The 'Clean Azure storage cache' scheduled task failed to clean the local Azure cache if the paths provided via the 'CMSAzureTempPath' or 'CMSAzureCachePath' keys used the '/' (forward slash) separator.

Saving a value in the 'Redirect on unpublish' field on a page's Content tab did not work for projects based on Refresh 12 (version 13.0.142), which had their database recreated using the database creation wizard (e.g., when installing the database after the installation process).

When inserting links into the Rich text editor component for the page and form builder, URLs containing encoded characters (e.g., spaces encoded as `%20`) were encoded again, which could break the URL in some cases.

Using content tree-based routing generated unnecessary SQL queries when 'URL format for multilingual sites' was set to 'Language prefix'. The database was only queried when a URL was accessed for the first time; all following requests for that same path were resolved using the cache.

Hotfix 13.0.187 contains internal infrastructure updates, and does not directly impact Kentico Xperience projects.

Staging task error messages displayed by the system after hotfixing to 13.0.181 now provide more details about the source of the issue.

The new staging logic introduced as part of the authorization bypass vulnerability fix in hotfix version 13.0.178 did not reflect the 'CMSAcceptAllCertificates' and 'CMSStagingAcceptAllCertificates' configuration keys.

If a form's output code included the '<fieldset>' HTML tag (for example added via a custom form builder section), an error occurred when attempting to select a file in a form field using the 'File uploader' component.

During startup, if the application failed to load a referenced assembly whose full file system path was longer than 100 characters, the application raised an unhandled event log-related exception 'Value cannot be longer than 100 characters. (Parameter 'eventCode')' instead of logging the original issue.

Accessing resources hosted in Amazon S3 occassionally resulted in unhandled IO exceptions, which could, for example, cause broken links to images and other resources on the live site.

An error occurred when executing certain scheduled tasks (e.g., 'Recalculate time zone') using the external Windows service.

Unused vulnerable dependency packages were removed from the Page builder and Form builder.

If a page type with inherited fields was imported without the parent type, the originally inherited fields were deleted when the imported type was configured to inherit fields from another type. Applying the hotfix removes the issue from the import process, but existing page types that were affected are not fixed. You need to import them again to ensure that fields behave correctly in this scenario.

When a form was added via the 'Form' page builder widget to a page in a right-to-left culture (for example Hebrew), the form failed to load after the live site application was restarted.

The Windows service that could be used to execute system scheduled tasks externally did not work after applying hotfix 13.0.130 or newer.

Using the 'MapStaticAssets' feature introduced in .NET 9 prevented the Page builder and Form builder from working. After applying the hotfix, the feature is supported.

The system incorrectly HTML encoded certain special characters, such as characters with an accent (á, é, ...), in error messages of form component validation rules. This issue only ocurred after applying hotfix 13.0.160 or newer.

Deleting an email feed (newsletter or email campaign) caused any recipients who were unsubscribed from the specific feed to become unsubscribed from all marketing emails and appear in the email marketing opt-out list. Applying the hotfix prevents the issue from occurring when deleting email feeds, but does not correct the unsubscription status of recipients that were affected.

When the inline toolbar was disabled in the rich text editor through custom configuration, the "Insert image" button in the "Quick Insert" toolbar did not work.

Hotfix 13.0.167 is the Kentico Xperience 13 Refresh 13 release, which represents a larger update than a standard hotfix. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

After selecting a variant as the winner for an A/B tested email, changes made during the test configuration to the variant's 'Preheader' property or 'Plain text' value weren't included in the email sent to the remaining recipients outside of the test group.

When updating a project from version 13.0.141 or older directly to 13.0.161 or newer, an error occurred during the hotfix procedure if the project's data contained one or more categories (defined in the Categories application). Such projects weren't updated correctly, and various category-related errors could occur.

If a media selector (for example a page field using the 'Media selection' form control) stored an image from a media library that was set to use direct paths and was placed in external storage, such as Microsoft Azure storage, the selector's dialog incorrectly displayed the 'Attachments' tab when opened instead of the 'Media libraries' tab.

When the rich text editor component was assigned to a page builder widget property, the 'Insert image' dialog in the editor could open outside of the visible area on the screen if the field’s content spanned more than the viewport height.

When users submit data via a form submission, this data can be mapped to the fields of the associated contact. After applying this hotfix, such actions can no longer be used to change the email address of the current contact. If the contact already has an email address stored in Xperience that doesn't match the new email value, all related field updates are performed for a different contact. Either an existing contact that matches the submitted email value is used, or a new contact is created. In these cases, the user’s associated contact remains unchanged, but any subsequent actions, such as 'Form submission' activity logging and marketing automation processes are performed for the “other” contact that matches the submitted email address.

Databases installed from Setup files hotfixed to version 13.0.155 or newer (via the advanced mode in the hotfix utility) were inconsistent with databases installed and hotfixed to their corresponding version from default Setup files provided by the installer. Most importantly, databases installed via this method were missing certain columns, which could lead to runtime errors in the application. Older versions of the Setup files are not affected. Applying the hotfix SQL script repairs the inconsistencies for databases created from version 13.0.155 Setup files. To fix the installation of new databases, the hotfix must be applied to the Setup files (advanced mode in the hotfix utility). Additionally, applying this hotfix rebuilds the 'View_CMS_Tree_Joined' view - any custom indexes on this view will be lost.

Some browser extensions could interrupt the authentication process between the administration and live site application, which prevented users from viewing certain parts of the administration, such as the preview mode of pages and the page builder or form builder interface.

When multiple categories (site or global) had the same name across multiple sites, updating the display name of one category incorrectly affected the 'CategoryNamePath' database values of the children of the other categories.

In extremely rare cases, using the automated testing support provided by the system could prevent the application from starting.

Hotfix 13.0.153 introduced an invalid 'Content Include' reference into the 'CMSApp.csproj' file, which prevented project deployment. Applying the hotfix removes the invalid reference from 'CMSApp.csproj'.

When more than 12 widgets were available in the Page builder widget selection dialog, widgets without a defined 'IconClass' had their names incorrectly trimmed.

An error occurred when installing the database for a project created from setup files that were updated to hotfix 13.0.80 or newer. This hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility). If you wish to fix the issue for a previously installed project, apply the hotfix to your setup files, and then copy the 'SQL.zip' file from 'Kentico\13.0\Webinstaller\Web\CMS\App_Data\Install' in your setup files and overwrite the same file in the project's 'CMS\App_Data\Install' folder.

Links to thumbnails of videos in media libraries incorrectly linked to the video files instead of the thumbnail images.

The hotfix replaces the usage of certain APIs used during Import/Export with more secure alternatives. This change does not impact the functionality of Import/Export in any way.

After applying the 13.0.147 hotfix, it was not possible to open the page preview in a new browser tab.

After applying the 13.0.147 hotfix, files uploaded through a form couldn't be downloaded on the Recorded data tab in the Forms application.

The 'SetFromCalculationRequest' method from the 'CMS.Ecommerce.DefaultDeliveryBuilder' implementation of the 'IDeliveryBuilder' interface did not reflect the 'itemSelector' parameter in its implementation.

Attempting to upload a file with a name that already exists in the media library resulted in an error if the original file had a thumbnail attached. This issue occurred only in media libraries mapped to Azure storage.

Cloning users with the 'Clone child objects' option enabled didn't clone the user's role assignments.

Media library files mapped to Azure blob storage could show incorrect file timestamps (creation and last modified dates) under certain circumstances.

The hotfix updates the WYSIWYG editor used by the administration interface to version 4.24.0.

The 'CMS.Base.ContextUtils' class was introduced into the public API. The class’s 'PropagateCurrent' and 'ResetCurrent' methods allow developers to propagate or clear the system’s ambient context, such as the database connection, when executing asynchronous or parallel code, for example using 'Task.Run'. See the hotfix instructions in the documentation for more information.

When running the Xperience administration and live site applications on different domains, 'SameSite=None' cookies must be configured to enable 'preview mode' and its related features like the page builder. The hotfix ensures the system cookies used for the preview mode have the 'Partitioned' attribute set. This way, the preview mode will remain functional in browsers that block third-party cookies. For example, the Google Chrome browser plans to block third-party cookies in Q3 2024.

The hotfix updates the 'Microsoft.Rest.ClientRuntime' dependency to version 2.3.24 and 'Jquery.Validation' dependency to version 1.19.5.

Custom HTML elements surrounding Page builder widget zones in the administration were incorrectly removed in certain cases. The issue was present only after applying hotfix 13.0.43 or later.

The hotfix updates the 'Nuget.Packaging' dependency to version 5.11.6.

Retrieving data via REST with hash parameter authentication and having the 'Allow sensitive fields for administrators' setting enabled always returned HTTP 401 (Unauthorized) and logged a null reference exception to the event log.

The semicolon character was not set as the default value of the 'Options value separator' setting in the Form builder for the 'Radio buttons', 'Drop-down list' and 'Multiple choice' selector form components.

The HTML sanitizer in the Rich text editor component for page and form builder removed all entered CSS '@media' rules. Additionally, if a '<style>' tag was added as an allowed HTML tag and content of the editor for rich text fields was rendered in the page or form builder, the '<style>' tag was removed from the resulting HTML content.

Fixed a vulnerability in the Page and Form builder dependencies.

Usage of deprecated DOM mutation events triggered warnings in the browser console in certain parts of the Page builder UI. The events were replaced by the 'MutationObserver'. This change does not impact the existing public API.

Hotfix 13.0.142 is the Kentico Xperience 13 Refresh 12 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

An option selected in the 'Multiple choice' selector form component was not persisted in the system if the option's value contained a semicolon.

Selector form components (e.g., 'Radio buttons', 'Drop-down list' or 'Multiple choice') didn't display their options correctly if the option text contained a semicolon. If you want to use semicolons in the options text, configure a different separator using the new 'Options value separator' setting in the Form builder (or using the new 'DataSourceValueSeparator' property when adding editing components in code).

<p>The hotfix introduces a feature to improve the protection of image file request endpoints. See the hotfix instructions in the documentation for more information.</p>

A form set to reload after submission was repeatedly wrapped by an additional 'div' element after each refresh (form submission or a failed field validation). This occurred only when the use of JQuery was disabled for the form and page builder by setting the 'CMSBuilderScriptsIncludeJQuery' key to 'false'.

The hotfix temporarily hides the security notification displayed by the WYSIWYG editor used by the administration interface.

Accessing a former URL of a page with a query string parameter caused a loop of redirects and resulted in an error.

The scroll bar was not available in the Page selector editing component used in a widget when the page selected as root had a large number of subpages.

The hotfix updates the following NuGet dependencies: 'Microsoft.IdentityModel.JsonWebTokens' to version 6.35.0, 'System.IdentityModel.Tokens.Jwt' to version 6.35.0, 'System.Data.SqlClient' library to version 4.8.6, 'Nuget.Packaging' library to version 5.11.5, and 'Microsoft.AspNet.Identity.Owin' library to version 2.2.4.

When implementing page templates with a custom model, it was not possible to manually pass data to the template view using ViewBag or ViewData.

Widgets with very long names were displayed incorrectly in the page builder widget selection dialog after applying hotfix 13.0.131 (Kentico Xperience 13 Refresh 11).

The system did not serve the minified 'systemFormComponents.min.js' file correctly in the page builder scripts for the Form widget.

The Salesforce integration was extended to support OAuth 2.0 authorization flows that require the Proof Key for Code Exchange (PKCE) Extension. This option can now be enabled in the configuration of the connected Salesforce App.

The hotfix updates the WYSIWYG editor used by the administration interface to version 4.22.1 as a prevention against vulnerabilities present in older versions.

The hotfix updates the Froala editor to version 4.1.4. For example, the editor is used in the 'Rich text' page builder widget.

The 'Recently used widgets' section of the page builder widget selection dialog could display incorrect results after using the dialog's search feature.

The section selection dialog in the Page and Form builder interface was displayed incorrectly if the total number of available sections was more than 12.

Resizing images inserted into the editor for rich text fields did not work correctly. Additionally, resizing options for images from the web were incorrectly hidden after applying Refresh 10 (hotfix version 13.0.115 and later).

The widget selection dialog in the Page builder interface was displayed incorrectly if the total number of available widgets was more than 12.

Hotfix 13.0.131 is the Kentico Xperience 13 Refresh 11 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

The hotfix updates the 'HtmlSanitizer' dependency of the 'Kentico.Xperience.AspNetCore.WebApp' and 'Kentico.Xperience.AspNet.Mvc5' packages from version 5.0376 to 8.0.723.

When managing contacts within a marketing automation process that had a large number of steps (15 and more), the 'Move to specific step' action did not display all available steps correctly.

The error "Could not load file or assembly 'Microsoft.Extensions.FileProviders.Abstractions, Version=3.1.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60' or one of its dependencies" could occur when importing pages with certain configurations using the 'Kentico Xperience Import Toolkit'. To fix this issue, you must apply the hotfix to Kentico setup files.

The hotfix removes .NET Core 3.1 support from all Kentico libraries used to develop ASP.NET Core live site projects. When upgrading ASP.NET Core live site projects that target .NET Core 3.1, you must first retarget to .NET 6.0 (the current minimum supported version) and then update the Xperience NuGet packages.

If a 'gif' file was retrieved and resized on an ASP.NET Core live site project, the image was not displayed and an error occurred. After applying the hotfix, resizing of gif images is still not supported, but the original file is displayed even when resize parameters are applied.

If a contact group had one or more accounts assigned, the 'Contacts' tab in the Contact groups application could display contacts who did not actually belong to the group. The issue only affected the contact group UI, not features working with the contacts in the group (e.g., automation or email marketing).

The Instructions.html file provided with a package submitted for translation did not contain information about the user who submitted the request. This also resulted in event log errors when working with the submission.

If a localization expression was added into the 'Form display name' field of a form, the value was not resolved in the form selector displayed by the 'Form' widget in the page builder UI.

On projects that contained a very large number of pages and had the alternative URLs feature enabled, performance issues and timeouts could occur when adding new pages or alternative URLs. Applying the hotfix improves the performance of the alternative URL collision check, which mitigates these issues.

The hotfix updates the SkiaSharp dependency of the 'Kentico.Xperience.ImageProcessing.KX13' library from version '2.88.3' to '2.88.6'.

The system incorrectly calculated daylight savings time shifts for time zones in the southern hemisphere (e.g., Canberra, Melbourne, Sydney). The issue impacted, for example, scheduled publishing of content.

If a visitor accessed a former URL of a page on a site with one or more domain aliases, the system always used the site's main domain name when redirecting to the current URL. After applying the hotfix, former URL redirects preserve the currently active domain name.

Visitors who had a preferred language different than the site's default content culture set in their browser were not able to change the culture on the home page under special circumstances (enabled content tree-based routing, language prefix URL format, hidden language prefixes for default culture URLs, visitor's culture set to automatic).

Depending fields of a field with a drop-down form control that had the 'Allow edit value' property enabled were not refreshed when the value in the drop-down changed.

Object filtering for objects of the 'cms.settingskey' and 'cms.settingscategory' types was not being processed correctly, which caused the system to ignore filtering directives targeting these objects in 'repository.config' files.

It was not possible to submit a form containing the 'File uploader' component when the component was set as 'Required' and at the same time hidden by a visibility condition that depended on the value of another field.

Import of contacts from a CSV file in the Contact management application failed if an imported value exactly matched the maximum allowed length for the given contact field. For example, the problem occurred when importing a text value 50 characters long into the 'ContactJobTitle' field, which allows 50 characters.

In certain rare cases, an error (null reference exception) occurred when deleting Info objects with enabled hash table caching. Such an error could interrupt the flow of threads, etc. For example, the problem could occur in certain cases when the system merged (and deleted) contacts.

A dependency conflict error occurred when running scheduled tasks using the external Windows service. The issue occurred only after installing hotfix 13.0.110 or newer.

The media files selector for page builder components had limited performance due to loading all files within a folder every time it was opened. After applying this hotfix, media files are cached and pagination was introduced to improve the performance.

White images with a transparent background were not visible in the selection dialogs of the media files and attachment selectors for page builder components. After applying the hotfix, images are displayed with a subtle border in the selection dialogs.

Hotfix 13.0.115 is the Kentico Xperience 13 Refresh 10 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

When attempting to copy any widget in the page builder interface containing invalid or deprecated HTML (e.g., a 'Rich text' widget with HTML inserted using the 'Code View' feature), errors were logged in the JavaScript console and the widget was not copied. After applying the hotfix, the widget is copied, but a preview thumbnail is not available when inserting the widget.

Fields with a very long label text were displayed incorrectly in the Form builder interface. After applying the hotfix, long label texts break to a new line instead of appearing under the field's input component.

Calling `MembershipContext.AuthenticatedUser` within the live site application could have returned the anonymous 'public' user instead of the currently signed-in user. The issue occurred if the 'KenticoEventLog' application logger's 'LogLevel' was set to 'Information' or lower (more verbose) via the application settings (e.g., within appsettings.json).

After saving a form data record on the 'Recorded data' tab in the Forms applications, stored values were always cleared for hidden form fields (e.g., fields with their 'Visibility' set to 'Never'). This caused lost data in scenarios where hidden form fields were filled in using custom code or other form components.

A dependency conflict error occurred when installing any NuGet package into the 'CMSApp' administration project. The issue occurred only after installing hotfix 13.0.110 or newer.

It was not possible to dynamically set and update the values of component properties based on other properties, e.g., clearing a dependent field when the value of a property set as dependency changes. See the hotfix instructions for more information.

The 'Alternative URLs' functionality in the 'Rewrite' mode did not work when using minimal APIs to initialize the application.

Usages of the deprecated 'onKeyPress' event were replaced with the 'onKeyDown' event in the code of the system's page builder components. This change does not impact the existing public API.

