Refresh (April 18, 2024)

version 29.0.0

New features

Content hub folders
The Content hub application now allows users to create a hierarchy of folders for organizing content items. The purpose of folders is to help efficiently navigate through content items in the administration interface. However, these folders cannot be used to control content delivery or filter content on the live website.

Mass publishing in Content hub
The Content hub application now supports mass publishing of content items.

Scope content items offered by content item selector by reusable field schemas
The content item selector UI form component can now filter content items according to assigned reusable field schemas. Content item selectors configured via the field editor can now select the Allowed reusable field schema option. For model-driven forms such as widget property dialogs, implement the IReusableFieldSchemasFilter interface and assign it using the ContentItemSelectorComponent attribute. See the content item selector documentation for an example.

When retrieving fields scoped by reusable field schemas via content item query, use the OfReusableSchema parameterization.

When retrieving fields scoped by reusable field schemas via GraphQL, use inline fragments to access the properties of the underlying type. See, Retrieve headless items.

Ordering in the content item and headless item selectors
The selectors now support a drag-and-drop ordering mechanism for easily reordering linked items, preserving the selected order. Both the minimum and maximum number of selectable items can now also be set. This new feature enables a substantial change in the approach to content modeling, as you can now use reusable content items instead of pages without URLs to model strictly-ordered hierarchies, including website navigation. This new approach helps declutter the website channel content tree and promotes better reusability of your content model.

Content item code name generation API
Developers can now use the CMS.ContentEngine.IContentItemCodeNameProvider API to generate globally unique code names for content items programmatically.

Updated automapping support for reusable field schema
This update introduces the option to specify which model class a given content type referenced under a reusable field schema maps to when using IContentQueryExecutor.GetMappedResult<TModel> or IContentQueryResultMapper.Map.

// Maps content types of type 'Laptop.CONTENT_TYPE_NAME' from the collection of items
// referenced by the 'IComputer' schema to the 'Laptop' model class.
[MapContentTypeReferenceTo(Laptop.LAPTOP_CLASS_NAME, typeof(Laptop))]

// Maps content types of type 'Desktop.CONTENT_TYPE_NAME' from the collection of items
// referenced by the 'IComputer' schema to the 'Desktop' model class.
[MapContentTypeReferenceTo(Desktop.DESKTOP_CLASS_NAME, typeof(Desktop))]

// Other content types map to the 'Computer' model class

// Property representing reusable field schema references
public IEnumerable<IComputer> Computers { get; set; }

When no mapping preferences are specified, the system defaults first to the type of the property representing the reusable schema and finally to the type registered via RegisterContentTypeMappingAttribute.

Expanded reusable field schema data type support
Fields defined for reusable field schemas can now use the following data types:

  • Content items – content item references (content item selector)
  • Media files – media library files (media file selector)
  • Object code names and global identifiers (GUIDs) – references to objects managed by the system (object selector)
  • Pages – web page references (page selector)
  • Taxonomy – a collection of tags that belong to taxonomies (tag selector)
  • Time interval
  • Unique identifier (GUID)

Expanded email data type support
Fields defined in content types for emails can now use the following data types. The data types are also supported by macros in email templates.

  • Media files
  • Object code names
  • Object global identifiers
  • Pages
  • Time interval
  • Unique identifier (GUID)

Create pages and folders directly in the content tree
Users can now create new pages and folders directly in the content tree of website channel applications.

Updates and changes

  • Code generators – Interfaces generated for reusable field schemas now contain the code name of the schema under the REUSABLE_FIELD_SCHEMA_NAME constant.
  • Content item API
    • Web page content items retrieved via content item query now contain the identifier of their corresponding website channel in the WebPageItemWebsiteChannelId property.
    • Parts of the content item creation API (CreateContentItemParameters, CreateWebPageParameters, and CreateFolderParameters) were extended with additional overloads that no longer require the code name parameters explicitly and instead use IContentItemCodeNameProvider internally to generate one. See the reusable content item page and API examples for usage examples.

New object types for CI/CD

The update introduces the following object types, which are supported by the Continuous Integration and Continuous Deployment features. Consider updating the repository.config files of your CI/CD repositories, particularly when using the <IncludedObjectTypes> allowlist for object type filtering.

  • cms.contentfolder – stores folders used to organize items in the Content hub application. Required for all projects to ensure that the content hub works correctly.

Breaking changes

Content hub URLs
The URLs of administration UI pages for managing individual items in the Content hub application newly include a segment representing the location of the given item. The location value can either be the ID of the folder containing the given item (highlights the folder in the content hub tree) or the all constant (displays the item under “All content items”, is valid for all items).

URL path format: /admin/content-hub/<language>/<location>/list/<item ID>/<UI page>
Example: /admin/content-hub/en/all/list/19/content

Resolution: Update any stored or hardcoded URLs targeting content item admin UI pages to include the location segment. Use the all location to preserve full backward compatibility.

If you have any admin UI customizations that generate links to content item UI pages, add the location parameter to your IPageUrlGenerator.GenerateUrl calls (the order of the URL parameters is significant). Use the ContentHubSlugs.ALL_CONTENT_ITEMS constant to generate “All content items” links, which are valid for any content item.

// Service obtained using dependency injection
private readonly IPageUrlGenerator pageUrlGenerator;


pageUrlGenerator.GenerateUrl<ContentItemEdit>(languageName, ContentHubSlugs.ALL_CONTENT_ITEMS, contentItemId.ToString());

If you need to generate links that preserve the currently selected folder when linking within the Content hub application, use the PageParameter attribute to retrieve and bind the folder parameter from the URL.

[PageParameter(typeof(StringPageModelBinder), typeof(ContentHubFolder))]
public string FolderId { get; set; }

Then add the retrieved value to the GenerateUrl parameters in place of the ContentHubSlugs.ALL_CONTENT_ITEMS constant.

Regular email rescheduling permissions
In order to reschedule the sendout of regular emails in email channel applications, users must now belong to a role with the Send email permission for the given application.

Resolution: Add the Send email permission to all roles that need to be able to configure when regular emails are sent.

.Internal namespace API changes

Certain parts of the public API could not safely be used by developers, because they contained members from .Internal namespaces, which are not allowed for public use. These inconsistencies were fixed by moving API members between .Internal and public namespaces, or in certain cases by making members obsolete.

The following list covers impactful changes for public API scenarios – members that were moved from an .Internal namespace to a public one. To resolve potential issues in your code, remove the .Internal suffix from the given namespaces in using statements.

  • From CMS.Automation.Internal to CMS.Automation
  • From CMS.Base.Internal to CMS.Base
    • HttpCacheability, HttpCacheRevalidation – used by properties of CMS.Base.Routing.CMSActionResult, the base class of the system’s HTTP handler return type.
  • From CMS.DataEngine.Internal to CMS.DataEngine
    • GuidItem – used as an argument of CMS.DataEngine.SqlHelper.BuildGuidTable.
    • StringItem – used as an argument of CMS.DataEngine.SqlHelper.BuildStringTable.
  • From CMS.Headless.Internal to CMS.Headless
  • From Kentico.Content.Web.Mvc.Internal to Kentico.Content.Web.Mvc
    • ComponentFilterRegistrar – type used in the page template and form component filtering API.
    • FormAfterSubmitModeEnum – enum type representing possible actions after a user submits a form using the Form Page Builder widget. Not used in common scenarios, but could be required for certain Form widget customizations.

Newly obsolete API

Info provider interfaces in the CMS.ContactManagement namespace were replaced by the generic IInfoProvider<TInfo> provider and made obsolete.

  • IAccountContactInfoProvider
  • IAccountInfoProvider
  • IAccountStatusInfoProvider
  • IContactRoleInfoProvider
  • IContactStatusInfoProvider
  • IContactInfoProvider
  • IVisitorToContactInfoProvider
  • IContactGroupInfoProvider
  • IContactGroupMemberInfoProvider

Fixed issues

  • Artificial Intelligence – Content items with custom fields of type Text assigned exclusively via reusable field schemas were unavailable when selecting items as the content source in the Generate with AI dialog for a field using the generate email content AI feature.
  • CI/CD – The Continuous Integration repository didn’t correctly maintain the latest state of content item relationships (references to other content items via the Content items data type) that were edited via the admin UI. Instead, for all operations done through the admin UI that modify content item relationships (adding and removing content items via the content item selector), the repository maintained the state immediately preceding the latest operation. Relationships assigned programmatically via the API were unaffected. After applying this refresh update, projects using CI/CD should follow the steps outlined in the update instructions to get their repository to the correct state.
  • Content hub – Attempting to edit a nonexistent content item via the content item edit page (e.g., by directly accessing the edit page URL with invalid parameters) returned an HTTP 500 error instead of the system error page.
  • Content item API – The LinkedFrom and Linking content item query parameterization methods returned a NullReferenceException when the provided content type didn’t exist. The exception type was changed to ArgumentException, which is more suitable for the reported error.
  • Content management – The cascade publishing dialog didn’t prevent selection of linked content items that would then fail to publish due to workflow restrictions. The issue occurred for items under workflow if the current user didn’t belong to a role that was allowed to work with the last step in the workflow.
  • Languages
  • Pages
    • The value of the CacheVaryByConstants.ROUTE_URL_SLUG constant was incorrect. The constant stores the name of the route parameter that holds the URL slug value for page routes, and can be used to vary the output cache of pages based on their URLs.
    • When directly publishing new pages with one or more Content item selector fields, a TaskCanceledException error occurred and was displayed in the system’s event log. However, the error did not prevent the page from being published or cause any functional issues.
  • Rich text editor – When using the Insert link → Web URL option of the rich text editor with content spanning the entire height of the content editing area, the pop-up for entering the URL was anchored to the bottom of the page and could not be filled out.
  • User interface – The text of certain action confirmation messages in the administration was adjusted to be more accurate.

Hotfix (April 11, 2024)

version 28.4.4

Fixed issues

  • Taxonomies – The placeholder that appears in the taxonomy tree when creating tags in the Taxonomies application was displayed incorrectly in certain circumstances.

Hotfix (April 4, 2024)

version 28.4.3

Fixed issues

  • Page Builder – Custom HTML elements surrounding Page Builder widget zones in the administration were incorrectly removed in certain cases.
  • Security – Regular users with the Create permission for the Users application were allowed to assign the Administrator role to newly invited users.

Hotfix (March 28, 2024)

version 28.4.2

Fixed issues

  • CI/CD – After separately updating the databases of multiple instances synchronized via CI/CD from versions 22.0-26.6 to version 27.0 or later, the system could no longer match existing Former URLs during CD restore. This led to duplicate Former URL entries in the target database after running the restore command. The hotfix also deletes any already existing Former URL duplicates in the project database.

  • UI form components – Properties for the minimum and maximum number of selected tags for the TagSelectorComponent editing component were introduced.

  • Xperience Portal – The status of custom channel domains with invalid DNS records was incorrectly displayed as Error instead of Validation failed.

  • The following visual defects were fixed:

    • Exceedingly long content item names could overflow on the Content tab.
    • Exceedingly long language names could overflow in the language selector.
    • A validation message in the Rename content item dialog was not displayed correctly.
    • The tag selector dialog incorrectly expanded certain tags in the tag tree.

Recommended manual steps for self-hosted environments

Some deployment environments, like Azure Web Apps, don’t provide a persistent file system. This can potentially lead to a loss of binary files like media libraries, content item assets, or files uploaded via the Upload file form component when redeploying the application, swapping slots, switching servers, etc. The possible loss can be prevented by mapping and storing the files in persistent shared file storage like Azure Blob or Amazon S3.

Therefore, if you:

  • Use self-managed deployments in environments without a persistent file system (e.g., Azure Web Apps )
  • Don’t have the following folders mapped to shared storage:
    • ~/assets folder containing content item assets and media library files
    • ~/BizFormFiles folder containing files uploaded from users using the Upload file form component (if you use Forms with the given component)

We recommend taking the following actions:

  1. Add mappings for the unmapped folders.
  2. Obtain the files from the unmapped folders in your deployed project and manually upload them to the shared storage. Depending on your deployment environment you might be able to access the files directly on the file system. If this isn’t possible, you can download the files manually (e.g., the files uploaded through forms are stored in each form’s submissions).

Hotfix (March 22, 2024)

version 28.4.1

Fixed issues

  • General – An error occurred when building version 28.4.0 projects using the .NET 8.0 Target framework. This also prevented NuGet package updates to 28.4.0 for projects targeting .NET 8.0.

Refresh (March 21, 2024)

version 28.4.0

New features

Taxonomies support

Taxonomies provide users with the option to tag content. Tags can be assigned to individual pieces of content for multiple purposes including but not limited to modeling relationships, categorization, and organization and classification of data. Example uses include:

Query content items without specifying content type names

In previous versions of Xperience, retrieving content items via content item query required explicitly stating the content item type as a parameter of the ForContentType method. Any implementation that relied on dynamic item selection (e.g., via selector components) often had to restrict its functionality to a predefined set of content page or resort to various workarounds due to this limitation.

This release extends content item query with options to query content items without prior knowledge of their type. The available parameterization alternatives include:

  • Assigned reusable field schemas – selects items from content types with the specified reusable schema assigned. Selection can be further limited using conventional WHERE conditions.
  • Content item identifiers, GUIDs, or code names (for website pages) – selects items that match the provided collection of identifiers (e.g., via the Page selector component).
  • A list of content types – selects items that match the provided content type names. Doesn’t require repeated ForContentType calls.

The new querying API is available via the ForContentTypes method on ContentItemQueryBuilder. See Reference - Content item query for details.

Enhancements to content item query result mapping

The process of mapping database data returned by content item queries to objects used by the live site was updated to address the requirements introduced by the querying improvements outlined above.

The existing implementation using IContentQueryExecutor.GetResult<TModel> (GetWebPageResult for pages) requires developers to pattern-match based on content type names and assign appropriate models matching the data. This is especially noticeable when working with result sets comprised of multiple content types:

// Mapping a result set containing multiple content types
await contentQueryExecutor.GetResult<IContentItemFieldsSource>(builder, dataContainer =>
    // Pattern-matching to suitable model classes
      case Coffee.CONTENT_TYPE_NAME:
          return contentQueryResultMapper.Map<Coffee>(dataContainer);
      case Event.CONTENT_TYPE_NAME:
          return contentQueryResultMapper.Map<Event>(dataContainer);
          throw new Exception("Attempting to map an unknown type.");

While useful for advanced use cases, this approach leads to unnecessary boilerplate code in the majority of common scenarios. It also relies on prior knowledge of content types comprising the result set.

This version update introduces new query execution API – IContentQueryExecutor.GetMappedResult<TModel> (GetMappedWebPageResult for pages). This API abstracts the mapping function present in GetResult<TModel> and directly returns saturated model classes.

For result sets comprised of a single content type, you now omit the mapping function entirely and call:

var builder = new ContentItemQueryBuilder();

// 'GetMappedWebPageResult' directly returns an enumeration of types specified by the generic parameter
IEnumerable<Article> articles =
            await contentQueryExecutor.GetMappedWebPageResult<Article>(builder);

Result sets that are comprised of two or more content types or that retrieve objects based on reusable field schemas can also omit all pattern-matching within the mapping logic and work directly with instances of the corresponding model classes:

var builder = new ContentItemQueryBuilder();
// Uses the newly introduced API to retrieve multiple content types
builder.ForContentTypes(query =>
    query.OfContentType(Article.CONTENT_TYPE_NAME, Blog.CONTENT_TYPE_NAME);

// Gets a mixed collection of articles and blogs.
// The 'TModel' generic in GetMappedWebPageResult must cast the result set to a type shared by all models.
// This example uses 'IContentItemFieldsSource' - implemented by all generated model classes - as the shared type.
IEnumerable<IContentItemFieldsSource> result =
        await executor.GetMappedWebPageResult<IContentItemFieldsSource>(builder);

// Gets all articles
List<Article> articles = result.OfType<Article>().ToList();
// Gets all blogs
List<Blog> blogs = result.OfType<Blog>().ToList();

The system determines which model class to instantiate for each content type based on the RegisterContentTypeMapping attribute used to annotate model classes. The attribute is, by default, present in all generated classes. Each content type can be associated with exactly one model class via the attribute. To use the GetMappedResult methods in existing projects, regenerate all model classes to ensure the attribute is present in all models.

Additionally, as part of these changes, IContentQueryResultMapper and IWebPageQueryResultMapper, used by the mapping logic within GetResult<TModel>, were unified to offer identical functionality for all content item types (reusable, pages). Going forward, we recommend using IContentQueryResultMapper for all custom mapping operations. Related scenarios covered in the documentation were updated to reflect the new recommendation.

UI form components

  • You can now provide multiple dependency fields to a form component configurator, enabling you to create more complex rules and conditions for your editing components. For example:

                                  new[] { nameof(FirstDependencyField), 
                                          nameof(SecondDependencyField) })]
  • Developers can now access the ContentTypeID and IsSecured properties in IWebPagePanelItemModifier implementations, making it possible to disable pages in the Page selector form component based on their content type and access privileges. For example:

      public class SecuredArticlePagesPanelItemModifier : IWebPagePanelItemModifier
          public WebPagePanelItem Modify(WebPagePanelItem pagePanelItem, WebPagePanelItemModifierParameters itemModifierParams)
              string contentTypeCodeName = DataClassInfoProvider.GetClassName(itemModifierParams.WebPageMetadata.ContentTypeID);
              // Disables selection of secured pages of the 'acme.article' type
              if (string.Equals(contentTypeCodeName, "acme.article", System.StringComparison.OrdinalIgnoreCase) && itemModifierParams.WebPageMetadata.IsSecured)
                  pagePanelItem.SelectableOption.Selectable = false;
                  pagePanelItem.SelectableOption.UnselectableReason = "Cannot select secured 'acme.article' pages";
              return pagePanelItem;


  • CRM – The Xperience by Kentico CRM integration was updated to support bi-directional synchronization between contacts in Xperience and Leads or Contacts in the connected CRM.

