your project files and database before applying a hotfix.
To successfully complete the hotfix, your administration project, database and live site project must all be updated to exactly the same version. See Applying the hotfix and its subsections for details.
Xperience 13 Refresh releases
Kentico Xperience 13 Refreshes are product updates released in the form of hotfixes. Follow the standard hotfix instructions described on this page to apply Refreshes to your project.
Release | Hotfix | Additional information |
Refresh 1 | 13.0.16 or newer | |
Refresh 2 | 13.0.31 or newer | |
Refresh 3 | 13.0.43 or newer | |
Refresh 4 | 13.0.52 or newer | |
Refresh 5 | 13.0.64 or newer | |
Refresh 6 | 13.0.73 or newer | |
Refresh 7 | 13.0.83 or newer | |
Refresh 8 | 13.0.94 or newer | |
Refresh 9 | 13.0.104 or newer | |
Refresh 10 | 13.0.115 or newer | |
Refresh 11 | 13.0.131 or newer | |
Refresh 12 | 13.0.142 or newer |
Table of Contents
- Xperience 13 Refresh releases
- Table of Contents
- Installing the hotfix
- Prerequisites
- Applying the hotfix
- After applying the hotfix
- Updating setup files and external utilities
- Additional notes and workarounds
- 13.0.5
- 13.0.10
- 13.0.16 (Xperience 13 Refresh 1)
- 13.0.25
- 13.0.31 (Xperience 13 Refresh 2)
- 13.0.32
- 13.0.38
- 13.0.42
- 13.0.43 (Xperience 13 Refresh 3)
- 13.0.45
- 13.0.50
- 13.0.52 (Xperience 13 Refresh 4)
- 13.0.58
- 13.0.64 (Xperience 13 Refresh 5)
- 13.0.67
- 13.0.68
- 13.0.72
- 13.0.73 (Xperience 13 Refresh 6)
- 13.0.80
- 13.0.82
- 13.0.83 (Xperience 13 Refresh 7)
- 13.0.85
- 13.0.89
- 13.0.94 (Xperience 13 Refresh 8)
- 13.0.95
- 13.0.100
- 13.0.104 (Xperience 13 Refresh 9)
- 13.0.107
- 13.0.110
- 13.0.113
- 13.0.115 (Xperience 13 Refresh 10)
- 13.0.125
- 13.0.130
- 13.0.131 (Xperience 13 Refresh 11)
- 13.0.133
- 13.0.140
- 13.0.142 (Xperience 13 Refresh 12)
- 13.0.147
- 13.0.148
- 13.0.159
- 13.0.162
- 13.0.165
- Fixed bugs
Installing the hotfix
- Download the installer for the required hotfix version from the Kentico DevNet portal.
- Run the Hotfix_<version>.exe file.
- Go through the hotfix installation procedure.
By default, the installer places the hotfix into the C:\Program Files\Kentico\<version>\Hotfix<version> folder.
Prerequisites
You can only apply the hotfix to complete Xperience administration projects that use the standard folder structure (the solution file, GlobalAssemblyInfo.cs, the CMS and Lib sub-folders). For example, the hotfix cannot be applied to administration deployments of the CMS folder.
Applying the hotfix
Use the following general process to apply the hotfix (we do not recommend attempting to directly hotfix your live production site):
Set up a local instance of your site (including the web project files and database).
- You can either maintain a permanent local development instance, or get backups of your production site’s web projects and database for each hotfix.
Hotfix the local administration instance by running the Hotfix Utility. See: Hotfixing your local project
- Remember that you need to Rebuild the project’s solution in Visual Studio.
Update the Xperience code within your live site application to the matching hotfix version. See: Hotfixing the live site application
Test that the hotfixed local website works correctly.
Redeploy the project files to your production environment (using your preferred publishing process).
Apply the hotfix SQL script to your production database. See Hotfixing your production database
To display all features in the Xperience administration correctly, clear the cache in your browser (and ensure the same for all other administration users).
Hotfixing Microsoft Azure applications
If your website is hosted on Microsoft Azure, the recommended hotfix process is the same as outlined above. First apply the hotfix to a local development instance, then redeploy to Azure and run the hotfix SQL script against your production database.
Hotfixing your local project
Note: For further information, see: Upgrading and hotfixing an instance
Run Kentico Hotfix Utility (Hotfix.exe) from the location where you installed the hotfix (C:\Program Files\Kentico\<version>\Hotfix<version> folder by default).
Select your administration project folder using the Browse button or type in the path to the project manually.
Use the utility to back up your project files and/or database (or skip these steps if you already have backups).
Select which components you want to update. Click Switch to advanced mode if you wish to change the settings.