The A/B test variant selection dialog in the Pages application did not work. The issue occurred only on new projects created using the updated installer released for Kentico Xperience 13 Refresh 9 (released March 23, 2023).

If a non-required field of a Salesforce object (for example a Salesforce lead) had an empty value, an error occurred when retrieving data from entities of this type. For example, this could occur when synchronizing data from Salesforce leads to Xperience contacts or when retrieving data using the 'SelectEntities' Salesforce integration API.

The HTML sanitizer in the Rich text editor component for the page and form builder, introduced in hotfix 13.0.89, removed HTML tags from the content even if the tags were allowed in the editor configuration. This hotfix introduces new configuration keys to customize the set of allowed tags and attributes. See the hotfix instructions for more information.

When previewing unpublished pages using the 'Show preview' feature on the 'URLs' tab in the Pages application, links to other unpublished objects (e.g., page attachments) did not resolve correctly.

Forms with a validation rule or visibility condition that depended on another field did not work correctly in preview mode or when using a 'Show preview' link. When the form was refreshed due to a field dependency, it disappeared (on sites using the ASP.NET Core development model) or the "Antiforgery token validation failed" error occurred (on ASP.NET Framework MVC 5 sites).

Media files usage tracking did not correctly track files from media libraries with the 'Use direct path for files in content' setting enabled. The issue only occurred if the media library was mapped to external storage.

Changes made to content always generated Azure search tasks even if no Azure search indexes existed in the system.

Scrolling did not work correctly in the Page selector dialog for page builder component properties. The issue occurred after applying hotfix 13.0.105 or newer.

After applying hotfix 13.0.91 or newer, the 'Redirect to URL' field of the 'After the form is submitted' options on a form's General tab did not allow values starting with the URL fragment character (#). This prevented redirects to a specific anchor on the page containing the form, using e.g., '#success' as the redirect value.

Resized images (e.g., retrieved from media libraries) were not displayed on the live site for Linux deployments of ASP.NET Core projects. To resolve the issue, developers need to install the 'Kentico.Xperience.ImageProcessing.KX13' NuGet package into the live site project. The package uses the 'SkiaSharp' library to process images. Deployments on Windows servers are not affected by this issue. See the hotfix instructions for details.

Media files usage tracking did not work for custom tables that were created using an existing database table with a primary key column named differently than 'ItemID'. Errors occurred when the custom table's items were added or updated.

It was not possible to use the Salesforce integration API in the code of live site applications with the ASP.NET Core development model. A 'NotSupportedException' occurred when creating the 'SalesForceClient' object.

The 'GlobalObjects.BizForms[form class name].Items' macro cached the form data without using the correct cache dependencies. As a result, the values in the returned collection were not refreshed if the form's data records were updated between resolutions of the macro.

If an unsupported image type (e.g., an SVG file) was uploaded to a media library, an error was displayed when editing and saving the file's metadata (i.e., the file's name, title or description). Additionally, staging of such files did not work. After applying the hotfix, such files are still not supported as images, but editing of file metadata and staging works correctly.

The user-defined table type 'Type_OM_OrderedIntegerTable_DuplicatesAllowed' used by the Xperience database installation scripts was not defined correctly. In rare cases, this could have caused issues when recalculating online marketing activities.

Bounced email monitoring didn't work if the POP3 settings had the 'Authentication type' set to 'OAuth 2.0' and the 'Password' setting was empty. After applying the hotfix, the password is no longer validated in this scenario, since it is not used for OAuth authentication.

Hotfix 13.0.104 is the Kentico Xperience 13 Refresh 9 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

Images added in the 'Code View' mode of the 'Rich text' widget's editor using the 'url()' CSS function were not displayed on the live site or in the page builder.

In the 'Pending pages' application, the 'Navigate to page' preview button did not work correctly for users with certain special characters in their username (e.g., an '@' sign). The action resulted in a 403 error.

Under certain circumstances, an error could occur when emptying the Objects recycle bin. For example, the issue could occur when emptying a recycle bin that contained items deleted by a user that no longer existed.

The context of the current page was not preserved correctly if it was accessed via the 'IPageDataContextRetriever' service within a custom middleware component, which could break other functionality that relied on the page context. This could result in invalid page builder requests and prevent certain functionality from working, e.g., switching page templates.

On ASP.NET Core sites, page builder widgets that had output caching disabled consumed unnecessary memory, and the application did not clear this memory correctly.

The hotfix utility incorrectly added file references ('Content Include' statements) for sample site assets to the project file of the Xperience administration project (CMSApp.csproj). To fix the issue, this hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility). After applying this hotfix, the utility no longer adds the unnecessary references. However, if the CMSApp project already contains the references from previous hotfix applications, they will not be deleted. You can remove the extraneous files manually - see the hotfix instructions for a full list.

When using setup files with hotfix 13.0.94 (Refresh 8) or newer applied, attempting to run the hotfix utility from the command line with the '/deploy' parameter did not work and resulted in an error. To fix the issue, this hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility).

Search indexes did not index the content of the 'Rich text' page builder widget correctly. The last word of a paragraph and the first word of the next paragraph were not separated and were indexed together as one word (i.e., "lastfirst" instead of "last" and "first").

After applying hotfix 13.0.81, 'frame-ancestor' CSP directives set in custom code (e.g., via a custom middleware) could collide with the CSP set by the system. After applying this hotfix, the system automatically overrides all custom CSP directives with the required configuration.

Decimal values set for the reCAPTCHA v3 'Score Threshold' or the 'Minimum confidence' setting for Image recognition were interpreted incorrectly in certain cultures, depending on the culture's decimal separator character. For example, the problem could prevent reCAPTCHA validation from working correctly if the score threshold value was set under a different UI culture than the content culture of the page containing the resulting form. After applying the hotfix, stricter requirements are applied to the format of 'double' type setting values - thousand separators are no longer supported.

After applying hotfix 13.0.85, the system could generate search indexing tasks that were not required by any index. This hotfix optimizes the process of generating search indexing tasks to limit the number of redundant tasks.

The hotfix updates many project files to the SDK-style format. This change only affects customers with source code projects. See the source code hotfix instructions to learn about the potential impact on your code base.

The WebApp.sln solution displayed warnings related to version conflicts of the System.Text.Json and Azure.Core assemblies.

An error occurred when searching in the Settings application if one of the search results belonged to the 'reCAPTCHA v2' or 'reCAPTCHA v3' settings category. The issue occurred after applying hotfix 13.0.94 (Refresh 8).

The hotfix introduces new 'CMS.EmailEngine.ISmtpClientFactory' API that enables developers to modify the configuration of the system's SMTP client. This API is primarily intended for advanced environments with specific requirements.

When a site's Administration domain name was set with at least one uppercase letter and the 'Enforce lowercase URLs' settings was enabled, the domain was not recognized due to case comparison, which prevented certain features in the administration from working. For example, the problem affected the Page and Form builder or the Preview functionality of pages.

Kentico Xperience instances hosted in Linux environments could encounter exceptions when accessing resources from the Amazon S3. This would occur, for example, when accessing media library files stored in the Amazon S3.

Under certain conditions, the system may not have always indexed the latest published changes to page builder content that modified the resulting HTML output of the page. This issue affected indexes of the 'Pages' type whose 'Data source for indexing' was set to either 'HTML output' or 'Both' (where a web crawler was used to index HTML content).

The scheduler feature used only the main domain name and presentation URL of a site when attempting to process scheduled tasks in local environments. This caused the scheduler to not function correctly for applications run using a specific port (e.g., when launched using IIS Express), making it difficult to test custom scheduled task implementations. The hotfix introduces two new configuration keys that facilitate local scheduled task development. See the hotfix instructions for details.

Hotfix 13.0.94 is the Kentico Xperience 13 Refresh 8 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

The HTML sanitizer in the Rich text editor component for the page and form builder removed 'href' attributes containing 'mailto' links from <a> tags. The issue occurred after applying hotfix 13.0.89 or newer.

The hotfix optimizes application memory usage when using the search results highlighting API.

On instances containing two or more sites with the same culture, the 404 response returned after accessing a URL slug without an existing page was incorrectly cached, which caused a 404 response on other sites where a page with the same URL slug existed.

The 'Content' tab in the 'Pages' application incorrectly prompted users with an "Unsaved changes" dialog when leaving the page even when there were no actual changes to page content. The issue occurred when the page contained macro expressions with string parameters inside rich text content.

Hotfix 13.0.89 introduced HTML sanitization of content in the Rich text editor component for the page and form builder. This sanitization can result in modified or broken HTML code, for example when adding content via the editor's Code View option (see the hotfix instructions for details). After applying this hotfix, the sanitization additionally allows 'ID' and 'data-*' attributes.

The title of the file selection dialog was not displayed correctly due to a missing resource string, for example when selecting the file for a new form control in the Form controls application.

Values containing macro expressions were rejected as invalid when added to the 'Redirect to URL' field of the 'After the form is submitted' options on a form's General tab. The issue was caused by validation introduced after applying hotfix 13.0.75 or newer.

Installing the database directly to an Azure SQL server could result in a connection timeout error for database tiers with lower performance.

Calling `MembershipContext.AuthenticatedUser` within the live site application always returned the anonymous 'public' user instead of the currently signed-in user. The problem could also affect other parts of the system's functionality that used this API internally. The issue occurred after applying hotfix 13.0.86 or newer.

Calling the 'IPageDataContextRetriever.TryRetrieve' method resulted in an unhandled exception if the page data context could not be initialized, instead of returning a false value.

Hotfix 13.0.84 incorrectly removed support for .NET Core 3.1 from the Xperience NuGet packages. The change made it impossible to upgrade projects targeting .NET Core 3.1 to the Refresh 7 release. This hotfix returns support for .NET Core 3.1 back into the Xperience NuGet packages.

On multilingual sites with content tree-based routing enabled and the 'URL format for multilingual sites' setting set to 'Domain', the system incorrectly cached the 404 response returned when a visitor accessed a URL slug that was not available for any page in the selected culture. The cached 404 response was then returned when accessing the same URL slug under the domain of a culture where the page existed. The problem persisted until the application's cache was cleared. This issue occurred after applying hotfix 13.0.74 or newer.

Cache invalidation didn't work correctly for the data of linked pages retrieved and cached using the 'IPageDataContextRetriever' API. As a result, changes made to a page were not reflected for linked pages until the application's cache was cleared.

For projects targeting .NET 6.0, using the Thai (th-th) content culture for a site caused the live site to crash with an unhandled 'OutOfRangeException' error.

Page, Path, Media and Attachment selectors for page builder components did not preserve any order of the selected items. After applying the hotfix, the items are stored in the order in which they were selected.

In certain scenarios, the first request after an application start incorrectly set the site's content culture for subsequent visitors (the culture was incorrectly detected and cached based on the 'Accept-Language' request header). For example, the problem occurred for the site's default culture when using content tree-based routing with language prefixes and the 'Hide language prefix in default culture URLs' setting enabled.

If the Rich text editor for the page builder had a custom toolbar configuration with the 'toolbarInline' option disabled, enabling the 'toolbarSticky' option didn't work. The toolbar didn't remain displayed at the top of the editing area when scrolling down in the content.

A new 'Settings -> Content -> Media -> Enable media files usage tracking' setting was introduced, which makes it possible to disable the media files usage search index. Disabling the index can improve performance for projects where viewing media file usage is not required.

Getting the URL of a media file using the 'IMediaFileUrlRetriever.Retrieve' API always generated the file's 'DirectPath' URL, even when it was not required or used. When storing media files on Azure storage, this resulted in unnecessary requests to Azure.

When the 'CMSMVCResolveRelativeUrls' configuration key was set to 'false' for the live site application, selector dialogs for page builder component properties did not work. For example, if a widget had a property using the Page selector component, attempting to select a page displayed an empty dialog.

Hotfix 13.0.83 is the Kentico Xperience 13 Refresh 7 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

For system resource strings containing formatting parameters (e.g. 'Hello, {0}.'), overriding the string in the Localization application or a custom resource file caused errors if the new value had a different number of formatting parameters. After applying the hotfix, a warning is instead logged to the Event log when the system attempts to use such resources.

An error occurred when installing new projects from setup files that were updated to hotfix 13.0.80 or 13.0.81. To fix the issue, this hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility).

The hotfix updates the used Froala editor to version 4.0.14. For example, the editor is used in the 'Rich text' page builder widget.

The cookie policy detection mechanism, which shows a notification message in cases where page builder content cannot be displayed due to blocked third-party cookies, had an incorrect 'X-Frames-Options' header set for the response. This combination of the header and its value is now deprecated in modern browsers. After applying the hotfix, the 'content-security-policy' header is used instead to provide the same security measures.

Many email services are deprecating support of basic authentication via a username and password (for example Microsoft Exchange Online). The hotfix introduces an alternative way to connect to email servers using OAuth 2.0 token-based authorization. OAuth support covers both SMTP servers and mail servers for monitoring bounced emails (using POP3). By default, the system includes an OAuth provider for Microsoft Exchange Online - other services require implementation of a custom provider. The hotfix adds the 'MailKit 3.3.0' NuGet package to both the administration and live site projects, which may cause conflicts if your projects contain custom functionality using other versions of this package. See the hotfix instructions for details.

If a user's screen was kept locked past the session expiration configured for the administration application, the 'Unlock' and 'Sign Out' buttons did not work, and a full page refresh was necessary.

The Bootstrap JavaScript library used in the administration interface was updated to v3.4.1 due to security vulnerabilities contained in the previous version.

Errors were logged into the system's event log when requests were aborted by a client (i.e., when the application canceled a task). This could result in a large number of unnecessary errors in certain environments. The issue occurred after applying hotfix 13.0.68 or newer.

If the application had a separated database for on-line marketing data, running mass actions for contacts in the 'Contact groups' or 'Scoring' application caused the system to generate large and ineffective queries. This could lead to performance issues on sites with a large number of contacts, for example after starting an automation process for all contacts in a group.

For pages whose page type did not have the 'URL' feature enabled, the Preview mode in the Pages application displayed empty content and a JavaScript error occurred. After applying the hotfix, a message explaining the situation is displayed instead.

Custom 'IDataProvider' implementations were not used for all database operations performed by the system. For example, certain activity logging actions did not reflect such customizations. After applying the hotfix, all database operations use the custom data provider, with the exception of actions that occur when separating or rejoining the on-line marketing database.

Automation processes with 'Process recurrence' set to 'If the same process is not already running' or 'If the process has not run before' could incorrectly start multiple times for the same contact if actions that triggered the process were performed repeatedly within a short time period.

Using numeric values that differ only in the first digit (e.g., 100, 200, 300) in the 'Radio buttons' form component's options generated input elements with identical IDs. As a result, users were unable to switch between the options. After applying the hotfix, a unique string is appended to each input's ID. The issue occurred after applying hotfix 13.0.70 or newer.

If the 'WithPageUrlPaths' parametrization method was used for DocumentQuery API calls together with a restricted list of retrieved data columns (e.g., using the 'Columns' method), the system did not automatically include required columns from the 'PageUrlPath' table, which could lead to errors.

On sites with content tree-based routing enabled, the system encountered performance issues when executing multiple requests to non-page routes (e.g., 'getattachment' or 'getmedia' file requests). This was noticeable, for example, when displaying thumbnails in the media file selector. The performance issues were caused by excessive database queries and cache entries.

Hotfix 13.0.73 is the Kentico Xperience 13 Refresh 6 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

The editing interface for custom scheduled tasks never displayed the 'Use external service' property.

Views of pages with a running A/B test generated an unnecessary number of 'cacheurltopagemapper' keys in the application cache when the page URL contained differences in the query string. After applying the hotfix, the cache key contains only the page URL without the query string.

On sites with content tree-based routing enabled, the system encountered performance issues when executing multiple requests to non-page routes (e.g., media library files or custom API endpoints). This was noticeable, for example, when displaying thumbnails in the media file selector. The performance issues were caused by excessive database queries and cache entries created for each non-page request. Note: This fix causes page builder errors in certain cases, for newly created pages or after changing a page's URL. We recommend applying a newer hotfix or refresh.

The media files usage tracking feature used up a significant portion of the available memory on sites with large amounts of data that could contain media files (pages, custom tables, or other system objects). The issue occurred when rebuilding and updating the 'Media files usage' local search index used by the feature. The hotfix improves the processing performance and reduces the memory usage of the index.

When consent agreements are added via the 'IConsentAgreementService' API, the system caches the agreement objects. If an agreement was then revoked using the 'IConsentAgreementInfoProvider' API, the agreement status was not flushed from the cache correctly. The hotfix ensures correct cache invalidation for 'IConsentAgreementInfoProvider' actions, however in most scenarios we recommend adding and revoking consent agreements via 'IConsentAgreementService'.

Using spaces in the values of the 'Radio buttons' form component generated elements with IDs containing spaces, which violates the HTML5 specification. After applying the hotfix, spaces are replaced by underscores in element IDs.

In special cases, recalculations used to update dynamic contact groups caused gaps in the identity column (primary key) of the 'OM_ContactGroupMember' database table. On sites with very heavy traffic, this could lead to overflow errors and contacts were not added to contact groups correctly. The problem occurred in cases where a contact group condition contained a custom macro rule with a registered macro rule translator returning a query with an OR operator.

The system incorrectly streamed data into the application memory when serving non-HTML content. This could lead to heavy memory allocation when returning large files or other types of data in action results. For example, the problem occurred for the default file handlers, such as '/getresource' and '/getmedia' or for custom endpoints that returned file content. The hotfix optimizes this type of memory usage for ASP.NET Core projects. Additionally, the hotfix introduces the 'DisableUrlResolutionAttribute', which developers can use to disable memory allocation for custom controller actions that return non-HTML content (e.g., PhysicalFileResult).