  • MiniProfiler – New external module that integrates Xperience by Kentico applications with MiniProfiler. This integration allows developers to optimize database queries and reduce load times. For more information, see the Xperience by Kentico MiniProfiler GitHub repository.

  • Tag Manager – The Xperience by Kentico Tag Manager integration was updated to provide support for the following additional code snippets:

  • Zapier – New external module that enables you to create automated workflows, or “Zaps,” that can trigger actions across different platforms based on events that occur in Xperience by Kentico. For example, you can trigger actions in Zapier when a new contact is created or a content item’s workflow step changes. In the other direction, you can set up actions in Xperience that are triggered by “Zaps” from other applications – store external data as a form submission or change the workflow step of a content item. This integration empowers users to streamline repetitive tasks, synchronize data, and improve productivity without requiring any coding knowledge. The integration is currently in preview, with full support coming soon. For more information, see the Xperience by Kentico Zapier GitHub repository.

Updates and changes

  • Content types and reusable field schemas – Improved duplicate column name detection was added to content type and reusable field schema fields. Content type field names must be unique within the content type and across all reusable field schemas. Reusable schema field names must be unique across all reusable schema and content type fields.

  • Database table API – New CMS.DataEngine.Provider<TInfo> API for directly accessing IInfoProvider<TInfo> instances in code where dependency injection is not possible.

  • Security – Antiforgery cookies used by the admin UI are now generated with the secure attribute. We recommend clearing the cookies for your administration project domain after applying the refresh update to ensure the new cookie configuration is used.

  • Website development – The RoutedWebPage type was extended by a new property containing the GUID of the currently accessed page. Developers can use this data to retrieve the page and access its content fields. For example, when developing widgets or other Page Builder components, RoutedWebPage data for the current page is accessible via ComponentViewModel.Page.

New object types for CI/CD

The update introduces the following object types, which are supported by the Continuous Integration and Continuous Deployment features. Consider updating the repository.config files of your CI/CD repositories, particularly when using the <IncludedObjectTypes> allowlist for object type filtering.

  • cms.taxonomy – stores taxonomies, i.e., collections of related tags.
  • cms.tag – stores individual taxonomy tags that can be used to organize content.

Newly obsolete API

Info provider interfaces in the following namespaces were replaced by the generic IInfoProvider<TInfo> provider and made obsolete.


  • IActivityInfoProvider
  • IActivityTypeInfoProvider


  • IAttachmentForEmailInfoProvider
  • IEmailAttachmentInfoProvider
  • IEmailInfoProvider


  • IEmailBounceInfoProvider
  • IEmailConfigurationInfoProvider
  • IEmailLinkInfoProvider
  • IEmailStatisticsInfoProvider
  • IEmailStatisticsHitsInfoProvider
  • IEmailTemplateInfoProvider
  • IEmailSubscriptionConfirmationInfoProvider
  • IEmailMarketingRecipientInfoProvider
  • ISendConfigurationInfoProvider
  • IRecipientListSettingsInfoProvider


  • IResourceInfoProvider


  • IBizFormInfoProvider
  • IFormFeaturedFieldInfoProvider
  • IBizFormRoleInfoProvider


  • ITrackedWebsiteInfoProvider

Fixed issues

  • Content hub – A selected content item’s Properties panel didn’t show the content item’s type under Information.

  • SaaS environment:

    • The Cloudflare CDN cache was not purged after deployment for projects with more than 30 domains in the environment.

    • The channel domain dropdown was not fully visible in the Deployments application when a project contained a large amount of channels.

    • Status monitoring was added for the following regions:

      • Canada Central
      • East Asia (Hong Kong)
      • Germany West Central
      • Japan East
      • North Europe (Ireland)
      • UAE North
  • Selector UI Form component Data source value separator option (added in version 28.3.1)

    • The semicolon character was not set as the default value of the Data source value separator option in the UI for the Dropdown selector and the Radio group Admin UI form components, as well as for the Radio buttons, Drop-down list, and Checkboxes Form Builder form components.
    • The Data source value separator option displayed an unresolved resource string value.
  • User interface – Very long workflow or workflow step names were displayed incorrectly in various parts of the administration UI.

Hotfix (March 14, 2024)

version 28.3.3

Fixed issues

  • Rich text editor – The HTML sanitizer used in the Rich text editor removed all entered CSS @media rules.

Updates and changes

  • Website content – Special characters in page URLs are now displayed in their decoded, user-friendly versions in the URL section on the Content tab.

Hotfix (March 7, 2024)

version 28.3.2

Fixed issues

  • Code generators – When generating code for a binding class that relates objects of the same object type, the code generator produced uncompilable code containing two identically named variables. After applying the hotfix, column names are used as variable names to ensure uniqueness for bindings that target the same object types.

Hotfix (February 29, 2024)

version 28.3.1

New features

  • Form components – The Dropdown selector and the Radio group component Admin UI form components as well as the Radio buttons, Drop-down list and Checkboxes Form Builder form components didn’t display their options correctly if the option text contained a semicolon. If you want to use semicolons in the value or text of the options, configure a different separator using the new Data source value separator setting in the UI (or using the new DataSourceValueSeparator property when adding the components in code).

Fixed issues

  • Security – Fixed a vulnerability in the Page and Form Builder dependencies.
  • Workflow
    • When creating a new content item via the Content item selector component, the Create new item dialog incorrectly allowed users to directly Publish the new item even if the given content type was under page workflow.
    • If the API was used to directly create a published or archived content item, and the item’s content type had a workflow assigned, some of the new item’s metadata was set incorrectly (the ContentItemLanguageMetadataContentWorkflowStepID column in the ContentItemLanguageMetadata table).

Refresh (February 22, 2024)

version 28.3.0

New features


  • New workflow feature that allows you to define the life cycle for pages, reusable content items, headless items and emails. Each workflow consists of one or more custom steps between the default Draft and Published steps. This helps ensure the quality of content by setting up a reviewing and approval process tailored specifically for your organization. See Workflows.

Artificial intelligence

  • New AI feature for fields using the Rich text editor form component, which allows users to refine selected pieces of text (make text shorter, improve spelling and grammar, etc.).

Image file endpoint protection

  • New feature that allows improved protection of the media library image file endpoint (getmedia) for requests with resize parameters. When this feature is enabled, a validation hash is required for any image file requests with resize query string parameters. This feature is enabled for new installations by default. See Image file request protection for more information.
  • Note: If image endpoint protection is enabled for an existing project updated from a previous version, you need to update certain media file URLs in your content to ensure that the content is displayed correctly.


  • Azure AI Search – An external module that enables you to create Azure AI Search indexes for the content of pages from a website channel’s content tree using a code-first approach. The module is distributed as a NuGet package. For more information, see the Xperience by Kentico Azure Search GitHub repository.

Newly obsolete API

  • Provider interfaces in the CMS.DataProtection namespace were replaced by the generic IInfoProvider<TInfo> provider and made obsolete. Affected interfaces:
    • IConsentInfoProvider
    • IConsentArchiveInfoProvider
    • IConsentAgreementInfoProvider
  • Provider interfaces in the CMS.MacroEngine namespace were replaced by the generic IInfoProvider<TInfo> provider and made obsolete. Affected interfaces:
    • IMacroIdentityInfoProvider
    • IUserMacroIdentityInfoProvider
    • IMacroRuleCategoryInfoProvider
    • IMacroRuleMacroRuleCategoryInfoProvider
    • IMacroRuleInfoProvider

Updates and changes

  • Added a unique index on the ContentItemLanguageMetadata database table that consists of:

    • ContentItemLanguageMetadataContentItemID
    • ContentItemLanguageMetadataContentLanguageID
    • ContentItemLanguageMetadataLatestVersionStatus
  • SaaS environment

    • Automatic predeployment backups are now available not only for the PROD environment, but also for QA and UAT.
    • The Memory utilization alert is now triggered when the total memory usage of your deployed projects reaches 90% instead of 80%.

Fixed issues

  • Contact management – The Email bounces column in contact listings incorrectly displayed “OK” for contacts without a known email address. After the updated, a dash is displayed instead for such contacts.
  • Content items – All public methods of IContentItemManager, except for GetContentItemMetadata and GetContentItemLanguageMetadata, now check that the content item identifier provided as input refers to a reusable content item. The purpose of IContentItemManager is to facilitate manipulation with reusable content items. The fact that it allowed users to work with other types of content items was an oversight that could lead to data inconsistencies. To work with web page items, use IWebPageManager.
  • Headless tracking – If a new custom activity type was created or an existing type’s code name was changed, the headless tracking API didn’t reflect the change until the application’s cache was cleared.
  • Modules – Attempting to create new fields without database columns in UI forms without first specifying their data type resulted in an unhandled exception instead of failed form validation.
  • Page Builder – The scroll bar was not available in the Page selector editing component when used in widget properties if the page selected as root had a large number of subpages.
  • Security – The System.IdentityModel.Tokens.Jwt package (transitive dependency) was updated to the latest version.
  • SaaS environment – In certain rare cases, the Cloudflare CDN firewall blocked the upload of media library files.
  • User interface – The tile view of the applications list in the administration displayed an incorrect number of applications per row.
  • UI form components - The Object code names selector component incorrectly allowed users to specify object types without a dedicated code name column.

Hotfix (February 15, 2024)

version 28.2.3

Fixed issues

  • Admin UI authentication – The ExpireTimeSpan property of AdminIdentityOptions.AuthenticationOptions was not being reflected when set via the AdminIdentityOptions object. For example:


    With the corresponding appsettings.json section:

      "AdminIdentityOptions": {
          "Authenticationoptions": {
              "ExpireTimeSpan": "06:00:00"

    Instead, the property was only configurable via its encapsulating AdminAuthenticationOptions type. The hotfix ensures correct behavior and also logs a warning to the event log if it detects that the ExpireTimeSpan value is being set via AdminAuthenticationOptions.

  • CI/CD – An error occurred when restoring a CI/CD repository of a project with a different default language than English into a database different than the one from which the repository was stored.

  • Code generators – Since version 28.2.0, generating provider classes and interfaces for object types via the code generator utility was not possible. The problem was caused by the --with-provider-class parameter, added in 28.2.0, which was not being correctly reflected.

  • Security – The hotfix updates the ‘Microsoft.Data.SqlClient’ library to version 5.1.5.

Hotfix (February 8, 2024)

version 28.2.2

Fixed issues

  • Deployment to the SaaS environment – The Continuous Deployment configuration file of new projects for SaaS deployment (installed with the --cloud parameter) was missing the necessary configuration to ensure reusable field schema deployment to the SaaS environment. To fix this issue for existing projects, download the Kentico.Xperience.Templates package from this hotfix, create a new boilerplate project and copy the generated Continuous Delivery configuration file from the $CDRepository folder to your project.

Hotfix (February 1, 2024)

version 28.2.1

New features

  • UI form components – You can now deploy your projects without the Xperience by Kentico administration when you make use of form component configurators. This is now possible after registering each form component configurator under an identifier via the RegisterFormComponentConfigurator assembly attribute, and then using the FormComponentConfiguration attribute with its new Identifier property.

Fixed issues

  • AI – When generating content for an email field, the AI panel displayed incorrect text for the quick refinement options below the generated text.
  • CI/CD – Separately updating the databases of multiple instances synchronized via CI/CD from versions 22.0-26.6 to version 27.0 or later resulted in an inconsistent state of page URL GUIDs. This led to duplicate key errors during subsequent CI/CD restore operations, as the synchronized URLs had non-matching GUIDs. The hotfix only prevents the GUID inconsistencies when updating project databases to version 28.2.1 or newer (the issue is not resolved for projects where the inconsistencies are already present).
  • Content types – When adding reusable field schemas in the Content types application, the checkbox in the side panel did not toggle to display a checkmark - indicating successful selection of a schema for addition - unless the checkbox element was selected directly. The schema field was still added after confirmation. After applying the hotfix, the checkbox toggles correctly even if a different area of a schema is selected in the listing.
  • User interface – The Save button displayed when editing headless items had an incorrect color schema.

Refresh (January 25, 2024)

version 28.2.0

New features

Reusable field schemas

  • Reusable field schemas enable the reuse of a collection of content type fields across multiple content types. A common use case is grouping a set of functionally related fields that often need to be duplicated across content types. For example, for search engine optimization purposes or social networking. See Reusable field schemas.
  • Reusable field schemas also introduce a new type of code file primitive – reusable schema interfaces. Each interface encapsulates fields defined by its corresponding schema. The code generator now supports generating these files via the --type ReusableFieldSchemas parameter. Generated content type classes implement these interfaces as needed based on the set of assigned reusable field schemas. See Generate code files for system objects.

Headless content preview

  • It’s now possible to retrieve headless items in their latest available version when using an API key with the appropriate Access type.
  • After setting up the Preview URL, you can now easily navigate to your preview environment straight from a headless channel application using the Preview button.

Headless tracking

  • Headless tracking enables developers to track contacts and log activities for the audience of external content channels, such as mobile apps, single-page applications, etc. Xperience then serves as a central hub where you can monitor contacts and analyze activities for all connected websites and channels. See Headless tracking.

Website development

  • The RoutedWebPage type was extended by new properties containing further information about the language, content type and website channel of the currently accessed page. Developers can use this data to retrieve the page and access its content fields. For example, when developing widgets or other Page Builder components, the RoutedWebPage ComponentViewModel.Page.

Content management

  • The Content hub application now supports bulk deletion of content items. Select the set of content items to delete via selectors on the left-hand side of the listing.
  • Image thumbnails displayed in the user interface (e.g., in asset selector, content hub) now have a chessboard pattern as a background to improve the visibility of white images with a transparent background.


  • Regular emails sent to subscribed recipients now support one-click unsubscribe. The system automatically includes the List-Unsubscribe-Post and List-Unsubscribe headers in regular emails. If a recipient uses one-click unsubscribe, the resulting request is handled in the same way as a standard unsubscribe link in email content.

Admin UI customization

  • UI listing pages – Listing UI pages can now be extended with commands that apply to multiple items from the listing via the PageConfiguration.MassActions property.

File system providers

  • Amazon S3 – New configuration option that controls whether Amazon S3 file system mappings fall back to the original local folder if a requested file cannot be found in Amazon S3. This fallback can cause issues when deploying files using the Continuous Deployment restore process, for example during deployment to the SaaS environment. Developers can configure the option using the introduced EnableFallbackToLocalFileSystem property of AmazonStorageOptions. The default values are true for self-managed projects and false for SaaS deployments.

      using Kentico.Xperience.AmazonStorage;
      var builder = WebApplication.CreateBuilder(args);
      builder.Services.AddKentico( ... );
      // Disables the fallback to the local file system
      builder.Services.Configure<AmazonStorageOptions>(options => options.EnableFallbackToLocalFileSystem = false);


  • CRM – An external module (a starter kit) that simplifies the integration of Xperience by Kentico with CRM software. The module also contains two packages that directly integrate Xperience by Kentico with Microsoft Dynamics 365 Sales and Salesforce Sales Cloud CRM. The integration enables sending form submissions from Xperience to the CRM as leads and checking synchronization status in the Xperience administration. The starter kit and two integrations are distributed as NuGet packages. See the Xperience by Kentico CRM GitHub repository for details.
  • Tag Manager – An external module that allows marketers and editors to author and embed custom tags or code snippets into website channels. The module supports Google Tag Manager code snippets out of the box. The module is distributed as a NuGet package. See the Xperience by Kentico Tag Manager GitHub repository for details.

Updates and changes

Code generators

  • The --type All parameter used to generate code files for all supported objects in the system is now marked obsolete. Running the code generator utility with this parameter produces a warning in the output. The parameter’s behavior remains unchanged. However, it doesn’t support generation for reusable fields schemas introduced in this release and will output invalid code in projects that make use of this new feature. Use a combination of the existing parameters to generate equivalent output.
  • Code generators now provide the option to generate object type (module class) code files without the corresponding I*Provider and *Provider classes via the --with-provider-class class parameter. The parameter defaults to true – if not provided, object type classes are generated with their corresponding providers. If set to false, only the *Info class is generated. This option was added to support the use of the generic IInfoProvider<TInfo> provider class instead of dedicated providers per object type. See Info class managers.

Data types

  • The Date and Long integer number data types are now available for the fields of content types for emails.

Headless channels

  • Domains that are allowed for Cross-Origin Resource Sharing (CORS) by headless channel GraphQL endpoints can now be configured in the administration using the new Settings > Content > Headless > Allowed origins setting. This setting overrides allowed domains set through the CMSHeadless.CorsAllowedOrigins key in your application’s configuration file (appsettings.json by default) or the HeadlessOptions.CorsAllowedOrigins option in your project’s startup file (Program.cs). See Retrieve headless content.

Page Builder

  • The Vue.js framework used in the Page and Form Builders was updated to version 3.

Xperience Portal

  • The DNS record configuration of custom channel domains in Xperience Portal now supports IPv6 AAAA records for apex domains.

Fixed issues

  • Content hub – The Properties → Information → Published status was displayed incorrectly for published content items. The issue occurred on versions 28.1.0 and newer.

  • Content item API - The behavior of column data retrieval via the GetValue and TryGetValue methods was unified for nullable and non-nullable types. If the methods do not find the requested column, they return the specified default value instead. Prior to this version, the methods returned null for nullable types and raised a NullReferenceException for non-nullable types. Developers could encounter this behavior when manually mapping the result of content item queries from IContentQueryDataContainer objects.

  • Headless API

    • Improved the error messages returned for various invalid states in GraphQL queries for retrieving headless channel content.
    • Null values were not accepted as valid for optional arguments of GraphQL query fields in headless content retrieval requests.
    • When retrieving linked headless items via GraphQL, the items were retrieved in a different order than they were displayed in the Headless item selector.
  • Headless items – Improved UI texts and tooltips in the Headless item selector.

  • Forms – Calling BizFormItemProvider.GetItem terminated with a database exception for any combination of parameters. As a result, it was not possible to, for example, preview submitted form data via the Forms application. This issue was introduced in version 28.1.1.

