Hotfix Instructions - Xperience 13 Source Code

Hotfixes enable you to fix problems and apply updates to your Kentico Xperience instance. You can view the list of fixed bugs on the Kentico DevNet portal.

To obtain source code hotfixes, please use the Kentico Client Portal.

The instructions on this page apply only to the source code version of Xperience. For standard installations, please see Hotfix Instructions - Xperience 13.

Note

Always back up your project files and database before applying a hotfix.

To successfully complete the hotfix, your administration project, database and live site project must all be updated to exactly the same version. See Applying the hotfix and its subsections for details.

Xperience 13 Refresh releases

Kentico Xperience 13 Refreshes are released in the form of hotfixes. Follow the standard hotfix instructions described on this page to apply Refreshes to your project.

| Release | Hotfix | Additional information |
|---|---|---|
| Refresh 1 | 13.0.16 or newer | Instructions and manual steps, Release notes |
| Refresh 2 | 13.0.31 or newer | Instructions and manual steps, Release notes |
| Refresh 3 | 13.0.43 or newer | Release notes |
| Refresh 4 | 13.0.52 or newer | Release notes |
| Refresh 5 | 13.0.64 or newer | Release notes |
| Refresh 6 | 13.0.73 or newer | Release notes |
| Refresh 7 | 13.0.83 or newer | Instructions and manual steps, Release notes |
| Refresh 8 | 13.0.94 or newer | Release notes |
| Refresh 9 | 13.0.104 or newer | Release notes |
| Refresh 10 | 13.0.115 or newer | Release notes |
| Refresh 11 | 13.0.131 or newer | Release notes |
| Refresh 12 | 13.0.142 or newer | Release notes |

Installing the hotfix

  1. Run the Hotfix_<version>_src.exe file.
  2. Go through the hotfix installation procedure.

By default, the installer places the hotfix into the C:\Program Files\Kentico\<version>\Hotfix<version> folder.

Applying the hotfix

To apply the hotfix to websites that use a local source code development instance, use the following general process:

  1. Hotfix the source code instance by running the Hotfix Utility. See: Hotfixing your source code project
  2. Update the Xperience code within your live site application to the matching hotfix version. See: Hotfixing the live site application
  3. Test that the hotfixed local website works correctly.
  4. Redeploy the project files to your production environment (using your preferred publishing process).
  5. Apply the hotfix SQL script to your production database. See: Hotfixing your production database
  6. To display all features in the Xperience administration correctly, clear the cache in your browser (and ensure the same for all other administration users).

Hotfixing Microsoft Azure applications

If your website is hosted on Microsoft Azure, the recommended hotfix process is the same as outlined above. First apply the hotfix to a local instance, then redeploy to Azure and run the hotfix SQL script against your production database.

Hotfixing your source code project

Note: For further information, see: Upgrading and hotfixing an instance

  1. Run Kentico Hotfix Utility (Hotfix.exe) from the location where you installed the hotfix (C:\Program Files\Kentico\<version>\Hotfix<version> folder by default).

  2. Select your project folder using the Browse button or type in the path to the project manually.

  3. Use the utility to back up your project files and/or database (or skip these steps if you already have backups).

  4. Select which components you want to update. Click Switch to advanced mode if you wish to change the settings.

    • Source files – all files in the source code, except for the administration web project in the CMS folder

    • Setup files – the Xperience installer and external utilities (which are separate from the web project)

    • SQL script – the database structure and data

    • Kentico Xperience files – the administration project files in the CMS folder

      We recommend updating all components. To successfully complete the hotfix, you need to update the files of your web project and apply the SQL script to the database.

  5. Choose a method of taking the project offline and back online.

  6. Click Next to start the update procedure.

  7. After the update finishes, click Next to view any problems that may have occurred and the instructions to solve them.

    Errors that can commonly occur are conflicts with customized files. By default, the hotfix does not overwrite modified files (unless you enable the Overwrite all files option in advanced mode):

    • For each conflict with a customized file, the process creates the new version of the file with the .new extension. You need to manually transfer your customizations to the new files and then replace the original ones.
    • Customized files that would have otherwise been deleted remain in the file system, with an added .deleted extension.
  8. Open the solution in Visual Studio and Rebuild the solution.

  9. Access the URL of your Xperience administration application in a browser (opening the live site is not sufficient).

    • When handling the first request, the system performs certain tasks required to complete the hotfix. Processing of the first request may take longer than usual.

Preparing the hotfixed project files manually

If you do not wish to go through the user interface of the Hotfix Utility, you can create the hotfixed project files manually using the command line. For example, this can be useful if you wish to integrate the hotfix into a more complex scripted procedure.

  1. Navigate to the location where you installed the hotfix (C:\Program Files\Kentico\<version>\Hotfix<version> folder by default).

  2. Run Hotfix.exe from the command line with the /deploy and /path parameters:

    • Use the /path parameter to specify the location where the utility creates the update files. Use a relative path (folder in the location where the utility was executed) or absolute path (any location on a local disk).

    Example: Hotfix.exe /deploy /path=Deploy

    Creates a folder named Deploy in the directory from which the utility was executed, and copies all files and folders necessary for updating a source code project to the given hotfix version.

  3. Copy the update files created by the Hotfix Utility into your Xperience project (overwrite the original files).

    • If you have previously modified some of the project files, DO NOT OVERWRITE these files. You need to compare the modified files with the new versions and make appropriate changes manually.
  4. Open DeletedFiles.xml in the update file directory and delete all of the listed files from your web project (you can prepare a batch file to automate the process).

  5. Open the solution in Visual Studio and perform the following steps:

    1. Click Show all files at the top of the Solution Explorer.
    2. Locate and select all newly added files.
    3. Right-click one of the selected new files and click Include in Project.
    4. Rebuild the solution.

Hotfixing the live site application

In addition to applying the hotfix to your Xperience source code project (see above), you also need to update the Xperience code used by your live site (MVC) application:

  1. Open your live site application in Visual Studio.
  2. Right-click your web project in the Solution Explorer and select Manage NuGet Packages.
  3. Update the Kentico.Xperience.AspNet.Mvc5 or Kentico.Xperience.AspNetCore.WebApp NuGet package to the version that matches the applied hotfix.

Hotfixing your production database

Update your production database as the last step in the hotfix process, after you test the hotfix locally. This ensures minimum downtime for your live site while avoiding loss of data.

The hotfix version of the database must match the version of the web project, so you need to perform the update together with the redeployment of the hotfixed project files.

Note: On websites that contain a very large amount of data (particularly pages), the database hotfix process can be very resource intensive. You may need to temporarily scale up the performance of your database server and/or increase the database connection timeout.

To update your production database, manually execute the hotfix database scripts (for example using SQL Management Studio). The script files are located in the SQL folder of your hotfix installation directory.

  • If you do not use separated databases – run Hotfix_separated.sql first and then Hotfix_default.sql.
  • If you use separated databases – run Hotfix_separated.sql on the separated database and Hotfix_default.sql on your main database.
  • Note: The script files may be empty if the given hotfix does not require any SQL scripts for the related tables (skip the file in these cases).

Once the database update is complete, you need to access the URL of your Xperience administration application in a browser (opening the live site is not sufficient). When handling the first request, the system performs certain tasks required to complete the hotfix. Processing of the first request may take longer than usual.

After your administration application loads up, open the Event log application to validate that the hotfix procedure was completed successfully. Check for the presence of any error events with the HotfixProcedure Source.

After applying the hotfix

All users who work with the Xperience administration interface should clear the cache in their browsers after applying the hotfix. Otherwise, some features in the administration interface may not be displayed correctly.

After applying the hotfix to a development instance that has continuous integration enabled, you need to run complete serialization for all objects to recreate the content of the CIRepository folder (use the Continuous integration application in the Xperience administration interface). Apply the hotfix separately for each instance in your development environment. After one developer commits the hotfixed changes to the source control, other developers CANNOT commit or load changes until they apply the hotfix to their own instance.

Updating setup files and external utilities

Hotfixes provide bug fixes for all files related to the Xperience installation, which includes the installer and other external utilities, such as Kentico Installation Manager and Kentico Service Manager.

To update these files and utilities, you need to apply the hotfix to the setup files:

  1. When running the hotfix utility, click Switch to advanced mode in the Change confirmation step.
  2. Select the Setup files checkbox.
  3. Click Next.
  4. In the Running applications step, stop any applications that are currently running from the setup files.
  5. Click Next and continue through the rest of the hotfix procedure.

The hotfix makes any required changes to the files in the directory where you installed your Xperience setup files.

Additional notes and workarounds

13.0.5

  • (Added feature) Media libraries – The hotfix allows media libraries to use the direct file path in URLs when adding links to files in Xperience content (instead of permanent media file URLs). For example, direct file URLs may be desired for media files placed in external storage (such as Microsoft Azure Blob storage). The option can be configured when editing individual media libraries on the General tab. The URL format applies in the following scenarios:
    • Adding media files using the Rich text widget in page builder content

    • Adding media files using the editor for page fields based on the Rich text editor form control

    • Selecting media files in page fields based on the Media selection form control

      Note: Files accessed through a direct path are not handled by the Xperience system – no permission or security restrictions are enforced and image resizing is not applied. Additionally, direct file links may become broken in certain deployment scenarios if your instances each use a different location or container for media files.

      Important

      After applying hotfix 13.0.5, you may encounter an error when creating new media libraries.

      To fix the problem, either apply hotfix 13.0.9 or newer, or alternatively re-sign macros using the System application in Macros -> Signatures.

13.0.10

  • Filesystem handling for ASP.NET Core applications on Linux – The hotfix addresses a number of filesystem-related issues encountered when hosting ASP.NET Core live site applications in Linux environments. The issues were primarily caused by a dependency on Windows-like filesystem conventions, so mostly impacted features reliant on Input/Output operations. The following is a non-exhaustive list of affected features: media library operations (insert, modify, delete), smart search (running indexing tasks, index rebuilds), web farm synchronization, scheduler functionality run on the live site.

    The hotfix additionally introduces a new approach for detecting absolute and relative paths on Unix-like filesystems. This applies only to ASP.NET Core applications hosted on Linux. Since both relative and absolute paths on Unix-like filesystems begin with a forward slash (‘/’), Xperience cannot determine whether a path segment is absolute or relative. For example, this is important when determining the location of media library content, or in general whenever it is necessary to prepend relative path fragments with the physical path to the web application.

    By default, the system uses the following process to detect the path type:

    1. The system receives a path fragment. For example: /media/mediagallery/image.jpg
    2. If the path is prefixed with the physical path to the web application (stored in the SystemContext.WebApplicationPhysicalPath property), the path is treated as absolute. If not, the system checks whether the first two folders in the path exist on the filesystem starting from the root (taking the first two folders produced the least false positives during extensive testing). For the example above, the system tests for the existence of: /media/mediagallery
    3. If the first two folders in the path do not exist, the path is treated as relative. If the first two folders exist, the path is treated as absolute.

    You can override this behavior by adding the CMSUnixRootedPathPrefixes configuration key to the ASP.NET Core application. Adding the key disables the process described above. Instead, the key must contain a semicolon-delimited list of all path prefixes (e.g., /etc/, /var/, /mnt/share/) that the system should treat as absolute. The prefixes in the list are case-sensitive.

    appsettings.json

      {
          "CMSUnixRootedPathPrefixes": "/etc/;/var/;/mnt/share/"
      }

    Only use the CMSUnixRootedPathPrefixes configuration key if your project contains non-standard filesystem mapping (e.g., for media library files), or if you encounter issues with the built-in path type detection mechanism. The default functionality covers all expected cases and filesystem configurations. 

  • Rich text editor – The hotfix updates the Rich text editor component for the page builder to use version 3.2.6 of the Froala WYSIWYG editor. The update resolves an issue where adding a new line caused the page to scroll down to the bottom of the rich text editor content (when the content was very long).

  • Search – The Search fields tab in the page type editing interface was only available for page types that had the URL feature enabled. After applying the hotfix, the search configuration is displayed for all page types that have either custom fields or the URL feature. The change allows searching for page items that hold content, but do not need their own URL.
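The path type detection described above for hotfix 13.0.10, written out as an added example. This is not Kentico's implementation: the class, its members and the sample host layout are hypothetical, and the handling of paths with fewer than two folders is an assumption the page does not cover.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Sketch of the documented process, not the Xperience source code.
public sealed class UnixPathTypeDetector
{
    private readonly string appRoot;                // stands in for SystemContext.WebApplicationPhysicalPath
    private readonly Func<string, bool> dirExists;  // injected so the sample does not depend on the local disk
    private readonly string[] rootedPrefixes;       // parsed CMSUnixRootedPathPrefixes value; null when the key is absent

    public UnixPathTypeDetector(string appRoot, Func<string, bool> dirExists, string rootedPrefixesSetting = null)
    {
        this.appRoot = appRoot.TrimEnd('/') + "/";
        this.dirExists = dirExists;
        rootedPrefixes = rootedPrefixesSetting?.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
    }

    public bool IsAbsolute(string path)
    {
        // With the key present, the built-in detection is disabled and only the
        // listed prefixes count as absolute (ordinal comparison, so case-sensitive).
        if (rootedPrefixes != null)
        {
            return rootedPrefixes.Any(p => path.StartsWith(p, StringComparison.Ordinal));
        }

        // Step 2, first half: the path is prefixed with the application's physical path.
        if (path.StartsWith(appRoot, StringComparison.Ordinal))
        {
            return true;
        }

        // Step 2, second half, and step 3: do the first two folders exist from the root?
        string[] segments = path.Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
        if (segments.Length < 2)
        {
            return false; // assumption: the page does not say how shorter paths are handled
        }

        return dirExists("/" + segments[0] + "/" + segments[1]);
    }
}

public static class Program
{
    private static string Describe(bool isAbsolute) => isAbsolute ? "absolute" : "relative";

    public static void Main()
    {
        // Constructed host layout: directories that exist on an imaginary Linux host.
        var hostDirs = new HashSet<string>(StringComparer.Ordinal)
        {
            "/srv/app", "/srv/app/media", "/mnt/share"
        };
        const string appRoot = "/srv/app";

        // Constructed sample paths.
        var samples = new[]
        {
            "/media/mediagallery/image.jpg",  // the example path from the page
            "/srv/app/media/gallery/a.jpg",   // prefixed with the application path
            "/mnt/share/gallery/a.jpg",       // first two folders match directories that exist on the host
            "/SRV/app/media/a.jpg"            // differs from the application path only by letter case
        };

        var builtIn = new UnixPathTypeDetector(appRoot, d => hostDirs.Contains(d));
        // Hypothetical key value listing every prefix this deployment treats as absolute.
        var withKey = new UnixPathTypeDetector(appRoot, d => hostDirs.Contains(d), "/srv/app/;/var/");

        foreach (string path in samples)
        {
            Console.WriteLine("{0,-32} built-in: {1,-9} with key: {2}",
                path, Describe(builtIn.IsAbsolute(path)), Describe(withKey.IsAbsolute(path)));
        }
    }
}
```

Comparing the two columns for your own paths shows where the built-in detection depends on which directories happen to exist on the host, which is the case the configuration key is meant for.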

13.0.16 (Xperience 13 Refresh 1)

  • For detailed information about the new features and changes in Xperience 13 Refresh 1, refer to the Release notes.

  • Source code – To ensure that source code projects work and compile correctly after applying the refresh, you need to install the AngleSharp NuGet package into the Search project (right-click the project in the Solution Explorer and select Manage NuGet Packages). The package version must be 0.14.0 (or newer).

  • Search – Applying the Refresh automatically converts all existing page search indexes to a new type that combines the original Pages crawler and Pages indexes. The data source for indexing (page HTML output and/or structured fields) can instead be configured separately for individual page types. See Defining local page indexes to learn more.

    • You need to manually Rebuild all page indexes.
    • We recommend validating the search configuration of your page types. Select an appropriate Data source for indexing and configure the new Index update trigger flag for individual fields to meet your exact search requirements.
    • If you have customized the search settings for page fields via the SKU or Page class, you need to manually set the new Index update trigger flag for the fields of this class.

13.0.25

  • A/B testing – Pages with a running A/B test displayed variants inconsistently to visitors who had not given consent to be tracked as contacts (did not accept cookies of the Visitor or All level). When visitors who are not tracked as contacts view an A/B tested page after applying the hotfix, the system assigns a page variant and stores it into the new CMSVarAB<A/B test name> cookie. This cookie is only used to keep content consistent and does not enable any tracking or logging of conversions.

13.0.29

  • Source code – Compilation of the source code solution results in an error due to duplicated files in the Kentico.Content.Web.Mvc project. To fix the issue:
    1. Open the solution’s CMSSolution/Mvc/Kentico.Content.Web.Mvc/Authentication folder.
    2. Move the following files to the CMSSolution/Mvc/Kentico.Content.Web.Mvc/Preview folder and overwrite the duplicated files with the same name:
      • KenticoVirtualContextAuthenticationController.cs
      • VirtualContextAuthentication.cs

13.0.31 (Xperience 13 Refresh 2)

  • For detailed information about the new features and changes in Xperience 13 Refresh 2, refer to the Release notes.
  • Source code – To ensure that source code projects work and compile correctly after applying the refresh, you need to add the TextAnalytics.Azure project to the solution.
    1. Navigate to the CMSSolution/Libraries/ContentManagement folder in the Solution Explorer.
    2. Right-click the folder and select Add -> Existing Project.
    3. Select TextAnalyticsAzure.csproj (in the CMSSolution/TextAnalytics.Azure folder).
    4. Rebuild your solution.

13.0.32

  • Web farms – In hosting environments that dynamically adjust the number of instances (e.g., autoscaling in Azure App Services), deactivated web farm servers always remained in the system with the Not responding status for 24 hours. See Troubleshooting web farms. This could cause performance problems and heavy database load due to large numbers of unnecessary synchronization tasks generated after scaling down the number of servers. The hotfix adds the option to adjust the interval for which web farm servers stay in the Not responding status before being deleted. To change the default interval of 24 hours, set the new CMSWebFarmNotRespondingInterval configuration key to the required number of minutes, e.g., 60 for 1 hour.

    appsettings.json

      "CMSWebFarmNotRespondingInterval": 60,

    web.config

      <add key="CMSWebFarmNotRespondingInterval" value="60" />

13.0.38

  • API – Dependency injection was not supported when developing page template filters and form component filters. After applying the hotfix, the constructor of filter classes implementing IPageTemplateFilter or IFormComponentFilter can have parameters (e.g., instances of services registered in the project’s DI container). When registering such filters into the corresponding filter collection, you must use the Add<FilterClassType> method, with the filter class as the generic type parameter.

13.0.42

  • Unix/Linux – It was not possible to run Xperience-specific isolated integration tests (derived from the IsolatedIntegrationTests class) in Linux environments due to database connection issues. The hotfix introduces a new CMSTestIsolatedAltConnectionString configuration key that allows test projects to connect to databases running in Linux environments. See Creating isolated integration tests for details.

13.0.43 (Xperience 13 Refresh 3)

  • For detailed information about the new features and changes in Xperience 13 Refresh 3, refer to the Release notes.

13.0.45

  • Search – On sites running behind a proxy server or another service that masks the application’s original domain (e.g., Azure Application Gateway), the smart search crawler used for page types with an HTML output search data source did not work correctly. JWT token validation failed, which resulted in logged errors and only content available for public users was indexed. The hotfix fixes the issue for ASP.NET Framework (MVC 5) sites. For ASP.NET Core sites, you instead need to set up Forwarded Headers Middleware for the project.
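A minimal Startup configuration for the Forwarded Headers Middleware mentioned above, as an added example (not code from Kentico). The proxy address and host name are placeholders, and which forwarded headers your proxy actually sends is an assumption to verify against its documentation.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Restore the client address, scheme and host that the proxy replaced,
            // so URLs and tokens are evaluated against the site's public domain.
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor |
                ForwardedHeaders.XForwardedProto |
                ForwardedHeaders.XForwardedHost;

            // Accept forwarded headers only from the proxy itself. Without this,
            // only loopback addresses are trusted and headers from a remote proxy are ignored.
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.10")); // placeholder proxy address

            // Accept only the site's public host name in the forwarded host header,
            // so an arbitrary host value cannot be injected through the header.
            options.AllowedHosts.Add("www.example.com"); // placeholder host name

            // Assumption: the proxy uses the standard X-Forwarded-Host header. If it sends
            // the original host under another name, set options.ForwardedHostHeaderName.
        });

        // The project's existing Xperience and MVC service registrations follow here.
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before any middleware that reads the request scheme or host.
        app.UseForwardedHeaders();

        // The project's existing middleware pipeline follows here.
    }
}
```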

13.0.50

  • Azure Search – It was not possible to change the domain name suffix of requests generated by the system for Azure search services (e.g., myazuresearchservice.search.windows.net). By default, the system assumes your Azure Search services are hosted on the search.windows.net domain (true for the majority of commercial subscriptions). Search requests for Azure indexes are generated using this suffix and the provided search service name. However, certain Azure subscriptions or licenses host search services under a different domain. For example, Azure Government subscriptions use the search.azure.us domain. The hotfix introduces the new CMSAzureSearchDnsSuffix configuration key, which allows you to change the suffix used by the system when generating Azure search requests.

    appsettings.json

      "CMSAzureSearchDnsSuffix": "search.azure.us",

    web.config

      <!-- Configures the system to generate requests in format: myazureservice.search.azure.us -->
      <add key="CMSAzureSearchDnsSuffix" value="search.azure.us" />

13.0.51

  • Source code – To ensure that source code projects compile correctly, you need to manually perform the following steps after applying the hotfix:
    1. Navigate to the FormEngine project in the solution (under Libraries/Platform/BaseModules).

    2. Select the project to edit the FormEngine.csproj file.

    3. Update the <!-- Full framework references --> section to include a reference to the System.Net.Http assembly:

       <!-- Full framework references -->
       <ItemGroup Condition="'$(TargetFramework)' == 'net48'">
           <Reference Include="System.Web" />
           <Reference Include="System.Net.Http" /> <!-- Reference added for hotfix 13.0.51 -->
       </ItemGroup>

    4. Save the changes and rebuild your solution.

13.0.52 (Xperience 13 Refresh 4)

  • For detailed information about the new features and changes in Xperience 13 Refresh 4, refer to the Release notes.
  • Source code – To ensure that source code projects work and compile correctly after applying the refresh, you need to add the ComputerVision.Azure project to the solution.
    1. Navigate to the CMSSolution/Libraries/ContentManagement folder in the Solution Explorer.
    2. Right-click the folder and select Add -> Existing Project.
    3. Select ComputerVision.Azure.csproj (in the CMSSolution/ComputerVision.Azure folder).
    4. Rebuild your solution.

13.0.55

Skip the 13.0.55 instructions if you are applying hotfix 13.0.57 or newer.

  • Source code – To ensure that the security update in the hotfix works correctly, perform the following steps in your source code project after applying the hotfix:
    1. Navigate to the MediaLibrary project in the solution (under Libraries/ContentManagement).
    2. Open the Files folder.
    3. Right-click the XSS.xslt file, select Properties and set the Build Action to Embedded resource.
    4. Save the changes and rebuild your solution.

13.0.57

  • Source code – To ensure that the security update in the hotfix works correctly, perform the following steps in your source code project after applying the hotfix:
    1. Navigate to the DataEngine project in the solution (under Libraries/Platform/CoreAndData).
    2. Open the Files folder.
    3. Right-click the XSS.xslt file, select Properties and set the Build Action to Embedded resource.
    4. Save the changes and rebuild your solution.

13.0.58

  • The hotfix updates the Froala WYSIWYG editor (for example used in the Rich text widget) to version 4.0.8.

13.0.64 (Xperience 13 Refresh 5)

  • For detailed information about the new features and changes in Xperience 13 Refresh 5, refer to the Release notes.

13.0.67

  • WYSIWYG editor – The Check Spelling feature in the Full toolbar of the administration’s rich text editor no longer works and causes the editor to freeze, which can lead to lost content changes. The hotfix removes the option from the editor, as the third-party plugin responsible for the feature is deprecated and has reached end-of-life. If you require spell checking, use an external browser plugin or enable the SCAYT (Spell Check As You Type) feature in the editor, which remains without changes.

13.0.68

  • Performance – The system incorrectly streamed data into the application memory when serving non-HTML content. This could lead to heavy memory allocation when returning large files or other types of data in action results. For example, the problem occurred for the default file handlers, such as /getresource and /getmedia or for custom endpoints that returned file content. The hotfix optimizes this type of memory usage for ASP.NET Core projects. Additionally, the hotfix introduces the DisableUrlResolutionAttribute, which developers can use to disable memory allocation for custom controller actions that return non-HTML content (e.g., PhysicalFileResult).

    Example

      using System.IO;
      using Microsoft.AspNetCore.Mvc;
      using Microsoft.Extensions.FileProviders;

      using Kentico.Web.Mvc;

      ...

      // Disables URL resolution for this action, which returns non-HTML content
      [DisableUrlResolutionAttribute]
      public ActionResult Index()
      {
          PhysicalFileProvider? fileProvider = new PhysicalFileProvider(Directory.GetCurrentDirectory());

          IFileInfo? file = fileProvider.GetFileInfo("./large_file.txt");
          HttpContext.Response.Headers.Add("Cache-Control", "no-store");

          return PhysicalFile(file.PhysicalPath, "application/octet-stream", file.Name, true);
      }

    DisableUrlResolutionAttribute disables resolution of relative URLs, and should not be added to endpoints that return HTML content from Xperience.

13.0.72

  • Security – Visitors can potentially submit forms containing malicious HTML values. By default, form notification and autoresponder emails do not encode displayed field values. This can lead to potential HTML injection if the recipient’s email client is configured to display HTML content. The hotfix adds a new CMSBizFormMailEncodeFields configuration key, which you can add to the project’s appsettings.json or web.config file. If set to true, autoresponder and notification emails encode the values of the submitted form’s fields. Add the key to both your live site and administration projects.

    appsettings.json

      "CMSBizFormMailEncodeFields": true,

    web.config

      <add key="CMSBizFormMailEncodeFields" value="true" />
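What encoding the field values changes in a notification email, shown as an added example rather than Kentico's own code. The FormNotificationMail class, its email layout and the submitted values are constructed for illustration; only the encode/do-not-encode switch mirrors the CMSBizFormMailEncodeFields key.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

// Hypothetical stand-in for a form notification email builder (not Xperience code).
public static class FormNotificationMail
{
    public static string BuildBody(IDictionary<string, string> fields, bool encodeFields)
    {
        var body = new StringBuilder("<html><body><h2>New form submission</h2><table>");

        foreach (KeyValuePair<string, string> field in fields)
        {
            // Unencoded values are inserted as markup and rendered by HTML-capable mail clients.
            // Encoded values are displayed as the literal text the visitor typed.
            string value = encodeFields ? WebUtility.HtmlEncode(field.Value) : field.Value;

            body.Append("<tr><th>")
                .Append(WebUtility.HtmlEncode(field.Key))
                .Append("</th><td>")
                .Append(value)
                .Append("</td></tr>");
        }

        return body.Append("</table></body></html>").ToString();
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed submission: the Message field carries markup instead of plain text.
        var submission = new Dictionary<string, string>
        {
            ["Name"] = "Jane Doe",
            ["Message"] = "Please call back. <a href=\"https://example.invalid/\">Open ticket</a>"
        };

        Console.WriteLine("Field values not encoded:");
        Console.WriteLine(FormNotificationMail.BuildBody(submission, encodeFields: false));
        Console.WriteLine();
        Console.WriteLine("Field values encoded:");
        Console.WriteLine(FormNotificationMail.BuildBody(submission, encodeFields: true));
    }
}
```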
    
    
    
      

13.0.73 (Xperience 13 Refresh 6)

  • For detailed information about the new features and changes in Xperience 13 Refresh 6, refer to the Release notes.

13.0.80

  • Email engine – Many email services are deprecating support of basic authentication via a username and password. A notable example is Microsoft Exchange Online, which begins disabling basic authentication after October 1, 2022 (see Deprecation of Basic authentication in Exchange Online). The hotfix introduces an alternative way to connect to email servers using OAuth 2.0 token-based authorization. OAuth support covers both SMTP servers and mail servers for monitoring bounced emails (using POP3).
    • To use OAuth authentication for an email server, you need to prepare credentials in Xperience and generate an access token. For detailed information, see OAuth for email servers.

    • By default, the system includes an OAuth provider for Microsoft Exchange Online. Other services require implementation of a custom provider.

    • Applying the hotfix hides obsolete settings related to the protocol (Is SSL) and authentication mechanism of the email server connection. The new email implementation automatically uses the most secure protocol (HTTPS) and authentication mechanism (NTLM, SCRAM, MD5, Plain, etc.) supported by the email server.

      MailKit NuGet package

      The hotfix adds the MailKit 3.3.0 NuGet package as a dependency to both the administration and live site projects. This may cause conflicts if your projects contain custom functionality using other versions of this package. In this case, you may need to delay the hotfix and adjust your custom implementation to be compatible.

  • Source code – To ensure that source code projects work and compile correctly after applying the hotfix, you need to install the MailKit package into the EmailEngine project (right-click the project in the Solution Explorer and select Manage NuGet Packages). The package version must be 3.3.0.

13.0.82

  • The hotfix updates the Froala WYSIWYG editor (for example used in the Rich text widget) to version 4.0.14.

13.0.83 (Xperience 13 Refresh 7)

For detailed information about the new features and changes in Xperience 13 Refresh 7, refer to the Release notes.

Source code

To ensure that source code projects compile correctly after applying the refresh, you need to manually change the target framework for the following projects from ASP.NET Core 3.1 to .NET 6: 

  • AspNetCore.Platform
  • Kentico.Membership
  • Kentico.Web.Mvc
  • Kentico.Web.Mvc.Proxies
  • Kentico.Content.Web.Mvc
  • Kentico.Content.Web.Rcl
  • Kentico.OnlineMarketing.Web.Mvc

This requirement is temporary and will be fixed within the next couple of hotfix releases.

To change the target framework, follow these steps individually for each project:

  1. Open the project’s .csproj file.
  2. Search for all occurrences of the following string: netcore3.1
  3. Replace all occurrences with: net6.0
    • The string can occur in various MSBuild conditions and properties such as TargetFrameworks and ProjectReference. For this reason, providing exact step-by-step instructions is not feasible.
  4. Save the changes.

The solution is now compilable.

13.0.85

  • Media files – A new Settings → Content → Media → Enable media files usage tracking setting was added, which allows administrators to enable or disable the media files usage search index. Disabling the index can improve performance for projects where viewing media file usage is not required. After applying the hotfix, configure the setting according to your project requirements and preferences.

13.0.89

  • Rich text editor – To improve security of the Rich text editor component for the page and form builder, the hotfix introduces sanitization of the content’s HTML code, performed by the HtmlSanitizer NuGet package.

    Breaking change

    The sanitization may result in modified or broken HTML code, for example when adding content via the editor’s Code View option. To learn which HTML tags and attributes are allowed, see the default options described in HtmlSanitizer.

    Later hotfixes update the HTML sanitization:

  • Source code – To ensure that source code projects compile correctly after applying the hotfix, you need to install the HtmlSanitizer NuGet package into the Kentico.Content.Web.Mvc project (right-click the project in the Solution Explorer and select Manage NuGet Packages). The package version must be 5.0.376.
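One way to see in advance what the sanitization described for hotfix 13.0.89 would change in existing rich text content, as an added example (not Kentico's code). It assumes the HtmlSanitizer 5.0.376 package with its default options; the options Xperience applies may differ, and the class name and sample markup are constructed.

```csharp
using System;
using System.Collections.Generic;
using Ganss.XSS; // namespace of the HtmlSanitizer 5.x NuGet package

// Hypothetical audit helper: reports what the sanitizer removes from a piece of markup.
public static class RichTextSanitizationAudit
{
    public static (string Sanitized, List<string> Removed) Audit(string html)
    {
        var removed = new List<string>();
        var sanitizer = new HtmlSanitizer(); // default allowed tags, attributes, schemes and CSS properties

        // The sanitizer raises these events for every element or attribute it is about to drop.
        sanitizer.RemovingTag += (sender, e) =>
            removed.Add($"tag <{e.Tag.TagName.ToLowerInvariant()}> ({e.Reason})");
        sanitizer.RemovingAttribute += (sender, e) =>
            removed.Add($"attribute '{e.Attribute.Name}' on <{e.Tag.TagName.ToLowerInvariant()}> ({e.Reason})");

        string sanitized = sanitizer.Sanitize(html);
        return (sanitized, removed);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample of markup an editor might have added through the Code View option.
        const string stored =
            "<p>Opening hours</p>" +
            "<iframe src=\"https://example.com/embed\"></iframe>" +
            "<p onclick=\"track()\">Contact us</p>" +
            "<custom-widget data-id=\"7\"></custom-widget>";

        var (sanitized, removed) = RichTextSanitizationAudit.Audit(stored);

        Console.WriteLine("Sanitized output:");
        Console.WriteLine(sanitized);
        Console.WriteLine();
        Console.WriteLine("Removed items:");
        foreach (string item in removed)
        {
            Console.WriteLine("  " + item);
        }
    }
}
```

Running the helper over exported Rich text widget content before applying the hotfix lists the markup that editors will need to rework.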

13.0.94 (Xperience 13 Refresh 8)

  • For detailed information about the new features and changes in Xperience 13 Refresh 8, refer to the Release notes.

13.0.95

  • Scheduler – The hotfix introduces two new configuration keys that facilitate the development and testing of scheduled tasks in local environments. When developing on local instances that run on specific ports, you need to use the following keys to set the full application URL to ensure correct scheduler functionality:

    CMSSchedulerAdministrationUrl

    Specifies the URL of the administration application for local scheduler development. Supply the full URL of the administration project in the format: <scheme><domain><port><virtual directory>

    Add this key to the web.config file of the administration project:

    Example - web.config
    <add key="CMSSchedulerAdministrationUrl" value="http://localhost:3000" />

    CMSSchedulerPresentationUrl

    Specifies the URL of the live site application for local scheduler development. Supply the full URL of the live site application in the format: <scheme><domain><port><virtual directory>

    Add this key to the web.config or appsettings.json files of both the administration and live site projects:

    Example - web.config
    <add key="CMSSchedulerPresentationUrl" value="http://localhost:5000" />
    Example - appsettings.json
    "CMSSchedulerPresentationUrl": "http://localhost:5000",

    For more information, see Scheduling custom tasks.

13.0.97

The hotfix updates many project files in the source code solution to the SDK-style format. Applying the hotfix replaces the affected existing project files. If you have any custom NuGet packages or projects referenced in the affected files, you will need to add the references again after applying the hotfix.

The following project files are affected:

  • *.Web.UI.csproj files
  • CMSMembershipProvider.csproj
  • DocumentWebServices.csproj
  • ModuleUsageTracking.csproj
  • Kentico.Glimpse.csproj
  • Kentico.Glimpse.Tests.csproj
  • SocialMarketing.csproj
  • Synchronization.WSE3.csproj
  • UIControls.csproj
  • URLRewritingEngine.csproj
  • VirtualPathProvider.csproj
  • WebApi.csproj
  • WebServices.csproj

Test projects: 

  • *.Web.UI.Tests.csproj files
  • AspNet.Platform.Tests.csproj
  • BasicCreators.Tests.csproj
  • ContactManagement.Tests.csproj
  • ContinuousIntegration.Interprocess.Base.Tests.csproj
  • ContinuousIntegration.Tests.csproj
  • DocumentEngine.Synchronization.Tests.csproj
  • DocumentEngine.Workflow.Tests.csproj
  • DocumentWebServices.Tests.csproj
  • FullApp.Tests.csproj
  • HttpHandlers.Tests.csproj
  • MarketingAutomation.Tests.csproj
  • ModuleUsageTracking.Tests.csproj
  • Newsletters.Tests.csproj
  • ResponsiveImages.Tests.csproj
  • SalesForce.Tests.csproj
  • Scoring.Tests.csproj
  • SharePoint.Tests.csproj
  • SocialMarketing.Tests.csproj
  • Synchronization.Base.Tests.csproj
  • TranslationServices.Tests.csproj
  • UIControls.Tests.csproj
  • URLRewritingEngine.Tests.csproj
  • VirtualPathProvider.Tests.csproj
  • WebApi.Tests.csproj
  • WebServices.Tests.csproj

13.0.100

Source code not compilable

Due to a background maintenance issue identified at the last second, the source code solution will not be compilable after applying hotfix 13.0.100.

To make the solution compile, place the following web.config file into ~/CMS/App_Data/Setup/WebConfig/net48/




<?xml version="1.0"?>
<configuration>  
    <appSettings />  
    <connectionStrings />  
    <system.web>    
        <customErrors mode="RemoteOnly">      
            <error statusCode="500" redirect="~/CMSMessages/Error.aspx" />    
        </customErrors>    
        <sessionState mode="InProc" timeout="20" />  
    </system.web>  
    <system.webServer>    
        <modules />  
    </system.webServer>
</configuration>


This fixes the compilation issues. However, tests that derive from the WebAppInstanceTests class (tests that require a running web app instance) will not be runnable. This will be fixed in the following hotfix, 13.0.101. Note, however, that this test type was never intended to be officially supported.

Fixed issues

  • Hotfix – The hotfix utility incorrectly added file references (Content Include statements) for sample site assets to the Xperience administration project file (CMSApp.csproj) during each hotfix application. To fix the issue, this hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility).  After applying this hotfix, the utility no longer adds the unnecessary references. However, if the CMSApp project already contains the references from previous hotfix applications, they will not be deleted. You can delete these references manually. Find the full list of unnecessary file references attached below for both MVC 5 and ASP.NET Core projects.

    ASP.NET MVC 5
    
    
    
      <Content Include="DancingGoatMvc\media\CoffeeGallery\Bakery-And-Coffee.jpg" />    
      <Content Include="DancingGoatMvc\media\CoffeeGallery\Brew-Bar.jpg" />    
      <Content Include="DancingGoatMvc\media\CoffeeGallery\Cauca-Farmer.jpg" />    
      <Content Include="DancingGoatMvc\media\CoffeeGallery\Coffee-Cherries.jpg" />    
      <Content Include="DancingGoatMvc\media\CoffeeGallery\Coffee-Region.jpg" />    
      <Content Include="DancingGoatMvc\media\CoffeeGallery\Coffee-Shop.jpg" />    
      <Content Include="DancingGoatMvc\media\CoffeeGallery\Coffee-Triangle.jpg" />    
      <Content Include="DancingGoatMvc\media\CoffeeGallery\Colombia-Coffee.jpg" />    
      <Content Include="DancingGoatMvc\media\CoffeeGallery\Kona-Coffee.jpg" />    
      <Content Include="DancingGoatMvc\media\CoffeeGallery\Robusta.jpg" />    
      <Content Include="DancingGoatMvc\media\CoffeeGallery\St-Helena-Coffee.jpg" />    
      <Content Include="DancingGoatMvc\media\CoffeeGallery\Thailand-Coffee.jpg" />    
      <Content Include="DancingGoatMvc\media\CoffeeGallery\Work-And-Coffee.jpg" />    
      <Content Include="DancingGoatMvc\media\EmailCampaigns\coffee-101-lesson-1.jpg" />    
      <Content Include="DancingGoatMvc\media\EmailCampaigns\coffee-101-lesson-2.jpg" />    
      <Content Include="DancingGoatMvc\media\EmailCampaigns\colombia-coffee-promotion.jpg" />    
      <Content Include="DancingGoatMvc\media\Graphics\banner-default.jpg" />    
      <Content Include="DancingGoatMvc\media\Graphics\colombia-coffee.jpg" />    
      <Content Include="DancingGoatMvc\media\Graphics\default-image-product.png" />    
      <Content Include="DancingGoatMvc\media\Graphics\hero-image.jpg" />    
      <Content Include="DancingGoatMvc\media\Graphics\Logos\logo-dancing-goat-inverted.png" />    
      <Content Include="DancingGoatMvc\media\Graphics\Manufacturers\aerobie.png" />    
      <Content Include="DancingGoatMvc\media\Graphics\Manufacturers\chemex.png" />    
      <Content Include="DancingGoatMvc\media\Graphics\Manufacturers\Espro.png" />    
      <Content Include="DancingGoatMvc\media\Graphics\Manufacturers\Hario.png" />
    
    
      
    ASP.NET Core
    
    
    
      <Content Include="DancingGoatCore\media\CoffeeGallery\Bakery-And-Coffee.jpg" />    
      <Content Include="DancingGoatCore\media\CoffeeGallery\Brew-Bar.jpg" />    
      <Content Include="DancingGoatCore\media\CoffeeGallery\Cauca-Farmer.jpg" />    
      <Content Include="DancingGoatCore\media\CoffeeGallery\Coffee-Cherries.jpg" />    
      <Content Include="DancingGoatCore\media\CoffeeGallery\Coffee-Region.jpg" />    
      <Content Include="DancingGoatCore\media\CoffeeGallery\Coffee-Shop.jpg" />    
      <Content Include="DancingGoatCore\media\CoffeeGallery\Coffee-Triangle.jpg" />    
      <Content Include="DancingGoatCore\media\CoffeeGallery\Colombia-Coffee.jpg" />    
      <Content Include="DancingGoatCore\media\CoffeeGallery\Kona-Coffee.jpg" />    
      <Content Include="DancingGoatCore\media\CoffeeGallery\Robusta.jpg" />    
      <Content Include="DancingGoatCore\media\CoffeeGallery\St-Helena-Coffee.jpg" />    
      <Content Include="DancingGoatCore\media\CoffeeGallery\Thailand-Coffee.jpg" />    
      <Content Include="DancingGoatCore\media\CoffeeGallery\Work-And-Coffee.jpg" />    
      <Content Include="DancingGoatCore\media\EmailCampaigns\coffee-101-lesson-1.jpg" />    
      <Content Include="DancingGoatCore\media\EmailCampaigns\coffee-101-lesson-2.jpg" />    
      <Content Include="DancingGoatCore\media\EmailCampaigns\colombia-coffee-promotion.jpg" />    
      <Content Include="DancingGoatCore\media\Graphics\banner-default.jpg" />    
      <Content Include="DancingGoatCore\media\Graphics\banner2.png" />    
      <Content Include="DancingGoatCore\media\Graphics\colombia-coffee.jpg" />    
      <Content Include="DancingGoatCore\media\Graphics\default-image-product.png" />    
      <Content Include="DancingGoatCore\media\Graphics\hero-bg.jpg" />    
      <Content Include="DancingGoatCore\media\Graphics\hero-bg3.jpg" />    
      <Content Include="DancingGoatCore\media\Graphics\hero_image.jpg" />    
      <Content Include="DancingGoatCore\media\Graphics\Logos\logo-dancing-goat.png" />    
      <Content Include="DancingGoatCore\media\Graphics\Manufacturers\aerobie.png" />    
      <Content Include="DancingGoatCore\media\Graphics\Manufacturers\chemex.png" />    
      <Content Include="DancingGoatCore\media\Graphics\Manufacturers\Espro.png" />    
      <Content Include="DancingGoatCore\media\Graphics\Manufacturers\Hario.png" />
    
    
      

13.0.104 (Xperience 13 Refresh 9)

  • For detailed information about the new features and changes in Xperience 13 Refresh 9, refer to the Release notes.

13.0.107

13.0.110

  • WYSIWYG editor – The HTML sanitizer in the Rich text editor component for the page and form builder, introduced in hotfix 13.0.89, removed various HTML tags from the content even if the tags were allowed in the editor configuration. This hotfix introduces new configuration keys to customize the set of allowed tags and attributes: CMSHtmlSanitizerAllowedTags and CMSHtmlSanitizerAllowedAttributes. For examples of usage, see Configuring the rich text editor for page builder.

  • Security – The hotfix updates and changes several third-party dependencies used by the system. 

    • Azure.AI.TextAnalytics was updated from 5.0.0 to 5.2.0.
    • DocumentFormat.OpenXml was updated from 2.7.2 to 2.19.0.
    • Microsoft.Owin and related packages were updated from 4.1.1 to 4.2.2.
    • Microsoft.AspNet.Identity.Owin was updated from 2.2.1 to 2.2.3.
    • Microsoft.AspNet.Identity.Core was updated from 2.2.1 to 2.2.3.
    • Microsoft.CodeAnalysis.CSharp was updated from 2.10.0 to 3.11.0.
    • Microsoft.VisualStudio.Web.CodeGeneration.Design was removed.
    • Newtonsoft.Json was updated from 12.0.3 to 13.0.3.
    • System.Drawing.Common was updated from 4.5.1 to 5.0.3.
    • System.Runtime.CompilerServices.Unsafe was updated from 4.7.1 to 5.0.0.
    • System.ServiceModel.Duplex was updated from 4.6.0 to 4.10.0.
    • System.Security.Principal.Windows was updated from 4.7.0 to 5.0.0.

13.0.113

  • Form components – It was not possible to dynamically set and update the values of component properties based on other properties, e.g., clearing a dependent field when the value of a property set as dependency changes. This hotfix introduces the ConfigureValues method of the FormComponentConfigurator base class that can be used to dynamically set the value of dependent component properties. For more information, see Configuring editing component state in builder configuration dialogs.

13.0.115 (Xperience 13 Refresh 10)

  • For detailed information about the new features and changes in Xperience 13 Refresh 10, refer to the Release notes.

13.0.125

  • Security – The hotfix updates the SkiaSharp dependency of the Kentico.Xperience.ImageProcessing.KX13 library from version 2.88.3 to 2.88.6.

13.0.130

  • Source code – To ensure that source code projects compile correctly after applying the hotfix, you need to update the following NuGet packages throughout the solution:

    • System.Runtime.CompilerServices.Unsafe to version 6.0.0.
    • AngleSharp to version 0.17.1.
    • HtmlSanitizer to version 8.0.723.

13.0.131 (Xperience 13 Refresh 11)

  • For detailed information about the new features and changes in Xperience 13 Refresh 11, refer to the Release notes.

13.0.133

  • The hotfix updates the WYSIWYG editor used by the administration interface to version 4.22.1 to address vulnerabilities present in older versions.
  • The hotfix updates the Froala WYSIWYG editor (used, for example, in the Rich text widget) to version 4.1.4.

13.0.140

  • Form components – Selector form components (e.g., Radio buttons, Drop-down list or Multiple choice) didn’t display their options correctly if the option text contained a semicolon. If you want to use semicolons in the options text, configure a different separator using the new Options value separator setting in the Form builder (or using the new DataSourceValueSeparator property when adding editing components in code).
  • Security – The hotfix introduces a feature to improve the protection of image file requests with resize parameters. See Securing media libraries for more information.

13.0.142 (Xperience 13 Refresh 12)

  • For detailed information about the new features and changes in Xperience 13 Refresh 12, refer to the Release notes.

13.0.147

  • Cookies – When running the Xperience administration and live site applications on different domains, SameSite=None cookies must be configured to enable preview mode and its related features like the page builder. The hotfix ensures the system cookies used for the preview mode have the Partitioned attribute set. This way, the preview mode will remain functional in browsers that block third-party cookies. For example, the Google Chrome browser plans to block third-party cookies in Q3 2024.

13.0.148

  • API – The CMS.Base.ContextUtils class was introduced into the public API. The class’s PropagateCurrent and ResetCurrent methods allow developers to propagate or clear the system’s thread context, such as the database connection, when executing asynchronous or parallel code, for example using Task.Run. See Best practices for customization.
  • WYSIWYG editor – The hotfix updates the WYSIWYG editor used in the administration to CKEditor version 4.24.0. The update adds a license key into the editor’s configuration file. If you have customized the CMS\CMSAdminControls\CKeditor\config.js file, the hotfix doesn’t update the file directly, but creates a new version of the file with the .new extension. You need to manually transfer your customizations to the new file, and then replace the original.

13.0.159

  • Security – Due to the possibility of cross-site scripting (XSS) attacks, HTML will no longer be resolved in the Text field of the Checkbox form component and files with disallowed extensions are no longer supported in avatars.

13.0.162

  • Contact management – When users submit data via a form submission, this data can be mapped to the fields of the associated contact. After applying this hotfix, such actions can no longer be used to change the email address of the current contact. If the contact already has an email address stored in Xperience that doesn’t match the new email value, all related field updates are performed for a different contact. Either an existing contact that matches the submitted email value is used, or a new contact is created. In these cases, the user’s associated contact remains unchanged, but any subsequent actions, such as Form submission activity logging and triggering of automation processes, are performed for the “other” contact that matches the submitted email address.

13.0.165

  • Security - Cookies – In .NET Framework (MVC 5) projects, cookies set via CookieHelper.SetValue disregarded the requireSSL attribute configurable for the httpCookies web.config element.
    
      <httpCookies requireSSL="true" />
      
    To correct the issue, the hotfix introduces the following changes:
    • All overloads of CookieHelper.SetValue now reflect the requireSSL attribute, if set.

    • The following overload of CookieHelper.SetValue, responsible for suppressing the requireSSL configuration in .NET Framework projects (via the secure parameter, which defaulted to false), was made obsolete:

      
        CookieHelper.SetValue(string name, string value, DateTime expires, string path = null, bool? httpOnly = null, string domain = null, SameSiteMode sameSiteMode = SameSiteMode.Lax, bool secure = false)
        

      The method was replaced with SetValue(CookieHelperValueSettingParameters parameters). The CookieHelperValueSettingParameters object contains the parameters from the obsolete method and can be used identically. For example:

      
        CookieHelper.SetValue(new CookieHelperValueSettingParameters {
                    Name = "CustomCookie",
                    Value = "CustomValue",
                    Expires = DateTime.Now.AddYears(1)
                });
        

      Note that due to the shared code base, this method change also affects .NET Core projects. However, the functional behavior remains unchanged. Since .NET Core does not expose any global security settings for cookies, the value was always false by default.

    • Explicitly configuring CookieHelperValueSettingParameters.Secure when setting cookies overrides the configuration from the httpCookies element.

      
        CookieHelper.SetValue(new CookieHelperValueSettingParameters {
                    Name = "CustomCookie",
                    Value = "CustomValue",
                    Expires = DateTime.Now.AddYears(1),
                    SameSiteMode = SameSiteMode.None,
                    Secure = true
                });
        
    • If you do not wish to introduce the functional change related to the requireSSL attribute to your solution, you can revert the system to its previous behavior by adding the CMSIgnoreRequireSSLAttribute configuration key to the web.config of both the live site (MVC 5) and administration applications.

      web.config
      
        <configuration>
            <appSettings>
                <add key="CMSIgnoreRequireSSLAttribute" value="true"/>
            </appSettings>
        </configuration>
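One way to confirm the effect of hotfixes 13.0.147 and 13.0.165 on a running site is to inspect the Set-Cookie headers it returns. The check below is an added example, not Kentico code; it assumes requireSSL="true" is configured, and the class name, cookie names and header lines are constructed.

```csharp
// Added example (not Kentico code): audits Set-Cookie response headers.
using System;
using System.Collections.Generic;
using System.Linq;

public static class CookieAttributeAudit
{
    // Returns one finding per problem; an empty list means the header passes.
    public static List<string> Audit(string setCookieHeader)
    {
        string[] parts = setCookieHeader.Split(';').Select(p => p.Trim()).ToArray();
        string name = parts[0].Split('=')[0];

        // Attribute names are case-insensitive; flag attributes map to "".
        var attributes = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (string part in parts.Skip(1).Where(p => p.Length > 0))
        {
            string[] pair = part.Split(new[] { '=' }, 2);
            attributes[pair[0].Trim()] = pair.Length == 2 ? pair[1].Trim() : "";
        }

        bool secure = attributes.ContainsKey("Secure");
        bool partitioned = attributes.ContainsKey("Partitioned");
        bool sameSiteNone = attributes.TryGetValue("SameSite", out string sameSite)
            && sameSite.Equals("None", StringComparison.OrdinalIgnoreCase);

        var findings = new List<string>();
        if (!secure)
            findings.Add($"{name}: no Secure attribute (check requireSSL and CMSIgnoreRequireSSLAttribute)");
        if (sameSiteNone && !secure)
            findings.Add($"{name}: SameSite=None requires Secure");
        if (sameSiteNone && !partitioned)
            findings.Add($"{name}: cross-site cookie without Partitioned");
        if (partitioned && !secure)
            findings.Add($"{name}: Partitioned requires Secure");
        return findings;
    }

    public static void Main()
    {
        // Constructed headers; the cookie names are placeholders, not Xperience's.
        string[] captured =
        {
            "PreviewSample=abc; path=/; SameSite=None; Secure; Partitioned; HttpOnly",
            "CustomCookie=CustomValue; expires=Fri, 01 Jan 2027 00:00:00 GMT; path=/; SameSite=Lax",
            "LegacyPreview=xyz; path=/; SameSite=None; Secure"
        };
        foreach (string header in captured)
        {
            List<string> findings = Audit(header);
            Console.WriteLine(findings.Count == 0 ? "OK   " + header : "FAIL " + header);
            findings.ForEach(f => Console.WriteLine("     " + f));
        }
    }
}
```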
        

Fixed bugs

For a full list of bugs covered by the hotfix, open the Hotfixes page on DevNet and click Fixed bugs for the appropriate version.