The 'Check Spelling' feature in the 'Full' toolbar of the administration's rich text editor no longer works and causes the editor to freeze, which can lead to lost content changes. The hotfix removes the option from the editor, as the third-party plugin responsible for the feature is deprecated and has reached end-of-life. The SCAYT (Spell Check As You Type) feature remains without changes.

When viewing files in the Media library application, URLs containing the direct file path were encoded incorrectly and the displayed URL was invalid. For example, the problem affected files in media libraries using Azure Storage. The issue occurred after applying hotfix 13.0.64 (Refresh 5).

If the administration application was unexpectedly restarted while processing an integration task, the task was indefinitely evaluated as running, which prevented further integration tasks from being processed.

If the UI personalization feature was enabled, the 'Contacts' view mode on the 'Process' tab of a process in the Marketing automation application was not accessible for users without the 'Administrator' privilege level (even if the user's roles had sufficient permissions and the corresponding element allowed in the UI personalization settings).

Thumbnail images could not be uploaded for media library files when using Microsoft Azure Blob storage. The issue occurred after applying hotfix 13.0.10 or newer.

Marketing automation processes with 'Time-based' triggers could get stuck when the trigger started the process for a large number of contacts. A stuck process remained in an action step (such as 'Send marketing email) and did not continue for the given contact.

Default cache dependencies were not configured automatically when loading pages using the 'IPageRetriever' service in cases where the developer enabled caching without explicitly setting the 'Dependencies' of the 'IPageCacheBuilder' expression. After applying the hotfix, the service automatically adds the default dependencies for the cached data (default dependencies include the retrieved pages and their page types).

Changes made to the 'System -> Files -> Check attachments permissions' setting were not reflected on the live site until the application's cache was cleared.

Hotfix 13.0.64 is the Kentico Xperience 13 Refresh 5 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

Authentication hash parameters generated for REST service URLs with the HTTPS schema were invalid. The resulting requests failed to authenticate and returned the 401 Unauthorized status code.

When using the Import toolkit utility to add a new culture version to an existing page, the import incorrectly replaced one of the page's existing culture versions instead of creating a new version. To fix the issue, the hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility).

If a marketing email recipient viewed an email in a client that blocked images used for open tracking, and then clicked on a tracked link in the email content, the system logged the open statistic for the email, but didn't log the 'Opened marketing email' activity for the given contact. This could lead to marketing data inconsistencies between the email statistics and the activity log. After applying the hotfix, email open activities are logged when the action is recognized through a link click (depending on the site's consent requirements and the cookies stored in the browser where the recipient opens the link).

Selecting a file in a media selection dialog that was limited to a specific media library made it impossible to select files in other media dialogs that were limited to a different library. For example, the problem could occur when editing pages with two fields based on the 'URL selector' form control, each with a different media library selected in the form control's 'Available site libraries' setting.

For pages with fields based on the 'Rich text editor' form control, notifications about unsaved changes were incorrectly displayed twice on the 'Content' tab in the Pages application.

Moving a page to another location in the content tree did not clear the page's original parent from the cache.

Products (SKUs) with very long names were displayed incorrectly when creating or editing orders in the 'Orders' application.

When using the 'IPageRetreiver' API to load and cache page content, the caching did not work in cases where the expiration period was not directly specified in the code, and the system's default 'Cache content (minutes)' setting had a value of 60 or more minutes.

In certain cases, the system licensing incorrectly evaluated web farm availability for localhost environments, causing synchronization issues. The problem could occur in setups containing only domain-specific licenses.

On ASP.NET Core sites with external authentication (e.g., Azure AD) enabled for the entire live site, authentication didn't work correctly for virtual context URLs in the administration. As a result, related parts of the administration, such as the Preview mode of pages and the page or form builder interface, did not work unless users were already authenticated on the live site.

When using the 'Automatic' web farm mode, deleting a 'Healthy' or 'Transitioning' web farm server via the 'Web Farms' application caused synchronization issues within the environment. After applying the hotfix, it is no longer possible to delete 'Healthy' and 'Transitioning' web farm servers if using the 'Automatic' mode. Only servers with the 'Not responding' status can be deleted.

In rare cases, an exception that occurred when launching the Scheduler Windows service masked a different exception, resulting in a misleading error message logged in the Windows Event Viewer. To fix the problem for new installations in the future, also apply hotfix 13.0.60 or newer to your Xperience setup files.

Automatic generating of alternative text for images using the Microsoft Azure Computer Vision image recognition did not work for images inserted into the content of a 'Rich text' widget in the page builder interface. The problem only occurred when the 'Enable on-line marketing' setting was disabled.

Localization of a form's 'After the form is submitted' values ('Display text' or 'Redirect to URL') using resource strings on the 'General' tab of the form's editing interface did not work correctly. When the form was displayed on the live site using the 'Form' widget, the English version of the text was always displayed instead of using the current page's culture.

If the 'WithPageUrlPaths' parametrization method was used for DocumentQuery API calls together with a restricted list of retrieved data columns (e.g., using the 'Columns' method), the system did not automatically include the 'NodeSiteID' column, which is required for certain scenarios. For example, this could lead to errors when retrieving the absolute URL of the loaded pages.

If the Rich text editor for the page builder had a custom toolbar configuration with the 'toolbarInline' and 'toolbarVisibleWithoutSelection' options enabled, the cursor jumped unexpectedly to other occurrences of the editor when working with multiple editors on the same page. For example, the problem could occur on pages containing multiple 'Rich text' widgets. The hotfix updates the used Froala editor to version 4.0.8.

The 'Dynamic text' dialog in the Rich text editor component for the page builder didn't work in certain cases. The problem occurred on pages containing multiple editors (e.g., several 'Rich text' widgets in the page builder), if the 'Enable on-line marketing' setting was disabled.

The cache debug did not correctly process certain types of cache items related to objects available only on the side of the live site application. As a result, these cache items were missing on the 'Live site' tab of the cache debug in the administration.

Automated unit tests created using the 'Kentico.Xperience.Libraries.Tests' NuGet package did not work in projects targeting the latest .NET 6.0 release. Running tests inheriting from the 'CMS.Tests.UnitTests' base class resulted in an error.

If the 'WithPageUrlPaths' parametrization method was used for DocumentQuery API calls together with a restricted list of retrieved data columns (e.g., using the 'Columns' method), the system did not automatically include required page columns, which could lead to errors.

Video or audio multimedia files inserted into rich text page fields were not displayed correctly on the website. The problem affected pages fields based on the 'Rich text editor' form control when media was added via the 'Insert image or media' or 'Quickly insert media' button. The generated markup contained the deprecated '<object>' element, which is no longer supported by current browsers.

The 'Generate preview link' button on the Properties > URLs tab in the Pages application did not work correctly and could not be used to invalidate the previous preview link for the page.

After editing the properties of a page template for pages under workflow with check-in/check-out enabled, the changes were not displayed immediately on the Page tab in the Pages application after the page was saved. The problem was caused by incorrect clearing of cached template property values, and the page was displayed correctly on the live site or after a full reload in the administration.

The validation process for media library folder names was too complex and could cause the administration interface to freeze. The problem occurred when creating a folder in a media library if the folder name was long and contained invalid characters.

The hotfix improves the performance of 'Buy X Get Y' discounts with buy conditions based on product sections. The evaluation of such discounts was slow for shopping carts containing a large number of products.

Alternative URLs of a page didn't work correctly after the URL slug was changed for one of the page's ancestors in the content tree. The original cached alternative URLs were not invalidated correctly, so the problem persisted until the application's cache was cleared.

The default value of form components was initialized incorrectly. This caused an error for form components that had a non-nullable data type (e.g., value types such as 'int' or 'bool') in cases where a default value was not assigned.

If a product had multiple culture versions, certain properties, such as the 'Product name', 'Description' and 'Short description' couldn't be cleared to an empty value for the non-default culture. The product incorrectly used the value from the default culture version instead of the empty value.

Hotfix 13.0.52 is the Kentico Xperience 13 Refresh 4 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

It was not possible to edit widget properties via the configuration dialog (cogwheel icon). Attempting to save any changes resulted in an HTTP 403 (Forbidden) error. This issue only occurred when the live site was deployed in Linux environments.

Under rare circumstances, accessing the 'License keys' application resulted in an error, making it impossible to manage product licenses.

The system's reCAPTCHA form component did not support communication via the TLS 1.3 protocol. If the live site application was configured to use TLS 1.3, forms containing the reCAPTCHA component could not be submitted and the component itself returned a 'The reCAPTCHA server is unavailable' validation error.

It was not possible to change the domain name suffix of requests generated by the system for Azure search services (e.g., 'myazuresearchservice.search.windows.net'). The majority of commercial search services are hosted on the 'search.windows.net' domain. However, certain Azure subscription types, such as Azure Government, host search services under different domains. The hotfix introduces a new 'CMSAzureSearchDnsSuffix' configuration key that allows you to specify the domain where your search services are hosted, overriding the default system behavior. See the hotfix instructions for details.

Dependency injection was not supported when developing personalization condition type classes for page builder widgets. After applying the hotfix, the constructor of condition type classes inheriting from the 'ConditionType' base class can have parameters (e.g., instances of services registered in the project's DI container). The hotfix does not add dependency injection support in controller classes that implement custom configuration dialogs for personalization conditions (inheriting from 'ConditionTypeController').

After a role with assigned users was updated and synchronized through staging, the event log on the target server contained confusing 'Remove user from role' entries. The problem only affected the event log and the users were not actually removed from the role.

Script tags placed in the markup of page and form builder components (for example widgets) were rendered without attributes in most cases when the component was displayed in the builder interface or the live version of the page. For example, this could break scripts using the ' type="module" ' attribute.

If a widget zone's name (identifier) was added or changed in the code of a page builder section, new pages with the section displayed an unnecessary warning, even though the page didn't contain any widgets that could be affected by the change. The problem occurred if the updated section was the default option for an editable region on the page or its template.

Copying a product page with multiple culture versions incorrectly created a redundant copy of the related SKU object for every culture version. After applying the hotfix, only one SKU is created for the product page copy and shared by all culture versions.

In ASP.NET Core projects, an error occurred when using dependency injection to get instances of services with a Scoped lifetime within the constructors of certain Xperience API classes. For example, the problem affected General selector data providers ('IGeneralSelectorDataProvider' implementations), Object selector Where condition providers, form components, page template or form component filters, and 'ICacheVaryBy' implementations.

If a media library file or page attachment contained non-ASCII characters in its name, accessing the file through a permanent link ('~/getmedia' or '~/getattachment' URL) resulted in an error. The problem occurred only on sites using the ASP.NET Core development model.

When a page on an ASP.NET Core site was accessed under an alternative URL with the 'Alternative URLs mode' configured to 'Rewrite', any query string parameters present in the URL became duplicated (e.g., '?utm_source=xxx' transformed into '%3futm_source=xxx?utm_source=xxx') and a redirection loop occurred.

Changes of the 'Show in menu' flag on the 'Properties > Navigation' tab of pages weren't saved. The issue occurred only after applying hotfix 13.0.39 or newer.

Image thumbnails in the 'Media files selector' for page builder component properties could overflow the borders of the selector field due to incorrect CSS z-index values.

Under special circumstances, it was possible to select more items than allowed by the set limit in certain selectors for page builder component properties. The problem could occur if a user performed the selection while additional items were also being loaded for pagination in the selector.

If a macro was placed into the default value of a field with the 'Date & Time' data type in a module class (or its Alternative form), the value was not resolved correctly in the resulting administration interface form for users with a non-English UI culture.

On sites running behind a proxy server or another service that masks the application's original domain (e.g., Azure Application Gateway), the smart search crawler used for page types with a 'HTML output' search data source did not work correctly. JWT token validation failed, which resulted in logged errors and only content available for public users was indexed. The hotfix fixes the issue for ASP.NET Framework (MVC 5) sites. For ASP.NET Core sites, Forwarded Headers Middleware needs to be set up for the project. See the hotfix instructions for details.

After a page chosen in the 'Page' or 'Path' selector components was deleted from the site, the selector automatically removed it without displaying any information. After applying the hotfix, the selectors display a "Missing page" warning in this scenario. The issue affected instances with hotfix 13.0.43 (Refresh 3), which allows selection of multiple pages for these selectors.

The 'Page selector' dialog for page builder component properties had a potentially misleading tooltip for the button that selected all pages on the current level. The hotfix updates the tooltip to provide more accurate information.

Accessing media library files using the direct file path did not work correctly in certain scenarios on sites using the ASP.NET Core development model. The issue occurred only after applying hotfix 13.0.44.

When working with the marketing automation process generated by the sentiment analysis demo on the Dancing Goat sample site, an error occurred if the 'Analyze sentiment' custom step was manually added to the process. The error prevented further work in Design mode for the process.

When creating new products representing a 'Bundle', the 'Remove from inventory' property was always saved with the 'Remove bundle only' value, even if a different option was selected.

On ASP.NET Core sites, page attachments that were stored on the file system in a custom folder (configured as a virtual path in the 'Settings -> System -> Files -> Files folder' setting) were not loaded and returned a 404 Not Found error if the 'Settings -> System -> Performance -> Redirect files to disk' setting was enabled.

Hotfix 13.0.43 is the Kentico Xperience 13 Refresh 3 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

It was not possible to run Xperience-specific isolated integration tests (derived from the 'IsolatedIntegrationTests' class) in Linux environments due to database connection issues. The hotfix introduces a new 'CMSTestIsolatedAltConnectionString' configuration key that allows test projects to connect to databases running in Linux environments. See the hotfix instructions for details.

The screen lock functionality did not activate if the screen lock interval was configured to a period longer than 15 minutes.

The system stopped sending emails in rare cases when an SMTP server did not return any response. Emails remained stuck in the email queue with the 'Sending' state. On instances with only one SMTP server configured, this scenario could fully block sending of emails.

If an image tag was manually inserted in the 'Code View' of the Rich text editor component, an error occurred when using the 'Replace' option for the image. For example, the problem occurred when editing the content of the 'Rich text' page builder widget.

The Rich text editor for the Page Builder did not allow customization of the 'Insert Link' dialog. The 'linkAttributes' toolbar option was not reflected by the system.

Links generated by the 'Url.Action' and 'Html.ActionLink' methods on MVC sites had invalid URLs for pages that used page templates. The problem could occur if the methods were called directly in a page template view or in the code of a layout used by the page.

Radio button or checkbox lists in the administration interface were not styled correctly and could overflow if there was a very large number of options. For example, the problem could occur when displaying filters based on E-commerce product options.

The sentiment analysis feature did not work in cases where all wrapping HTML tags were removed from the content of a page field based on the 'Rich text editor' form control.

The Form Builder was incorrectly configured to detect the default invariant culture when running on Linux environments. As a result, attempts to access the Form Builder interface resulted in an error in certain cases (ArgumentNullException). The issue occurred only after applying hotfix 13.0.14 or newer.

An error occurred when retrieving files using Xperience handlers on ASP.NET Core sites with certain non-English default content cultures (e.g., Arabic). For example, the issue occurred for permanent URLs of media library files based on the 'getmedia' handler, such as '/getmedia/0140bccc-9d47-41ea-94a9-ca5d35b2964c/image.jpg'.

The image resizing settings configured in 'Settings > System > Files > Image resizing' were not applied to images uploaded as page attachments using the 'Attachment selector' or 'Rich text editor' component. For example, the problem occurred when a file was uploaded through a page builder widget property using one of the given form components.

If the UI personalization feature was enabled, the 'Properties > Navigation' tab in the Pages application was not accessible even if the corresponding element in the UI personalization settings was allowed for a user's role.

The image resizing settings configured in 'Settings > System > Files > Image resizing' were not applied to images uploaded using the 'Media files selector' or 'Rich text editor' component. For example, the problem occurred when a file was uploaded through a page builder widget property using one of the given form components.

When the 'Rich text editor' was assigned to a property of a form component or section, the editor interface incorrectly displayed the 'Select' option for links and 'Replace' option when editing images. These options are not supported in the form builder and caused an error when clicked. After applying the hotfix, the unsupported options are hidden when the rich text editor is used within the form builder.

On instances with hotfix 13.0.25 or newer applied, A/B tests incorrectly logged visits of the tested page and conversions for visitors who had not given consent to be tracked as contacts (did not accept on-line marketing cookies). This could impact the conversion statistics of A/B tests in a misleading way. After applying the hotfix, visits and conversions are logged only for contacts included in the A/B test. If a visitor gives consent after viewing the tested page for the first time, visits and conversions are logged only after they revisit the page.

Macro rules didn't work correctly if they had a parameter with a 'Field caption' that contained the '&' character. When such rules were added to a condition, the condition was only saved as macro code without the rule interface. Additionally, any macro rule translators registered to optimize the rule's performance were not applied.

When installing hotfix 13.0.37, certain files were incorrectly marked and detected as customized, which prevented the hotfix from fully applying changes (manual resolving of the affected code was required). Apply hotfix 13.0.38 or newer to correctly fix issues from the previous hotfix.

Dependency injection was not supported when developing filters for page templates or form components. After applying the hotfix, the constructor of filter classes implementing 'IPageTemplateFilter' or 'IFormComponentFilter' can have parameters (e.g., instances of services registered in the project's DI container). Such filters must be registered into the corresponding filter collection using the 'Add<FilterClassType>' method, with the filter class as the generic type parameter.

Actions in the page builder and form builder interface that opened confirmation dialogs did not work when using version 92.0.4515 or newer of the Chrome browser. For example, the problem occurred when deleting widgets and sections, or after canceling changes in a properties dialog. The following error was logged into the browser console: "A different origin subframe tried to create a javascript dialogue. This is no longer allowed and was blocked."

When using the 'Display text' option in the 'After the form is submitted' setting on a form's 'General' tab with localized text, the entered text was incorrectly subjected to HTML encoding before being displayed on the live site (e.g., the '<' character was transformed into '&lt').