  • Media libraries – The error message displayed when attempting to upload files with non-allowed extensions to media libraries was updated to contain accurate information.

  • Modules – An error occurred when attempting to delete a category in the field editor of a module class UI form. For example, the problem could occur when editing a UI form of a customizable system class in the Modules application.

  • Page Builder

    • The widget and section selection dialog in the Page Builder interface was displayed incorrectly in certain cases. After applying the update, the dialog dimensions and layout are better modified to match the screen dimensions and the number of displayed items.
    • The system did not serve the minified ‘systemFormComponents.min.js’ file correctly in the Page Builder scripts for the Form widget.
  • Page templates

    • The Microsoft Application Insights client-side telemetry script was re-added to the Dancing Goat project template (kentico-xperience-sample-mvc) after being accidentally removed in version 27.0.0.
    • When implementing page templates with a custom model, it was not possible to pass data to the template view using ViewBag, ViewData or TempData.
  • Pages

    • The URL section on the Content tab was incorrectly expanded by default on existing pages.
    • After collapsing and subsequently expanding the URL section on the Content tab with an empty URL slug field, the UI did not display the validation error message.
    • After discarding changes made on the Content tab, the headers of form categories would disappear.
  • Reusable content – When a content item was linked from two different fields of another content item and the user attempted to remove the reference from one of the fields, the system did not correctly remove the reference, leaving the item linked in both fields.

  • SaaS environment – An error occurred when accessing the root of a SaaS environment domain that didn’t have a valid website channel running (e.g., a website channel domain before package deployment or a custom email channel service domain). Now the system displays an appropriate message without any errors.

  • UI form components – Expendable form categories containing fields with dependencies unexpectedly collapsed after such fields were changed.

  • User interface

    • The header of action columns in listing pages was missing the background. As a result, listing headers overlapped with the Actions text.
    • When using the binding UI page template, the confirmation dialog for removing items from the binding was hidden behind the editing side panel in some cases.
    • The dialog for a new language variant added in the content hub was missing a caption and description.
    • In certain rare cases, the system could incorrectly display a confirmation dialog when selecting actions in listing pages that did not have a confirmation dialog defined.

Hotfix (January 11, 2024)

version 28.1.2

Fixed issues

  • Content types – It was incorrectly possible to remove a content type from a channel’s Allowed content types using the selector side panel, even if items of the given type already existed under the channel.
  • Rich text editor – On Linux environments (e.g., Azure App Service), projects using the .NET 8 framework could encounter an error when the system attempted to display a rich text editor form component.
  • Update procedure – When updating projects from version 27.0 (any hotfix version) to version 28.0.0 or later, the database update could fail unexpectedly if it encountered certain Page Builder configurations with slight inconsistencies.

Hotfix (January 4, 2024)

version 28.1.1

New features

  • Microsoft Azure Storage – New configuration option that controls whether Azure Storage file system mappings fall back to the original local folder if a requested file cannot be found in Azure Storage. This fallback can cause issues when deploying files using the Continuous Deployment restore process, for example during deployment to the SaaS environment. Developers can configure the option using the introduced EnableFallbackToLocalFileSystem property of AzureStorageOptions. The default values are true for self-managed projects and false for SaaS deployments.

      using Kentico.Xperience.AzureStorage;
      var builder = WebApplication.CreateBuilder(args);
      builder.Services.AddKentico( ... );
      // Disables the fallback to the local file system
      builder.Services.Configure<AzureStorageOptions>(options => options.EnableFallbackToLocalFileSystem = false);
  • Headless channels – New CorsAllowedHeaders configuration option, which can be used to restrict which HTTP headers are allowed for content retrieval requests against headless channel GraphQL endpoints. If not set, all headers are allowed by default. See Retrieve headless content to learn more.

Updates and changes

  • The Froala Editor that provides the Rich text editor in Xperience was updated to version 4.1.4. This fixes a potential XSS vulnerability in the editor. See the Froala Changelog for details.
  • Data types – The Content items data type is now available when modeling object types in custom module classes. Note that the system doesn’t maintain the referential integrity of objects linked via this data type. Custom code must account for the referenced objects no longer existing or being otherwise invalid.

Fixed issues

  • Former URLs – If a page was moved to a different position under the same parent, any former URLs of the page that contained the current parent’s URL slug were deleted.
  • Admin UI external authentication – The ‘@’ character in the usernames of administration users synchronized via external authentication providers (Auth0, Okta, Active Directory) was incorrectly replaced by underscore ‘_’ characters.
  • Pages
    • After publishing a page in the Page Builder view mode of a website channel application, the page’s status icon in the content tree wasn’t updated correctly.

    • If a page field was set as required and used the Rich text editor form component, the following issues could occur when editing the page in the Content view mode of a website channel application:

      • The rich text editor component disappeared if the field was saved and validated with an empty value.
      • A validation error was not displayed under the field when attempting to directly publish the page with an empty value in the rich text field.
  • Settings – Changes to settings made via the Settings application were not saved under certain circumstances.
  • Headless channels – The API endpoint of headless channels didn’t support CORS preflight requests, which could cause requests to be blocked by CORS policy.

Refresh (December 14, 2023)

version 28.1.0

You can read a blog post by Sean Wright for a brief introduction of this refresh.

New features

Headless channels

  • This release introduces a production-ready version of the headless API feature. With headless channels, you can now securely retrieve content using HTTP requests and GraphQL, and consolidate your applications, services or external websites into the Xperience ecosystem.
  • Headless channel management describes how to set up and configure headless channels.
  • Headless content explains how to prepare and edit the content available for headless channels.
  • Retrieve headless content is a developer resource dedicated to retrieving Xperience content using GraphQL.

Content management

  • Cascade publishing – When publishing a page, content item, email or headless item that links to other reusable content items, the system now displays a list of all unpublished linked items. Users can select individual linked items and publish them together with the main item. See Content hub for more information.

Code generators

  • Code files generated for reusable content types now implement the IContentItemFieldsSource interface. The interface can be used as the unifying type to access system fields from a collection of multiple content types, or register extension methods that are available for all generated classes. See Generate code files for system objects.


  • Email templates – Added support for displaying links to pages referenced via Pages content item fields within email templates. See Email templates for more information.

SaaS environment

  • A new Level 1 project tier is now available for Xperience Portal projects. See Licenses for more information about the available project tiers.
  • When downloading a backup of an application’s storage and files, you can now access and download the backup via the AzCopy or Azure Storage Explorer tools instead of downloading a possibly very large zip file.
  • Support for the following SaaS deployment regions was added: Germany West Central, Japan East, UAE North, Canada Central, North Europe (Ireland) and East Asia (Hong Kong).
  • Xperience Portal now displays the version of the Xperience application for all deployments.


  • Content item query – A new IncludeTotalCount parametrization method for content item query was added. The method ensures that every retrieved item stores the total number of items, regardless of pagination applied by the Offset method. The total count can be accessed by calling GetTotalCount() on any item retrieved by the query. See Reference - Content item query.
  • A new interface IWebPageFolderRetriever was added to allow developers to retrieve folders from the content tree of website channels.

Newly obsolete API

  • CMS.IO.Directory.PrepareFilesForImport and CMS.IO.AbstractDirectory.PrepareFilesForImport – the methods were not intended for public use.

Updates and changes

  • Content types – A content type that is allowed in a channel can no longer be removed from the channel if any content items of that type already exist under the channel. Also, when updating to this version, all missing relationships between content types and channels are automatically added.

Updated best practices

Fixed issues

  • Admin UI customization – The support for admin JS module development over HTTPS that was introduced in version 28.0.0 did not work with the default ASP.NET Core development certificate due to a misconfiguration.
  • Admin UI
    • The Select all checkbox could behave incorrectly under certain circumstances.
    • The media library and page selector side panels used incorrect scrolling behavior in certain cases.
  • Project templates – In the Dancing Goat project template the Page builder displayed wrong language variant for linked items when a language fallback was applied.
  • Page Builder – Pages in Page Builder and Preview mode whose language was retrieved using the IContentLanguageRetriever interface were in the fallback language instead of the preferred language if fallbacks were applied.

Hotfix (December 7, 2023)

version  28.0.3

Fixed issues

  • Code generators – The class form definitions for content types were incorrectly changed during the update process. As a result, the code generators did not work correctly after the update in certain cases.

Hotfix (November 30, 2023)

version  28.0.2

Fixed issues

  • Data types

    • It was not possible to work with the Object code names, Object global identifiers, and Object IDs data types in projects without the Kentico.Xperience.WebApp package (e.g., console applications).
    • The Object global identifiers data type, available for custom object types (in custom modules) and system classes since version 27.0.0, is now also available when modeling web page and reusable content types. Note that the system doesn’t maintain the referential integrity of objects linked via this data type. Custom code must account for the referenced objects no longer existing or being otherwise invalid.
  • Xperience Portal

    • The channel domain management page under Channels and Domains in Xperience Portal displayed a misleading alert message if the user had insufficient permissions to add or edit domains (i.e., users with the Developer role).
    • If the channel limit was exceeded for a project in Xperience Portal, the alert message shown in the Channels application didn’t correctly display the number of allowed channels.
    • An error occurred in certain cases when revalidating channel domains in Xperience Portal.
  • Forms – The ~/BizFormFiles folder storing files uploaded via form fields using the Upload file form component wasn’t mapped to Azure Blob storage in projects installed for deployment to the SaaS environment. The hotfix only resolves the issue for new projects created after updating project templates. To add the mapping to existing projects, call MapAzureStoragePath($"~/BizFormFiles"); in the default StorageInitializationModule.cs file.

      protected override void OnInit()
          if (Environment.IsQa() || Environment.IsUat() || Environment.IsProduction())

Hotfix (November 23, 2023)

version  28.0.1

Fixed issues

  • Pages – The Discard action was incorrectly available for pages in the initial Draft state (after creating a new page or a new version of an archived page).
  • Admin UI customization – If the ModuleInitParameters parameter was passed to the base.OnInit() call when writing the code of an admin UI customization module (inheriting from AdminModule), an exception occurred on application startup.

SaaS environment update (November 21, 2023)

version 28.0.0 (NuGet packages not released for this update)

Updates and changes

Refresh (November 16, 2023)

version 28.0.0

New features


  • .NET 8 support – Xperience by Kentico version 28.0.0 fully supports project development on .NET 8.


  • When creating a new language variant of a page or content item, it is now possible to copy content from an existing language variant.

Page templates

  • The Preset page template feature was restored. Preset templates allow content editors to save the Page Builder configuration and content of existing pages that are based on a template. The resulting templates can then be used as a starting point for new pages.
  • TemplateViewModel and TemplateViewModel<TPropertiesType> classes were introduced to allow developers to pass a custom model to the page template’s view.


  • Email templates – The content types for which an email template is allowed can now be configured directly when editing individual templates in the Email templates application.

Website development

  • When accessing the current page in various website development scenarios, the API now provides RoutedWebPage objects, which contain the code name of the page’s content type in addition to the page ID and language. Developers can use this data to retrieve the page and access its content fields. For example, when developing widgets or other Page Builder components, the RoutedWebPage data for the current page is accessible in ComponentViewModel.Page.

Rich text editor


  • Module classes now support service resolution via IServiceProvider in initialization code, using the new OnInit(ModuleInitParameters) override. Additionally, the OnPreInit(ModuleInitParameters) override allows access to the application’s IServiceCollection, e.g., to configure the application’s startup options. See Run code on application startup .

Content modeling

  • This release changes the accessibility of the Pages and Object code names data types.
    • Pages – this data type is now available when modeling web page and reusable content types, and object types (in custom modules). Fields of this data type store references to web pages.
    • Object code names – this data type is now available when modeling web page and reusable content types , custom object types (in custom modules) and when extending system object types. Fields of this data type store references to other objects in system via object code names.Note that the system doesn’t maintain the referential integrity of objects linked via these data types. Custom code must account for the referenced objects no longer existing or being otherwise invalid.

Admin UI authentication

Admin UI customization

  • Custom JavaScript modules can now be developed in SSL-enabled environments when using the Proxy mode. To enable SSL, add the UseSSL property to the module configuration in your Xperience instance. See Prepare your environment for admin development.

Breaking changes – API

  • The ITreeNode interface was removed. The interface was not functionally connected to any system logic. It was an accidental remainder from the switch to the new content modeling approach introduced by version 27.0.0.
  • The IPageBuilderConfigurationSourceLoader and PageBuilderConfigurationSource types were moved to the Kentico.PageBuilder.Web.Mvc.Internal namespace and are not intended for public use.

Newly obsolete API

The following API members were marked obsolete, to be removed in one of the future releases:

  • The IRoutedWebPage and IWebPageDataContext types used when getting information about the current page are now obsolete. Use RoutedWebPage and WebPageDataContext instead.
  • The ActivityLoggingAPI and ActivityLoggingScript extension methods for registering activity logging scripts in page views are now obsolete. Use the new ActivityLoggingScriptV2 method instead. The method has optional parameters that allow you to enable or disable logging scripts for page-related activities and custom activities.
  • The following properties of the ObjectTypeInfo class are no longer used by the system:
    • ModuleName
    • AssemblyNameColumn
    • SizeColumn
    • MimeTypeColumn
    • ResourceIDColumn
    • DependsOnIndirectlyAfter upgrading, your custom object type classes may output warnings related to these properties. Manually remove the offending code or regenerate the affected classes using the code generator.
  • The update obsoletes the following API members related to the content model used prior to version 27.0.0 and which are no longer actively used by the system:
    • FieldBase.External
    • FieldBase.IsInherited
    • IField.External
    • IField.IsInherited
    • FormCategoryInfo.IsInherited
  • The following properties were made obsolete with no replacement:
    • FormFieldInfo.GetResolvedDefaultValue
    • FormFieldInfo.SetResolvedDefaultValue
    • FormInfo.AddFormCategory
    • FormInfo.CombineWithForm
    • FormInfo.EnsureDefaultValues
    • FormHelper.EnsureDefaultValues
    • FormHelper.GetOriginalFileName
    • FormHelper.GetGuidFileName

Fixed issues

  • Activities – If a custom activity was logged from client-side code directly on page load, two separate anonymous contacts were created for new visitors (one with the custom activity, the other with the system’s default page visit activities). To fix the issue, developers need to register updated activity logging scripts using the new ActivityLoggingScriptV2 extension method.

  • AI – Email subject suggestions generated by the AI feature were in some cases displayed in a different language than the one set for the email channel after requesting adjustments via the quick refinement buttons or the manual text prompt.

  • Channels – Validation for the maximum number of allowed characters was missing for the domain inputs offered when creating or editing channels.

  • CI/CD – Content item references were not restored properly in the CD Create mode, leaving the database inconsistent.

  • Content types – In certain rare cases when creating content types, the system could return an error if the code name of the newly created content type matched the database table name of an already existing, previously renamed content type.

  • Content item API – When fields of the Content item asset data type did not have Required set and were left unpopulated, retrieving content items with such fields resulted in an exception. After the update, the retrieval API correctly returns null.

  • Contact management – The Birthday and Country/State fields are now displayed when editing a contact’s profile in the Contact management application.

  • Emails

    • Subscription confirmation and unsubscription links didn’t work if the recipient’s email address contained certain special characters (for example ‘+’),
    • If a contact belonged to a recipient list and their email address was later deleted, an error occurred for each such contact when sending a Regular email to the recipient list. After the fix, contacts without an email address are skipped when sending emails, without causing any errors.
  • Email templates – Leading and trailing whitespace characters in the names of email templates weren’t trimmed correctly in certain parts of the administration UI.

  • Forms

  • General – The application could reach the preset limit on the number of database connections under heavy traffic (e.g., during a load test).

  • Media libraries – An error occurred in certain cases when renaming a folder in a media library in the Media libraries application.

  • Pages – The Current URL or New URL fields displayed an incorrect URL value when creating a new language variant of a page that already existed in the fallback language.

  • Project templates

    • Certain sample widgets included in the Dancing Goat project template contained cross-site scripting vulnerabilities.
    • Sample sites based on the Dancing Goat project template didn’t preserve the currently selected language when redirecting users after sign-in, registration or sign-out. The English variant of the site’s home page was always opened. The issue is only resolved for new projects created after updating project templates.
  • Rich text editor – Images or links added in the rich text editor weren’t created correctly if the selected content item asset contained an apostrophe ( ’ ) in its file name. This could result in missing images or broken links on the live site or in sent emails.

  • User interface

    • The “select all” checkbox above selectable lists of items in the administration UI behaved incorrectly in cases where the list contained both selected and not selected items. After the fix, the checkbox either selects all items if none are currently selected, or clears the selection of all items.
    • The text of object “name” field labels was unified throughout the administration to match the “Object name” and “Code name” format.
    • Some object creation pages in the administration UI had missing page titles.

Hotfix (November 9, 2023)

version  27.0.4

Fixed issues

  • Recipient lists – When editing the approval or unsubscribe settings of a recipient list, an error occurred when saving the dialog after a different Thank you page or Goodbye page was selected while the Send (un)subscription confirmation option was disabled. Additionally, the selected confirmation email wasn’t cleared correctly if the Send (un)subscription confirmation option was disabled.

Hotfix (November 2, 2023)

version  27.0.3

Fixed issues

  • Cross-site tracking – Cross-site tracking didn’t work correctly if the website channel linked to the tracked site had its Default cookie level set lower than Visitor.

  • Field editor – Fields with a data type that cannot be set as Required (e.g., Binary, Content items, Content item asset) couldn’t be saved and created if the Display in editing form option was disabled.

  • Pages – The Current URL and New URL fields of pages in website channel applications were not displayed and updated correctly in certain scenarios (e.g., when creating a new language variant of a page).

  • Project templates – Projects installed with the --cloud parameter had incorrect Azure Blob storage folder mappings for media library files in the StorageInitializationModule class. The issue is only resolved for new projects created after updating project templates.

