This issue has been fixed in both LocomotiveCMS Engine v3.2.1 and v3.1.2. If you are running Engine v3.0, you should consider upgrading to at least v3.1.2.
This vulnerability was reported by the awesome folks at [Bugcrowd](🔗). Kudos to them!
## Features / Improvements
- authentication system (Devise in Liquid). Read the [Introduction](🔗)
- new page property: display_settings. This allows hiding a page and its children from authors.
- new content entry field type: JSON. It only accepts a Hash.
- add new languages: Catalan, Danish, Finnish, Italian, Japanese, Polish and Russian.
- allow 2 new theme asset extensions: .ttc and .mp4
- redesign the Wagon error page.
- better error message if an error occurs in the action tag (server side JS)
- the callAPI JS action now returns the status of the request
- use the sass and uglifier gems to minify assets
- minify assets when deploying a site with Wagon
- new liquid global variable: http_method
- new built-in JS method for the action liquid tag: redirectTo
## Issues solved
- site locales are strings only (instead of symbols or strings).
- fix issue #1196 (Required text field with markdown formatting causes validation error)
- fix issue #1195 (validation errors on redirect_url for localized sites)
- remove unlisted pages and not visible content entries from the sitemap
- host liquid variable was missing from 2.5.x
- editable_elements in snippets don't break the cache anymore