⬆️ Update BookStackApp/BookStack to v25.12.9

[renovate]

This PR contains the following updates:

Package	Update	Change
BookStackApp/BookStack	patch	v25.12.2 → v25.12.9

---

Release Notes

BookStackApp/BookStack (BookStackApp/BookStack)

v25.12.9: BookStack v25.12.9

Compare Source

Security Release

• Update Instructions
• Update details on blog

BookStack v25.12.9 has been released.

This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area in some revision views, opening up risk of potential phishing and/or tracking by bad page editors.

We advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to Alex Dan (@​windbreaker555 on GitHub) for their responsible discovery and reporting of this issue.

Full List of Changes

• Updated page revision diffs to use content filtering.
• Updated preference change redirect with stronger origin checks.
• Updated application PHP dependencies.

v25.12.8: BookStack v25.12.8

Compare Source

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed content filtering removing link target attribute, which would impact "New Window" links. (#​6034)
• Fixed content filtering to not remove user references in comments.
• Updated PHP package versions.

v25.12.7: BookStack v25.12.7

Compare Source

This release specifically addresses a scenario, introduced in v25.12.4, where loading the editor of a page, last updated/created by a different user with blank content, would result in an error.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated page document handling to handle empty content instead of throwing an error. (#​6026)

v25.12.6: BookStack v25.12.6

Compare Source

This release specifically addresses issues introduced in v25.12.4, where drawings could become non-editable in certain scenarios due to content filtering rules.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated content filter to allow required drawio diagram attributes. (#​6026)

v25.12.5: BookStack v25.12.5

Compare Source

This release specifically addresses folder permission issues (often showing as an error when attempting to access content) which could occur from changes introduced in v25.12.4.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated filter caching folder handling to avoid server filesystem permission issues. (#​6023)

v25.12.4: BookStack v25.12.4

Compare Source

Security Release

• Update Instructions
• Update details on blog

BookStack v25.12.4 has been released.

This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area, opening up risk of potential phishing and/or tracking by bad page editors.

We advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to SeongYun Moon (@​Moonster8282 on GitHub) for their responsible discovery and reporting of this issue.

Additional Update Notices

• Page Content - As of this release, extra layers of filtering have been applied to page content. While we have tried to ensure this has minimal impact on content, it's possible this will lead to extra elements being filtered.
• Option Change - The ALLOW_CONTENT_SCRIPTS env option is now considered deprecated. It's advised to use the APP_CONTENT_FILTERING option, as documented here, instead if needed.

If you experience issues with your page content being over-filtered feel free to raise an issue on GitHub where we can check if the behaviour is intentional or something which needs to be patched.

You can use the new page content filtering option, with a value of jhf which should match the prior version filtering, but this will remove a layer of content filtering security so is not recommend.

Full List of Changes

• Added new option for more granular page filter control.
• Updated page content filtering to detect extra cases, and to apply a more aggressive allow-list style filter.
• Updated application PHP dependencies.

v25.12.3: BookStack v25.12.3

Compare Source

Security Release

• Update Instructions
• Update details on blog

BookStack v25.12.3 has been released.

This is a security release to address a vulnerability where form elements in page content could be used to trick more privileged users into making API requests.

We strongly advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to Joud Zakharia of zentrust partners GmbH for the discovery of this vulnerability, and thanks to Sven Faßbender of zentrust partners GmbH for their responsible disclosure and great communication of this issue.

Additional Update Notices

• Page Content - As of this release, most types of form content are now removed from page content on render. If you applied customizations which made use of in-page form content, you may now need to find alternative methods.

Full List of Changes

• Updated application PHP dependencies.
• Updated session-based API authentication to only be active for GET requests.
• Updated page content filtering to remove many common form elements & attributes.
• Updated translations with latest Crowdin changes. (#​5997)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.