  • Routing – Routes registered for specific website channels didn’t work correctly in cases where multiple RegisterWebPageRoute attributes were added for a single content type, but different website channels.

  • Security

    • Fixed a cross-site scripting vulnerability caused by improper sanitization of content item asset file names.
    • Fixed an issue that, under extremely specific conditions, allowed unauthenticated actors access to the emails of users registered in the administration interface.
  • UI form components – If a Page selector  was limited to a section of the content tree, the selection dialog didn’t work correctly in environments with multiple website channels.

Hotfix (October 26, 2023)

version  27.0.2

Fixed issues

  • Emails – If fields with the Date and time, Decimal number or Floating-point number data types were placed into an email template, the value was not resolved according to the Formatting culture of the language set for the email channel.

  • Routing – Validation of URL collisions between the URL slugs of pages and the code names of language didn’t work correctly in certain cases.

  • UI form components

    • Some form components didn’t correctly display the value saved for the associated field under specific conditions. For example, the icon selector used when editing a content type always showed No icon selected after the General tab was reloaded.
    • The URL selector UI form component allowed users to select a page even when the field was placed outside of a website channel. After applying the hotfix, the selection functionality is disabled in this scenario, and the component only provides a text field for inserting URLs manually.

Hotfix (October 19, 2023)

version  27.0.1

New features

  • API – Asynchronous versions of services used to retrieve cache dependencies for linked content items were introduced: IWebPageLinkedItemsDependencyRetriever and ILinkedItemsDependencyRetriever. The new interfaces are IWebPageLinkedItemsDependencyAsyncRetriever and ILinkedItemsDependencyAsyncRetriever.
  • Emails – Added a new ForPreview property to the Email selector UI form component, which controls whether the selector allows emails without a published version (false by default).

Updates and changes

Fixed issues

  • Content hub – It was not possible to upload assets with uppercase characters in file extensions, e.g., image.PNG.

  • Content items

    • When using content item query to retrieve items with a Content item asset field, an exception was thrown if the field was empty (no file uploaded). This could cause an error on the live site. After applying the hotfix, empty content item asset fields return a null value – the retrieval still needs to be handled correctly by developers to avoid null reference exceptions.
    • If a Content item selector field was used to create and directly publish a linked content item, using the Publish action for the original content item didn’t save the added link (if changes were not previously saved using the Save action).
  • AI – Selecting Cancel in the AI panel while generating content for an email field could in some cases result in an error.

  • CI/CD – Continuous Integration generated unnecessary changes when the primary language of any website channel was updated. After applying the hotfix, only changes to the edited website channel object are generated.

  • Emails

    • Emails that did not have a published version yet (i.e., emails with the initial Draft status) could be selected in the administration’s email selectors, for example when configuring an autoresponder for a form. Attempting to send an unpublished email results in an error.
    • The Last updated time of emails wasn’t set correctly when the email’s content or settings were updated.
    • Content types for emails incorrectly had the ClassWebPageHasUrl column set to true in the CMS_Class database table.
  • Languages – The Data protection application didn’t preserve the language selected previously in another application (e.g., Content hub).

  • Modules – It was possible to edit the General configuration of fields without database representation in the UI forms of system modules. Such changes could could cause errors in the administration.

  • Performance

    • Projects with large numbers of content items and linked items (multiple thousands and more) generated excessively large queries when retrieving content linked item data, which could cause SQL errors on the live site.
    • Certain requests made by the Page Builder were not cached properly, which resulted in unnecessary database queries.
  • Page Builder – Editing component state configuration for Page Builder legacy selectors did not work correctly after applying the October refresh (version 27.0.0).

  • Project templates – The Program.cs file in the Boilerplate (kentico-xperience-mvc) project template contained commented code that was invalid. The hotfix fixes the issue only for new boilerplate projects created after updating project templates.

  • Rich text editor – It was possible to select images without a fallback language variant for the current language in the Insert image dialog in the rich text editor. After applying the hotfix, such images are not displayed in the dialog.

  • Routing

    • Former URLs were not created for untranslated variants of pages when the URL slug of their ancestor changed.
    • Creating a page with the URL slug identical to a code name of a language led to incorrectly generated former URLs for the page. The hotfix adds validation to ensure that URL slugs of pages are not identical to the code names of any language.
  • User interface

    • Buttons for saving, publishing and editing pages were not visible in website channel applications when viewed on a smartphone-sized display.
    • Validation errors were sometimes incorrectly displayed on administration pages with visibility conditions immediately after a previously hidden required field was made visible.
    • Improved UI texts and error messages in multiple locations across the administration interface, e.g., Content hub, Media libraries, and website channel applications.
  • Xperience Portal – When adding a new sending domain for an email channel in the Xperience Portal Channels application, the DNS records screen displayed incomplete domain name values.

Refresh (October 12, 2023)

Version 27.0.0

This Refresh release introduces major changes to content management and general content workflow in the system.

Updating is only supported for projects on version 26.6 (any hotfix version). If you are transitioning from an older version, you need to perform the update twice – first to version 26.6.0 and then to 27.0.0 or newer.

Content management changes

This release replaces the primary method of content composition and delivery – driven by pages (TreeNode objects), the Pages application, and the DocumentQuery content delivery API – with the concept of reusable and non-reusable content items and channels. The concept of first creating a content type template and defining custom fields via the field editor remains unchanged.

Reusable content items encapsulate pieces of structured data – pure content not burdened by any information specific to a content delivery method, such as additional formatting metadata. Reusable items represent content intended for use across multiple delivery methods. Individual reusable items can also reference other reusable items, up to an arbitrary depth, to create complex, multi-level structures.

Non-reusable content items consume reusable content items via reference and serve as the medium for delivery. Each non-reusable item is responsible for transforming the referenced reusable content by providing delivery-specific formatting and metadata. Non-reusable items are tightly coupled to channels.

Channels represent a medium through which information is delivered from the system to end-users. This release introduces two types of channels: Email and Website.

Email channels are a dedicated medium of communication to a specific audience. Each project may contain multiple email channels, focusing on different content strategies, languages and audience engagement techniques.

Website channels encapsulate websites managed by Xperience. Each channel is an independent entity with its own domain name configuration and content management. Channels store content in pages and linked content items.

With this release, there is no longer a single Pages application to encapsulate the majority of content management functionality. Instead, each existing channel has a dedicated application, which can be found under the Channels category in the Xperience administration.

See the following pages for a detailed introduction to the new functionality:


  • Content hub – introduces working with reusable content items.
  • Content item workflow – introduces the workflow of content items.
  • Pages – introduces working with website channels.
  • Emails – introduces working with email channels.



  • Content item API – provides a general overview of reusable content item management and content delivery APIs.
  • Content retrieval – introduces working with content delivery APIs in the context of web application development.
  • Content item database structure – an overview of the database entities composing the new content model.
  • Reference - Global system events – new events for reusable content items and web pages (non-reusable content items belonging to a website channel).
  • Email templates – explains how to create templates for emails, which are now based on content types.

Note that this list is not exhaustive. Many existing features had to undergo small changes to accommodate the new approach to content modeling. 

Channels instead of Sites

With the introduction of channels, the concept of grouping project-related data under a site (SiteInfo object) and the existence of site-specific objects was also removed. This should not pose a problem for existing projects, since previous Xperience by Kentico versions only supported a single site.

New features

Content management

  • Languages – Multilingual support for pages and content items was introduced. See Languages.
  • Support for running multiple websites managed by a single Xperience back-end. Documentation will be available soon.
  • Page templates – When registering Page templates for Page Builder, developers can now specify the content types for which the template is available without needing to implement template filtering (new ContentTypeNames property of the RegisterPageTemplate attribute).


  • Email channels – Emails in Xperience are now created and managed within email channels. Channels allow for clean separation of an organization’s emails, each focusing on a different content strategy or language. Every email channel has a unique sending domain, and its own application in the Xperience administration where users create and send emails.
  • Email content – The system now uses content types to define the fields available to marketers when creating emails. Email content types are tied with email templates, which contain macro placeholders that set the position of individual fields within the email content.
  • Email workflow – Emails with the Form autoresponder or Confirmation purpose now support basic Draft/Published workflow. This allows users to edit a new version of an email while the system still uses the previous published version. See Emails.
  • AI integration – Added an integration with Azure OpenAI Service, which allows users to generate content suggestions for email subjects and content fields. See Artificial intelligence features.
  • Email client configuration – The default SMTP and SendGrid email clients can now be configured separately for individual email channels, as well as system emails that are not related to a specific channel. See Email configuration.
  • Bounced email configuration – The bounced email tracking configuration for SMTP email clients can now be configured separately for individual email channels, as well as system emails. See Set up email tracking.
  • You can now set a shared sending domain for all system emails that are not created under a specific email channel (e.g., user registration, password reset, system notification emails). Use the SystemEmailOptions options class. See Email configuration.

Data protection

  • Consents – The Data protection application now allows users to create language variants of consent texts. See Consent management and Languages.

UI improvements

  • Users can now directly edit the names of pages, emails and content items by selecting an icon next to the item’s name in the editing form.

Administration UI users

  • The user registration and password reset email customization pattern, available via AdminIdentityOptions.EmailOptions was extended and simplified. The RegistrationEmailMessageProvider and ResetPasswordEmailMessageProvider options now contain a new OriginalMessage property that contains the default EmailMessage object sent by the system. You can now directly modify parts of this object instead of always having to construct the full EmailMessage when customizing these types of emails.

Administration UI development

  • Rich text editor – When creating custom Rich text editor configurations with the default Link plugin, developers can now configure which types of links are offered when the Insert link button is selected in the editor. If the pluginOptions configuration is omitted, all options shown below are used.

      "customPlugins": [
              "pluginName": "@kentico/xperience-admin-base/Link",
              "pluginOptions": {
                  "dropdownOptions": [
                      "linkOption": "asset",
                      "componentName": "@kentico/xperience-admin-base/AssetPanel"
                      "linkOption": "external"
                      "linkOption": "webpage",
                      "componentName": "@kentico/xperience-admin-websites/PageLink"
  • UI form components

    • New Email selector form component that allows users to select emails from an email channel. Use this new selector instead of the Object selector with the email configuration object type.
    • The Url format validation rule for UI form components provides new properties that can be enabled to also allow URL fragments starting with ‘#’ and query string values starting with ‘?’.
  • UI page templates – New binding UI page template that allows users to manage bindings, which represent many-to-many relationships between object types (*Info classes).

Breaking changes

  • Content types – Content type features are not available and were replaced with the Use for selector on the General tab.

    • Select Pages for content types meant for website channels.
    • Select Reusable content for content types in the Content hub.
    • Select Emails for content types meant for email channels.
  • Assets

    • Subfolders under the /assets folder for storing content item assets and media files are now always created with lower case names.
    • The file system folder structure for media library files no longer includes a folder matching the site code name (media libraries are now global).
  • Cookies

  • Event log – The “Error notification email address” (CMSSendErrorNotificationTo) and “Send email notifications from” (CMSSendEmailNotificationsFrom) settings – used to configure the sending of notification emails about events logged into the event log – have been removed. The system by default no longer sends any notification emails related to the event log. If you wish to implement a similar functionality, use event log writers.

  • Forms

    • Forms are now global objects (not related to a specific website channel).
    • The After form submission settings of forms (Display a message, Redirect to URL, Redirect to page) were moved from the form editing UI to properties of individual Form widgets. The Autoresponder settings remain in the form UI.
    • The reCAPTCHA form component no longer controls which reCAPTCHA version is displayed to the user. Instead, it uses the reCAPTCHA version configured by the website channel under which it is displayed.
  • Modules – It was possible to edit certain properties of fields in the UI forms of system modules and then delete the fields. Such changes could cause errors and inconsistencies in the administration.

  • Page Builder – Page Builder is no longer enabled via the content type Features tab. Instead, you must specify a collection of content type code names when enabling Page Builder for the project in the startup pipeline.

      features.UsePageBuilder(new PageBuilderOptions
          ContentTypeNames = new[]
              // Enables Page Builder for the 'LandingPage' and 'ContactsPage' content types
  • Rich text editor – The system’s Asset and Link plugins used in rich text editor configurations now use the xperience-admin-base namespace in their pluginName value. If you use custom configurations with these plugins, you need to update the values:

    • @kentico/xperience-admin-base/Asset
    • @kentico/xperience-admin-base/Link
  • Routing – The default location of Razor view files used by the basic mode of the content tree-based routing feature was changed from ~/Views/Shared/PageTypes/<viewfile> to ~/Views/Shared/ContentTypes/<viewfile>.

  • Page templates – Preset page templates were temporarily removed and will be added to the product soon.

  • Site domain aliases – Website domain alias configuration is now done via a code-driven approach utilizing the ASP.NET Core options pattern. See Website channel management.

Breaking changes – API

The following list covers breaking changes in frequently used API scenarios, but is not a comprehensive list of all API changes.

  • Data caching
  • Content item API
  • DocumentEngine replaced with ContentEngine and Websites projects.
    • Use generated content type classes to access page data instead of TreeNode.
    • Use IWebPageManager to manipulate pages instead of TreeNode methods.
    • The IPageDataContextRetriever service was replaced with the IWebPageDataContextRetriever and the returned object has changed.
  • Content retrieval
  • Activities
    • The IPagesActivityLogger service used to log page activities was replaced by IWebPagesActivityLogger. The methods of the service are now asynchronous and accept different parameters.
    • The CustomActivityData type used when logging custom activities has renamed properties to match the the new data structure of pages and languages.
  • Cross-site tracking
    • When configuring the cross-site tracking feature for the application, the ConsentSettings property of CrossSiteTrackingOptions now accepts an IEnumerable collection of CrossSiteTrackingConsentOptions objects instead of a single object. Add one object for every website channel where you wish to use the feature.
    • The kxt('consentdata'); function in cross-site tracking scripts now requires a languageName parameter instead of cultureCode . Set the parameter’s value to the code name of the language in which you want to load the consent texts.
  • Bounced email configuration – When configuring bounced email tracking for an SMTP email client, the SoftBounceLimit property is now available in a new BouncedEmailsGlobalOptions options class instead of BouncedEmailsOptions.
  • Content tree-based routing – The method for enabling the content-tree based routing feature for the application was renamed to UseWebPageRouting .
  • Cookies
    • The CookieHelper class is now obsolete. To work with cookies, use the newly added, non-static ICookieAccessor. Custom cookie registration is changing as well. Custom cookies now must be registered via the CookieLevelOptions options class on application startup. See  Cookies for more information.
  • Forms – Forms are now global objects, so the BizFormInfo class no longer contains the FormSiteID property.
  • Legacy MVC selector API
    • The following properties used by the legacy Content selector JavaScript API were renamed:

      • Page.nodeId → Page.identifier
      • Page.nodeAliasPath → Page.treePath
      • Page.nodeGuid → Page.guid
    • The following properties used by the legacy Page selector JavaScript API were renamed:

      • pageSelectorItem.nodeGuid → pageSelectorItem.webPageGuid
    • The following properties used by the legacy Page path selector JavaScript API were renamed:

      • pathSelectorItem.nodeAliasPath → pathSelectorItem.treePath
  • Page templates – Properties were renamed for PageTemplateDefinition, PageTemplateFilterContext and the RegisterPageTemplate attribute.

Newly obsolete API

  • AdminIdentityEmailOptions.DefaultFromAddress – use the SenderAddress property on the same object instead.
  • ConsentInfo.GetConsentText – use the new asynchronous ConsentInfo.GetConsentTextAsync method instead.
  • Cookies
    • CMS.Helpers.CookieHelper – use Kentico.Web.Mvc.ICookieAccessor instead. See Cookies for more information.
    • CMS.Helpers.CookieLevel – use the static properties from Kentico.Web.Mvc.CookieLevel instead. For example: Kentico.Web.Mvc.CookieLevel.Essential.Level
  • With the removal of DocumentQuery from the system, many supporting APIs were made obsolete with no replacement.

Fixed issues

  • Admin UI authentication

    • The hashing algorithm used for admin UI user passwords was enhanced for improved security. Existing user passwords remain compatible, but we recommend that you encourage all users to set new passwords (which will automatically use the new hashing algorithm).
    • An error occurred if a user attempted to sign in to the administration while being signed in as a member on the live site.
    • The authentication cookie used for the administration was unnecessarily set in every response to admin UI requests. After the fix, the authentication cookie is valid for 30 minutes (unless the user signs out or the account is disabled).
    • An error could occur in special cases when adding a new user in the Users application.
  • CI/CD

    • An error occurred when restoring CI/CD data if the changes included a modified module class or content type that had both added and removed fields, with the total number of fields remaining the same.
    • Changes of the Enable Continuous Integration setting were not applied immediately due to incorrect caching.
  • Contact groups – The Recalculate contact group button was displayed as active for users without the Update permission for the Contact groups application (an error occurred if the button was clicked).

  • Code generators – When generating code for fields with the Media files data type, the corresponding properties in the resulting class incorrectly had the string type instead of IEnumerable<AssetRelatedItem>.

  • Emails – The Send test email button in the Email queue application was incorrectly available for users without the Update permission for the application.

  • Form Builder – It was not possible to add form components with identifiers containing certain special characters (for example, to forms.

  • Field editor

    • The field editor incorrectly allowed creation of fields with the Required flag enabled, but Display in editing form disabled. This combination of field settings resulted in an error when saving the resulting editing form. Validation was added to prevent this configuration.
    • Creating a field with leading or trailing whitespace characters in the Field name caused errors and prevented editing of the field. After the fix, leading or trailing whitespace is automatically trimmed from the Field name.
    • Changing the Data type of an existing field could lead to inconsistent behavior or errors while selecting and configuring a new Form component for the field.
  • Installation – If the kentico-xperience-dbmanager utility was installed and used without one of the Xperience project templates, errors occurred while attempting to set the database connection string. After the fix, the utlity can handle such scenarios, and create the ConnectionStrings section is the appsettings.json file if it is missing.

  • Rich text editor – The Replace image functionality in the rich text editor didn’t work correctly.