Kentico Xperience files – the files of your administration project
Setup files – the Xperience Installer and other external utilities (which are separate from the web project)
SQL script – the database structure and data
We recommend updating all components. To successfully complete the hotfix, you need to update the files of your web project and apply the SQL script to the database.
Choose a method of taking the project offline and back online.
Click Next to start the hotfix procedure.
After the update finishes, click Next to view any problems that may have occurred and the instructions to solve them.
Errors that can commonly occur are conflicts with customized files. By default, the hotfix does not overwrite modified files (unless you enable the Overwrite all files option in advanced mode):
- For each conflict with a customized file, the process creates the new version of the file with the .new extension. You need to manually transfer your customizations to the new files and then replace the original ones.
- Customized files that would have otherwise been deleted remain in the file system, with an added .deleted extension.
Open the Xperience solution in Visual Studio and Rebuild the solution.
Access the URL of your Xperience administration application in a browser (opening the live site is not sufficient).
- When handling the first request, the system performs certain tasks required to complete the hotfix. Processing of the first request may take longer than usual.
Preparing the hotfixed project files manually
If you do not wish to go through the user interface of the Hotfix Utility, you can create the hotfixed web project files manually using the command line. For example, this can be useful if you wish to integrate the hotfix into a more complex scripted procedure.
Navigate to the location where you installed the hotfix (C:\Program Files\Kentico\<version>\Hotfix<version> folder by default).
Run Hotfix.exe from the command line with the /deploy and /path parameters:
- Use the /path parameter to specify the location where the utility creates the update files. Use a relative path (folder in the location where the utility was executed) or absolute path (any location on a local disk).
Example: Hotfix.exe /deploy /path=Deploy
Creates a folder named Deploy in the directory from which the utility was executed, and copies all files and folders necessary for updating to the given hotfix version.
Copy the update files created by the Hotfix Utility into your Xperience web project’s root folder (including the CMS and Lib folders, and GlobalAssemblyInfo.cs file). Overwrite the original files.
- Do NOT copy and overwrite the CMS\CMSApp.csproj file.
- If you have previously modified some of the project files, do NOT overwrite these files. You need to compare the modified files with the new versions and make appropriate changes manually.
Open DeletedFiles.xml in the update file directory and delete all of the listed files from your web project (you can prepare a batch file to automate the process).
Open the Xperience solution in Visual Studio.
Click Show all files at the top of the Solution Explorer.
Locate and select all newly added files under the CMSApp project.
- Tip: Identify the new files by using a differencing or merging tool to compare your CMSApp.csproj file with the one from the update files.
Right-click one of the selected new files and click Include in Project.
Rebuild the solution.
Hotfixing the live site application
In addition to applying the hotfix to the Xperience administration application (see above), you also need to update the Xperience code used by your live site (MVC) application:
- Open your live site application in Visual Studio.
- Right-click your web project in the Solution Explorer and select Manage NuGet Packages.
- Update the Kentico.Xperience.AspNet.Mvc5 or Kentico.Xperience.AspNetCore.WebApp NuGet package to the version that matches the applied hotfix.
Hotfixing your production database
Update your production database as the last step in the hotfix process, after you test the hotfix locally. This ensures minimum downtime for your live site while avoiding loss of data.
The hotfix version of the database must match the version of the web project, so you need to perform the update together with the redeployment of the hotfixed project files.
Note: On websites that contain a very large amount of data (particularly pages), the database hotfix process can be very resource intensive. You may need to temporarily scale up the performance of your database server and/or increase the database connection timeout.
To update your production database, manually execute the hotfix database scripts (for example using SQL Management Studio). The script files are located in the SQL folder of your hotfix installation directory.
- If you do not use separated databases – run Hotfix_separated.sql first and then Hotfix_default.sql.
- If you use separated databases – run Hotfix_separated.sql on the separated database and Hotfix_default.sql on your main database.
- Note: The script files may be empty if the given hotfix does not require any SQL scripts for the related tables (skip the file in these cases).
Once the database update is complete, you need to access the URL of your Xperience administration application in a browser (opening the live site is not sufficient). When handling the first request, the system performs certain tasks required to complete the hotfix. Processing of the first request may take longer than usual.
After your administration application loads up, open the Event log application to validate that the hotfix procedure was completed successfully. Make sure the log contains Start and Finish events for the hotfix application, and check for any error events with the HotfixProcedure Source.
After applying the hotfix
All users who work with the Xperience administration should clear the cache in their browsers after applying the hotfix. Otherwise, some features in the administration interface may not be displayed correctly.
After applying the hotfix to a development instance that has continuous integration enabled, you need to run complete serialization for all objects to recreate the content of the CIRepository folder (use the Continuous integration application in the Xperience administration interface). Apply the hotfix separately for each instance in your development environment. After one developer commits the hotfixed changes to the source control, other developers CANNOT commit or load changes until they apply the hotfix to their own instance.