Staging synchronization tasks for custom table items were always logged for all sites in the system, even when the 'CMSStagingLogGlobalObjectsOnlyForAssignedSites' configuration key was enabled. After applying the hotfix, the tasks are logged only for sites to which the parent custom table of the modified item is assigned.

The 'Edit > Page' and ' Preview' tabs of the Pages application incorrectly required the 'Modify' permission for pages (i.e., the 'Content' module or specific page types). These tabs displayed blank content for users with only 'Read' and 'Browse tree' permissions.

The object and general selector components with multiple item selection did not work correctly in page builder widget personalization dialogs. If one of these selectors was assigned as the editing component of a personalization condition type property, selecting a value for the property resulted in a broken personalization dialog.

The 'UserInfoProvider.GetUserName' method could cause a null reference exception in certain scenarios where the processed user did not exist. This could lead to errors when calling user-related API in custom code, for example the 'UserRoleInfoProvider.DeleteUserRoleInfo' method.

Editing and saving a link within the content of the Rich text editor component did not work unless the existing link was cleared beforehand. For example, the problem occurred when editing the content of the 'Rich text' page builder widget.

When adding a link to images within the content of the Rich text editor component, the link URL could not be typed manually. Pasting the link or selecting an item to link worked correctly. For example, the problem occurred when editing the content of the 'Rich text' page builder widget.

With replication of contacts into SalesForce leads enabled, data was not correctly transferred to SalesForce for merged contacts (when a merged contact was updated or a new contact was created and merged into an existing contact). The issue also incorrectly prevented such contacts from being replicated in the future.

Dependency injection was not supported when developing data provider classes that load and prepare items for the General selector component. After applying the hotfix, the constructor of data provider classes implementing 'IGeneralSelectorDataProvider' can have parameters (e.g., instances of services registered in the project's DI container).

Custom toolbar configurations for the Rich text editor were not applied when the component was used in a page builder widget. The problem occurred after applying hotfix 13.0.31 or 13.0.32 (Refresh 2).

When a page was accessed under an 'Alternative URL' with the system configured to redirect to the main page URL, any query string parameters present in the URL became duplicated (e.g., '?utm_source=xxx' transformed into '?utm_source=xxx?utm_source=xxx').

Azure search index update tasks generated by the system for stand-alone SKUs incorrectly contained data that could trigger an index update for a page with an identical ID as the stand-alone SKU. Such index updates were unnecessary, since stand-alone SKUs are not tied to pages and updates never lead to changes in any page objects.

In hosting environments that dynamically adjust the number of instances (e.g., autoscaling in Azure App Services), deactivated web farm servers always remained in the system with the 'Not responding' status for 24 hours. This could cause performance problems and heavy database load due to large numbers of unnecessary synchronization tasks generated after scaling down the number of servers. The hotfix adds the option to adjust the interval for which web farm servers stay in the 'Not responding' status before being deleted. To change the default interval of 24 hours, set the new 'CMSWebFarmNotRespondingInterval' configuration key to the required number of minutes, e.g., '60' for 1 hour.

If a page builder component property used the object or general selector with multiple item selection, unselecting an item triggered the evaluation of visibility conditions incorrectly, which resulted in a broken state of the selector. The issue occurred only after applying hotfix 13.0.25 or newer.

The 'Rich text editor' component displayed the preview of its content incorrectly when used in a page builder configuration dialog (for example assigned as the editing component of a widget property). The issue only occurred after applying hotfix 13.0.31 (Refresh 2).

When the 'CMSMediaLibraryDisplayOnlyImportedFiles' configuration key (an internal key provided via support to specific customers) was set to true, ordering the list on the 'Files' tab of the media library editing interface based on the 'Modified' column resulted in an error.

If an administration form field used the 'Calendar' form control and had a visibility condition depending on another field, datetime macros placed into the field's default value were incorrectly resolved into the English (en-US) culture instead of the user's selected UI culture. This could lead to inconsistencies or date format errors. For example, if a page type field used the Calendar form control, with the '{%DateTime.Now%}' macro as the default value, the problem could occur when a user with the 'English - United Kingdom' UI culture created a new page of the given type.

The button for performing sentiment analysis of rich text or text area fields didn't have a tooltip (on the Content tab of the Pages application).

Hotfix 13.0.31 is the Kentico Xperience 13 Refresh 2 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

The 'Use URLs with trailing slash' setting for sites with content tree-based routing only applied to URLs generated for pages by the system. Page URLs with a different trailing slash state were not redirected based on the selected option.

On sites with a defined Administration domain alias, an error occurred when viewing parts of the administration based on virtual context URLs, for example the Preview mode of pages and the page builder or form builder interface. The issue only affected instances with hotfix 13.0.29 or newer applied.

On instances containing multiple sites hosted on a single application with shared resources (e.g., using the same Azure Web Apps service or a shared application pool on an IIS server), switching between sites in the administration caused errors for virtual context URLs, for example when viewing pages in Preview mode, editing pages using the page builder, or editing forms in the Form builder interface.

The hotfix updates the authentication functionality for virtual context URLs used in the administration interface when previewing or editing live site pages. The minor changes ensure a higher level of security.

Page fields based on the 'Rich text editor' form control were displayed incorrectly in cases where the field was disabled for editing. For example, the problem could occur on the 'Content' tab for pages under workflow with the 'Published' status.

Attempting to retrieve files hosted on external storage via Xperience handlers (e.g., 'GetAzureFile.aspx') resulted in a HTTP 404 Not Found error. This issue only occurred on ASP.NET Core applications hosted on Linux.

When using the former URLs functionality for pages on a site with content tree-based routing, the system did not preserve query string values when redirecting visitors from former URLs to the current ones.

Getting URLs for image variants of page attachments by calling the 'WithVariant' extension method for 'IPageAttachmentUrl' objects did not work, and the original unmodified attachment URL was returned.

For pages with a name longer than the maximum allowed alias length of 50 characters, the system could in certain cases generate a page alias value ending with the replacement character for forbidden URL characters (a hyphen by default). This character was removed on subsequent saves of the page, which could lead to inconsistencies, for example when staging the page to another server. After applying the hotfix, page aliases are always generated without the replacement character at the end.

Page builder component properties using the object or general selector with multiple item selection triggered the evaluation of visibility conditions after the selection of the first item. As a result, it was not possible to select multiple items and the dialog did not close properly. The issue occurred only after applying hotfix 13.0.23 or newer.

The Xperience administration project contained an old version of the 'System.Text.Json' assembly in its Lib folder, which could cause assembly version conflicts. Applying the hotfix removes the obsolete assembly (the correct version is already provided via an installed NuGet package).

Pages with a running A/B test displayed variants inconsistently to visitors who had not given consent to be tracked as contacts (did not accept on-line marketing cookies). After applying the hotfix, the system assigns a page variant and stores it into the new 'CMSVarAB<name>' cookie even for visitors who are not tracked as contacts. This cookie is only used to keep content consistent and does not enable any tracking or logging of conversions.

For pages under workflow with content locking enabled, fields using the 'Rich text editor' form control did not save changes in certain cases after performing a 'Check in' action. The problem occurred only if the editing form was refreshed after the changes were made in the rich text editor, for example by uploading an attachment file into a different page field.

An error occurred when retrieving media files from Azure storage on ASP.NET Core sites hosted in environments where the live site and administration applications used cultures with different date and time formatting (e.g., 'en-US' for the administration and 'cs-CZ' for the live site).

When the 'CMSMediaLibraryDisplayOnlyImportedFiles' configuration key (an internal key provided via support to specific customers) was set to true, the list on the 'Files' tab of the media library editing interface only displayed the first page of files. Any additional pages contained an empty list of files.

If a Tooltip was specified when assigning an editing component to a property used in the page builder, it was not displayed in the resulting property configuration dialog for certain types of editing components (e.g., selectors or Rich text).

The input elements of form fields generated by the system's default 'Form' widget did not have the 'input-validation-error' class assigned when the submitted value was not valid (either due to failed validation rules or an empty value in required fields).

The hotfix updates the 'System.Text.Encodings.Web' package to version 4.7.2 for .NET Framework (MVC 5) projects.

Page builder component properties using the object or general selector did not trigger evaluation of visibility conditions. When the property value was changed, the visibility conditions of other depending properties were not re-evaluated. To ensure that this functionality works properly, apply hotfix 13.0.25 or newer.

The object selector for page builder components was displayed incorrectly when the field was focused without clicking, for example by using the 'Tab' key to navigate the widget properties dialog.

File and directory operations (media file manipulation, attachment upload, etc.) sometimes resulted in an error if the manipulated resource was stored on a UNC path (e.g., \\host-name\share-name\file-path). The issue occurred only after applying hotfix 13.0.10 or newer.

The search in the Pages application did not work correctly when using the '(SQL search)' option. The results always displayed all pages regardless of the search phrase.

System emails based on the 'Membership - Change password request', 'Membership - Password reset confirmation' and 'E-commerce - Automatic registration' email templates were sent with an incorrect culture in certain scenarios. Localization macros placed into the templates were resolved into a default culture (English) instead of the user's current content culture on the site.

The 'CacheHelper.EnsureKey' API method did not work correctly if the cache key parameter was not fully in lower case (the key was touched even if it was already present in the application's cache). After applying the hotfix, the cache key parameter processing is no longer case-sensitive and existing cache keys are detected correctly.

If continuous integration was enabled and a site's 'Routing mode' setting was switched to a different option, an error could occur when restoring the updated 'Page URL path' objects to the database.

The 'User account for crawler' property was not displayed when editing smart search indexes of the 'Pages' type (for both Local and Azure indexes). The issue affected instances with hotfix 13.0.16 (Refresh 1) or newer applied.

When editing a page type in the Page types application on the General tab, the default 'Small icon' and 'Large icon' images displayed after switching the 'Page type icon' property to 'Images' mode were missing.

Automated tests created using the 'Kentico.Xperience.Libraries.Tests' NuGet package did not work in projects targeting ASP.NET Core 5. Running tests inheriting from the provided base classes, such as 'CMS.Tests.UnitTests', resulted in an error.

In rare cases, web farm task execution became stuck due to a deadlock that occurred during cache invalidation. This caused synchronization issues between the administration and live site applications.

The system did not display the page template selection dialog when creating new pages in the Pages or Products application for page types representing a product (when at least one page template was registered for these product page types).

An error occurred when adding page builder editable areas to views on an ASP.NET Core site via the 'EditableAreaAsync' extension method, if the 'EditableAreaOptions' parameter was not specified. The issue occurred only after applying hotfix 13.0.16 (Refresh 1).

When localizing text fields in the administration's 'Localize field' dialog, the 'Use existing resource key' option was only available for users with the Global administrator privilege level. After applying the hotfix, the option can also be used by editors with the 'Localize strings' permission for the 'Localization' module.

For sites running under a Free edition license, attempting to change the 'Default content culture' on the General tab of the site editing interface resulted in an unhandled error.

URLs generated by the 'ViewInBrowserUrl' macro that allow recipients to view marketing emails in a browser did not work when shared on certain external platforms, for example Facebook or Facebook Messenger. Opening the URL resulted in an "Access denied" error.

If a page builder widget on an ASP.NET Core site had output caching enabled (using the 'AllowCache' property of the 'RegisterWidget' attribute), and the widget's implementation was not based on a view component, an error occurred when rendering the widget in an editable area that allowed caching.

Automated unit testing of page template filters was not possible due to internal API. Applying the hotfix makes the constructors of the 'PageTemplateDefinition' and 'PageTemplateFilterContext' classes public.

On sites that used 'Custom' routing mode, setting values without a starting slash ('/') for the 'URL pattern' of page types resulted in invalid URLs for the given pages. For example, such URLs could cause errors in the administration's page selectors. After applying the hotfix, the system automatically processes URL patterns with a starting slash if one is missing in the entered value.

When editing a page type in the Page types application on the General tab, the 'Page type icon' property was always initially displayed in 'Font icon class' mode, even if the 'Images' mode was previously selected and an image file was uploaded. This could cause users to unintentionally overwrite the icon when saving the page type properties.

Setting the logging verbosity ('LogLevel' property) for the 'KenticoEventLog' application logger in ASP.NET Core projects to anything lower than 'Warning' (i.e., 'Trace,' 'Debug,' or 'Information') lead to errors when editing pages in the page builder interface.

Hotfix 13.0.16 is the Kentico Xperience 13 Refresh 1 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

In certain cases, the system incorrectly returned a 404 (Not Found) error when attempting to access administration URLs ending with an extension (e.g., custom '.aspx' handlers or UI templates). The issue occurred only after applying hotfix 13.0.10 or newer.

Typing in fields within page builder properties dialogs triggered unnecessary reloads of the editing form. This could cause loss of entered text characters and other user experience issues, particularly in the case of slower connections.

If a different UI culture than English ('en-US') was selected for the administration on an ASP.NET Core site, text within the page and form builder interface was not resolved correctly in certain cases.

The Xperience assemblies incorrectly used the specific hotfix number in their patch version, for example '13.0.10'. This could lead to compatibility problems for referencing custom assemblies and require generating of unwanted binding redirects. After applying the hotfix, the assembly version is fixed as '13.0.13', including future hotfixes.

The system incorrectly handled locking of zip files (for example the '\App_Themes\Default\Images\Images.zip' package), which could block certain deployment scenarios for the administration application.

The macro tree and autocomplete help incorrectly offered macros under the 'Email' entity, even when editing marketing email templates of a type other than 'Email' (Subscription, Unsubscription, Double opt-in). Such macros only resolve in the content of marketing emails based on templates of the 'Email' type, and are hidden for other templates after applying the hotfix.

Switching the culture in the Pages application caused an error if the selected culture used a Presentation URL with a different domain. The problem occurred on multilingual sites where the 'URL format for multilingual sites' setting was set to 'Domain', and a matching 'Visitor culture' was assigned to one of the site's domain aliases.

If a selector form component, for example 'Radio buttons', 'Drop-down list' or 'Multiple choice', was assigned in the code of a form field using the 'EditingComponent' attribute and one of its 'DataSource' options had an empty value, e.g., ";(none)", this option was not displayed after the resulting form was refreshed, for example when the form evaluated a visibility condition. The issue only occurred on ASP.NET Core sites.

The calendar date and time selector in the administration interface was displayed with incorrect background styling when used to select a time range between two dates (for example when the 'From' and 'To' selector was opened above Web analytics report graphs).

The hotfix addresses a number of filesystem-related issues encountered when hosting ASP.NET Core live site applications in Linux environments. The issues were primarily caused by a dependency on Windows-like filesystem conventions, so mostly impacted features reliant on Input/Output operations. The following is a non-exhaustive list of affected features: media library operations (insert, modify, delete), smart search (running indexing tasks, index rebuilds), web farm synchronization, scheduler functionality run on the live site. See the hotfix instructions for more information.

When accessing pages that contained resized images (e.g., from media libraries), it was possible to encounter 'System.ArgumentException: Parameter is not valid' errors when rendering certain resized images. This issue only affected Linux deployments of ASP.NET Core projects.

The 'Search fields' tab in the Page type editing interface was only available for page types that had the 'URL' feature enabled. After applying the hotfix, the search configuration is displayed for all page types that have either custom fields or the 'URL' feature. The change allows searching for page items that hold content, but do not need their own URL.

Files or other resources containing a special character in their name were not loaded correctly when viewing content within the page builder interface, preview mode or the form builder in certain cases. The system incorrectly calculated the hash for the resource's URL. For example, the problem could affect files with special characters in their name added through a page builder widget using the media selector dialog.

If long content (multiple paragraphs) was entered into the Rich text editor for the page builder, adding a new line caused the page to scroll down to the bottom of the widget content. The hotfix resolves the issue by updating the used Froala editor to version 3.2.6.

The 'Radio buttons' form component was styled and displayed incorrectly when used in a page builder configuration dialog (for example assigned as the editing component of a widget property).

Custom plugins registered for the Rich text editor page builder component were ignored due to incorrect initialization.

The culture selector in the Pages application did not display all options on sites with more than 13 assigned cultures.

When cloning forms, the maximum length of the new form's 'DB table name' was not validated correctly and allowed values that were too long. This could lead to inconsistencies with the resulting form.

An error occurred when creating a new media library after applying hotfix 13.0.4 or newer. The problem was caused by incorrectly signed macros, and can be fixed by applying hotfix 13.0.9, or alternatively by re-signing macros in the system.

If a product bundle was automatically added to a customer's shopping cart as part of a 'Buy X Get Y' discount, the system incorrectly inserted two of each item included in the bundle.

When a marketing automation process was automatically initiated by a trigger of the 'Time-based' type, contacts going through an 'If/Else' step got stuck even though they met the step's condition. The process remained in the 'Pending' state for the contact and could not finish.

Applying a previous version 13 hotfix to the Kentico Xperience setup files added incorrect versions of certain installation files and templates. As a result, new projects created using the hotfixed installer had an invalid database and did not work correctly To fix the problem, you need to apply hotfix 13.0.8 or newer to the setup files.

Changing the order of certain global objects resulted in an error after applying hotfix 13.0.7. For example, the issue could affect custom object types or custom tables with an order column.

On ASP.NET Core sites, an instance of the 'IDataProtectionProvider' service was always required on application startup. This could cause slower application start and errors when developing isolated integration tests if a mock instance of this service was not created for every test.

If a custom object type was stored outside of the default database (e.g., in a separated database for on-line marketing data), the system used an incorrect database connection when updating the order or ID path for the given objects, resulting in an error. For example, the problem occurred when displaying such objects in the administration using the UniGrid control and attempting to change the order of objects.

Pages crawler search indexes did not reuse connections correctly on HTTPS sites. For example, this could cause SNAT Port Exhaustion errors to occur when rebuilding indexes on sites hosted on the Azure App Service, leading to missing page results.