  • Security – Fixed a potential cross-site scripting vulnerability in the Rich text editor configuration used for emails.

  • Update procedure – Under certain circumstances, the Xperience database update could end with the following error: “There is already an open DataReader associated with this Connection which must be closed first.

  • UI form components

    • If a form component had a custom data type (registered using DataTypeManager), fields using the component were not displayed in editing forms.
    • If the Radio button group UI form component was used for a required field, and the form was saved without changing the selected option, the component returned a null value instead of the preset default value.
    • The Media file selector UI form component could cause performance issues due to loading all files within a folder every time it was opened. After the fix, media files displayed in the selector are cached to improve performance.
  • Custom Admin UI – The ActionConfigurationExtensions.AddCommandWithConfirmation method’s confirmationDetail parameter was not reflected when configuring custom action buttons for the admin UI.

Hotfix (September 14, 2023)

version  26.6.1

Fixed issues

  • Media libraries – Updating existing media files incorrectly required users to have the Update permission for the Media libraries application. After applying the hotfix, media file updates require the Manage media library permission.

Refresh (September 7, 2023)

version 26.6.0

New features


  • Listing page filters
    • The state of listing filters in the administration now persists for the duration of each user’s browsing session.
    • The listing in the Event log application now provides a filter, which makes it easier for users to find relevant events or errors.
    • The listing filter in the Content hub application was extended to allow filtering based on the last update time of items.
  • UI form components – When assigning the Content item selector component to properties via the ContentItemSelectorComponent attribute, developers can now define which content types are selectable using an IContentTypesFilter implementation.

Fixed issues

  • Membership – The Xperience-specific implementation of ASP.NET Core Identity’s password reset functionality did not update member passwords when implemented.

Hotfix (August 31, 2023)

version  26.5.2

Fixed issues

  • Rich text editor – An error was displayed when interacting with the Rich text editor toolbar if the component was located in an editing form containing another field with the Date or Date and time data type.

Hotfix (August 17, 2023)

version  26.5.1

Fixed issues

  • Admin UI customization – When initializing client admin UI modules, the system could incorrectly load files not related to the bootstrapping process, resulting in errors during application startup.

Refresh (August 10, 2023)

version 26.5.0

New features

Content management

  • The list of items in the Content hub application now provides a filter, which allows editors to easily view only selected content types, or items with specific workflow statuses or authentication requirements.


  • Administration UI development – Developers can now create filters for UI listing page, which allow users to limit which objects are displayed according to specified criteria. Filters can be added to both custom listing pages and the default listing pages in the Xperience by Kentico administration UI. See Add a listing filter to learn more.
  • UI form components – New General selector UI form component, which allows users to choose items from any set of data defined by developers. The items offered by the selector can be of any type, including external data outside of Xperience.


  • Lucene search – An external module that integrates Xperience with the latest 4.8 beta version of Lucene.NET, enabling auto-indexing of content in Xperience based on application-local, code-defined search indexes and search results retrieval. See the project’s GitHub repository for details: xperience-by-kentico-lucene

Hotfix (August 3, 2023)

version 26.4.0 (NuGet packages not released for this update)

Fixed issues

  • Xperience Portal – Users with roles other than Tenant Administrator could not access project Settings within Xperience Portal.

Hotfix (July 20, 2023)

version 26.4.0 (NuGet packages not released for this update)

Fixed issues

  • Security – Certain parts of the Xperience Portal interface were potentially vulnerable to cross-site scripting.

Refresh (July 13, 2023)

version 26.4.0

New features

Xperience Portal

  • Backups – Users can now restore full backups of projects directly from Xperience Portal. See Manage SaaS deployments.

Content management

  • Users can now create media library folders directly in the selection dialogs provided by the rich text editor (Insert image, Insert link) and the Media file selector form component.

Fixed issues

  • Users – An error occurred when adding a new user in the Users application if the site configured in the Sites application was not running on the same domain as the administration.
  • Xperience Portal
    • Reports in the Metrics application were not loaded correctly during deployments to production environments (and for some time after the deployment finished).
    • Users with the Developer role were incorrectly allowed to cancel scheduled deployments to the Production environment.
    • If a new user was invited to join multiple Xperience Portal projects, the system sent a corresponding number of invitation emails with an account activation link. The link was only valid in the latest email. After the fix, the account activation link is only present in the first “Your account has been created” email.

Hotfix (July 7, 2023)

version 26.3.3

Fixed issues

  • Emails – The Send test email feature in the Email queue application used a fixed sender (from) address, which caused issues under certain configurations. The hotfix enables users to set the From address for test emails.

Hotfix (June 29, 2023)

version 26.3.2

Fixed issues

  • Continuous Deployment – The system performed unnecessary optimization of the file system repository after completing the Continuous Deployment store operation.

Hotfix (June 22, 2023)

version 26.3.1

Fixed issues

  • Data protection – The anti-forgery cookie for live site visitors (.AspNetCore.Antiforgery.<hash>) was incorrectly removed when tracking consent was revoked. This caused certain interactive elements on the site to be unusable (consent agreements, form submissions, etc.).

  • Security – Administration interface access permissions were not correctly checked for form component actions.

  • Saas environment

    • The Memory utilization alert was not fired for projects deployed in the SaaS environment.
    • Database usage was not monitored correctly when the active database was swapped for a production environment of a deployed project. This could prevent the DTU utilization alert from being fired.

Refresh (June 15, 2023)

version 26.3.0

New features

Content management

  • Media libraries
    • Content editors are now able to rename folders in media libraries and edit the metadata of media library files, such as title or description.


  • UI form components – A new UI form component was introduced to enable safe displaying of links within forms in the administration interface.

Fixed issues

  • Page Builder – When attempting to copy any widget in the Page Builder interface containing invalid or deprecated HTML (e.g., a Rich text widget with HTML inserted using the Code View feature), errors were logged in the JavaScript console and the widget was not copied. After applying the refresh, the widget is copied, but a preview thumbnail is not available when inserting the widget.
  • Emails – Tracking of bounced emails, as well as delivered email and spam report statistics didn’t work for projects deployed to the SaaS environment. The issue also caused errors in the system’s Event log.

Hotfix (June 8, 2023)

version 26.2.2 (NuGet packages not released for this update)

New features

  • Xperience Portal – New Alerts application in Xperience Portal, which notifies about potential problems with projects deployed in the SaaS environment. For example, an alert is fired if a deployed project is unresponsive for over 15 minutes. The system also sends notification emails to Xperience Portal users when an alert is fired. Users can enable or disable the email notifications for specific alert severity levels.

Fixed issues

  • SaaS environment – The Event log in the Monitoring application of Xperience Portal was flooded with scheduler-related errors (“An attempt was made to access a socket in a way forbidden by its access permissions.“).

  • Xperience Portal

    • Time values in the Deployment history of projects in Xperience Portal were set incorrectly in certain cases. This could prevent the deployments from being displayed in chronological order.
    • The Terms of Service (ToS) acceptance screen was displayed incorrectly if a ToS update occurred while a user had the Deployments application open in Xperience Portal.
    • When hovering over charts in the Monitoring → Metrics application, values of 0 were incorrectly displayed as “(no data)”. After the update, values equal to 0 are displayed as “0.00”, and “(no data)” is only displayed if the underlying value is null.
    • Reports in the Metrics application were not loaded when the deployed project was under heavy load. After the update, the DTU report in the Metrics application no longer detects and identifies which database is active or inactive (two databases are used for production deployment environments). Instead, the databases are always named xperience_blue and xperience_green. The active/inactive status of the databases can be interpreted from the values in the DTU report.

Hotfix (June 1, 2023)

version 26.2.2

Fixed issues

  • Field editor – The Field comparison validation rule couldn’t be added to content type fields in the Content types application.

Hotfix (May 25, 2023)

version 26.2.1

Fixed issues

  • Contact management – When deployed to Azure Web Apps, the application generated unnecessary anonymous contacts when processing requests from the environment’s bot services (Application Insights, Always On). For example, the issue occurred on projects deployed to the SaaS environment.
  • Media libraries
    • When a media library folder was deleted, the change wasn’t synchronized to other instance of the application when using Auto-scaling support.
    • The system incorrectly checked the Delete permission for the Media libraries application when a user deleted a media library folder. After applying the hotfix, the Manage media library permission is required instead.
  • Settings – When a setting was updated in the Settings applications, the system did not immediately reflect the changed value.
  • SaaS environment
    • The Event log in the Monitoring application of Xperience Portal was flooded with scheduler-related errors (“An attempt was made to access a socket in a way forbidden by its access permissions.“).
    • The hotfix introduces new UseKenticoCloud middleware that must be added to all projects intended for SaaS deployment. All new projects installed with the --cloud parameter contain the middleware by default. For existing SaaS projects under development, the middleware must be added manually (to the Program.cs file by default). See Configure new projects for the required middleware order.

Refresh (May 18, 2023)

version 26.2.0

New features

Digital marketing

  • Emails
    • The system can now track bounces and delivery rates for emails of the Regular type, as well as bounces for individual contacts in recipient lists. This allows you to identify addresses that do not correctly receive emails, which helps keep your recipient lists healthy and protects your sender reputation. For more information, see Set up email tracking and Send regular emails to subscribers.
    • Marketers can now manually trigger a Refresh in the Statistics view of emails, which immediately recalculates and displays statistics for the given email.
    • New Unsubscribe rate statistic for Regular emails. Shows the percentage and exact number of recipients who used the email’s unsubscribe link.
    • New Spam reports statistics for Regular emails, available when using SendGrid to send emails. Shows how many recipients marked the email as spam in their email client.
    • New Send email permission for the Emails application, which can be assigned to administration user roles. This permission is required to send or schedule emails of the Regular type. To preserve functionality for existing roles, the update automatically grants the Send email permission to all roles with the Update permission for the Emails application.

Updates and changes

  • Emails – Recipient lists for regular emails are no longer managed in the Contact groups application. Instead, the new Recipient lists application provides a separate management UI for this purpose.
    • To preserve functionality, the update automatically copies all permissions that existing administration user roles have for the Contact groups application, and grants them for the new Recipient lists application.
  • Contact management – The Contact groups and Recipient lists applications no longer allow contacts to be manually removed from the group or list. The option to remove contacts was misleading – the contact list is recalculated automatically based on the contact group’s condition or managed by subscriptions and unsubscriptions for recipient lists.

Fixed issues

  • Rich text editor – On administration pages containing multiple Rich text editor components, certain toolbar options (Insert image, Insert link, Insert Dynamic Text, Insert Double Opt-In Link) didn’t work correctly and could interact with the wrong instance of the editor. The issue could also affect custom plugins registered for the rich text editor. If you have custom plugins, review the updated documentation and make sure your plugins are registered correctly.
  • Page Builder – Scrolling did not work correctly in the Page selector editing component dialog when using the compatibility mode of Page Builder.
  • Admin UI components – Selecting content items via the Content item selector component resulted in duplicate selection if the checkbox was used to select individual items.
  • Database table API – The system persisted incorrect Info object state in its cache in cases where a database transaction failed and was rolled back. For example, if a database transaction updating a MediaFileInfo object failed, the database state was not updated, but the updated state persisted in the system cache. This lead to data inconsistency between the application and the database, and could cause a subsequent Get operation to obtain incorrect data (when retrieved from the system cache).

Hotfix (May 11, 2023)

version 26.1.3

Fixed issues

  • Admin UI components – It wasn’t possible to enter values consisting only of zeros (e.g., ‘00.0’) into numeric inputs, such as the Number input form component.
  • Object types – The hotfix removes the ability to define object type fields of the Pages and Content items data types. Fields of these data types were incorrectly available to object type classes for a brief period, but their support was never intended. Note that already created object type classes making use of these data types remain unaffected. However, the system is not prepared to handle them correctly, and certain features, such as code generators, produce incorrect results. This change does not impact content types in any way.
  • Security – Page preview URLs were vulnerable to reflected XSS attacks due to improper processing. The vulnerability was exploitable only by authenticated users.

Hotfix (May 4, 2023)

version 26.1.2

Fixed issues

  • Administration UI – Replaced usage of the deprecated onKeyPress event with the onKeyDown event in the client code of administration components. This change does not impact the existing public API.

Hotfix (April 27, 2023)

version 26.1.1

Fixed issues

  • UI form components – Validation errors weren’t displayed correctly in certain cases when using the Field comparison validation rules for UI form components in the administration.
  • Xperience Portal – The Application health report in the Metrics application wasn’t loaded and displayed correctly in certain cases, particularly after selecting the Last 30 days time period.

Refresh (April 20, 2023)

version 26.1.0

New features

Digital marketing

  • Activities – Added support for custom activity logging from client-side code. This allows tracking of basic interactions with important page elements, for example clicks of “call to action” buttons or links. See Custom activities.
  • Forms – Individual featured fields can now be hidden from the dialog that appears when adding fields in the Form Builder. This allows users to filter out featured fields that are not relevant for their forms.

Content management

  • Media libraries – Content editors are now able to move files between folders of a media library.

Xperience Portal


  • New Field comparison validation rules for UI form components. The rules are available for integer, decimal, floating-point number and string type fields, and allow comparisons with other fields of the same data type.

Fixed issues

  • Emails – An error occurred when attempting to delete a recipient list containing one or more contacts.
  • Forms – The system performed unnecessary queries when loading and displaying the featured field options for new form fields.
  • User interface – Fixed inconsistent spacing between elements in the administration UI.
  • Deployment to the SaaS environment – The cms.role object type was missing in the default Continuous Deployment configuration file of new projects for SaaS deployment (installed with the --cloud parameter). As a result, role data wasn’t included in the deployment.
  • Xperience Portal
    • The date and time of the latest deployment for environments in Xperience Portal was displayed incorrectly in certain cases.
    • Storage account outages were not tracked correctly, and were not displayed correctly in the Monitoring > Outages application of Xperience Portal.

Hotfix (April 13, 2023)

version 26.0.3

Fixed issues

  • Cross-site tracking – The tracking snippet generated for tracked websites in the Cross-site tracking application did not contain the tracked site’s URL. This issue occurred after updating a project from an older version, and also for projects deployed to the SaaS environment.
  • Security – The roles of administration users could be modified without sufficient permissions in certain cases.

Hotfix (April 6, 2023)

version 26.0.2

Fixed issues

  • Rich text editor – Adding image links to rich text editor content did not work correctly when using the Insert link > Asset toolbar option.
  • Administration UI – If an error notification bar appeared within a modal dialog and the error text was very long, the dialog was incorrectly resized to fit the text.

Hotfix (March 31, 2023)

version 26.0.1

Fixed issues

  • Installation – The user-defined table type Type_OM_OrderedIntegerTable_DuplicatesAllowed used by the Xperience database installation scripts was not defined correctly. In rare cases, this could have caused issues when recalculating digital marketing activities.
  • Pages – When pages contained images in their rich text fields, a dialog notifying about unsaved changes was displayed when leaving the page, even if no changes were made.
  • Pages – The PageUrl.AbsoluteUrl property returned by the IPageUrlRetrieverService incorrectly cached the URL scheme (protocol) of the request under which the service was first called. For example, if the service was first called within a request with the HTTP scheme, all subsequest URLs in the AbsoluteUrl property were also returned with HTTP.
  • Forms – It was possible to submit forms without selecting a value in a Drop-down list field, even if the field was set as required.
  • Forms – The Form Builder interface was not correctly displayed as read-only for users without the Update permission for the Forms application.
  • Administration UI – If a selector component was used in a modal dialog, the selection side panel was displayed under the dialog and couldn’t be used. For example, the problem occurred when selecting a page in the Approval or Unsubscribe settings of a recipient list in the Contact groups application.
  • UI form components – The TextArea component did not correctly reflect the MinRowsNumber and MaxRowsNumber properties when only one of them was explicitly provided. That is, the text area did not display the specified minimum number of rows when only MinRowsNumber was provided and did not grow to the specified size when only MaxRowsNumber was provided.

Refresh (March 27, 2023)

version 26.0.0

New features


  • Xperience web applications now support registration and authentication using ASP.NET Identity.
  • New Members application for management of registered accounts.
  • Users can check which version of Xperience they are using via the newly added Product information icon displayed above the user menu in the administration interface.
  • The Xperience by Kentico source code is now available on the client portal for those who purchase it as part of their subscription.

Content management

Digital marketing

  • Contact management
    • Added support for defining custom activity types, which allows marketers to track any required action performed by contacts. Custom activities can by logged using the API or via cross-site tracking. See Custom activities.
    • Marketers can now enable or disable individual activity types in the Contact management application (applies to both default and custom activity types).
    • New Contact has performed activity with value condition type for contact groups.
  • Forms – The reCAPTCHA form component was updated to support reCAPTCHA v3. This version of reCAPTCHA provides frictionless validation without interrupting users. A score is calculated for each request, indicating whether an interaction is likely to be a bot or a valid human user.

Xperience Portal


  • The refresh introduces changes to confirmation dialogs that can be raised by listing and edit UI pages. Confirmation dialogs shown by these pages can now optionally contain forms (typically with a multi-choice or checkbox option), that can be used to control the behavior of the corresponding page command handlers.
  • New MaximumDoubleValue and MinimumDoubleValue validation rules for UI form components.

Breaking changes – API

  • PageFormSubmissionPageBase.GetFormComponents was made asynchronous and now returns Task<ICollection<IFormComponent>>. To recover from the breaking change:
    • await the method call and change the signature of the overridden method
    • pass a CancellationToken to the method call
  • IContentTypeFieldsProvider.GetFields was made asynchronous and now returns Task<ICollection<IFormFieldInfo>> . To recover from the breaking change:
    • await the method call and change the signature of the overridden method
    • pass a CancellationToken to the method call
  • The GetAssetPanelInitialPropertiesResult command result type used by RichTextEditorComponent was renamed to GetMultiSourceAssetPanelPropertiesResult .
    • The type’s Enabled property was renamed to AssetPanelEnabled.
  • The ReviewAndSendDialog UI page was moved from the Kentico.Xperience.Admin.Base.UIPages namespace to Kentico.Xperience.Admin.DigitalMarketing.UIPages.
  • The IPageManager interface, used to manage page hierarchy, was extended with an additional CheckSecurityMismatch method.