Updating setup files and external utilities
Hotfixes provide bug fixes for all files related to the Xperience installation, which includes the installer and other external utilities, such as Kentico Installation Manager and Kentico Service Manager.
To update these files and utilities, you need to apply the hotfix to the setup files:
- When running the hotfix utility, click Switch to advanced mode in the Change confirmation step.
- Select the Setup files checkbox.
- Click Next.
- In the Running applications step, stop any applications that are currently running from the setup files.
- Click Next and continue through the rest of the hotfix procedure.
The hotfix makes any required changes to the files in the directory where you installed your Xperience setup files.
Additional notes and workarounds
13.0.5
- (Added feature) Media libraries – The hotfix allows media libraries to use the direct file path in URLs when adding links to files in Xperience content (instead of permanent media file URLs). For example, direct file URLs may be desired for media files placed in external storage (such as Microsoft Azure Blob storage). The option can be configured when editing individual media libraries on the General tab. The URL format applies in the following scenarios:
Adding media files using the Rich text widget in page builder content
Adding media files using the editor for page fields based on the Rich text editor form control
Selecting media files in page fields based on the Media selection form control
Note: Files accessed through a direct path are not handled by the Xperience system – no permission or security restrictions are enforced and image resizing is not applied. Additionally, direct file links may become broken in certain deployment scenarios if your instances each use a different location or container for media files.
Important
After applying hotfix 13.0.5, you may encounter an error when creating new media libraries.
To fix the problem, either apply hotfix 13.0.9 or newer, or alternatively re-sign macros using the System application in Macros -> Signatures.
13.0.10
Filesystem handling for ASP.NET Core applications on Linux – The hotfix addresses a number of filesystem-related issues encountered when hosting ASP.NET Core live site applications in Linux environments. The issues were primarily caused by a dependency on Windows-like filesystem conventions, so mostly impacted features reliant on Input/Output operations. The following is a non-exhaustive list of affected features: media library operations (insert, modify, delete), smart search (running indexing tasks, index rebuilds), web farm synchronization, scheduler functionality run on the live site.
The hotfix additionally introduces a new approach for detecting absolute and relative paths on Unix-like filesystems. This applies only to ASP.NET Core applications hosted on Linux. Since both relative and absolute paths on Unix-like filesystems begin with a forward slash (‘/’), Xperience cannot determine whether a path segment is absolute or relative. For example, this is important when determining the location of media library content, or in general whenever it is necessary to prepend relative path fragments with the physical path to the web application.
By default, the system uses the following process to detect the path type:
- The system receives a path fragment. For example: /media/mediagallery/image.jpg
- If the path is prefixed with the physical path to the web application (stored in the SystemContext.WebApplicationPhysicalPath property), the path is treated as absolute. If not, the system checks whether the first two folders in the path exist on the filesystem starting from the root (taking the first two folders produced the least false positives during extensive testing). For the example above, the system tests for the existence of: /media/mediagallery
- If the first two folders in the path do not exist, the path is treated as relative. If the first two folders exist, the path is treated as absolute.
You can override this behavior by adding the CMSUnixRootedPathPrefixes configuration key to the Core application. Adding the key disables the process described above. Instead, the key needs to contain a semicolon-delimited list of all path prefixes (e.g., /etc/, /var/, /mnt/share/) the system should treat as absolute. The list must be case-sensitive.
appsettings.json"CMSUnixRootedPathPrefixes": "/etc/;/var/;/mnt/share/",
Only use the CMSUnixRootedPathPrefixes configuration key if your project contains non-standard filesystem mapping (e.g., for media library files), or if you encounter issues with the built-in path type detection mechanism. The default functionality covers all expected cases and filesystem configurations.
Rich text editor – The hotfix updates the Rich text editor component for the page builder to use version 3.2.6 of the Froala WYSIWYG editor. The update resolves an issue where adding a new line caused the page to scroll down to the bottom of the rich text editor content (when the content was very long).
Search – The Search fields tab in the page type editing interface was only available for page types that had the URL feature enabled. After applying the hotfix, the search configuration is displayed for all page types that have either custom fields or the URL feature. The change allows searching for page items that hold content, but do not need their own URL.
13.0.16 (Xperience 13 Refresh 1)
For detailed information about the new features and changes in Xperience 13 Refresh 1, refer to the Release notes.
Search – Applying the Refresh automatically converts all existing page search indexes to a new type that combines the original Pages crawler and Pages indexes. The data source for indexing (page HTML output and/or structured fields) can instead be configured separately for individual page types. See Defining local page indexes to learn more.
- You need to manually Rebuild all page indexes.
- We recommend validating the search configuration of your page types. Select an appropriate Data source for indexing and configure the new Index update trigger flag for individual fields to meet your exact search requirements (by default, the system automatically sets the Index update trigger flag to keep the same behavior of page indexes as before the Refresh).
