We’ve just shipped v4.3.1, which includes several important security hardening fixes. Please read through the changes below, as a couple of them may require action depending on your setup.
🔒 Security Fixes
1. Restricted @php Blade directive in layouts
Default layouts no longer permit raw @php blocks, to prevent unsanitised input from being executed.
- Haven’t customised the default layout? No action needed — the update applies automatically.
- Have customised the default layout?
- Back up your current layout.
- Delete the existing default layout so the updated version can regenerate.
- Reapply your customisations on top of the new default.
2. Theme and mail layout editors now validate against raw PHP
The in-app theme/mail editors will now reject saves containing PHP code.
- If you need PHP in a theme or mail layout, edit the Blade files directly on disk instead of through the in-app editor.
3. Stripe webhooks now require a signing secret
Webhooks without a signing secret will fail validation and be rejected.
Action required if you use Stripe:
- Copy the webhook signing secret from your Stripe dashboard.
- Add it to the Stripe payment settings in your admin panel.
Upgrading
As always, please back up your site and database before upgrading. If you run into any issues, drop a reply below and we’ll help you out.
Thanks for being part of the community! 🙌