Newly obsolete API

  • IPageManager.Move(TreeNode, TreeNode, PageDropPlacement) - use IPageManager.Move(PageMoveParameters) instead.
  • The refresh introduces changes to confirmation dialogs that can be raised by Listing and Edit UI pages (e.g., when invoking actions or saving changes).
    • The following properties from EditConfiguration were consolidated into EditConfiguration.SubmitConfiguration.

      • SubmitVisible
      • SubmitLabel
      • SubmitTooltipText
    • The following properties from EditTemplateClientProperties were consolidated into EditTemplateClientProperties.SubmitButton.

      • SubmitVisible
      • SubmitLabel
      • SubmitTooltipText
    • The following properties from Action (descriptor of interactive elements on listing UI pages) were consolidated into Action.ConfirmationDialog .

      • Confirmation
      • ConfirmationContent
      • ConfirmationDetail
      • ConfirmationButton
    • The following properties from ActionConfiguration were consolidated into ActionConfiguration.ConfirmationConfiguration.

      • Confirmation
      • ConfirmationContent
      • ConfirmationDetail
      • ConfirmationButton
  • ListingPage.GetRowsFromData was extended with a cancellation token parameter. The original method signature is now obsolete.

Removed obsolete API

The refresh releases removes all API marked Obsolete since version 22.0.0.

Updates and changes

  • Settings – The System → Files category and its Generate thumbnails setting are no longer displayed in the Settings application. The setting is always enabled by default.

  • Emails

    • The Sender name and Sender email properties can no longer be set immediately when creating new emails. These properties remain available in the Properties panel when editing existing emails.
    • The Properties panel of emails is now organized into two collapsible categories – General and Sender and recipients.
  • Contact management – The Status column is no longer displayed in the contact listing. This column is currently not used in Xperience by Kentico.

  • SendGrid integration – The system now uses a direct dependency on the SendGrid NuGet package (updated to version 9.28.1).

Fixed issues

  • Modules – Field settings related to data type integrity were not validated correctly in the editor for the UI forms of module classes. For example, the problem allowed invalid values for the number of digits and decimal places of Decimal number type fields in UI forms.
  • Administration – In certain cases, it was possible to submit values using disabled fields in the administration’s editing forms.
  • Content types – If the Display in editing form option was enabled in the field editor for a content type field with the Content items data type, an error occurred when configuring further properties for the field’s form component.
  • Xperience Portal security – Under certain circumstances, there was a risk an unauthorized third party could access and download backups of projects deployed in the SaaS environment.
  • Page Builder – Images added using the url() CSS function in the Code View mode of the Rich text widget’s editor were not displayed on the live site or in the Page Builder.
  • Project templates – When creating a SaaS environment deployment package for a project based on the Dancing Goat project template, content item asset files were incorrectly duplicated in the package (in both the standard asset folder and the Continuous Deployment repository). After the refresh, SaaS deployment packages created for new Dancing Goat project no longer include the ~/assets folder.
  • Deployment – Sites deployed without the administration crashed during the startup process (“Unable to resolve service for type Kentico.PageBuilder.Web.Mvc.Internal.IComponentPropertiesStorageProcessor“ exception).

Digital marketing

  • Emails
    • The editing dialog for double opt-in links in form autoresponder emails didn’t check for unsaved changes. After applying the refresh, a confirmation prompt is displayed when attempting to close the dialog with a modified link text or recipient list.
    • The content editor of form autoresponder emails displayed the placeholder for double opt-in links incorrectly if the link’s text contained special characters.
    • Some parts of the email UI remained active even if the overall editing interface was disabled, e.g., due to missing update permissions or when viewing a regular emails that was already sent out. For example, the problem affected the editing dialog for double opt-in links in form autoresponder emails, the email Plain text content editor, and certain header action buttons.
    • Pressing CTRL+F while focused in the Source code editor of email templates triggered the editor’s built-in search functionality, which was not intended. After applying the refresh, the browser’s standard “Find in page” functionality is prioritized.
    • Added a new friendly warning to inform users when attempting to send a regular email to an empty recipient list.
    • Improved UI and explanation texts for emails that were sent, but do not have any logged statistics.
  • Various usability improvements were made in the UI of the Emails, Email templates and Contact groups applications.

Rich text editor

  • Inserting of links in the rich text editor didn’t work correctly in certain cases in the Content view mode of the Pages and Emails applications.
  • If the rich text editor had a custom toolbar configuration with the imageReplace button, the button displayed a default Froala dialog instead of the system’s dialog for selecting images.
  • The rich text editor Insert image and Insert link dialogs did not work correctly when the rich text component was used to edit the property of a form component in the Form Builder.
  • When selecting a link to a page or content item in the rich text editor, the full toolbar was incorrectly displayed instead of just the link-related toolbar options.
  • On administration UI pages with a right-side panel, the panel didn’t close correctly if the user interacted with the rich text editor toolbar on the main editing page. For example, the problem could occur when editing emails in the Emails application.
  • The Insert image and Insert link dialogs in the rich text editor displayed the Media library selection tab even if there were no media libraries present in the system.

Hotfix (March 9, 2023)

version 25.0.2

Fixed issues

  • Content hub – When updating a Content item asset field in an existing content item and not publishing the item after, the original asset was displayed instead of the updated asset.

Hotfix (March 2, 2023)

version 25.0.1

Fixed issues

  • Administration interface – In certain cases, it was possible to submit values using disabled fields of admin UI forms.
  • MacOS – It was not possible to install the Xperience database on Apple devices equipped with the Apple silicon family of CPUs.
  • Rich text editor – The Insert image and Insert link dialogs in the rich text editor incorrectly displayed content items with a Content item asset field but no file uploaded. This could occur when a content type was created with an optional asset field.

Refresh (February 23, 2023)

version 25.0.0

New features

Content management

Digital marketing

  • Emails
    • Users can now preview and test the content of emails by sending a draft version.
    • New option to clone emails, which allows users to quickly create new emails based on the content and settings of existing emails.
    • The content editor now allows editing of double opt-in links placed into form autoresponder emails. This allows users to quickly update the text and recipient list set for existing links.
    • The Emails application now displays a status for emails of the Regular type (possible options are Draft, Scheduled, Sending and Sent).

Xperience Portal

  • Backups – Users can now manually create and download backups of applications deployed in the SaaS environment. Backups can be used to locally inspect or debug the application.

Breaking changes

  • Global events – When deleting objects, the system now checks for depending objects before triggering the Delete event (ObjectEvents or *Info.TYPEINFO.Events). If any depending objects exist, the event is not triggered at all.

Breaking changes - API

  • Application startup – IFeaturesBuilder interface members BeforeConfiguration  and AfterConfiguration were not intended to be used in custom code and were removed from the public API. Extension methods for this interface (e.g., UsePageBuilder ) are used to add types required by various Xperience features into the application’s IoC container.
  • The IDataQuery interface (CMS.DataEngine) contains two new methods:
    • GetAsyncEnumerableResult
    • GetScalarResultAsync

Obsolete API

  • Emails – The CMS.EmailEngine.EmailSender class is now obsolete. Use IEmailService to send emails (see the Email queue API example).

Updates and changes

Fixed issues

  • Role management – When using external authentication for the administration with the user synchronization frequency set to UserSynchronizationFrequency.Always, users with the Administrator role were incorrectly allowed to edit the role assignments of users managed by the external authentication provider.
  • Performance – The number of database queries called when loading the content of Page Builder widgets was optimized. The original performance issue occurred after updating to version 24.0.0.
  • Project templates – The sample site created by the Dancing Goat project template didn’t correctly handle situations where certain content items were deleted, which could result in errors on the live site.

Digital marketing

  • Emails
    • If the application crashed or was stopped while sending a regular email to recipients, the mailout remained stuck and didn’t recover after the application restarted.
    • The system created redundant anonymous contacts in certain cases when a user confirmed their email subscription by clicking a double opt-in link. For example, this could occur if the recipient opened the double opt-in link in a different browser than the one where the original subscription form was submitted. After applying the refresh, such anonymous contacts are automatically merged into the recipient’s main contact.
    • The Preview mode of emails incorrectly allowed links in the email content to be clicked, which could lead to inconsistent behavior. After applying the refresh, links are no longer active when clicked in the email Preview.
  • Cross-site tracking – Certain requests returned during cross-site tracking used an incorrect X-Frames-Options header. This combination of the header and its value is now deprecated in modern browsers. After applying the refresh, the content-security-policy header is used for this purpose.

Continuous Integration and Deployment

  • Continuous Integration – If an object was deleted, but the operation was stopped due to the existence of depending objects, the files representing the object and its dependencies in the Continuous Integration repository were removed even though the object was not actually deleted.
  • The XML files representing contact groups of the Recipient list type in the CI/CD repository incorrectly used 0 or 1 values for the ContactGroupIsRecipientList boolean property, which could cause inconsistencies. After applying the refresh, the property stores True or False values.

User interface

  • Disabled editing forms in the administration (e.g. due to missing update permissions) behaved inconsistently in certain cases. After applying the refresh, disabled editing forms always contain a warning message and have a disabled Save button with a tooltip.
  • UI form components
    • If a field based on the Object selector had a large number of items available and a value was already selected, the list of items loaded and displayed the first batch of items twice.
    • Fields based on the Number input form component incorrectly displayed null as their value when the value was empty.
    • If a field based on the Radio group component did not have a label assigned, the resulting UI page generated warnings in the browser console. For example, the problem occurred in the Review and send dialog for emails in the administration.
    • Fields based on certain form components did not display their tooltip (e.g. the Page selector or Content item selector).
  • Emails – If the send date or time of a regular email was changed in the Reschedule dialog and the sendout was then cancelled, the dialog was not refreshed correctly and the Cancel scheduled sendout button remained visible.
  • Content types – When adding a new content type field with the Content item selector form component, the Allowed content type option could not be configured until the field was saved.
  • Role management – If a user with the Administrator role unassigned this role from their own account, an Access denied notification was displayed even though the operation was valid and the role was unassigned.
  • Contact groups – When viewing the details of Recipient list contact groups, text in the Approval and Unsubscribe settings areas could overflow when viewed with a small display width.
  • The administration UI breadcrumbs didn’t correctly shorten text for objects with very long names.
  • Added missing spacing to certain selection dialogs.

Xperience Portal

  • The DevOps Engineer role did not have access to the Outages application in Xperience Portal.

Hotfix (February 16, 2023)

version 24.0.3

Fixed issues

  • Page Builder – Widgets that had output caching disabled consumed unnecessary memory and the application did not clear this memory correctly.
  • General – The application could reach the preset limit on the number of database connections under heavy traffic, e.g., during a load test. In the worst case, this could result in HTTP 502 Gateway errors.

New features

  • Admin UI authentication – The hotfix introduces new OnSigningIn and OnSigningOut events, which are invoked when users sign in or out of the Xperience administration. Both events are available under AuthenticationOptions.CookieEventsOptions when configuring AdminIdentityOptions. See Administration - Forms authentication for details.

Hotfix (February 9, 2023)

version 24.0.2

Fixed issues

  • Content items
    • On pages based on a page template, linked content items that were selected in a particular order were displayed in a random order when viewed on the live site.
    • Files stored as content item assets were served with an incorrect file name when downloaded on the live site.
  • Page Builder – After applying hotfix 24.0.1, it was not possible to publish pages that used Page Builder and contained sections without properties.

Hotfix (February 2, 2023)

version 24.0.1

Fixed issues

  • Roles – Modification of user-role assignments via the administration did not work correctly in certain cases. This issue occurred only after updating to version 24.0.0.
  • Performance – An unnecessary number of database queries was performed when loading the content of Page Builder widgets. This issue occurred after updating to version 24.0.0.

Refresh (January 26, 2023)

version 24.0.0

New features


Content management

  • Content item assets – Content item assets are a new type of content items that allow content editors to upload and store various types of files, for example, photos, pictures, sound files, videos, package files, presentations, or documents. You can reuse assets stored in the Content hub throughout the system. To create a new content item asset, create a content type with an Content item asset field.
  • Content item selector – Users are now able to select content items from the content hub in component properties.
  • Media libraries
    • Content editors are now able to upload a new version of media library files.
    • Content editors are now able to view media file information such as the GUID, Media URL, size, or image resolution.

Digital marketing

  • Emails
    • New functionality that allows marketers to send regular emails to groups of recipients. Visitors subscribe by submitting a form on the website. The form sends an autoresponder email with a double opt-in link, through which recipients finish the subscription process. See Send regular emails to subscribers.
    • The system now tracks and displays statistics for emails created in the Email templates and Emails applications, including the number of sent emails, email opens and clicked links. See Track email statistics.
  • Forms – Users can now edit the Code name of forms, which allows developers to work with more practical identifiers, e.g., when rendering forms in code as stand-alone widgets.
    • Changes of the form code name break existing forms placed onto pages via the Form widget. You need to reselect the form in these widgets after making such changes.
    • Changing the code name also automatically updates the form’s Class name. Such changes break existing code files generated for the form, and developers need to update or regenerate the code.

Xperience Portal

Breaking changes

Changes to assembly placement in NuGet packages

The CMS.AspNetCore.Platform assembly was moved from Kentico.Xperience.Core to the Kentico.Xperience.WebApp NuGet package and renamed to Kentico.AspNetCore.Platform.

For web applications, this change in not breaking – Kentico.Xperience.Web.App depends on the Kentico.Xperience.Core package.

However, for other types of applications (e.g., console or desktop applications), there is a possibility that your custom code called some code from the moved assembly. If you encounter breaking changes (compilation errors) in your projects after upgrading, you need to add the Kentico.Xperience.WebApp NuGet package to the affected projects.

Breaking changes – API

  • The UserInfo.Enabled property was fully removed, use UserInfo.UserEnabled instead.
  • The following members were removed from the content management API:
    • IPageTypeFieldsProvider  – use IContentTypeFieldsProvider instead.
    • IPageTypeFieldsProviderFactory – if this interface was used as a dependency, replace usages with IContentTypeFieldsProvider directly. The additional layer of abstraction introduced by the factory was removed completely.
    • PageType – there is no alternative. Implement a custom class to replace.
    • LoadAvailablePageTypesResult – there is no alternative. Implement a custom class to replace.
    • LoadAvailablePageTypesCommandArguments – there is no alternative. Implement a custom class to replace.
  • PageFormSubmissionPageBase  – the constructor now depends on IContentTypeFieldsProvider directly.
  • The CMS.AspNetCore.Platform namespace was renamed to Kentico.AspNetCore.Platform (also includes all subnamespaces).

Obsolete API

  • Data types – The AllowedObjectTypes property of DataType objects is now obsolete. Use the IsAvailableForDataClass  predicate instead .

Updates and changes


  • New CMS.EmailEngine.ISmtpClientFactory API that enables developers to modify the configuration of the system’s SMTP client (if using SMPT servers for mailout). This API is primarily intended for advanced environments with specific requirements.


  • Rich text editor – The ability to drag-and-drop content into the rich text editor UI form component was disabled. Use your operating system’s clipboard functionality instead.
  • Emails – The “Preheader” property of emails was renamed to “Preview text”. The corresponding placeholder in the source code of email templates is now
    . Applying the refresh automatically updates the placeholder in the source code of existing email templates.
  • Admin UI customization – UI pages for creating new objects (inheriting from the base class) no longer validate the editing form when the Change UI page command is executed. This prevents unnecessary validation errors while filling in parts of the create form.

Object types

This release changes the way hash table caching for object types is configured. In previous versions, the caching was configured by passing the HashtableSettings object via an optional constructor parameter to the object type’s I*InfoProvider implementation:

Hash table caching configuration using the provider class

public partial class MyObjectTypeInfoProvider : AbstractInfoProvider<MyObjectTypeInfo, MyObjectTypeInfoProvider>, IMyObjectTypeInfoProvider
    public MyObjectTypeInfoProvider()
            : base(MyObjectTypeInfo.TYPEINFO, 
                   new HashtableSettings
                            // Enables hash table caching over the identifier and code name
                            ID = true,
                            Name = true

From this version onward, this approach and the corresponding *InfoProvider constructor are obsolete. Instead, the caching is configured directly in the *Info data class via the InfoCache attribute:

Hash table caching configuration via the Info data class

[InfoCache(InfoCacheBy.ID | InfoCacheBy.Name)]
public partial class MyObjectTypeInfo : AbstractInfo<MyObjectTypeInfo, IMyObjectTypeInfoProvider>

If you are using hash table caching for custom object types, there are two ways to migrate to the new approach:

  1. Regenerate all custom object type classes using the code generator, which automatically ensures the new format. However, note that this will also require you to manually transfer all customizations made to the object type’s classes.
  2. Manually convert custom object type classes to the new approach:
    1. Remove the HashtableSettings parameter from the *InfoProvider constructor.
    2. Annotate the corresponding *Info class with the InfoCache attribute.
      1. Use the InfoCacheBy enum to determine the properties to cache by.
      2. (Optional) Use the InfoCachePriority enum to configure whether the cached items should expire.

Content hashes in admin UI script filenames

The file names of script files consumed by the Xperience admin UI now include a content hash (e.g., This change ensures that script files cached on the client are correctly invalidated when updating to a new version. In previous versions, the client browser usually defaulted to cached scripts even if the file contents were different, requiring users to refresh the browser cache (Ctrl+F5) to get the latest version (or wait for cache expiration).