The cookie level of the system's 'KenticoCookiePolicyTest' cookie (used to detect the 3rd party domain blocking policy of a browser) was too high. This could result in incorrectly displayed error messages in the Xperience administration, e.g. in the page builder interface.

Applying hotfix 13.0.4 caused errors in the administration application and prevented the project from compiling.

The hotfix allows media libraries to use the direct file path in URLs when adding links to files in Xperience content (instead of permanent media file URLs). For example, direct file URLs may be desired for media files placed in external storage, such as Microsoft Azure Blob storage. The option can be configured when editing individual media libraries on the 'General' tab. The configured URL format applies when adding links to media files in the rich text editor (using the page builder widget or when editing rich text page fields) and via page fields based on the 'Media selection' form control.

If certain characters (for example a ` grave accent) were used in the 'URL slug' of a page, the value could no longer be changed and an error occurred when viewing the page in the administration interface and on the live site.

Azure search indexes of the 'Pages' or 'Pages crawler' type did not update after a page included in the index was updated (and a corresponding search task was processed).

Editing a user's memberships in the administration interface on the 'Membership' tab of the 'Users' application for a selected site incorrectly removed any memberships that the user had assigned on other sites. The problem did not occur when memberships were assigned in the 'Membership' application or automatically by purchasing a product associated with the membership.

Changes made to the 'Enable smart search indexing' setting ('Settings' application -> System -> Search) were only reflected after application restart.

On ASP.NET Core sites that used content tree-based routing, pages configured to require authentication did not redirect public visitors to the site's sign-in page. The 401 Unauthorized response was returned instead.

The properties dialog in the page builder interface prevented 'mouseup' and 'mousedown' button events from propagating. As a result, any form components that registered listeners for such events did not work correctly in the dialog when assigned to properties.

The search in the 'Media files selector' dialog for page builder components did not work in certain browsers (for example Firefox), and the displayed media files were not filtered.

Localization (e.g., via the system's ResHelper class) did not work and resulted in an error in projects targeting .NET Core 5.

On ASP.NET Core sites, the system generated malformed links to static files displayed under preview mode (in the 'Pages' application or when viewed via a generated preview URL). The issue occurred only for files placed outside the application's web root (/wwwroot folder). Most commonly affected were media library files, which are by default stored in a dedicated site folder outside the application's web root.

Disabling the 'Rebuild site search indexes' option in the 'Objects selection' step of the import wizard did not work correctly, and the option always persisted as enabled after switching to a different object category.

Emails sent from the 'Send email' tab in the 'Email queue' application or the 'Mass email' tab in the 'Users' application did not resolve relative virtual URLs to their absolute form in certain cases.

Added a tip box with an introduction video for the 'Email marketing' application.

The 'Email queue' application incorrectly required the 'Modify email queue' permission to 'Refresh' the queue. After applying the hotfix, the 'Read email queue' permission is sufficient to refresh the queue.

The hotfix introduces new 'CMS.EmailEngine.ISmtpClientFactory' API that enables developers to modify the configuration of the system's SMTP client. This API is primarily intended for advanced environments with specific requirements.

Many email services are deprecating support of basic authentication via a username and password (for example Microsoft Exchange Online). The hotfix introduces an alternative way to connect to email servers using OAuth 2.0 token-based authorization. OAuth support covers both SMTP servers and mail servers for monitoring bounced emails (using POP3). By default, the system includes an OAuth provider for Microsoft Exchange Online - other services require implementation of a custom provider. The hotfix adds the 'MailKit 3.1.1' NuGet package to both the administration and live site projects, which may cause conflicts if your projects contain custom functionality using other versions of this package. See the hotfix instructions for details.

The Bootstrap JavaScript library used in the administration interface was updated to v3.4.1 due to security vulnerabilities contained in the previous version.

If the application had a separated database for on-line marketing data, running mass actions for contacts in the 'Contact groups' or 'Scoring' application caused the system to generate large and ineffective queries. This could lead to performance issues on sites with a large number of contacts, for example after starting an automation process for all contacts in a group.

Form validation provided by the 'reCAPTCHA' form component on MVC sites could be bypassed in certain scenarios.

The hotfix improves the performance of 'Buy X Get Y' discounts with buy conditions based on product sections. The evaluation of such discounts was slow for shopping carts containing a large number of products.

It was not possible to change the domain name suffix of requests generated by the system for Azure search services (e.g., 'myazuresearchservice.search.windows.net'). The majority of commercial search services are hosted on the 'search.windows.net' domain. However, certain Azure subscription types, such as Azure Government, host search services under different domains. The hotfix introduces a new 'CMSAzureSearchDnsSuffix' configuration key that allows you to specify the domain where your search services are hosted, overriding the default system behavior. See the hotfix instructions for details.

Saving a page with a large amount of page builder content could fail in certain cases. The problem was caused by deadlocks that could occur when saving large page builder configurations due to incorrect processing of asynchronous requests.

The form component selection dialog in the form builder interface was positioned incorrectly when adding fields to very long forms that required scrolling.

The system stopped sending emails in rare cases when an SMTP server did not return any response. Emails remained stuck in the email queue with the 'Sending' state. On instances with only one SMTP server configured, this scenario could fully block sending of emails.

When creating new products representing a 'Bundle', the 'Remove from inventory' property was always saved with the 'Remove bundle only' value, even if a different option was selected.

Actions in the page builder and form builder interface that opened confirmation dialogs did not work when using version 92.0.4515 or newer of the Chrome browser. For example, the problem occurred when deleting widgets and sections, or after canceling changes in a properties dialog. The following error was logged into the browser console: "A different origin subframe tried to create a javascript dialogue. This is no longer allowed and was blocked."

The 'UserInfoProvider.GetUserName' method could cause a null reference exception in certain scenarios where the processed user did not exist. This could lead to errors when calling user-related API in custom code, for example the 'UserRoleInfoProvider.DeleteUserRoleInfo' method.

Sending of emails to an event's attendees on the 'Send email' tab in the Events application did not work correctly. In certain cases, emails were not generated for all of the event's attendees and errors could occur.

System emails based on the 'Membership - Change password request', 'Membership - Password reset confirmation' and 'E-commerce - Automatic registration' email templates were sent with an incorrect culture in certain scenarios. Localization macros placed into the templates were resolved into a default culture (English) instead of the user's current content culture on the site.

Editing a user's memberships in the administration interface on the 'Membership' tab of the 'Users' application for a selected site incorrectly removed any memberships that the user had assigned on other sites. The problem did not occur when memberships were assigned in the 'Membership' application or automatically by purchasing a product associated with the membership.

Pages crawler search indexes did not reuse connections correctly on HTTPS sites. For example, this could cause SNAT Port Exhaustion errors to occur when rebuilding indexes on sites hosted on the Azure App Service, leading to missing page results.

Emails sent from the 'Send email' tab in the 'Email queue' application or the 'Mass email' tab in the 'Users' application did not resolve relative virtual URLs to their absolute form correctly. For example, this could result in broken links to pages on Portal Engine sites. The issue occurred only after applying hotfix 12.0.79 or newer.

When the same site was imported more than once to the same instance, the site root pages had the same values in the 'DocumentWorkflowCycleGUID' field, which could lead to errors and incorrect behavior. For example, creating new pages could result in page template retrieval errors. Applying the hotfix ensures unique GUID values for future imports, but does not fix existing sites with this issue.

Form fields on Portal Engine sites using the 'HTML5 input' form control lost CSS classes assigned through the field 'CSS styles' properties when a postback occurred on the page (for example after the form was submitted and validation failed).

The folder tree area of the 'Media files selector' dialog for page builder components was too narrow, which could make it hard to read long or nested media folder names. The hotfix updates the design of the dialog to improve visibility in the folder tree.

Due to changes in the Facebook API and related permissions, the functionality for publishing content to Facebook pages may stop working. To use the feature, you need to apply the hotfix and manually update your Facebook app. Ensure that your app has the 'pages_manage_posts', 'pages_read_user_content' and 'read_insights' permissions, upgrade the Facebook API Version to 'v8.0', and generate a new page access token for your Facebook app in Kentico.

Marketing automation processes could get stuck on 'Wait' steps and licensing errors were logged. The problem occurred in cases where the background scheduled task handling the wait step was executed in the context of a site with a license edition lower than EMS (on instances with multiple sites using different license editions).

Cleaning of archived emails with attachment files was inefficient, and could potentially lead to timeout issues if the database contained a large number of archived emails with an attachment.

Payments using the default PayPal provider resulted in a validation error if the order used a gift card with a value higher than the total price of all purchased items (only applies to cases where payment was still necessary after calculating the order's final price with shipping and tax).

Running an MVC site with the Small Business license edition resulted in license limitation errors. After applying the hotfix, Small Business licenses support web farm synchronization and the errors no longer occur.

If the system was configured to store file binary data on the file system, staging tasks did not synchronize these files for object-related meta files. For example, the problem could affect product images assigned to SKUs.

The 'reCAPTCHA' form control and MVC form component only processed the current content culture as a 2 character ISO code, which could cause the reCAPTCHA to display in the incorrect culture. For example, the problem could occur on sites using the 'zh-HK' Chinese culture, which displayed the reCAPTCHA in the 'zh-CN' culture instead.

Page update staging tasks generated after adding or modifying a related page from another site did not synchronize the relationship change to target servers. After applying the hotfix, staging supports synchronization of relationships between pages on different sites.

An error occurred when using the Advanced export feature for email marketing link click statistics with the 'Export raw database data' option enabled and all data columns selected.

If a web analytics log file for exit page candidates contained invalid or malformed data, processing failed and prevented logging of all web analytics statistics. After applying the hotfix, such files are deleted and processing of other analytics logs continues.

An error occurred when rolling back to a previous version of a page type with one or more child page types (i.e. page types that inherit fields).

The 'Print' functionality in the Reporting application did not work on sites with the 'Kentico CMS Base' or lower license editions.

When caching the output of controller actions using the ASP.NET output caching, the page builder did not load in the 'Pages' application for pages displayed through the cached actions. Instead, only a preview of the cached page was displayed. This problem occurred in special scenarios, for example, when caching based on specific parameters defined in the 'VaryByParam' property.

On sites hosted in Azure or behind a reverse proxy server, an error occurred in the administration interface when viewing pages in Preview mode or the page builder for pages whose node alias path contained non-ASCII characters. The virtual context URLs used by these features had escaped characters when obtained from the remote server, resulting in a non-matching hash.

Domains containing a port number were not correctly registered as belonging to the domain for which a license was issued. This caused issues with the system's web farm functionality.

Cleaning of archived emails could fail in cases where the scheduler was configured to run in request-based mode and the administration site did not receive regular traffic. This could lead to buildup of sent emails and cause intervals of heavy database load.

When editing page fields based on the 'Rich text editor' form control, the system incorrectly handled virtual URLs in the 'poster' attribute of 'video' tags (added through the editor's Source mode). After saving such a URL into the content, subsequent edits loaded a relative URL resolved according to the application path of the administration application. Re-saving the field could cause the poster URL to become invalid, for example if the live site was running with a different application path than the administration.

The visibility condition and validation rule components of the system's 'Form builder' feature contained a memory leak. Sites making heavy use of these components experienced severely heightened memory utilization, eventually resulting in an application crash.

If content added through the page builder (for example using a text editor widget) included absolute URLs with a domain matching the current site's Presentation URL, the URLs became broken after resaving the content. The system resolved such URLs into internal virtual context URLs ('/cmsctx/...') to work within the administration interface, but this value was incorrectly saved into the database on subsequent edits. After applying the hotfix, such absolute URLs are modified to relative URLs after being saved, and the system correctly handles the virtual context URL conversions. The fix does not address any existing broken links - these need to be fixed and resaved manually.

It was not possible to set a static 'id' attribute for the 'form' HTML element of forms placed using the system's default 'Form' widget. By default, the system always generated a random 'id' for each form to prevent multiple forms with identical identifiers from being placed on a single page. After applying the hotfix, you can suppress this behavior by setting the 'id' attribute via the 'FormWidgetRenderingConfiguration.FormHtmlAttributes' property. However, note that this sets the same 'id' attribute for ALL form widget instances. As a result, having more than one form per page is not supported under this configuration.

Payments using the default PayPal provider resulted in a validation error if the order contained a note longer than 165 characters. After applying the hotfix, order notes that exceed this number of characters are trimmed before being sent to PayPal.

Free shipping offers with a 'Minimum order amount' were incorrectly evaluated without subtracting any applied order discounts from the checked order price. Note that after applying the hotfix, orders will no longer qualify for free shipping if their price does not meet the minimum amount after subtracting an order discount.

Certain scenarios did not work correctly if the 'URL pattern' of page types on MVC sites contained a page path macro that could resolve into a value with multiple URL segments, such as the 'NodeAliasPath' field. For example, detection of alternative URL conflicts did not work for the resulting pages. After applying the hotfix, the system handles such macros if they are the only value placed into the URL pattern.

An error occurred in the language version comparison mode of the Pages application for users whose username contained certain special characters, such as a backslash (typically for users created via external authentication).

The system generated individual smart search indexing tasks for each page associated with a given product (SKU object) every time the product was modified. This occurred even for pages not included under any smart search indexes. After applying the hotfix, the system generates a single smart search task per SKU modification that processes all pages related to the product.

Users created via external authentication whose username contained certain special characters could encounter an error when viewing pages in the Pages application, for example in Preview mode or in the page builder edit mode on the 'Page' tab. After applying the hotfix, the virtual context URLs used to display such content store the GUID of the current user instead of the username.

The 'Checkbox' form component's 'Text' property did not support localization macro expressions.

The system did not generate a valid callback URL for external authentication providers if the site was running on a domain with a non-standard port number (different than 80 for HTTP, 443 for HTTPS). This resulted in an endless chain of redirects between the application and the authentication provider.

If a custom form component using the React JavaScript library was assigned to a property of a page builder component (widget, section, etc.), click events (onclick) did not work in the resulting properties dialog. After applying the hotfix, click events of React components are triggered correctly in page builder property configuration dialogs.

Registration emails sent when a new user registered on a Portal Engine site through the 'Registration form' or 'Custom registration form' web part did not have the correct culture in certain scenarios. Localization macros placed into registration email templates (e.g. 'Membership - Registration' or 'Membership - Registration confirmation') were resolved into a default culture (English) instead of the user's current content culture on the site.

When a folder was mapped to another location using the file system provider API, moving or copying of files from the local file system into the mapped folder did not work correctly in certain scenarios. For example, if a media library folder was mapped to Azure Blob storage, the system did not create files when using the import feature to add media files into the given folder.

Kentico API that relied on static contexts, such as 'SiteContext', 'ContactManagementContext', or 'CMSActionContext', did not work and returned empty values when called within custom asynchronous (async) methods. After applying the hotfix, the contexts correctly persist their values within async code.

Staging tasks of the 'Break ACL inheritance' type were not logged correctly when the change was triggered by incoming synchronization from another server (typically in environments with 3 or more connected staging servers).

License keys containing domain names shorter than four characters were not recognized by the system.

When utilizing the 'Shipping option selection' web part in the checkout process on a Portal Engine site, an error occurred if a customer selected a shipping option and then later switched back to the default '(Please select)' item. After applying the hotfix, the web part no longer displays the '(Please select)' item after selecting and saving a valid shipping option. The problem occurred after applying hotfix 12.0.35 or newer.

If using a database server with relatively low-tier performance (for example an Azure SQL database with 400 DTUs) and sending extremely large numbers of emails, cleaning of archived emails could fail and potentially lead to buildup of sent emails, and even performance issues or crashes on the website. To fix the issue, either scale up the database, increase the database connection timeout, or lower the batch size for archived email deletion by adding the new 'CMSEmailDeleteBatchSize' key to the project's web.config file. The key's default value is 2000.

If a page type had a field based on the 'Department roles selector' form control, the field's data was not correctly synchronized through staging tasks when a page was created or updated.

If a page type inherited a system 'Page field' from a parent page type (for example the 'DocumentShowInSiteMap' field), code generated for the page type incorrectly included a property representing the system field (such properties are redundant, as system fields are already available in the base 'TreeNode' class). After applying the hotfix, system fields are never included in classes generated for page types.

The 'Live site' button in the application list did not work correctly if certain special characters were included in the 'Presentation URL' of an MVC site.

On sites running under heavy load, evaluation of Buy X Get Y discounts could result in an error, leading to incorrect or inconsistent results. For example, such problems could occur after adding discount-related products to the shopping cart on a high-traffic website.

The 'Preview' tab in the 'Products' application on MVC sites was incorrectly displayed for products without an available live URL (for example products whose page type did not have a URL pattern configured). The problem occurred after applying hotfix 12.0.53 or newer.

Updating system user objects via the MVC site (as part of account detail updates, password resets, and similar operations) automatically generated the user's 'FullName' property by concatenating the existing first and last name values. For example, this could override all customizations made to the user's full name on the side of the administration interface. After applying the hotfix, the full name is automatically generated upon user creation and only updated if the system detects that the original automatically generated full name is still being used.

The 'Form field selector' form control did not work when creating conditions in the macro rule designer. For example, it was not possible to select a field when configuring the parameter of the "Contact has filled in form field" macro rule.

Certain emails that were sent directly without going through the email queue incorrectly had their priority (importance) headers set by the system. For example, marketing email drafts were always sent out with low priority. After applying the hotfix, the priority is not set for any outgoing emails.

When creating or rebuilding smart search indexes of the 'Pages' type (local or Azure), not all pages were correctly included in the index if a processed batch of records contained only pages that were not published on the live site. For example, the problem could occur on sites with large sections of archived pages, containing more items than the 'Batch size' set for indexes.