- If you have customized the search settings for page fields via the SKU or Page class, you need to manually set the new Index update trigger flag for the fields of this class.
13.0.25
- A/B testing – Pages with a running A/B test displayed variants inconsistently to visitors who had not given consent to be tracked as contacts (did not accept cookies of the Visitor or All level). When visitors who are not tracked as contacts view an A/B tested page after applying the hotfix, the system assigns a page variant and stores it into the new CMSVarAB<A/B test name> cookie. This cookie is only used to keep content consistent and does not enable any tracking or logging of conversions.
13.0.31 (Xperience 13 Refresh 2)
- For detailed information about the new features and changes in Xperience 13 Refresh 2, refer to the Release notes.
13.0.32
Web farms – In hosting environments that dynamically adjust the number of instances (e.g., autoscaling in Azure App Services), deactivated web farm servers always remained in the system with the Not responding status for 24 hours. See Troubleshooting web farms. This could cause performance problems and heavy database load due to large numbers of unnecessary synchronization tasks generated after scaling down the number of servers. The hotfix adds the option to adjust the interval for which web farm servers stay in the Not responding status before being deleted. To change the default interval of 24 hours, set the new CMSWebFarmNotRespondingInterval configuration key to the required number of minutes, e.g., 60 for 1 hour.
appsettings.json"CMSWebFarmNotRespondingInterval": 60,
web.config<add key="CMSWebFarmNotRespondingInterval" value="60" />
13.0.38
- API – Dependency injection was not supported when developing page templates filters and form component filters. After applying the hotfix, the constructor of filter classes implementing IPageTemplateFilter or IFormComponentFilter can have parameters (e.g., instances of services registered in the project’s DI container). When registering such filters into the corresponding filter collection, you must use the Add<FilterClassType> method, with the filter class as the generic type parameter.
13.0.42
- Unix/Linux – It was not possible to run Xperience-specific isolated integration tests (derived from the IsolatedIntegrationTests class) in Linux environments due to database connection issues. The hotfix introduces a new CMSTestIsolatedAltConnectionString configuration key that allows test projects to connect to databases running in Linux environments. See Creating isolated integration tests for details.
13.0.43 (Xperience 13 Refresh 3)
- For detailed information about the new features and changes in Xperience 13 Refresh 3, refer to the Release notes.
13.0.45
- Search – On sites running behind a proxy server or another service that masks the application’s original domain (e.g., Azure Application Gateway), the smart search crawler used for page types with a HTML output search data source did not work correctly. JWT token validation failed, which resulted in logged errors and only content available for public users was indexed. The hotfix fixes the issue for ASP.NET Framework (MVC 5) sites. For ASP.NET Core sites, you instead need to set up Forwarded Headers Middleware for the project.
13.0.50
Azure Search – It was not possible to change the domain name suffix of requests generated by the system for Azure search services (e.g., myazuresearchservice.search.windows.net). By default, the system assumes your Azure Search services are hosted on the search.windows.net domain (true for the majority of commercial subscriptions). Search requests for Azure indexes are generated using this suffix and the provided search service name. However, certain Azure subscriptions or licenses host search services under a different domain. For example, Azure Government subscriptions use the search.azure.us domain. The hotfix introduces the new CMSAzureSearchDnsSuffix configuration key, which allows you to change the suffix used by the system when generating Azure search requests.
appsettings.json"CMSAzureSearchDnsSuffix": "search.azure.us",
web.config<!-- Configures the system to generate requests in format: myazureservice.search.azure.us --> <add key="CMSAzureSearchDnsSuffix" value="search.azure.us" />
13.0.52 (Xperience 13 Refresh 4)
- For detailed information about the new features and changes in Xperience 13 Refresh 4, refer to the Release notes.
13.0.58
- The hotfix updates the Froala WYSIWYG editor (for example used in the Rich text widget) to version 4.0.8.
13.0.64 (Xperience 13 Refresh 5)
- For detailed information about the new features and changes in Xperience 13 Refresh 5, refer to the Release notes.
13.0.67
- WYSIWYG editor – The Check Spelling feature in the Full toolbar of the administration’s rich text editor no longer works and causes the editor to freeze, which can lead to lost content changes. The hotfix removes the option from the editor, as the third-party plugin responsible for the feature is deprecated and has reached end-of-life. If you require spell checking, use an external browser plugin or enable the SCAYT (Spell Check As You Type) feature in the editor, which remains without changes.
13.0.68
Performance – The system incorrectly streamed data into the application memory when serving non-HTML content. This could lead to heavy memory allocation when returning large files or other types of data in action results. For example, the problem occurred for the default file handlers, such as /getresource and /getmedia or for custom endpoints that returned file content. The hotfix optimizes this type of memory usage for ASP.NET Core projects. Additionally, the hotfix introduces the DisableUrlResolutionAttribute, which developers can use to disable memory allocation for custom controller actions that return non-HTML content (e.g., PhysicalFileResult).
