Release announcements, helpful tips, and community discussion


Cerb (10.2.3) is a maintenance update released on April 06, 2022. It includes 31 minor features and fixes from community feedback covering the 10.2 update. You can follow these instructions to upgrade.



  • [Automations/Scripting] In automation scripting, added a new |repeat(times) filter that repeats a string the given number of times. For instance, this is useful to render a 1-5 star rating in a sheet.

  • [Worklists/Workers] On worker worklists, added and calendar: quick search filters. Thanks to Flexibits for the feature request.


  • [Records/Search] On record worklist search queries, the set.timezone: filter now provides autocomplete suggestions.

  • [Dashboards/Widgets] Sheet widgets (on cards, profiles, and workspaces) can use the ${placeholder} syntax to sanitize untrusted user input in data queries. This is particularly useful for dashboard prompts.

  • [Worklists/Import] On worklists, improved error messages when importing CSV files.

  • [Support Center/Dependencies] In the Support Center portal, updated the jQuery dependency to 3.6.0.

  • [Portals/Bots] Conversational Bot portals now serve the jQuery dependency directly rather than linking to a third-party CDN. This improves privacy and makes it easier to enforce a stricter Content-Security-Policy.


  • [Automations/Record Changes] Fixed an issue in record.changed automations where the key expansion of record link custom fields in the was_record_ dictionary was replaced with the current values from the record_ dictionary. Thanks to @mryanb for reporting the issue.

  • [Automations/Mail/Routing] Fixed an issue in mail routing with the mailRouting.recipientRules automation. The bucket_name: input is now optional.

  • [Portals/Interactions/Sheets] In portals, fixed an issue with selecting from multiple sheet: elements in the same form: continuation.

  • [Records/Choosers] Fixed a bug with chooser fields in record editor popups, where the (+) create button remained hidden even after removing all selections. [#1639]

  • [Profiles/UX] On profile pages, a ‘Not found’ message is now displayed if the given record type isn’t an exact match. Previously, this displayed the header and footer with no content.

  • [Setup/UX] On setup pages, a ‘Not found’ message is now displayed if the given page doesn’t exist. Previously, this displayed the header, menu, and footer with no content.

  • [Records/Merge] Fixed an issue with merging records that have a ‘Record Links’ custom field. Thanks to @myranb for the report.

  • [Records/Search] Record search queries now return an error message on invalid set.timezone: filters.

  • [Records/Search] Fixed an issue in record search queries when searching for words made entirely of wildcard asterisks (*).

  • [PHP] Cleaned up more deprecation warnings in PHP 8.1.

  • [Worklists/Search] Fixed an issue when searching a worklist where a timeout when counting fulltext results could cause the remaining queries to hang until they also timed out.

  • [Records/Tickets] Fixed an issue where editing a ticket record from its card didn’t change the updated date.


  • [Security] Fixed an issue with insufficient input validation that could potentially modify queries.

  • [Security] Fixed an issue with path traversal (only possible for administrators).

  • [Platform/Security] Added a DEVELOPMENT_MODE_SECURITY_SCAN framework flag for suppressing certain error messages during a vulnerability scan. This makes it easier to surface legitimate issues.

  • [Security/Avatars] In the profile picture editor, added extra validation when fetching an image by URL.

  • [Security/Profiles] On record profile permalinks to messages, drafts, and comments, improved the sanitization of record IDs.

  • [Security] Disabled autocompletion on all password form inputs. Most browsers already do this, but doing it explicitly reduces false positives in vulnerability scanners.

  • [Security/Platform] The Devblocks ::dieWithHttpError() method now automatically HTML escapes error messages rather than relying on developers to do it. The new ::dieWithHttpErrorHtml() method allows manually escaped output in the rare occasions it is needed.

  • [Security/Website Interactions] In Website Interaction portals, the Content-Security-Policy no longer requires or allows the data: scheme for images. This was previously used for inline images in the stylesheet. The proactive stricter policy provides stronger protection against various XSS attacks.

  • [Security/Platform] Disabled routing support for the X-Rewrite-Url HTTP header. This could be used for cache poisoning. The header was used by older IIS web servers for URL rewriting. The IIS_WasUrlRewritten server variable should now be used instead. For migrations, legacy IIS support can temporarily be re-enabled using the APP_OPT_IIS_LEGACY_REWRITE option in the framework.config.php file (disabled by default).

  • [Security] The .htaccess-dist example for Apache now excludes the vendor directory from web access.

  • [Security/Templates] In the template service, tightened up the sandbox policy to only allow approved tags.

  • [Security/Portals/Bot Interactions] On bot interaction portals, the bubble icon is now served from a URL rather than a data: URI. This makes it easier to enforce a more strict Content-Security-Policy on third-party websites.