If using a database server with relatively low-tier performance (for example an Azure SQL database with under 50 DTUs), timeout errors could occur when the system performed cleanup of web farm tasks, typically when the instance contained large synchronization tasks with binary data. This resulted in event log errors and potentially a buildup of web farm tasks in the database. To fix the issue, either increase the connection timeout for the database or lower the batch size for task deletion by adding the new 'CMSWebFarmTaskDeleteBatchSize' key to the project's web.config file. The key's default value is 500.

Notifications about unsaved changes did not work in the Pages application for users who had the 'Properties' tab hidden by the UI personalization feature.

Facebook authentication on Portal Engine sites did not respect the 'Require unique user emails' setting and could create user accounts with the same email address as an existing user in the system. After applying the hotfix, such conflicts result in the creation of a Kentico user account with an empty email address.

Localizing a form's 'After the form is submitted' or 'Submit button' text using resource strings (on the 'General' tab of the form's editing interface) did not work correctly for forms displayed on MVC sites using the 'Form' widget. The live site always displayed the English version of the text instead of using the current page's culture.

An error occurred when creating a translation submission that contained a linked page together with the link's original page. After applying the hotfix, translation submissions filter out link duplicates and only include the original page.

URL values stored in the properties of page builder widgets, sections or templates (either through the property configuration dialog or an inline editor) lost their '#' fragment component after resaving the page multiple times. This could result in broken anchor links.

Page visit conversions for A/B tests on MVC sites were not logged correctly for sites running on a URL without a virtual directory (i.e. hosted directly in the root of an IIS website).

Selection of roles from multiple different sites did not work correctly on the 'Security' tab of workflow or marketing automation steps. Selecting roles for one site incorrectly cleared the role selection made for other sites. After applying the hotfix, the site selector no longer appears above the role listing on the Security tab, but instead is part of the role selection dialog.

If a project used bundling for CSS files and was compiled with a 'Release' configuration (i.e. the <compilation> element's 'debug' attribute set to 'false' in the web.config file), links to assets in the CSS code (fonts, images, etc.) with a relative URL became broken when viewing pages in preview mode or the page builder interface.

If a page builder component's property (for example a widget property) used the 'Text area' editing form component, pressing the Enter key to add new lines within the resulting property configuration dialog did not work in the Firefox browser. The problem also affected any custom form components containing a 'textarea' tag.

Staging tasks generated after deleting all alternative URLs from a page on an MVC site did not work correctly (only if there were no remaining alternative URLs after the deletion). In these cases, the alternative URLs remained on target servers after synchronizing the corresponding 'Update page' staging task.

The system did not provide sufficient information for developers about errors originating from MVC form components when displayed as part of the widget properties dialog. After applying the hotfix, such errors are logged with full exception details into the system's event log.

The 'Custom registration form' web part did not validate the entered username value. If the specified username contained an invalid character, such as an apostrophe, an error occurred on the website.

If a website contained a very large number of pages (tens of thousands) of a certain page type, adding a new field to the page type with continuous integration enabled resulted in an SQL query that was too complex and an error occurred. After applying the hotfix, the system generates less complex queries for such scenarios, which minimizes the chance of SQL errors.

When managing products in the 'Products' application on a Portal Engine site, switching the language selector to create a new culture version of a product caused an error. The error only occurred after applying hotfix 12.0.53 or newer.

Updating or resetting user passwords on MVC sites (using Kentico's ASP.NET Identity integration) resulted in redundant database updates of the affected user object. Applying the hotfix reduces such updates, lowering the likelihood of potential database deadlocks occurring in this scenario.

Due to changes in the LinkedIn integration API, the LinkedIn company profile management functionality in Kentico did not work. After applying the hotfix, you additionally need to obtain the 'rw_organization_admin', 'r_organization_social' and 'w_organization_social' permissions for your LinkedIn app, which requires you to apply and be approved as a LinkedIn Partner. You also need to 'Reauthorize' all LinkedIn company profiles in your 'LinkedIn' application in Kentico. See the hotfix instructions for details.

An error occurred when submitting an MVC form containing the 'File uploader' form component if outgoing synchronization using the integration bus was enabled.

For products that were used within an existing order, deleting one culture version of the product page incorrectly disabled the 'Allow for sale' property of the given product (SKU), even if there were other culture versions. After applying the hotfix, products are disabled only if no remaining culture versions exist.

If a site's 'Default page' setting was configured to the 'Use domain root' option, the redirect to the root did not preserve the values of any wildcard parameters contained in the home page's URL. After applying the hotfix, the domain root redirect URL includes wildcard parameters in the query string.

If a page builder component (such as a widget) included scripts that used certain ECMAScript 5 features, an exception could occur in some scenarios when loading page builder scripts on pages containing the component. For example, the error could be encountered after installing the Kentico 'Rich text' inline editor widget. After applying the hotfix, the system no longer provides minification of page builder component scripts by default (we recommend adding custom minification of scripts in your project).

If a user only had permissions to manage certain types of staging tasks (page, object, data), without the 'Manage all tasks' permission for the Staging module, they could not view the details of a failed task on the corresponding tab in the 'Staging' application.

If reporting components (such as the 'DisplayReport.ascx' control) were used within custom pages, an error could occur while loading reports in certain scenarios and life cycle configurations. The errors occurred after applying hotfix 12.0.14 or newer.

The 'Preview' tab for products in the 'Products' application did not work on MVC sites due to incorrectly set Content Security Policy headers. The problem occurred only after applying hotfix 12.0.29 (Service Pack) or newer.

If the 'Default cookie level' setting was lower than 'Editor', the system did not correctly set certain editor cookies for administration interface users who did not pass through the default sign-in page (for example when signing in via external claims-based authentication, Windows authentication, or directly on the live site and then accessing an administration URL). The missing cookies prevented parts of the administration interface from working correctly, such as the marketing automation and advanced workflow designer.

The system did not provide sufficient information for developers about certain types of errors originating from MVC page builder components (widgets, sections, inline property editors, etc.). For example, no details were available for errors resulting from the Razor view code of components. After applying the hotfix, such errors are logged with full exception details into the system's event log.

It was not possible to view the details of failed incoming or outgoing integration bus tasks in the 'Integration bus' application. Attempts resulted in a JavaScript error being logged in the browser console.

Due to breaking changes in Facebook's API, the Facebook Insights reporting feature in Kentico (accessible via the 'Insights' tab when editing a page in the 'Facebook' Kentico application) displayed incorrect data. Moreover, as a result of these changes, 'Page fans' Insights reports no longer chart cumulative growth, but instead report daily fluctuations.

It was not possible to view A/B test details from the 'Pages' application in published projects (using the 'Manage A/B test' button).

The 'IsLast' transformation method did not return correct values in scenarios where the data used pagination. For example, the method did not return a 'true' value when the transformation was applied to the last item displayed by the 'Repeater' web part with paging enabled.

If an instance had multiple MVC sites and their presentation URLs contained the same base domain (for example with differences in the application path, e.g. 'domain.com' and 'domain.com/appPath'), the system in certain cases incorrectly used the site running on the less specific base domain as the current site. This affected both default functionality, and the result of 'SiteContext.CurrentSite' API calls in custom code. The problem occurred only after applying hotfix 12.0.41 or newer.

Permissions for uploading page attachments were evaluated incorrectly if the 'Insert link' or 'Insert image or media' dialog was used to upload attachments while creating a new page (before the page was saved for the first time).

In certain cases, the system redirected requests to an incorrect domain URL. For example, if a site used HTTPS URLs, enforcement of separate domains for cultures, and had a domain alias with a specified 'Visitor culture', the wrong language version was displayed when a page was accessed under the culture-specific domain. The problems occurred only after applying hotfix 12.0.35 or newer.

If a conversion was set for a campaign with the "any" option selected in the configuration (for example a 'Subscription to a newsletter' conversion for 'Any' newsletter), the contact demographics detailed report for the given conversion displayed empty data.

When the 'CultureSiteInfoProvider.IsSiteMultilingual' API method was called for the first time for a site, it always returned a false result (subsequent calls worked correctly).

If a Portal Engine site had a domain alias with a 'Redirect URL' value containing the '{%protocol%}' macro, the redirection did not work correctly for URLs using the 'https' scheme.

The administration interface URLs internally used in the Pages application for the preview and page builder editing mode of pages on MVC sites incorrectly had unlimited validity. After applying the hotfix, these URLs contain a timestamp parameter and expire after 8 hours by default. The expiration time can be adjusted by setting the 'CMSPreviewLinkExpiration' key to a specific number of minutes in the web.config file of the Kentico administration application.

When viewing pages on MVC sites through a preview URL (generated in the Pages application on the 'Properties -> General' tab), links to other pages incorrectly preserved the preview mode and the generated user context. After applying the hotfix, the 'href' attributes of such links no longer contain preview URLs and the links instead open the live site version of the targeted page.

The 'Kentico.Libraries' NuGet package contained unnecessary libraries (CMS.Synchronization.WSE3.dll, Microsoft.Web.Services3.dll and DotNetOpenAuth.dll). The libraries are no longer present after updating the package to version 12.0.46 or newer.

Links created using the editor were generated incorrectly if the link target was a page on a different Portal Engine site. The problem occurred only after applying hotfix 12.0.41 or newer.

If a link was created in page content using the editor and a '#' fragment component (e.g. anchor link) was manually added and saved to the URL, the fragment component was ignored when opening the link dialog again and lost upon subsequent save.

The system ignored search settings for page fields storing the content of widgets and editable regions ('DocumentContent' and 'DocumentWebParts'), which can be customized in the 'Modules' application -> 'E-commerce' -> 'Classes' tab -> 'SKU' -> 'Search' tab.

The 'U.S. phone number' form component did not correctly format United States phone numbers and logged errors into the browser console when rendered as part of a form.

The newsletter subscriptions listed in the 'Users' application on the 'Subscriptions' tab of a selected user were not correctly updated after the user unsubscribed from a newsletter.

Users with limited permissions were not able to create MVC pages with page builder support (i.e. page types with the 'Use Page tab' option enabled) in certain scenarios. An "Access is denied" error occurred if the user had sufficient permissions only for the content tree sub-section where the page was being created, but not for all parent pages.

If an MVC website was disabled by adding an 'App_Offline.htm' file to the project root, every request unnecessarily triggered initialization of the Kentico application (leading to redundant 'APPSTART' events in the system event log).

The system processed page URLs inefficiently when listing items in page selector dialogs (e.g., when copying, moving or linking pages), which could lead to performance issues. For example, such issues could occur on MVC sites if the pages listed in the dialog had URL patterns containing resource-intensive macros.

Scenarios where a custom event handler was used to set the 'RequestContext.IsSSL' property did not work correctly (for example when handling HTTPS requests in environments with a reverse proxy server and TLS/SSL acceleration). The problem occurred only after applying hotfix 12.0.35 or newer.

The 'Optimize local search indexes' scheduled task did not work.

If the value of an MVC widget property contained URLs in virtual relative format, and the property was edited and displayed using an inline editor, the URLs were not resolved correctly within the page builder interface (on the 'Page' tab of the Pages application). URLs within content on the live site were not affected and remained functional.

If the default 'Form' widget was "nested" within a custom MVC widget (displayed using the 'RenderAction' HtmlHelper method), a 404 error occurred when submitting the resulting form. The problem occurred only after applying hotfix 12.0.30 or newer.

Errors or "access denied" messages could occur in certain parts of the administration interface due to incorrect hash validation. For example, when attempting to edit a transformation or query from the web part properties dialog. The problem occurred only after applying hotfix 12.0.40 or newer.

Re-signing macros in 'System -> Macros -> Signatures' resulted in an error on instances installed as 'web site' projects and on precompiled deployments. The error occurred only after applying hotfix 12.0.37 or newer.

On instances with hotfix 12.0.12 or newer applied, customers with a filled in 'Tax registration ID' value were incorrectly exempt from tax for products with a tax class that had the 'Zero tax if tax ID is supplied' property disabled. Note that applying this hotfix corrects the default tax exemption, but also reverses the changes from 12.0.12 - custom tax exemptions added using an 'ICustomerTaxClassService' implementation apply only for products under a tax class with the 'Zero tax if tax ID is supplied' property enabled. If you have a custom tax exemption and wish to avoid this behavior, please contact Kentico support.

Editing a link to a content-only page from a different site using the WYSIWYG editor's 'Insert link' dialog incorrectly opened the 'Web' tab and displayed an external web link. After applying the hotfix, such links are correctly edited on the 'Content' tab.

The 'Collapsible panel' layout web part and widget did not display the image specified through the 'Collapsed image' and 'Expanded image' properties.

The 'Users' application incorrectly allowed only users with the 'Global administrator' privilege level to clone users (as well as perform 'Other actions', such as exporting users). After applying the hotfix, the actions are available for all users with sufficient permissions or at least the 'Administrator' privilege level.

Certain mouse button actions that occurred within modal dialogs in the page builder interface could incorrectly affect the interface outside of the dialog. Specifically, the 'mouseup' and 'mousedown' mouse button events were propagated to the dialog's parent elements.

Links to URLs containing a '#' fragment component (e.g. anchor links) were not handled correctly in preview mode and the page builder interface. Upon clicking, such links lead to invalid URLs, resulting in the 404 error.

When a file in a media library was renamed on instances running in a web farm environment, the system did not log synchronization tasks, so the file rename did not occur on other servers. The problem impacted media libraries on MVC sites, which utilize a web farm to synchronize changes to the file system of the MVC live site application.

Applying the hotfix database scripts resulted in an error if the target database used a different schema than 'dbo' (the default schema for Kentico databases). The error occurs for hotfixes 12.0.29 (Kentico 12 Service Pack) up to 12.0.39, and is resolved in newer versions.

If an external redirect was configured for the Kentico application (e.g., via IIS or the 'hosts' file) and the 'Force domain culture' setting was enabled, but the destination domain was not configured for the target site on the 'Domain aliases' tab in the 'Sites' application, attempting to access the site resulted in an uncaptured .NET error message being displayed to the visitor instead of the system error page.

After uploading a file into an MVC form field using the 'File uploader' form component, attempts to delete the file before submitting the form failed and resulted in an error.

Globally enforcing authorization over the entire MVC front-end (using the 'Authorize' attribute) resulted in errors when accessing the 'Form builder' tab of the 'Forms' application in the administration interface.

On Portal Engine sites using claims-based (WIF) authentication, URL query string parameters were lost when a user accessed a secured page, was redirected to sign in via the external identity provider, and then returned after successful authentication. After applying the hotfix, handlers of the 'SecurityEvents.AuthenticationRequested' global event include the full query string within the event arguments that provide the redirection URL.

If the 'Use site prefix for user names' setting was enabled, the system did not send notification emails to users whose account was locked due to password expiration or reaching the limit of invalid sign-in attempts. As a result, users could not access the password change or account unlock link in the email.

If a form on an MVC site contained a field using the 'File uploader' form component, an error occurred on the form's 'Code' tab in the 'Forms' application. It was not possible to generate item and provider code for the given form.

Macro expressions where multiple chained methods modified the data of an object collection did not work correctly in certain cases. For example, if a collection was first modified by the 'Filter' method and then the 'OrderBy' method was added, the original filtering was not applied to the resulting data.

For instances with the Kentico 12 Service Pack applied (hotfix 12.0.29 or newer), a licensing error occurred on pages created using the MVC page builder if the site's license edition was lower than EMS.

The 'Form field selector' form control did not work correctly. The control always saved the first field of the chosen form, regardless of the actual field selection in the second drop-down list.

When using the 'Kentico.Libraries.Tests' NuGet package to create automated tests, an error occurred when running tests if the 'NUnit' dependency package was manually updated to version 3.10 or newer. After applying the hotfix and updating the 'Kentico.Libraries.Tests' package to 12.0.38 or newer, tests are compatible with newer versions of the 'NUnit' package.

On instances with multiple target staging servers, synchronization tasks were incorrectly deleted in certain scenarios. When synchronizing tasks to all servers (with the '(all)' option selected in the server selector), tasks were fully deleted for all servers even if the synchronization was only successful for one of the servers.

Forms created using the MVC form builder did not display validation error messages correctly in certain scenarios. If a form was submitted and validation error messages were displayed, these messages disappeared when the form was refreshed (for example after further input triggered re-evaluation of a field's visibility condition).

Form fields using the 'File uploader' form component on MVC sites worked incorrectly with form notification emails. Such fields did not display the name of the uploaded file in the email content and the submitted files were not included as email attachments.

Re-signing macros in 'System -> Macros -> Signatures' could lead to licensing errors in the event log and invalid macros (for macro expressions related to features for which the instance's current license edition was insufficient).

Layout web parts located in a hidden web part zone were completely invisible in the editing interface. The editing handle of such web parts was hidden, and it was not possible to edit them.

The 'Parent object type' property of the 'Roles' application's 'Edit role' UI element was incorrectly set to 'A/B test (om.abtest).' This could have caused errors when adding child UI elements to the 'Edit role' element. Applying the hotfix sets the 'Parent object type' property to '(automatic).' Note that this will also overwrite any customizations made to the 'Edit role' element in your project.

It was not possible to select or drag and drop media files from the file system after opening the media files selector modal dialog. The problem occurred when the 'allowedExtensions' property was not specified in the 'options' parameter object of the 'modalDialog.mediaFilesSelector.open(options)' function.

In special cases, the system accumulated redundant records by repeatedly failing to delete the records from the 'CMS_WebFarmTask' database table.

