Release announcements, helpful tips, and community discussion


Cerb (8.3.2) is a maintenance update released on March 21, 2018. It includes 19 minor features and fixes from community feedback covering the 8.3 update. You can follow these instructions to upgrade.

  • [Mail] Added a better error message when attempting to reply from a group/bucket with an invalid sender address. An email address should only be assigned to a group/bucket OR a worker. In some environments, the same address was used by both, and the 8.3 migration assigned the address to only the worker. Going forward, this with give precedence to groups/buckets.

  • [Records/Merge/Roles] Fixed an issue with permissions when merging records.

  • [Records/Tickets/Roles] Fixed an issue with merge permissions on ticket profiles.

  • [Security/Project Boards] On project boards, card templates are now only able to display sanitized HTML. This removes scripting. You can use Cerb HTML5 markup to open peeks, searches, etc.

  • [Workspaces/Export] When exporting a workspace tab with worklists, the worklists now properly include the params_required_query field.

  • [Bots/Interactions] When using Cerb’s HTML5 markup to enable bot interactions on a DOM element, interaction parameters are now provided with a single data-interaction-params attribute. The value is a URL-encoded query string of parameters. Previously, each parameter was provided as a separate data-bot-interaction-param-* attribute, which was cumbersome.

  • [Developers/Plugins] When using DevblocksPlatform::purifyHTML(), a new $allow_cerb_markup argument allows Cerb’s HTML5 markup in the result, while stripping all scripting and other disallowed content.

  • [Bots/Prompts] In bot interactions, fixed an issue with the ‘Prompt with images’ action where the (+) button and placeholder options ran together.

  • [Security/Attachments] Implemented an allowlist for attachments that can be displayed in the browser. Everything else will be downloaded, even when ‘Open in browser’ is selected from the download menu.

  • [Bots/Interactions] Admins no longer see worker-owned bot interactions in their menus.

  • [Bots/Debug/Export] Fixed a bug when exporting bots from the /debug menu. If any of a bot’s behaviors had an invalid event, the entire bot was skipped.

  • [Bots/UX/Help] In the bot scripting help popup, there are now links to the official documentation which contain much more information on the topic.

  • [Security/Dashboards] On dashboards, custom HTML widgets can no longer run arbitrary scripts. They are limited to basic HTML and Cerb’s HTML5 attributes. For more complex use cases, switch to ‘Bot behavior’ widgets, which are far more capable and reusable.

  • [Dashboards/Bots] On dashboards, ‘Bot behavior’ widgets can now pass configurable input parameters to the behavior. This makes bot-powered dashboard widgets far more reusable. For instance, a YouTube video widget could prompt for a video ID, while securely embedding the video behind the scenes. This also works for Twitter profile/list feeds, Google Maps, etc.

  • [Security/Platform] Improved the cross-site request forgery (CSRF) protection for all requests. In addition to the session token, the origin and referer headers are compared. This helps mitigate when a token is compromised (e.g. via XSS), but the CSRF request is coming from a third-party domain.

  • [Profiles/Custom Fieldsets] Fixed an issue with custom fieldsets and record links on profiles. If a record included a custom fieldset with a blank record link (of certain types), the rest of the record could be prevented from loading.

  • [Mail/Relay/Performance] Fixed an issue that prevented the proper caching of worker email addresses in mail relays.

  • [Workspaces/Worklists] Fixed an issue on custom worklists where changes to the legacy required filters didn’t update for the current worker.

  • [Extras] Added a cerb-package-exporter.php script to install/extras/impex for exporting entire tickets (meta, messages, attachments) as packages for import into other Cerb instances.