Exampleusing System.IO; using Microsoft.Extensions.FileProviders; using Kentico.Web.Mvc; ... [DisableUrlResolutionAttribute] public ActionResult Index() { PhysicalFileProvider? fileProvider = new PhysicalFileProvider(Directory.GetCurrentDirectory()); IFileInfo? file = fileProvider.GetFileInfo("./large_file.txt"); HttpContext.Response.Headers.Add("Cache-Control", "no-store"); return PhysicalFile(file.PhysicalPath, "application/octet-stream", file.Name, true); }
DisableUrlResolutionAttribute disables resolution of relative URLs, and should not be added to endpoints that return HTML content from Xperience.
13.0.72
Security – Visitors can potentially submit forms containing malicious HTML values. By default, form notification and autoresponder emails do not encode displayed field values. This can lead to potential HTML injection if the recipient’s email client is configured to display HTML content. The hotfix adds a new CMSBizFormMailEncodeFields configuration key, which you can add to the project’s appsettings.json or web.config file. If set to true, autoresponder and notification emails encode the values of the submitted form’s fields. Add the key to both your live site and administration projects.
appsettings.json"CMSBizFormMailEncodeFields": true,
web.config<add key="CMSBizFormMailEncodeFields" value="true" />
13.0.73 (Xperience 13 Refresh 6)
- For detailed information about the new features and changes in Xperience 13 Refresh 6, refer to the Release notes.
13.0.80
- Email engine – Many email services are deprecating support of basic authentication via a username and password. A notable example is Microsoft Exchange Online, which begins disabling basic authentication after October 1, 2022 (see Deprecation of Basic authentication in Exchange Online). The hotfix introduces an alternative way to connect to email servers using OAuth 2.0 token-based authorization. OAuth support covers both SMTP servers and mail servers for monitoring bounced emails (using POP3).
To use OAuth authentication for an email server, you need to prepare credentials in Xperience and generate an access token. For detailed information, see OAuth for email servers.
By default, the system includes an OAuth provider for Microsoft Exchange Online. Other services require implementation of a custom provider.
Applying the hotfix hides obsolete settings related to the protocol (Is SSL) and authentication mechanism of the email server connection. The new email implementation automatically uses the most secure protocol (HTTPS) and authentication mechanism (NTLM, SCRAM, MD5, Plain, etc.) supported by the email server.
MailKit NuGet package
The hotfix adds the MailKit 3.3.0 NuGet package to both the administration and live site projects. This may cause conflicts if your projects contain custom functionality using other versions of this package. In this case, you may need to delay the hotfix and adjust your custom implementation to be compatible.
13.0.82
- The hotfix updates the Froala WYSIWYG editor (for example used in the Rich text widget) to version 4.0.14.
13.0.83 (Xperience 13 Refresh 7)
- For detailed information about the new features and changes in Xperience 13 Refresh 7, refer to the Release notes.
13.0.85
- Media files – A new Settings → Content → Media → Enable media files usage tracking setting was added, which allows administrators to enable or disable the media files usage search index. Disabling the index can improve performance for projects where viewing media file usage is not required. After applying the hotfix, configure the setting according to your project requirements and preferences.
13.0.89
Rich text editor – To improve the security of the Rich text editor component for the page and form builder, the hotfix introduces sanitization of the content’s HTML code, performed by the HtmlSanitizer NuGet package.
Breaking change
The sanitization may result in modified or broken HTML code, for example when adding content via the editor’s Code View option. To learn which HTML tags and attributes are allowed, see the default options described in HtmlSanitizer.
Later hotfixes update the HTML sanitization:
- 13.0.92 – additionally allows ID and data-* attributes.
- 13.0.110 – allows developers to fully customize the set of allowed HTML tags and attributes. See Configuring the rich text editor for page builder.
13.0.94 (Xperience 13 Refresh 8)
- For detailed information about the new features and changes in Xperience 13 Refresh 8, refer to the Release notes.
13.0.95
Scheduler – The hotfix introduces two new configuration keys that facilitate the development and testing of scheduled tasks in local environments. When developing on local instances that run on specific ports, you need to use the following keys to set the full application URL to ensure correct scheduler functionality:
CMSSchedulerAdministrationUrl
Ensures the URL of the administration application for local scheduler development. Supply the full URL of the administration project in the format: <scheme><domain><port><virtual directory>
Add this key to the web.config file of the administration project:
Example - web.config<add key="CMSSchedulerAdministrationUrl" value="http://localhost:3000" />::newline::
CMSSchedulerPresentationUrl
Ensures the URL of the live site application for local scheduler development. Supply the full URL of the live site application in the format: <scheme><domain><port><virtual directory>
Add this key to the web.config or appsettings.json files of both the administration and live site projects:
Example - web.config<add key="CMSSchedulerPresentationUrl" value="http://localhost:5000" />::newline::
Example - appsettings.json"CMSSchedulerPresentationUrl": "http://localhost:5000",::newline::
For more information, see Scheduling custom tasks.