Installing or updating the 'Kentico.AspNet.Mvc' NuGet package added an empty 'CMSConnectionString' <add> element to the 'connectionStrings' section in the web.config file, if it was not already present. This could cause errors in certain scenarios, for example when using an external connection string file specified via the 'configSource' attribute. The same problem could occur also for the 'appSettings' section with specified 'configSource', where the NuGet installation was adding the 'CMSHashStringSalt' app setting. Versions 12.0.35 and newer of the package no longer add the empty 'CMSConnectionString' and 'CMSHashStringSalt' elements when the 'configSource' attribute is present in their parent section. In case of external config sources, developers need to manually specify the 'CMSConnectionString' connection string and the 'CMSHashStringSalt' app setting in the external config files.

When the Kentico application was running behind a proxy server or some other service that masks the application's original domain (e.g., Azure Application Gateway), it generated certain requests with incorrect URLs. This caused errors in parts of the application (e.g., when uploading files into Media libraries). When hosting the Kentico application behind a proxy server, developers need to set the 'CMSUrlHost' web.config key (added by the hotfix) to the 'host' component of the proxy server's URL to ensure the application correctly generates request URLs. Please note that this configuration currently applies only for Portal Engine projects. See the hotfix instructions for more information.

The 'Customer detail' web part did not validate the uniqueness of entered email addresses for signed-in users. If the entered email address was already registered in the system (e.g., by another user), this could have resulted in two users with identical addresses (due to the way the system merged the submitted information with the internal user object).

In certain cases, when utilizing the web part-based checkout process on Portal Engine sites, a previously selected shipping option incorrectly persisted over multiple orders, even though the orders did not contain any shippable items. Furthermore, when using custom shipping carrier providers, removing all shippable items from an order after a shipping option has been selected resulted in an error in certain cases.

Kentico's ASP.NET Identity integration for MVC projects was tightly coupled with the default 'Kentico.Membership.User' class. Any changes to the 'User' class (e.g., added custom properties or additional logic) required a full re-implementation of the entire ASP.NET Identity integration. The hotfix expands the Kentico membership API by introducing the 'KenticoUserManager', 'KenticoUserStore', and 'KenticoSignInManager' types, which allow developers to seamlessly integrate custom user types derived from the default 'Kentico.Membership.User' class. See the hotfix instructions for more details.

When using the 'Image selection' and 'Media selection' form controls for the fields of pages under workflow, validation of the fields was executed incorrectly in certain cases. For example, if the field was set as required after an existing page was already published, the validation prevented users from subsequently creating a new version of the page.

After applying hotfix 12.0.29 or newer to the Kentico setup files, new web projects created using the hotfixed installer did not run or compile correctly (due to missing updates of the NuGet package 'packages.zip' archive). To fix the problem, you need to apply hotfix 12.0.33 or newer to the setup files.

It was not possible to precompile and publish (e.g., via the Visual Studio 'Publish' wizard) the Kentico project hotfixed to version 12.0.29 or higher due to incorrect file references. Applying the hotfix ensures no incorrect references exist in the project's .csproj file, allowing the publishing process to proceed without problems.

The 'New...' context menu in the Pages application incorrectly offered the option to create new pages as A/B test variants on MVC (content-only) sites. This option was not relevant, as the A/B testing feature on MVC sites does not use separate pages for variants.

When a registered user tried adding or configuring widgets on the Portal Engine live site, changes made inside the 'User personalization' widget zones were not saved. You could experience this issue if you installed the hotfix version 12.0.30 or 12.0.31.

Forms that contained fields with conditions whose evaluation required a server postback (e.g., fields with 'Has depending fields' enabled) lost focus on the currently selected field after the form was reloaded. After applying the hotfix, field selection persists through postbacks.

When a visitor arrived at a campaign's landing page via a link containing UTM parameters and accepted cookies via the 'Cookie law and tracking consent' web part, the visitor's cookie level and UTM parameters were not evaluated correctly. As a result, a page visit activity was not logged for the campaign's landing page.

The 'SearchParameters.PrepareForPages' method created a 'SearchParameters' object that forced a specific level of supported smart search syntax for search queries. This interfered with the smart search functionality, for example not allowing exact field searching to be performed (i.e., the syntax 'field:"searchquery"' was incorrectly processed). The hotfix introduces overloads for the 'SearchParameters.PrepareForPages' method that allow users to configure the levels of supported syntax per search request when creating the 'SearchParameters' object. See the hotfix instructions for details.

It was incorrectly possible to add and delete page variants of running MVC A/B tests. Deleting page variants mid testing could lead to loss of data and result in skewed test results.

An error occurred when trying to restore pages under certain types of advanced workflow from the recycle bin (if the workflow utilized wait steps or step timeouts). If the issue persists for pages created before the hotfix was applied, you need to manually delete scheduled tasks related to the given workflows in the 'Scheduled tasks' application on the 'System tasks' tab before restoring the pages.

An error occurred when using the REST service to set the value of a column with the GUID data type if the request data was in the JSON format.

When adding or configuring editor widgets in the Pages application on Portal Engine sites, changes made in the widget properties dialog were not saved in scenarios where the user opened the live site in another browser tab.

Pages created using the MVC page builder (i.e. containing sections and widgets) displayed an error on the live site if the MVC application's route collection did not contain a general default route with a controller and action parameter. The problem occurred after applying hotfix 12.0.29 (Service Pack).

When running an MVC site and the Kentico administration application on different domains, an error could occur when creating new pages of a content-only page type with the 'Show Page tab' setting enabled. The error was encountered if the 'UseResourceSharingWithAdministration()' feature was not enabled for the MVC application, and only after applying hotfix 12.0.29 (Service Pack). With hotfix 12.0.30 or newer, the cross-origin resource sharing feature is automatically enabled for all MVC projects.

Hotfix 12.0.29 is the Kentico 12 Service Pack, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Service Pack release notes linked at the top of this section.

The system incorrectly retrieved and displayed the file size value as 0B for very large media library files (for example in the 'Media libraries' application and media selection dialogs).

If checking of page permissions was enabled for attachment files ('System -> Files -> Check files permission' setting), the result of the permission evaluation was cached incorrectly. This could cause users to incorrectly be allowed (or unable) to access attachments based on the cached result.

On sites built using the MVC development model, 'Page visit' and 'Landing page' activities were incorrectly logged when viewing pages in the 'Pages' application of the administration interface. After applying the hotfix, page related activities are only logged on the live site.

If an email widget used in a marketing email was deleted, the email was then modified and saved, and the widget was later restored, it was not possible to send out the marketing email (the system did not detect the restoration of the widget and update the email to a sendable state).

If content added through the page builder (for example using a custom text editor widget) included URLs in virtual relative format, the URLs became broken after resaving the content on the 'Page' tab in the 'Pages' application. Relative URLs ('~/<resource path>') are resolved into virtual context URLs ('/cmsctx/.../<resource path>') to work within the administration interface, but this value was incorrectly saved into the database on subsequent edits. After applying the hotfix, virtual context URLs are reversed back into relative URLs before being saved. The fix does not address any existing broken links - these need to be fixed and resaved manually.

The 'Insert link' dialog, available in the editor for rich text fields on the 'Content' tab of content-only pages, incorrectly created page links with absolute URLs, including the site's scheme, domain and application path (i.e. the site's 'Presentation URL'). This could cause broken links when transferring content between different environments, for example using staging. After applying the hotfix, the editor creates page links with virtual relative URLs ('~/<link path>'). Additionally, the hotfix introduces an output filter that automatically resolves all relative URLs on the side of the MVC live site (based on the environment where the site is actually running). See the hotfix instructions for more information.

Properties of page and form builder components annotated with the 'EditingComponent' attribute were incorrectly validated against the database column size constraints specified in the constructor of the corresponding editing component's properties class. After applying the hotfix, the database column size constraint validation is performed only when submitting values via a form composed using the 'Form builder.'

When a package containing site-specific data was imported, the system forced the rebuild of all smart search indexes. This occurred for all imported objects and could result in long and unnecessary rebuild operations for large indexes. The hotfix disables the forced index rebuild and introduces a new 'Rebuild site search indexes' setting in the 'Objects selection' step of the import wizard, allowing users to determine whether an index rebuild is necessary for each individual import.

If a user subscribed to an entire report that had parameters and a filter, the resulting report status emails did not contain any data.

If the default 'Checkbox' component was assigned to a property of a personalization condition type (using the 'EditingComponent' attribute), the checkbox did not work correctly in the resulting configuration dialog when the condition type was selected while personalizing a page builder widget.

When a marketing email in an email feed of the 'Email campaign' type contained the 'IsInPersona' macro and was sent to a contact group, the macro always returned a 'True' value for all contacts in the contact group. The previously released 12.0.23 hotfix fixed the same issue, but only for email feeds of the 'Newsletter' type.

The 'Insert macro' dialog within the plain text editing interface for marketing emails did not offer context specific objects (for example 'Recipient' or 'Email'). The problem occurred only after applying hotfix 12.0.17 or newer.

Custom filters created for the 'Filter' web part were not loaded correctly on precompiled sites.

If a script or other resource was linked in the markup of an MVC page using a protocol-relative URL, the link URL was incorrectly modified and became broken when the page was viewed in preview mode or the page builder interface within the Pages application.

If a form field used the 'HTML5 input' form control, the 'Enabled condition' advanced field setting did not work. Such fields were always enabled even if the specified condition was not fulfilled.

Staging service authentication using X.509 certificates did not work on instances hosted as an Azure App Service (the system worked with a different certificate store location than the one used by certificates imported into Azure).

When a marketing email containing the 'IsInPersona' macro was sent to a contact group, the macro always returned a 'True' value for all contacts in the contact group.

Payments using the default Authorize.Net provider could fail due to an exceeded maximum length of requests generated by the system (in cases where the payment data contained long parameters, such as the names of shipping options, etc.). Additionally, the system did not resolve localization expressions in the parameters of the sent payment data.

The '~/CMSModules/Content/FormControls/Documents/SelectPath.ascx' control's selection dialog did not work if the control was placed into the markup of a web form or user control and its 'EnableSiteSelection' property was set as an attribute.

When the 'URL selector' form control was configured to display the Media tab and a media library 'Starting path' was also specified, it was not possible to select media files from subfolders if the given library was mapped to Azure storage.

If a customer set both the shipping and billing address during checkout on a Portal Engine site (via a page containing the 'Customer detail' and 'Customer address' web parts), and then later returned to the given checkout step to update one of the addresses, the changes were not saved.

The system did not send password reset emails in cases where the user's email address matched the address of another user account that was disabled.

When utilizing a web farm setup together with the integration bus, a single integration task could be processed by multiple web farm servers (usually when the environment experienced heavy load). For example, this could result in duplicates of the processed object being created in the connected external system.

When the 'Allow switch sides' setting was cleared and a 'Relationship name' was specified in the advanced editing control settings of a page type field that used the 'Related pages' form control, the resulting field did not allow adding of related pages from sites other than the current site.

Double opt-in, subscription, and unsubscription confirmation emails were sent with 'low' priority, which could cause long delays for subscribers on instances that sent out a large number of other emails. After applying the hotfix, the priority of such confirmation emails is set to 'normal'.

The hotfix updates the Microsoft Translator Text API from Version 2 (V2) to Version 3 (V3), because V2 will be discontinued on April 30, 2019. In addition, the 'Speak' method of the 'MicrosoftTranslatorService' class, which could be used in custom code for text-to-speech functionality, is no longer supported after applying the hotfix.

When using URL shorteners to process links in text posted to social media, the application consumed excessive resources on the server (CPU) if the link URLs contained certain special characters. The problem also occurred when calling the 'URLShortenerHelper.ShortenURLsInText' method in custom code.

When a page with a workflow applied contained an 'Editable text' web part, the latest version of the web part's content was not displayed in 'Preview' mode when viewing child pages which inherited the original page's content (via page nesting and the 'Page placeholder' web part).

When a page with an associated SKU was under a workflow, modified fields of the SKU that contained ID values (such as the 'SKUDepartmentID' field) were not staged correctly if the IDs were different between the staging servers, but the 'NodeSKUID' field was identical.

When editing forms on a Portal Engine site via the 'Form builder' tab in the 'Forms' application, removing or cloning of fields did not work if the field's 'Label' value contained an apostrophe (single quote) character.

If an email widget property used the 'Macro editor' form control, context specific objects were not available in the macro autocomplete feature and 'Insert Macro' dialog. It was still possible to enter such objects manually.

The 'Uni selector' form control did not save selected items correctly if the returned value (determined by the control's 'Return column name' setting) contained special characters. The problem occurred in selection modes that utilize a dialog, such as 'Multiple'.

The 'FormFieldRenderingConfiguration.GetConfiguration' event added as part of the form builder markup customization API introduced in hotfix 12.0.14 was incorrectly invoked in certain scenarios. After applying the hotfix, the event is only triggered for forms rendered by the 'Form' widget. All documented customization scenarios remain unaffected.

For users with an associated customer, setting the 'First name', 'Last name' or 'Email' property to an empty value incorrectly cleared the corresponding value for the customer entity. These are required fields for customers, so this type of synchronization caused an invalid state. After applying the hotfix, only non-empty name and email values are synchronized from users to customers.

When using custom form components in the configuration dialog for page builder widget properties, scrolling functionality was incorrectly disabled. As a result, form components with scrollable elements (e.g. advanced drop-down options) did not work when used to edit widget properties.

When calling the 'modalDialog' JavaScript function in custom client code within the administration interface, the function's 'otherParams' parameter was ignored in certain cases (in locations where the system opened an advanced modal dialog). As a result, developers could not control parameters such as the resizability of the opened dialog.

When running a campaign on an MVC site, the value of the 'utm_content' parameter used in the campaign's links was not logged correctly for conversions or displayed in the campaign's reports.

The 'ResourceStringInfoProvider.TranslationExists' method returned an incorrect result in certain cases (after the system's cache was cleared).

An error occurred when attempting to select a file in the 'Linked file' property of the 'Javascript' web part if another file was already specified.

When using the Advanced export feature for contacts in the 'Contact groups' application with the 'Export raw database data' option selected, it was not possible to select custom contact fields for the export.

Processing of requests containing a query string parameter without a value, such as '?param', could result in an error in certain scenarios. For example, the errors could occur for requests that loaded files and other resources.

The 'SKU selector' form control did not work if its 'Allow multiple choice' setting was enabled.

If the product variant editing form (i.e. the 'Variant properties' alternative form of the 'SKU 'class) was customized to display the 'Image' field (SKUImagePath), the field's default 'Product image selector' form control did not correctly save information about uploaded image metafiles. This resulted in incorrect behavior, for example when displaying or staging the variant and its image.

Tabs displayed by the 'Tabs layout' web part were not hidden correctly in certain cases when their content was empty, even when the web part's 'Hide empty tabs' property was enabled. For example, the problem occurred if a tab contained a Repeater web part with an empty data source and the 'Hide if no record found' property enabled.

If a report had parameters with defined validation rules, the validation did not work when the report and its parameter filter were displayed on a website page using a reporting web part or widget.

When deleting a linked page from the content tree in the 'Pages' application, it was not possible to select an alternative page to which old URLs could be redirected.

The hotfix introduces additional API that enables more extensive markup customization options for forms built using the 'Form builder' feature. See the hotfix instructions for details.

The 'Seznam' search engine defined in the 'Search Engines' application had an obsolete domain configured in its 'Domain rule' property. As a result, visitors from the Seznam search engine (seznam.cz) were not being tracked accurately. After applying the hotfix, the system correctly tracks all visitors that access a site from the 'Seznam' search engine.

Authentication of requests to the Kentico REST service failed if the provided password contained the colon character (':').

If an MVC widget or form component was registered with an identifier containing a certain suffix (e.g. matching a blocked IIS extensions such as '.resources' or '.sitemap'), an error occurred when the item was added to the page or form builder.

When publishing an MVC live-site application (e.g., via the Visual Studio 'Publish' wizard), the publishing process did not copy certain .NET Resource (.resx) files. This resulted in unresolved resource strings in parts of the published application. The problem occurred when using versions 12.0.1 to 12.0.12 of the 'Kentico.AspNet.Mvc' NuGet package. From package version 12.0.13, all necessary resource files are copied during the publishing process.

The system allowed invalid characters as part of the 'Name' property of form fields (adjustable via the Properties tab of the MVC Form builder). After applying the hotfix, the 'Name' property must begin with a letter or an underscore ('_') character and may contain only letters, numbers, and additional underscore characters.

All event attendees stored for an event, represented as a page of the 'Event (booking system)' page type, were removed when one of the page's culture versions was deleted. After applying the hotfix, event attendees are removed only after the deletion of the event's last remaining culture version.

Calling the 'GetPage' method in the Index action of an MVC widget without any properties defined resulted in an error when the widget was displayed.

The hotfix removes the 500 character restriction placed on the 'Text area' form component for the MVC Form builder. After applying the hotfix, the character limit is by default set to the maximum number of characters allowed by the underlying database column. However, note that this change is only reflected in form fields created after the hotfix was applied. See the hotfix instructions for details.

The system did not send confirmation emails to recipients who unsubscribed from a single email feed of the 'Email campaign' type. Additionally, confirmation emails were incorrectly sent in certain cases after unsubscribing from all email feeds (email campaigns and newsletters), which is not intended behavior.

If a tax exemption for customers was created by registering a custom 'ICustomerTaxClassService' implementation, it was only applied for products with a tax class that had the 'Zero tax if tax ID is supplied' property enabled. After applying the hotfix, the property no longer affects custom tax exemptions (unless checked in the code of the custom implementation).

If the default CSRF security token functionality was disabled using the 'CMSEnableCsrfProtection' web.config key, custom 404 error handling pages assigned through the 'Page not found URL' setting were not displayed when a POST request targeted a non-existing URL (by default the standard IIS 404 page was displayed instead).

Widgets or sections that utilized actions other than 'Index' (for example the submit action of the default 'Form' widget) did not work correctly in certain scenarios. The problem could occur if the MVC application's route collection did not contain a general route with a controller and action parameter, or if a different route with a custom controller and the 'Index' action matched the page builder URLs.

