Merge branch 'release/1.10.20'

CHANGELOG.md

@@ -1,3 +1,10 @@
+# v1.10.20
+## 09/01/2021
+
+3. [](#bugfix)
+    * Fixed regression `Argument 4 passed to Grav\Plugin\Form\TwigExtension::prepareFormField() must be of the type array` [#2177](https://github.com/getgrav/grav-plugin-admin/issues/2177)
+    * Fixed `X-Frame-Options` to be `DENY` in all admin pages to prevent a clickjacking attack
+
 # v1.10.19
 ## 08/31/2021
 

blueprints.yaml

@@ -1,7 +1,7 @@
 name: Admin Panel
 slug: admin
 type: plugin
-version: 1.10.19
+version: 1.10.20
 description: Adds an advanced administration panel to manage your site
 icon: empire
 author:

classes/plugin/Router.php

@@ -67,6 +67,6 @@ class Router extends ProcessorBase
         $this->stopTimer();
 
         // Never allow admin pages to be rendered in <frame>, <iframe>, <embed> or <object> for improved security.
-        return $response->withHeader('X-Frame-Options', 'NONE');
+        return $response->withHeader('X-Frame-Options', 'DENY');
     }
 }

themes/grav/templates/forms/fields/fieldset/fieldset.html.twig

@@ -54,7 +54,7 @@
 
               {% if field.fields %}
                   {% for child_name, child in field.fields %}
-                      {% set child = prepare_form_field(child, child_name, field.name, key) %}
+                      {% set child = prepare_form_field(child, child_name, field.name, {key: key}) %}
                       {% if child %}
                         {% set default_layout = 'text' %}
                           {% if child.type == 'key' or child.key == true %}