13.0.100
Hotfix – The hotfix utility incorrectly added file references (Content Include statements) for sample site assets to the Xperience administration project file (CMSApp.csproj) during each hotfix application. To fix the issue, this hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility). After applying this hotfix, the utility no longer adds the unnecessary references. However, if the CMSApp project already contains the references from previous hotfix applications, they will not be deleted. You can delete these references manually. You can find the full list of added files below for both MVC 5 and ASP.NET Core projects.
ASP.NET MVC 5<Content Include="DancingGoatMvc\media\CoffeeGallery\Bakery-And-Coffee.jpg" /> <Content Include="DancingGoatMvc\media\CoffeeGallery\Brew-Bar.jpg" /> <Content Include="DancingGoatMvc\media\CoffeeGallery\Cauca-Farmer.jpg" /> <Content Include="DancingGoatMvc\media\CoffeeGallery\Coffee-Cherries.jpg" /> <Content Include="DancingGoatMvc\media\CoffeeGallery\Coffee-Region.jpg" /> <Content Include="DancingGoatMvc\media\CoffeeGallery\Coffee-Shop.jpg" /> <Content Include="DancingGoatMvc\media\CoffeeGallery\Coffee-Triangle.jpg" /> <Content Include="DancingGoatMvc\media\CoffeeGallery\Colombia-Coffee.jpg" /> <Content Include="DancingGoatMvc\media\CoffeeGallery\Kona-Coffee.jpg" /> <Content Include="DancingGoatMvc\media\CoffeeGallery\Robusta.jpg" /> <Content Include="DancingGoatMvc\media\CoffeeGallery\St-Helena-Coffee.jpg" /> <Content Include="DancingGoatMvc\media\CoffeeGallery\Thailand-Coffee.jpg" /> <Content Include="DancingGoatMvc\media\CoffeeGallery\Work-And-Coffee.jpg" /> <Content Include="DancingGoatMvc\media\EmailCampaigns\coffee-101-lesson-1.jpg" /> <Content Include="DancingGoatMvc\media\EmailCampaigns\coffee-101-lesson-2.jpg" /> <Content Include="DancingGoatMvc\media\EmailCampaigns\colombia-coffee-promotion.jpg" /> <Content Include="DancingGoatMvc\media\Graphics\banner-default.jpg" /> <Content Include="DancingGoatMvc\media\Graphics\colombia-coffee.jpg" /> <Content Include="DancingGoatMvc\media\Graphics\default-image-product.png" /> <Content Include="DancingGoatMvc\media\Graphics\hero-image.jpg" /> <Content Include="DancingGoatMvc\media\Graphics\Logos\logo-dancing-goat-inverted.png" /> <Content Include="DancingGoatMvc\media\Graphics\Manufacturers\aerobie.png" /> <Content Include="DancingGoatMvc\media\Graphics\Manufacturers\chemex.png" /> <Content Include="DancingGoatMvc\media\Graphics\Manufacturers\Espro.png" /> <Content Include="DancingGoatMvc\media\Graphics\Manufacturers\Hario.png" />
ASP.NET Core<Content Include="DancingGoatCore\media\CoffeeGallery\Bakery-And-Coffee.jpg" /> <Content Include="DancingGoatCore\media\CoffeeGallery\Brew-Bar.jpg" /> <Content Include="DancingGoatCore\media\CoffeeGallery\Cauca-Farmer.jpg" /> <Content Include="DancingGoatCore\media\CoffeeGallery\Coffee-Cherries.jpg" /> <Content Include="DancingGoatCore\media\CoffeeGallery\Coffee-Region.jpg" /> <Content Include="DancingGoatCore\media\CoffeeGallery\Coffee-Shop.jpg" /> <Content Include="DancingGoatCore\media\CoffeeGallery\Coffee-Triangle.jpg" /> <Content Include="DancingGoatCore\media\CoffeeGallery\Colombia-Coffee.jpg" /> <Content Include="DancingGoatCore\media\CoffeeGallery\Kona-Coffee.jpg" /> <Content Include="DancingGoatCore\media\CoffeeGallery\Robusta.jpg" /> <Content Include="DancingGoatCore\media\CoffeeGallery\St-Helena-Coffee.jpg" /> <Content Include="DancingGoatCore\media\CoffeeGallery\Thailand-Coffee.jpg" /> <Content Include="DancingGoatCore\media\CoffeeGallery\Work-And-Coffee.jpg" /> <Content Include="DancingGoatCore\media\EmailCampaigns\coffee-101-lesson-1.jpg" /> <Content Include="DancingGoatCore\media\EmailCampaigns\coffee-101-lesson-2.jpg" /> <Content Include="DancingGoatCore\media\EmailCampaigns\colombia-coffee-promotion.jpg" /> <Content Include="DancingGoatCore\media\Graphics\banner-default.jpg" /> <Content Include="DancingGoatCore\media\Graphics\banner2.png" /> <Content