All newly created custom admin UI modules (see Prepare your environment for admin development) automatically include content hashing. However, if your admin UI consumes any existing custom modules, and you wish to make use of the content hashing feature, you need to make the following changes:

  1. Update all @kentico packages to 24.0.0.

  2. Open the webpack.config.js of your module and follow the comments in the following snippet:

     const webpackMerge = require("webpack-merge");
     const baseWebpackConfig = require("@kentico/xperience-webpack-config");
     module.exports = (opts, argv) => {
       // Add the 'argv' parameter to the arrow function signature
       const baseConfig = (webpackConfigEnv, argv) => {
         return baseWebpackConfig({
           orgName: "acme",
           projectName: "web-admin",
           webpackConfigEnv: webpackConfigEnv,
           argv: argv,
       const projectConfig = {
         module: {
           rules: [
               test: /\.(js|ts)x?$/,
               exclude: [/node_modules/],
               loader: "babel-loader",
         // Add the output-clean:true setting    
         output: {
           clean: true
         devServer: {
           port: 3009,
       // Pass the added 'argv' parameter to 'baseConfig'
       return webpackMerge.merge(projectConfig, baseConfig(opts, argv));
  3. Rebuild the module.

The output file name now contains a content hash.

Xperience admin UI customizations boilerplate project converted to a .NET template

The Xperience admin UI customization boilerplate project (previously available for download on Prepare your environment for admin development) was converted to a .NET template. You can now install the project using dotnet new kentico-xperience-admin-sample . Afterwards, reference the created project from your Xperience application and work with it like before.

Fixed issues


  • Calling the IPageDataContextRetriever.TryRetrieve method resulted in an unhandled exception if the page data context could not be initialized, instead of returning a false value.
  • The API documentation for the WithPageUrlPaths DocumentQuery extension method was improved with additional remarks regarding the method usage.
  • Exceptions caused by cancelling asynchronous operations via cancellation tokens – as a response to a cancelled client request or application shutdown, for example – were incorrectly logged to the event log as errors (e.g., as System.OperationCancelledException).
  • Conventional MVC mechanism such as AuthorizeAttribute now work with the admin UI role-based access control model for routes registered behind /admin.

Content management

  • Content hub - Content items listed in the content hub are now by default ordered according to the Last modified column.
  • Content items – It was incorrectly possible to delete linked content items from “locked” pages that were in the published or archived workflow state.
  • Form Builder – Fixed various text overflow issues that could occur when entering long words in form component properties.
  • Headless API – Fixed issues caused by the tilda ‘~’ character in asset filenames.
  • Pages – When moving items with children via the content tree, the confirmation prompt for the move operation did not appear in certain cases.
  • Page Builder – If Cross-Site Request Forgery validation failed when submitting a form generated by the Form Page Builder widget, a “Cannot read property of null” error was logged in the browser console in addition to the expected HTTP 400 error code.

Digital marketing

  • Security – Modified the behavior of various permissions in relation to digital marketing applications.
    • Contact group edit (condition builder) can no longer be opened by users without Update permissions for the Contact groups application.
    • Deleting contacts from contact groups is now possible with Update permissions for the Contact groups application.
    • The Save button when editing emails in the Emails application is now disabled for users without Update permissions.
    • Deleting collected form submissions in the Forms application is now possible with Update permissions.


  • The Readme.txt file in the Dancing Goat and Boilerplate project templates contained an invalid link to the documentation.
  • Optimized the number of database queries required when checking user permissions in the admin UI.


  • When creating fields for module classes via the field editor, the Field name length wasn’t validated correctly by the UI, and very long values could result in an error.

UI form components

  • It was not possible to view more than the first 150 files in a selected media library via the Media file selector UI form component.
  • Pages selected within the Page selector form component cast a shadow incorrectly when dragged.
  • It was possible to clear a selection made using the Object selector even if the field was marked as required.
  • When the Object selector was placed in a side panel, selecting any action inside the selector caused the side panel to collapse.
  • Selecting a month or year in the DateTime input form component incorrectly saved the whole form.
  • The MinimumDecimalValueValidationRule and MaximumDecimalValueValidationRule validation rule attributes could not be used because the attribute constructor did not allow the decimal type as a valid attribute parameter type. The attribute constructors now accept double instead. Conversion to decimal is done by rounding to 15 significant digits using rounding to nearest (a limitation of the double input type).


  • Instances hosted in Linux environments could encounter exceptions when accessing resources from Amazon S3. This would occur, for example, when accessing media library files stored in Amazon S3.

User interface visual improvements

  • Opening a drop-down list in a component properties dialog sometimes caused the drop-down menu to overflow the dialog window.
  • For certain elements the ‘element is now focused’ blue border indicator was partially obscured or was rendered incorrectly.
  • Pages application
    • When changing page URL slugs on the URL tab in the Pages application, entering slugs longer than the width of the dialog window caused the input to stretch past the browser window.
    • When saving page URL slugs on the URL tab in the Pages application, the Save button now transitions to a disabled state to prevent multiple concurrent requests from being submitted.
    • Page URL slugs and other text longer than the width of the various page property dialogs (Information, URL) now break into multiple lines instead of disappearing past the browser window when longer than the available viewport space.
    • The design and appearance of certain elements in the content tree was updated to better match the admin UI look and feel.
    • When drag and dropping pages, the dragged pages are now hidden from their original position in the content tree instead of showing both at the original position and on the mouse cursor, possibly confusing users.
    • The content tree in the Pages application now better indicates possible placement when dragging and dropping pages.
  • Drop-down menus now close during a click-away action that targets an iframe with either the Page Builder, Form Builder, or page preview window.
  • The primary action button was not by default focused in interactive dialogs. Now, the primary action is always performed on enter (save, delete, confirm, etc.).
  • The confirmation dialog displayed when changing page templates now uses the same look and feel as other dialog windows in the admin UI.
  • The listing pages context menu, available via (…), was obscured by the listing container in special cases.
  • Implemented responsive drop-down menus that automatically adjust based on viewport and parent element width.
  • The application menu now overlays menus and panels that open from the right side of the interface (e.g., selector dialogs in the Pages application, configuration options in the Forms application) on displays where smaller viewport width causes overlaps.
  • Fixed the vertical alignment of button labels in the Safari browser.

Xperience Portal

  • The project expiration date displayed on the Dashboard in Xperience Portal incorrectly included the 30 day grace period for license renewals.
  • The Outages application in Xperience Portal only displayed project outage reports starting from the beginning of the month following the project deployment. For example, projects deployed 8/15/2022 could only view reports starting from 9/1/2022.
  • A JavaScript error was logged in the browser console when viewing the hash string salt value (DashboardProject info section) on displays with certain viewport widths.
  • A wrong type of error page was displayed for Not Found (HTTP 404) and other HTTP errors.
  • The format of the Account created and User added to project email notifications was not correct in case the first name of the user was unknown.
  • The deployments page may not have displayed correctly during an ongoing maintenance.

Hotfix (January 19, 2023)

version 23.0.9

Fixed issues

  • Admin UI customization – Searching using the listing template resulted in an error if a column of the listed object type was named after an SQL reserved keyword (e.g., Key). After applying the hotfix, the system escapes all column names in such queries, allowing search on listing templates to work as expected.

Hotfix (January 12, 2023)

version 23.0.8

Updates and changes

  • Security – The initial permission configuration for the sample Digital Channel Manager role was modified to reflect security best practices. This change only applies to the Dancing Goat and Boilerplate project templates installed from Kentico.Xperience.Templates version 23.0.8 and newer. In existing installations, we strongly recommend making the following change to the Digital Channel Manager role (if present in your project): remove the View permission for the Email Queue application.

Hotfix (January 5, 2023)

version 23.0.7

Fixed issues

  • SendGrid integration – The SendGrid integration failed to send emails with email addresses specified using advanced formats such as "display name" <user@host>. After applying the hotfix, the integration supports all email address formats allowed by the  System.Net.mail.MailAddress  class.
  • Event log – An error occurred when viewing the details of event log records without a description.

Updates and changes

  • Permissions – Only users with the  Administrator role can now change assigned roles via the Users →  edit a user → General tab.

New features

  • Email customization – New EmailMessage.Validate extension method that validates whether properties (From, Recipients, CcRecipients, etc.) of the CMS.EmailEngine.EmailMessage object are set correctly. The method is intended primarily for use when implementing  custom email clients.

Hotfix (December 15, 2022)

version 23.0.6

Fixed issues

  • Rich text editor – Hotfix 22.3.1 introduced HTML sanitization of content in the Rich text editor. This sanitization can result in modified or broken HTML code, for example, when adding content via the editor’s Code View option. After applying this hotfix, the sanitization additionally allows ID and data-* attributes, as well as href attributes containing mailto links in <a> tags.

Hotfix (December 8, 2022)

version 23.0.5

Fixed issues

Hotfix (December 1, 2022)

version 23.0.4

Fixed issues

  • Permissions – It was possible to modify existing forms via the Form Builder interface (Forms → edit a form → Form Builder tab) without possessing the Update permission for the Forms application. After applying the hotfix, the Update permission is required when making modifications to all forms.

Hotfix (November 24, 2022)

version 23.0.3

Fixed issues

  • Permissions – When adding images from a media library into the content of a Rich text widget in the Page Builder, the Insert image selection dialog didn’t work for users without the Administrator role. After applying the hotfix, media files in the dialog can be viewed, selected and uploaded by users with a role that has sufficient permissions for the Pages application.
  • Admin UI customization – API documentation was missing for the client API that enables developers to work with pages in in modal dialogs (useTemplateDialog()) , which was introduced in hotfix 23.0.1.

Hotfix (November 16, 2022)

version 23.0.2

Fixed issues

  • Permissions – Certain action buttons in the Pages and Content hub applications remained active, even if the user’s role did not have the required Create or Update permissions assigned for the given applications.
  • Permissions – Delete buttons for files in the Media libraries application remained active, even if the user’s role did not have the required Manage media library permission assigned for the application.
  • Field editor – Minor visual issues occurred within the field editor user interface in rare cases.

Hotfix (November 10, 2022)

version 23.0.1

Fixed issues

  • Continuous Deployment – Continuous Deployment didn’t include the data of binding object types when running the restore operation.
  • UI form components – If the Object selector UI form component was configured to select exactly one item, it was not possible to clear the selection once an object was selected.

New features

  • Admin UI customization – The hotfix introduces a new useTemplateDialog() hook for the client customization API that enables developers to set the properties of pages displayed within modal dialogs via UIPageLocation(PageLocationEnum.Dialog).

Refresh (November 7, 2022)

version 23.0.0

New features


  • Role-based access control for the Xperience administration – The refresh update introduces a permission model for the Xperience administration. The model handles only permissions for the user interface of the administration application – the visibility of applications, application elements, tabs, and pages. The added functionality consists of the following:

Digital marketing

  • Email management – Editors can now personalize emails created in the Emails applications by adding dynamic text to the content. When sending emails to specific recipients, the system replaces dynamic text with information known about the given recipient (First name, Last name or Email).

Content management

  • Headless API – A headless API for retrieving content items was released as a preview feature. Developers can now retrieve content items from Xperience using HTTP requests and the JSON data format. Check the related documentation to see the limitations related to the preview status of the feature.
  • Media libraries – Developers can now set the encoding quality used when resizing images retrieved from media libraries via a configurable options object. The configuration is provided as part of the implementation within the Kentico.Xperience.ImageProcessing NuGet package.
  • Algolia integration – An external module that allows you to create Algolia search indexes and index content types with the ‘Page’ feature in the Xperience content tree using a code-first approach. The integration also enables you to provide a search interface on the live site using .NET API, JavaScript API, or the InstantSearch.js JavaScript library. For more information, see the Algolia Search Integration GitHub repository.

Xperience Portal

  • Projects in Xperience Portal can now undergo planned scheduled maintenance. Certain features are unavailable for the duration of the maintenance. The maintenance intervals are planned by Kentico.
  • Uptime statistics for Xperience Portal projects, Deployment API, and deployment regions alongside downtime incidents are now available at

Breaking changes

  • During application startup, the system no longer automatically adds services related to session state and cross-origin resource sharing (CORS) to the service collection. Specifically, the IServiceCollection.AddKentico call no longer includes the following:
  • The following dependency of the Kentico.Xperience.WebApp package was updated:
    • HtmlSanitizer from version 7 . 1 . 542 to 8.0.601. The update includes several breaking changes: #365, #370
  • The following dependency of the Kentico.Xperience.Core package was updated:

Breaking changes – API

  • The following members were removed from the membership API. There is no provided alternative.
    • Removed properties:

      • RoleInfo.RoleIsDomain
      • UserRoleInfo.ValidTo
    • Removed constants:

      • RoleName.EVERYONE
      • RoleName.AUTHENTICATED

Breaking changes – Database

All changes in the database structure are automatically handled by Xperience during the update procedure. This information is provided to help you prepare in case you use custom code or scripts that rely on the original database structure.

  • The following database views were changed or removed:
    • View_CMS_UserRole_Joined was removed.
    • View_CMS_UserRole_MembershipRole_ValidOnly_Joined was removed.
    • The ValidTo column was removed from View_CMS_UserRoleMembershipRole.

Updates and changes

  • Forms – Emails that are assigned to the autoresponder of one or more forms can no longer be deleted.
  • The Froala WYSIWYG editor that provides the Rich text editor in Xperience was updated to version 4.0.15. See Froala Editor 4.0.15 for details.
  • User interface – The Properties → Metadata section in the UI of the Pages application was renamed to Information.

Fixed issues


  • UI components

    • Fields in the administration with a selector form component (e.g., Dropdown selector) did not save their value in special scenarios. The problem occurred if the field used a visibility condition, and also had an assigned configurator that dynamically populated the selection options.
    • If the Rich text editor had a custom toolbar configuration with the toolbarInline option disabled, enabling the toolbarSticky option didn’t work. The toolbar didn’t remain displayed at the top of the editing area when scrolling down in the content.
    • Entering a very long number into the Number input form component caused the value to be converted to scientific notation. After the update, only numbers between -2147483647 and 2147483647 can be entered.
  • Event log – The system’s event logging API was not thread-safe, causing, e.g., Parallel.ForEach calls that logged information into the event log to incorrectly terminate with an exception.

Content management

  • Page Builder – Page, Path, Media and Attachment selectors for the Page Builder legacy compatibility mode did not preserve any order of the selected items. After applying the update, the items are stored in the order in which they were selected.
  • Media library
    • WebP images uploaded to media libraries were stored and served with the wrong MIME type, and were not displayed correctly on the website.
    • Getting the URL of a media file using the IMediaFileUrlRetriever.Retrieve API always generated the file’s DirectPath URL, even when it was not required or used. When storing media files on Azure storage, this resulted in unnecessary requests to Azure.
    • When resizing images retrieved from media libraries, the image encoding quality was set to 100%, which could cause resized images to be larger in file size than the original. After the update, the default encoding quality is set to 80%.


  • If the form selected in a Form widget was later deleted, the widget’s configuration dialog displayed errors.
  • Deleting a form with an enabled autoresponder didn’t remove the internal automation process used to send the autoresponder emails.
  • The autoresponder options in the After form submission panel of the Forms application were not disabled correctly if the form was modified so that it no longer contained a field mapped to the Email contact attribute. The autoresponder options now need to be manually reconfigured if a properly mapped Email field is returned to the form.
  • The Country and State contact attributes were not available for mapping when configuring form fields. After the update, mapping to these attributes is supported for Text and Number fields. Text fields attempt to map country or state code name values, number fields work with country or state IDs.
  • Multiple clicks of a form’s submit button in quick succession could cause the system to send multiple autoresponder emails. After the update, clicked submit buttons are disabled until the request is processed.
  • Multiple clicks of action buttons in the options panel of the form administration UI could trigger multiple requests. After the update, a loading button is displayed after a click until the request is processed.

User interface

  • Pages

    • After attempting to save a conflicting URL slug for a page in the Pages application, the resulting error message disappeared immediately.
    • Fixed minor design issues in the Change template dialog in the Pages application, and added a Friendly warning with additional information.
  • Contact groups – Validation error messages in the contact group condition builder were duplicated when an invalid condition was submitted multiple times.

  • Emails – The Preheader field in the Properties of emails was missing a tooltip.

  • Forms

    • Horizontal scrollbars were displayed for fields in the Form Builder interface in certain cases on devices with a small display width.
    • The Form Builder interface displayed checkboxes with incorrect alignment in certain cases for Checkboxes fields.
    • Fields with very long label text were displayed incorrectly in the Form Builder interface.
  • Several minor issues with alignment, font size, spacing and shadows were fixed in the administration interface.

Xperience Portal

  • An error was logged to the browser console when selecting or clearing the checkbox for confirming DNS settings in the Site domains or SendGrid domains applications within Xperience Portal.

Hotfix (October 20, 2022)

version 22.3.2

Fixed issues

  • API – Creating a new media library (MediaLibraryInfo object) in code without HttpContext access resulted in an error. For example, the problem could occur when using the Xperience API in a console application.
  • Code generators – The system’s code generator created invalid code for objects (e.g., content types) with fields of the Pages and Media files data types.
  • Object types – An error occurred when using the object selector component with an object type that did not have the displayNameColumn configured in its Type info properties. The error affected fields created in the Field editor with the Object code names data type and form component, as well as code-driven properties decorated by the Object selector UI form component.

Hotfix (October 13, 2022)

version 22.3.1

Fixed issues

  • Infrastructure – Export of the Xperience database to a backup file failed due to changes related to content items (introduced in Refresh 22.3.0). As a result, it was also not possible to deploy applications to the SaaS environment.
  • Security – Administration input fields using the Rich text editor component were vulnerable to reflected XSS attacks. The hotfix ensures proper sanitization.
  • Content hub – After updating the name of a content item in the Content hub application, the administration’s breadcrumbs and navigation menu didn’t reflect the new name.
  • Admin UI customization – The client customization framework didn’t correctly load files from JavaScript modules built on non-Windows operating systems.
  • User interface – Improved input validation on the Features tab in the Content types application.

New features

  • Xperience Portal – The page displayed after new users finish setting up their Xperience Portal account and password now contains a button redirecting to the portal’s sign-in screen.

Refresh (October 6, 2022)

version 22.3.0

New features

  • Content hub – A new way of working with content was added. It is now possible to create content types (formerly page types) with a field configured to select content items. These linked content items can then be retrieved using the API. You can also manage existing content items in the Content hub application.