Include="DancingGoatCore\media\Graphics\colombia-coffee.jpg" /> <Content Include="DancingGoatCore\media\Graphics\default-image-product.png" /> <Content Include="DancingGoatCore\media\Graphics\hero-bg.jpg" /> <Content Include="DancingGoatCore\media\Graphics\hero-bg3.jpg" /> <Content Include="DancingGoatCore\media\Graphics\hero_image.jpg" /> <Content Include="DancingGoatCore\media\Graphics\Logos\logo-dancing-goat.png" /> <Content Include="DancingGoatCore\media\Graphics\Manufacturers\aerobie.png" /> <Content Include="DancingGoatCore\media\Graphics\Manufacturers\chemex.png" /> <Content Include="DancingGoatCore\media\Graphics\Manufacturers\Espro.png" /> <Content Include="DancingGoatCore\media\Graphics\Manufacturers\Hario.png" />
13.0.104 (Xperience 13 Refresh 9)
- For detailed information about the new features and changes in Xperience 13 Refresh 9, refer to the Release notes.
13.0.107
- Unix/Linux – Resized images (e.g., retrieved from media libraries or as page attachments) were not displayed on the live site for Linux deployments of ASP.NET Core projects. Deployments on Windows servers are not affected by this issue.
- The System.Drawing.Common package used for image processing is deprecated for Linux environments (see System.Drawing.Common only supported on Windows). To resolve the issue, developers need to install the Kentico.Xperience.ImageProcessing.KX13 NuGet package into the live site project. The package uses the SkiaSharp library to process images.
13.0.110
WYSIWYG editor – The HTML sanitizer in the Rich text editor component for the page and form builder, introduced in hotfix 13.0.89, removed various HTML tags from the content even if the tags were allowed in the editor configuration. This hotfix introduces new configuration keys to customize the set of allowed tags and attributes: CMSHtmlSanitizerAllowedTags and CMSHtmlSanitizerAllowedAttributes. For examples of usage, see Configuring the rich text editor for page builder.
Security – The hotfix updates and changes several third-party dependencies used by the system.
- Azure.AI.TextAnalytics was updated from 5.0.0 to 5.2.0.
- DocumentFormat.OpenXml was updated from 2.7.2 to 2.19.0.
- Microsoft.Owin and related packages were updated from 4.1.1 to 4.2.2.
- Microsoft.AspNet.Identity.Owin was updated from 2.2.1 to 2.2.3.
- Microsoft.AspNet.Identity.Core was updated from 2.2.1 to 2.2.3.
- Microsoft.CodeAnalysis.CSharp was updated from 2.10.0 to 3.11.0.
- Microsoft.VisualStudio.Web.CodeGeneration.Design was removed.
- Newtonsoft.Json was updated from 12.0.3 to 13.0.3.
- System.Drawing.Common was updated from 4.5.1 to 5.0.3.
- System.Runtime.CompilerServices.Unsafe was updated from 4.7.1 to 5.0.0.
- System.ServiceModel.Duplex was updated from 4.6.0 to 4.10.0.
- System.Security.Principal.Windows was updated from 4.7.0 to 5.0.0.
13.0.113
- Form components – It was not possible to dynamically set and update the values of component properties based on other properties, e.g., clearing a dependent field when the value of a property set as dependency changes. This hotfix introduces the ConfigureValues method of the FormComponentConfigurator base class that can be used to dynamically set the value of dependent component properties. For more information, see Configuring editing component state in builder configuration dialogs.
13.0.115 (Xperience 13 Refresh 10)
- For detailed information about the new features and changes in Xperience 13 Refresh 10, refer to the Release notes.
13.0.125
- Security – The hotfix updates the SkiaSharp dependency of the Kentico.Xperience.ImageProcessing.KX13 library from version 2.88.3 to 2.88.6.
13.0.130
- Security – The hotfix updates the HtmlSanitizer dependency of the Kentico.Xperience.AspNetCore.WebApp and Kentico.Xperience.AspNet.Mvc5 packages from version 5.0376 to 8.0.723.
13.0.131 (Xperience 13 Refresh 11)
- For detailed information about the new features and changes in Xperience 13 Refresh 11, refer to the Release notes.
13.0.133
- The hotfix updates the WYSIWYG editor used by the administration interface to version 4.22.1 to address vulnerabilities present in older versions.
- The hotfix updates the Froala WYSIWYG editor (for example used in the Rich text widget) to version 4.1.4.
13.0.140
- Form components – Selector form components (e.g., Radio buttons, Drop-down list or Multiple choice) didn’t display their options correctly if the option text contained a semicolon. If you want to use semicolons in the options text, configure a different separator using the new Options value separator setting in the Form builder (or using the new DataSourceValueSeparator property when adding editing components in code).
- Security – The hotfix introduces a feature to improve the protection of image file requests with resize parameters. See Securing media libraries for more information.
13.0.142 (Xperience 13 Refresh 12)
- For detailed information about the new features and changes in Xperience 13 Refresh 12, refer to the Release notes.
13.0.147
- Cookies – When running the Xperience administration and live site applications on different domains, SameSite=None cookies must be configured to enable preview mode and its related features like the page builder. The hotfix ensures the system cookies used for the preview mode have the Partitioned attribute set. This way, the preview mode will remain functional in browsers that block third-party cookies. For example, the Google Chrome browser plans to block third-party cookies in Q3 2024.
13.0.148
- API – The
CMS.Base.ContextUtils
class was introduced into the public API. The class’sPropagateCurrent
andResetCurrent
methods allow developers to propagate or clear the system’s thread context, such as the database connection, when executing asynchronous or parallel code, for example usingTask.Run
. See Best practices for customization. - WYSIWYG editor – The hotfix updates the WYSIWYG editor used in the administration to CKEditor version 4.24.0. The update adds a license key into the editor’s configuration file. If you have customized the CMS\CMSAdminControls\CKeditor\config.js file, the hotfix doesn’t update the file directly, but creates a new version of the file with the .new extension. You need to manually transfer your customizations to the new file, and then replace the original.
13.0.159
- Security – Due to the possibility of cross-site scripting (XSS) attacks, HTML will no longer be resolved in the Text field of the Checkbox form component and files with disallowed extensions are no longer supported in avatars.
13.0.162
- Contact management – When users submit data via a form submission, this data can be mapped to the fields of the associated contact. After applying this hotfix, such actions can no longer be used to change the email address of the current contact. If the contact already has an email address stored in Xperience that doesn’t match the new email value, all related field updates are performed for a different contact. Either an existing contact that matches the submitted email value is used, or a new contact is created. In these cases, the user’s associated contact remains unchanged, but any subsequent actions, such as Form submission activity logging and triggering of automation processes, are performed for the “other” contact that matches the submitted email address.
13.0.165
- Security - Cookies – In .NET Framework (MVC 5) projects, cookies set via
CookieHelper.SetValue
disregarded the requireSSL attribute configurable for thehttpCookies
web.config element.To correct the issue, the hotfix introduces the following changes:<httpCookies requireSSL="true" />
All overloads of
CookieHelper.SetValue
now reflect the requireSSL attribute, if set.The following overload of
CookieHelper.SetValue
, responsible for suppressing the requireSSL configuration in .NET Framework projects (via thesecure
parameter which defaulted tofalse
) was made obsolete:
CookieHelper.SetValue(string name, string value, DateTime expires, string path = null, bool? httpOnly = null, string domain = null, SameSiteMode sameSiteMode = SameSiteMode.Lax, bool secure = false)
The method was replaced with
SetValue(CookieHelperValueSettingParameters parameters)
. TheCookieHelperValueSettingParameters
object contains the parameters from the obsolete method and can be used identically. For example:CookieHelper.SetValue(new CookieHelperValueSettingParameters { Name = "CustomCookie", Value = "CustomValue", Expires = DateTime.Now.AddYears(1) });
Note that due to shared code base, this method change also affects .NET Core projects. However, the functional behavior remains unchanged. Since .NET Core does not expose any global security settings for cookies, the value was always
false
by default.Explicitly configuring
CookieHelperValueSettingParameters.Secure
when setting cookies overrides the configuration from the httpCookies element.CookieHelper.SetValue(new CookieHelperValueSettingParameters { Name = "CustomCookie", Value = "CustomValue", Expires = DateTime.Now.AddYears(1), SameSiteMode = SameSiteMode.None, Secure = true });
If you do not wish to introduce the functional change related to the requireSSL atribute to your solution, you can revert the system to its previous behavior by adding the
CMSIgnoreRequireSSLAttribute
configuration key to the web.config of both the live site (MVC 5) and administration applications.web.config<configuration> <appSettings> <add key="CMSIgnoreRequireSSLAttribute" value="true"/> </appsettings> </configuration>
Fixed bugs
For a full list of bugs covered by the hotfix, open the Hotfixes page on DevNet and click Fixed bugs for the appropriate version.