  • Email management – When creating emails in the Email templates and Emails applications, editors can specify the following new options:

    • Plain text content – Improves deliverability of emails. Some recipients may prefer plain text emails, and certain email clients only accept plain text.
    • Email preheader – The brief text that recipients see in their inbox after the email sender information and the subject line.
  • Xperience Portal – SaaS deployment uptime monitoring is now available in Xperience Portal. See Uptime monitoring.

  • Administration UI development

  • Forms – The listing in the Forms application contains a new column indicating whether the autoresponder is enabled for each form.

  • Contact groups – When viewing the contacts belonging to a contact group in the Contact groups application, users can now select contacts to open the given profile in the Contact management application.

  • The Text area UI form component for the administration provides new properties that allow configuration of the area’s minimum and maximum displayed height (number of rows).

Updates and changes

  • Rich text editor – When registering Rich text editor configurations, a display name needs to be specified for the configuration.
  • Field editor – Updated the names of certain field configuration options to better describe their purpose (Tooltip text and Text below the input).

Fixed issues


  • Running on a time zone with a large UTC offset caused unhandled errors in certain scenarios. For example, such errors could occur when logging event log records or when executing unit tests.
  • Field editor – Values entered into the Default value of fields were not validated in certain cases, and validation messages were displayed incorrectly.
  • Domain aliases of sites were not validated correctly and allowed duplicate domain name values for the same site.
  • The system had a dependency on the deprecated Microsoft.jQuery.Unobtrusive.Ajax package. The Page and Form Builder scripts no longer use the jquery.unobtrusive-ajax.js bundle, and the dependency was removed.
    • The related FormBuilderBundlesOptions.JQueryUnobtrusiveAjaxCustomBundleWebRootPath property in the API is now obsolete.

Content management

  • Content tree-based routing
    • If the page specified in Settings → URLs and SEO → Home page was deleted, the Pages application didn’t work and an error occurred.
    • The routing engine was vulnerable to CRLF Injection when performing redirects due to improper encoding of the URL query string.
  • When displaying selected pages in an administration UI form, the Page selector component incorrectly showed the published name of pages, even when a newer version (draft) of the page had a different name.

Digital marketing

  • Forms
    • The After form submission panel in the Forms application became broken and displayed an error if an email selected for the Autoresponder was later deleted.
    • The email selector in the After form submission panel incorrectly remained enabled even if the form didn’t contain a field mapped to the Email contact attribute.
  • Emails – Selecting the email name in the administration UI’s breadcrumbs incorrectly opened the email preview instead of the content editing view.

User interface

  • The layout of the Form Builder designer area was broken on devices with a small display width.
  • Dialogs and side panels (e.g., the options panel in the Forms application) incorrectly closed after the user performed certain actions outside of the dialog area, for example mouse wheel clicks or right-clicks. After applying the update, dialogs are only closed by primary interactions, i.e., left mouse button clicks.
  • The Icon selector form component was not disabled correctly, e.g., when viewing the editing form of a published or archived page.
  • When creating or editing fields in the Field editor, multiple scrollbars appeared in certain cases.
  • An accessibility warning was logged in the browser console when viewing administration pages containing the Password UI form component (e.g., on the sign-in or change password page).
  • Minor improvements of the administration interface were made, for example increased font size for certain text.

Project templates

  • The sample site created by the Dancing Goat project template contained several broken links to non existing pages.

Hotfix (September 29, 2022)

version 22.2.3

Fixed issues

  • Field editor – It was not possible the configure the Default value and Required status for fields of the following data types: Object code names, Object Guids, Pages, Media files
  • API – The AbstractTableManager.TableExists method returned false when the call terminated with an exception. After applying the hotfix, the method propagates the exception and correctly terminates.

Hotfix (September 22, 2022)

version 22.2.2

Fixed issues

  • Emails – When viewing the details of emails via the Email detail dialog in the Email queue application, labels identifying individual email properties displayed unresolved resource strings instead of the corresponding property names.
  • Domain names and domain aliases – It was not possible to register a domain name or alias starting with the www. prefix. This made it impossible to generate absolute URLs with the www. prefix to content managed by the system, as the URL generation API always prepended the URL with the site’s domain name, which resulted in URLs such as . After applying the hotfix, domain names starting with www. are allowed. Moreover, the hotfix fixes an issue that allowed users to register multiple identical domain aliases for a single domain.

Hotfix (September 15, 2022)

version 22.2.1

Fixed issues

  • Emails – The Preview mode for emails in the Emails application was modified to be more resilient against cross-site scripting attacks.
  • Field editor – When defining new fields via the field editor interface, the configuration of the field’s assigned UI form component was not persisted correctly in special cases. The problem occurred if the UI form component’s configuration options used components with UI page commands. Such options are disabled by default during initial field creation due to certain system limitations. However, the initial save of the field didn’t persist other configuration options that were available.

Updates and changes

Refresh (September 8, 2022)

version 22.2.0

New features

  • Introduced a new Modules application with the following functionality:
    • Support for creating and registering object types into the system. Object types contain metadata that describe the properties and behavior of database entities integrated into and leveraging certain Xperience features.
    • Support for extending system object types.
    • Support for entering macro expressions. Until now, macro expressions were used by the system in the background, but were not available to users. Currently, macros are usable when configuring the default values of object type fields via the Modules application.
  • Email management – New Email templates and Emails applications that allow users to prepare and edit the content of emails directly in the Xperience administration. See Emails for more information. Currently, such emails can only be used with form autoresponders.
  • Xperience Portal – Custom site domains and the SendGrid sender domain can now be assigned through Xperience Portal. See Domain names for SaaS deployment and SendGrid integration.
  • Integrations – Xperience offers an external module that integrates with the Disqus comment platform. The module contains a Disqus comments widget that provides the option to add a comment section to any page on your website. Disqus also offers advanced moderation tools, analytics and monetization options. The module is distributed as a NuGet package. For more information and detailed instructions, see the Xperience by Kentico Disqus Widget GitHub repository.
  • New Code editor UI form component for the administration. Provides a text editing area suitable for code, with support for syntax highlighting and line numbers.

Updates and changes

  • The original Emails application in the Xperience administration was renamed to Email queue. The new Emails application is now used to manage the content of emails. See Emails.

Fixed issues


  • After performing a project update, the system didn’t correctly detect differences in the minor and hotfix version number of the database and project packages. The application now fails to start and returns an error on startup when such a version difference is detected. You always need to update both project packages and the database when performing an update.

Content management

  • Rich text editor – When using the Code View of the Rich text editor to edit page content in the Pages application, changes were lost after saving the page. After applying the refresh, the editor automatically switches to the default WYSIWYG view after clicking anywhere outside of the editor area, including the page’s Save button, and changes are saved correctly.
  • Page Builder – Fixed minor vulnerabilities in the dependencies of Page Builder scripts.

User interface

  • Pages
    • Notifications about unsaved changes were not displayed correctly in the Pages application when attempting to move the page or its parent.
    • Deleting a page while editing another one prevented notifications about unsaved changes from being displayed.
  • Page types
    • After deleting a field in the Field editor within the Page types application, the configuration of the deleted field was incorrectly displayed instead of the values of the next field, which the field editor automatically expands.
    • The label text of the save button in the Field editor within the Page types application was unified to “Save”.
  • Forms – The General or After form submission options panel in the form editing interface was not hidden correctly after clicking into the Form Builder editing area.
  • Contact groups – The object selectors in contact group conditions were misaligned in certain cases.
  • Error messages displayed when attempting to delete an object with existing dependencies did not accurately describe the cause of the problem. For example, such errors occurred when deleting a page type with existing pages in the content tree.
  • Certain locations in the administration displayed unresolved resource string keys instead of the actual text (for example the descriptions of event log records related to page workflow status changes).
  • When working in a dialog within the Xperience administration, notifications and error messages were incorrectly displayed outside of the dialog in certain cases.
  • The explanation text for the Password component was not displayed correctly in some locations.
  • Certain inputs and selectors displayed incorrectly when they contained a very long text value.
  • When navigating between pages in listings within the administration, the screen didn’t scroll to the top of the page content.


  • When running the dotnet kentico-xperience-dbmanager CLI command with the --recreate-existing-database parameter, the database configuration was not preserved in certain scenarios (for example for Azure SQL databases).

Hotfix (September 1, 2022)

version 22.1.3

Fixed issues

  • Licensing – A licensing error prevented access to the administration if the cross-site tracking feature was enabled for the application with CrossSiteTrackingOptions configured, and the license key was missing or expired.
  • Rich text editor – For applications running on the domain root (without an application path), URLs of images and links placed into rich text editor content in the Page Builder interface became invalid after saving and publishing the page. Applying the hotfix does not fix existing broken URLs, but allows you to create correct links by re-saving and publishing the affected pages again.

Hotfix (August 26, 2022)

version 22.1.2

Fixed issues

  • Licensing – The administration dashboard didn’t work correctly when the license key had expired. As a result, users could not enter a new valid license.

Hotfix (August 19, 2022)

version 22.1.1

Fixed issues

  • Cross-site tracking – Calling the kxt('pagevisit'); function in cross-site tracking scripts generated an error in the browser console if the function’s optional onerror callback was not handled.

  • Infrastructure – The Kentico.Xperience.DbManager.dll library distributed as part of the Kentico.Xperience.DbManager NuGet package was missing a Microsoft Authenticode digital signature.

  • SaaS environment deployment – The Export-DeploymentPackage PowerShell script (provided as part of cloud project templates) created a malformed $StorageAssets directory within the resulting deployment package. The problem occurred for projects where an item in the directory had Copy to Output Directory set to a different value than Do not copy.

    To avoid the described issue for cloud projects created using an older version of the Kentico.Xperience.Templates package , update the package and recreate the project to obtain the newest version of the Export-DeploymentPackage script.

Refresh (August 12, 2022)

version 22.1.0

New features

  • Minimal APIs support – The system now supports application configuration using minimal APIs introduced in .NET 6.

    • Project templates from the Kentico.Xperience.Templates NuGet package were updated – newly created projects leverage the minimal API configuration model by default.
    • The legacy configuration model with separate program entry (Program.cs) and startup files (Startup.cs by default) remains fully supported, but its use is no longer recommended. All documentation and training materials now work with minimal APIs exclusively. To migrate your codebase to the new model, follow Migrate to the new minimal hosting model in ASP.NET Core 6.0 for framework code, and Configure new projects for Xperience-related code.
  • Page templates

    • Page templates can now be configured using custom properties.
    • Pages created using page templates that contain Page Builder content (widgets, sections) can now be saved as Preset templates and reused when creating other pages. Templates prepared by the developers (added via RegisterPageTemplate) are now referred to as Default templates. See Page templates.
    • When changing the Default page template of a page, users now have the option to transfer existing Page Builder content over from the current page, assuming editable areas in both the source and target template use matching identifiers. See the Implement page templates section on Page templates for Page Builder for developer documentation, and the Change templates of existing pages section on Page templates for business documentation.
  • Xperience Portal – The hash string salt value assigned to Xperience Portal projects is now visible in Xperience Portal , under the  Project info section of the project Dashboard . Previously, hash string salts were provided by Kentico alongside Xperience Portal projects using other channels.

  • User interface – The Xperience administration now uses an appropriately-themed dialog window when notifying users about interactive events (e.g., notifications about unsaved changes), instead of each browser’s default notification system.

Fixed issues

Content management

  • Pages
    • After a page was moved in the content tree in the Pages application, the right-side workspace was not updated and could incorrectly display outdated information (e.g., a page’s URL still reflected the previous position).
    • After discarding changes to a page in the Pages application, certain fields on the Content tab were not reverted to their previous values (not displayed correctly from the last published or archived version of the page).
    • When editing a page’s URL slug via Properties in the Pages application, the caption of the save button now reflects the workflow state of the page – Publish change for published pages, and Save change for unpublished or archived pages.
    • When editing a page’s URL slug via Properties in the Pages application, the Publish change button could disappear in rare cases.
  • Former URLs – Moving a page via drag-and-drop using the content tree in the Pages application incorrectly created a former URL for the page even when the page’s URL was not affected by the move operation (e.g., a reorder within the same section of the tree).

Digital marketing

  • Contact groups – Attempting to close the contact group condition dialog with unsaved changes now displays a warning prompt.
  • Cross-site tracking – The Website name column in the listing of tracked websites under Cross-site tracking → Tracked websites incorrectly displayed the tracked site’s code name instead of its display name.
  • Forms – The Form Builder interface could be displayed on different domains via an iframe (assuming certain conditions were met).

User interface

  • Admin UI form components
    • Text inside disabled Text area and Text input UI form components was not visible when using the Safari browser.
    • The asset selector UI form component didn’t display the “required” indicator (red asterisk) when the corresponding field was marked as required.
    • The object selector UI form component didn’t reflect the Tooltip and InactiveMessage properties.
    • The URL selector UI form component could under certain circumstances lose focus unexpectedly when manually editing its value.
    • The clickable area of checkbox components in the administration was increased.
  • UI field visibility conditions – The system incorrectly evaluated UI form component visibility conditions that made use of transitive dependencies. In these cases, the system failed to correctly reflect the values of certain fields based on their (in)visibility when evaluating the condition, which could result in incorrect visibility states. For example, assume field dependencies A → B → C, which implies that field C also depends on field A. Setting A to a value that hides B must also hide C (due to transitivity), which was not the case. After applying the fix, complex visibility conditions that depend on hidden fields use either the hidden field’s default value (if set) or an empty value.
  • Licensing – License expiration notifications were displayed incorrectly in certain cases.
  • Minor visual issues that could in certain cases appear throughout the administration interface across various browsers (listings and search inputs overflowing on smaller resolutions, incorrect shadows on certain elements, minor layout issues on specific pages, etc.).

Administration client code

  • The BarItemGroup component ([@kentico/xperience\-admin\-components]({target="_blank“}) generated the”Each child in a list should have a unique ‘key’ prop" warning in the browser console, for example when using the field editor in the Page types application.

Xperience Portal

  • The expiration date of the license key generated via the License key generator application in Xperience Portal can no longer be manually specified. License key expiration is now automatically managed by the portal – all generated keys are set to expire together with the validity of your Xperience subscription.
  • Xperience Portal password reset emails did not contain a password reset link if the user’s email address included uppercase characters.
  • In the Xperience Portal Deployments application, the Deploy to drop-down for selecting the target environment was incorrectly enabled even where there was no existing deployment in the source environment.
  • The link to the License Key Generator on the Xperience Portal Dashboard didn’t work.


  • If the Continuous Integration or Continuous Deployment command-line tools were run targeting a directory without a repository.config file, the processes got stuck and could only be terminated using a hard exit (Ctrl+C).
  • CI/CD commands returned a non-zero exit code in special cases even if the result was successful.

Project templates

  • When running the Dancing Goat project in Kestrel on Linux environments, accessing certain malformed images caused a complete shut down of the Kestrel hosting process, requiring a full application restart. The affected images were replaced. This change only applies to new projects created after updating the Kentico.Xperience.Templates NuGet package to version 22.1.0 or newer.

Database changes

  • The following database columns were removed. This was only a cleanup on the database level – the columns were no longer used by the system. 

    • CMS_Class table – ClassIsNavigationItem
    • CMS_Class table – ClassIsMenuItemType
    • CMS_Document table – DocumentShowInMenu

Hotfix (August 5, 2022)

version 22.0.4

Fixed issues

  • Cross-site tracking – Adding or revoking consent agreements using the kxt('consentagree', ...); and kxt('consentrevoke', ...); functions in cross-site tracking scripts incorrectly created an anonymous contact when the client’s browser blocked third-party cookies. In these cases, the contact was unnecessary and never contained any data, since tracking is not possible even if the visitor gives consent.

New features

  • Cross-site tracking – Functions in cross-site tracking scripts now provide an optional onerror callback, which allows custom handling for scenarios where cookies are blocked, as well as other error states. See Cross-site tracking .

Hotfix (July 29, 2022)

version 22.0.3

Fixed issues

  • Cross-site tracking
    • Checking the consent status of the current contact using the kxt('consentcontactstatus', ...); call in cross-site tracking scripts incorrectly created a new anonymous contact in cases where the visitor had not given consent to be tracked.
    • When a visitor accepted tracking consent on an external website, and then arrived on the main Xperience site, the system failed to detect the consent and didn’t automatically set an appropriate cookie level for the main site. After applying the hotfix, the cookie level specified during application startup via CrossSiteTrackingOptions is set automatically for tracked visitors from external sites, and the cross-site contact is merged with the contact representing the visitor on the main site.

Hotfix (July 22, 2022)

version 22.0.2

Fixed issues

  • Minor fixed issues without direct customer impact (e.g., improved confirmation message text for the database update CLI command).

Hotfix (July 15, 2022)

version 22.0.1

Fixed issues

  • Cross-site tracking – When using the default configuration, the cross-site tracking scripts attempted to reach a non-existing Kentico.CrossSiteTracking/Logger/LogCrossSiteAnalytics endpoint. This caused failed requests on the tracked site’s pages.
  • Contact groups – The recalculation warning displayed after editing a contact group’s condition behaved incorrectly. In certain cases, clicking the button didn’t immediately display the “loading” status, and the warning remained visible even after recalculation was triggered and successfully finished.
  • Forms – If validation failed for the Email or U.S. phone number fields when submitting a form, the validation error messages were displayed incorrectly (as unresolved resource string keys).
  • Licensing – The administration incorrectly displayed license expiration notifications when using an evaluation license. After applying the hotfix, expiration notifications only appear for full licenses.
  • Project templates – The Privacy page on the Dancing Goat sample site (kentico-xperience-sample-mvc project template) displayed an error if the data protection demo was not enabled in the Sample data generator application. The hotfix does not update existing sites, only new projects created based on the Dancing Goat template.

Xperience by Kentico (July 1, 2022)

version 22.0.0

The initial release of the Xperience by Kentico adopters program.