Page builder and preview functionality did not work on pages whose controller and action was accessed through another action using an MVC redirect method (for example 'RedirectToAction').

A validation error occurred when attempting to save a field with the 'Form field selector' form control if the control's 'Field data type' setting was set to the 'All' option.

After installing or updating the 'Kentico.AspNet.Mvc' NuGet package, the 'CMSApplicationModule' module in the MVC project's web.config file did not contain the 'preCondition' attribute, which could have a negative performance impact on the application. Versions 12.0.10 and newer of the package ensure that the preCondition is correctly set to 'managedHandler'.

If multiple staging tasks were synchronized in a single batch, and the synchronization failed for one or more of the tasks, the entire batch remained in the task list (including tasks that were already successfully processed).

A move operation on a subset of pages under an Azure search index redundantly updated all pages in the corresponding index. This could result in very long indexing operations on sites with a large number of indexed pages.

Processing of requests to virtual paths defined by the Microsoft ASP.NET Web Optimization Framework, such as JavaScript or CSS bundles, resulted in an error (null reference exception). The errors occurred only for requests handled by the Kentico web project (not in MVC applications using the Kentico API).

Products that use inventory tracking and have the 'Sell only if items available' property enabled may in some cases be sold even when the inventory is depleted if multiple customers place orders concurrently. After applying the hotfix, the system logs a warning into the event log if such a situation occurs. Additionally, the hotfix introduces the 'CMSUseStrictInventoryManagement' web.config key, which you can enable to prevent the system from creating such orders. If you enable the key and have an MVC site or Portal Engine site with custom checkout components, you need to ensure that your custom code handles the resulting 'InvalidOperationException' and displays appropriate information to customers.

When a page with an associated SKU was synchronized with the 'Publish from' field set to a future date, fields of the SKU were not staged correctly (except the name and description fields).

Synchronizing pages with an associated product (SKU) could break the relationship between the page and the product on the target server (in cases where the IDs of the given SKU were different between the staging instances).

The 'DataItemCount', 'IsFirst()' and 'IsLast()' transformation property and methods did not work correctly for data returned by the smart search (for example in transformations used by the 'Smart search results' web part). After applying the hotfix, the property and methods return the correct values for the currently displayed page of results.

The system did not allow users to manually recalculate a persona after a new rule was added for the persona in the 'Personas' application.

When selecting or uploading an image file in certain types of media selection dialogs (for example in a page field using the 'Media selection' form control), resizing of the image with a locked aspect ratio did not work correctly.

The 'Order by' property of the 'Selector' UI web part did not work, and also could not be set through the properties of UI elements that used the 'Listing with general selector' page template. After applying the hotfix, custom UI elements based on this template can now have their selector order by value configured through a new property.

The 'DefaultValue' property of the 'EditingComponent' attribute did not initialize form components (e.g., in forms or widget properties dialogs) with the specified default value. After applying the hotfix, the 'DefaultValue' property correctly sets a form component's default value when necessary.

When multiple content editors attempted to save pages under a workflow in the Pages application, a deadlock could occur in certain cases.

If an existing page type inherited fields from another page type, and a new field or category was added to the parent, the position of the new field in the inherited type could be incorrect (the order was not adjusted according to the inherited type's own additional fields). After applying the hotfix, such new fields are always added directly below the inherited field that precedes the new field in the parent page type.

The 'Default value' of page type fields was always loaded in the editing form, even for existing pages that had a different value specified. Saving such forms could cause users to make unintended changes in the page data. The problem was introduced by applying hotfix 12.0.5. However, applying hotfix 12.0.6 reverts an older bug fix, and prevents the default value from being applied for the following system page fields: DocumentInheritsStylesheet, DocumentShowInSiteMap, DocumentMenuItemHideInNavigation, DocumentIsArchived, DocumentUrlPath, DocumentWildcardRule and DocumentPriority.

If the page builder was initialized in a controller of a page located in an MVC Area, an error was displayed instead of the content on the live site and when previewing the page.

When erasing personal data from the system in the 'Data protection' application on the 'Right to be forgotten' tab, data subject identifiers (e.g. an email address) that contained certain special characters, such as '+', were not processed correctly, which could result in data not being removed.

The 'Users data source' web part did not order data correctly if the 'ORDER BY condition' property contained multiple columns with different order directions (ASC or DESC keywords). The last order keyword was incorrectly used for all columns.

Created Azure search indexing tasks were processed synchronously, which could result in an unresponsive user interface (e.g., when manipulating indexed pages in the content tree). After applying the hotfix, created Azure search tasks are processed asynchronously in one-minute intervals (if not customized otherwise).

The external Windows service for running scheduled tasks did not release allocated memory correctly in certain cases, which resulted in high memory consumption.

If a macro expression was added into the 'Default value' of a page type field with the 'Required' flag enabled, certain types of macros, for example {% EditedObject %}, were not evaluated correctly and returned a null value when creating new pages of the given type.

If an MVC site was configured to convert URLs to lower case (by setting the 'RouteCollection.LowercaseUrls' property to true in the code of the related MVC project), errors occurred in certain parts of the page builder and form builder interface, for example the widget property configuration dialog.

The Import Toolkit utility did not reflect application keys in the web.config file of the related Kentico project. For example, this caused incorrect behavior when importing data with continuous integration enabled and a custom repository path configured in the target project's web.config. Additionally, serialization of continuous integration data was incorrectly performed when running a simulated import of data in the utility. To fix the issues, the hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility).

The 'Process domain prefix' setting was not taken into account when tagging links in marketing emails with UTM parameters. If the domain prefix in an email link's URL was different from the prefix in the main domain set for the site, the given link was not tagged with the specified UTM parameters.

Updating or assigning page categories caused indexing tasks for Azure indexes of the 'Pages' type to fail if the index was newly created and not yet rebuilt, or if the subset of the content tree to be indexed, as specified on an index's 'Indexed content' tab, did not yet contain any pages.

A license limitation error was logged for license editions lower than EMS when working with MVC widgets in the page builder. After applying the hotfix, such errors only occur if there are personalization condition types registered in the system (which require an EMS license).

When an advanced workflow containing an asynchronous step (e.g., the 'Wait' or 'Send email' step) was applied to a page in a staging environment, changes to the page past the asynchronous step were not logged into the selected staging task group.

When indexing page attachments, errors caused by invalid Unicode surrogate pairs in PDF files terminated the indexing operation. Since such invalid surrogate pairs can occur in otherwise valid PDF files, the pairs are now stripped during the indexing process.

When sending newsletters, the "License for feature 'NewsletterABTesting' not found" error was logged in the event log and the newsletters were not sent on sites with lower than EMS licenses.

The 'Chat support request' web part did not render correctly in certain cases (e.g., on 404 error pages).

The system disregarded all multi-factor authentication validity interval customizations (via overriding the 'ClockDriftTolerance' property).

The 'ORDER BY expression' field was not taken into account when displaying related pages using the 'Repeater' web part. The default order of the related pages was always displayed.

When indexing page attachments, errors caused by malformed attachment content (e.g., invalid Unicode characters) displayed insufficient debugging information. After applying the hotfix, the error message contains the ID and name of the attachment causing the exception.

Certain operations with products could lead to SQL deadlock errors on sites with the 'Kentico CMS Base' or lower license editions.

When accessing forum groups belonging to a specific group on the 'Forums' tab of the 'Group' application, more strict permissions than necessary were required.

When setting the 'Subsidiary of' field on the 'General' tab of an account in the 'Contact management' application, the system did not preserve the account selection if the parent account was selected via the '(more items…)' dialog window.

Activities of the 'Form submission' type were logged with an incorrect 'Activity URL' value on content-only (MVC) sites. After applying the hotfix, such activities are logged with the URL of the page displaying the given form.

When logging new events into the event log, the system did not delete old events according to the limit specified in the 'Event log size' setting.

On Kentico EMS instances hosting multiple sites, subscriber data was processed incorrectly when automatically merging contacts who subscribed to newsletters from different sites. This could lead to marketing emails not being sent to subscribers and loss of subscriber data in some cases.

When using URL shorteners to process links in text posted to social media, the application consumed excessive resources on the server (CPU) if the link URLs contained certain special characters. The problem also occurred when calling the 'URLShortenerHelper.ShortenURLsInText' method in custom code.

Applying hotfix 11.0.39 or newer introduced a change in the e-commerce API, which could cause undetected broken functionality for sites with a customized tax calculation process. After applying hotfix 11.0.47, such cases now clearly result in a runtime and compilation error. Any custom code that prepares 'TaxCalculationResult' objects can no longer use the setter of the 'TotalTax' property, and must instead set the new 'ItemsTax' and 'ShippingTax' properties.

Certain operations with products could lead to SQL deadlock errors on sites with the 'Kentico CMS Base' or lower license editions.

When indexing page attachments, errors caused by malformed attachment content (e.g., invalid Unicode characters) displayed insufficient debugging information. After applying the hotfix, the error message now contains the ID and name of the attachment causing the exception.

On Kentico EMS instances hosting multiple sites, subscriber data was processed incorrectly when automatically merging contacts who subscribed to newsletters from different sites. This could lead to marketing emails not being sent to subscribers and loss of subscriber data in some cases.

If certain drop-down selector form controls (e.g. the 'Uni selector' in 'Single drop down list' selection mode) were placed into a form that was displayed in a dialog, such as the web part configuration dialog, and the field's settings also used an 'Enabled condition', clicking the '(more items...)' option in the list did not work correctly and the additional selection dialog was not opened.

When writing custom code that obtained a shopping cart object for an existing order using the 'ShoppingCartInfoProvider.GetShoppingCartInfoFromOrder' method, the cart's 'OrderDiscount' property was not set and always returned 0 (until the shopping cart was recalculated by calling its 'Evaluate()' method).

The 'Contact has agreed with consent' macro rule was not evaluated correctly in certain types of conditions (for example in marketing automation process triggers), and always returned a false value.

When importing a page type or custom table on an instance where the given object did not exist yet, role permissions configured for the page type or custom table were not imported.

Authentication failed when signing in to a website through the 'Facebook Connect logon' web part (a JavaScript error occurred due to changes in the Facebook SDK).

An error occurred on pages that displayed product details using an ASCX transformation containing the 'ShoppingCartItemSelector' control, if the control's 'UnavailableVariantInfoEnabled' property was enabled and the displayed product did not have any defined variants.

Local search indexes did not work when running Kentico as a scaled out Azure Web App with the 'CMSSharedFileSystem' web.config key enabled (this key was introduced in hotfix 11.0.23).

Attempting to publish a page under a workflow after restoring it from the recycle bin worked incorrectly. This happened only if the workflow was applied to an existing page after its creation.

If the 'Membership reminder', 'Report subscription sender' or 'Users delete non activated user' scheduled tasks were imported within a package from an older version, the given tasks could not be executed due to an incorrect assembly and class name.

When using the general export feature of listings in the administration interface (export to Excel, CSV or XML files), text data containing special characters, such as diacritics, could be malformed in the exported files.

Due to changes in the Facebook API and updated security requirements, the initial Facebook authentication and page publishing functionality in Kentico no longer works. To use the features, you need to apply the hotfix, and manually set 'Valid OAuth redirect URIs' for your Facebook app, and ensure that it has the required permissions via the Facebook App Review. See the hotfix instructions for details.

On sites using an Azure Search index, updating a page that had the 'Exclude from search' option enabled (on the 'Properties -> Navigation' tab of the Pages application) resulted in a failed indexing task, which blocked further processing of Azure Search tasks (until the failed task was manually deleted).

A warning message about not saved changes was displayed after editing and saving a page field using the 'Uni selector' form control (on the Form or Content tab of the Pages application). The warning message was displayed even when all changes were correctly saved.

If a multilingual page used an ad-hoc page template shared by all culture versions, deleting a culture version of the page also permanently deleted the page template (this caused the remaining culture versions to display blank content). After applying the hotfix, templates shared by multiple culture versions are deleted only after deleting the last culture version of a page.

Output caching did not work correctly on the pages of MVC sites for registered users due to unnecessary cookie operations performed by the system. The problem affected users whose 'Preferred user interface culture' was set to '(default)', for example newly registered users.

Certain macros related to email marketing did not take A/B testing variants of emails into account. For example, this could lead to incorrect evaluation of conditions that used the "Contact has opened marketing email" macro rules.

Smart search indexes of the 'Pages crawler' type used incorrect URLs for pages of content only page types, which prevented content from being indexed (for example on MVC sites).

When adding system page fields to a page type (fields with the 'Field type' set to 'Page field'), the 'Default value' was not applied in the resulting editing form for certain system fields, for example 'DocumentMenuItemHideInNavigation'.

If a contact was already subscribed to a newsletter with double opt-in enabled and attempted to subscribe again after the double opt-in interval had expired, the system did not inform them about the existing subscription. Similarly, calling the 'IsSubscribed' API method of the default 'ISubscriptionService' in custom code incorrectly returned a false value in these cases.

When a page field was edited on the Form tab of the Pages application with a value that did not meet the requirements of a validation rule, repeated submission of the data (e.g., moving to the next workflow step) incorrectly resulted in successful validation (while the original data was submitted).

If a scheduled task was configured to run only on specific days of the week, the 'Next run' time was calculated incorrectly under certain circumstances.

On sites running in a web farm environment, duplicate copies were sent out for a portion of newsletter or email campaign emails in certain cases.

Resizing of attachment images according to device profiles did not work correctly. Resizing was performed according to the device profile active when the image was requested for the first time. The result was cached and incorrectly served for all other profiles until the cache expired.

Payments using the default PayPal provider failed if the site was configured to include tax in prices. If you have customized the tax calculation process by creating your own 'ITaxCalculationService' implementation, you need to manually update your code after applying the hotfix. When preparing 'TaxCalculationResult' objects, set the new 'ItemsTax' and 'ShippingTax' properties instead of the original 'TotalTax'.

If the 'Documents' macro was used together with the 'Columns' macro method, the returned pages did not contain coupled data columns of specific page types (even when the 'WithAllData' property was added to the Documents collection, and the given columns were specified in the 'Columns' method).

The 'RelatedDocuments' property available for page objects in macros did not work correctly (the macro is used to retrieve a collection of all pages related to the given page through a relationship with the specified name).

An unhandled error occurred when creating fields with a data type for which no form control was available (e.g. 'Binary' type fields in custom module classes). After applying the hotfix, the error no longer occurs in these cases and the 'Form control' selector is disabled. However, it is still necessary to implement a custom form control if you wish to display fields of the given type in forms.

The primary or secondary contact assigned to an account was removed if the corresponding contact was merged with another contact (for example with a new anonymous contact).

When a field using the 'reCAPTCHA' form control was added to a form, the resulting HTML code was invalid (a <span> tag containing <div> elements). After applying the hotfix, the rendered <span> is replaced by a <div>.

The 'HTML5 input' form control only accepted integer (whole number) values when configuring the 'Max', 'Min' and 'Step' attributes. After applying the hotfix, other types of values, such as decimal numbers or dates, can be saved into the attributes.

In special cases, switching between sites in the header of the administration interface could cause an error (stack overflow exception) and a possible site crash. The problem occurred only on instances with customizations performing certain types of actions within handlers for the user update event.

Licenses were not loaded correctly when using cultures with certain calendar types (for example the Persian calendar).

Page aliases containing wildcards were processed in an incorrect order in certain cases. For example, if a page had two aliases with paths like '/page/{param}' and '/page/{p1}-{p2}', accessing the URL path '/page/value1-value2' resulted in the first alias being selected instead of the second (the value of the 'param' parameter was 'value1-value2', and the 'p1' and 'p2' parameters were not set). After applying the hotfix, you need to resave all page aliases where this problem occurs.

After enabling SCAYT (Spell Check As You Type) functionality in the editor, the options dialog (languages, dictionaries, etc.) did not work correctly.

On sites running in a web farm environment, content personalization conditions based on the visitor's persona were not evaluated correctly in some cases, which caused the incorrect personalized content to be displayed.

If the serialization of an object by the continuous integration solution failed because the resulting file's absolute path exceeded the maximum limit of 260 characters, the system logged a 'PathTooLongException' error into the event log without any additional debugging information. After applying the hotfix, the error message contains the absolute path of the file.

When storing smart search indexes on a shared file system (for example Azure Blob storage or on instances deployed to Azure Web Apps), the index files could become locked if an application restart occurred while building or updating an index. This blocked further index operations, such as index rebuilds. After applying the hotfix, the system is able to automatically resolve most scenarios related to locked index files. If your system already contains index lock files created before applying the hotfix, you need to manually delete them from the file system.

The 'Sales' and 'Number of orders' e-commerce reports displayed an incorrect "Total" value when filtering with a specific 'To' date was used.

On instances with a database hosted on SQL Server 2008 R2, an error occurred when selecting a query in the configuration dialog of a custom query web part (for example via the 'Query name' property of the 'Repeater with custom query' web part). The issue only occurred after applying hotfix 11.0.12 or newer.

When using the Kentico integration API for Salesforce in custom code, a FormatException error occurred after executing a SOQL query that returned an empty value for a field.

When using a selection dialog to select items with a specified filter (e.g., adding applications filtered by name to the default system dashboard for individual roles via the 'Roles' application), the filtering operation was also applied to the existing selection of items, often causing the loss of a portion of the selected items.

The menu providing data export options did not work in the 'Contact demographics' report accessible from the 'Email marketing' and 'Campaigns' applications.

In an environment with multiple sites running on a single domain, an error occurred when a user tried to create a new email feed in the 'Email marketing' application.

The 'Country selector' form control did not display the state selector element if used for a field in a form that was placed into an editable text area through the 'On-line form' inline widget.

When displaying coupon codes added to a customer's shopping cart, it was not possible to adjust the appearance of codes that are no longer valid (for example after the cart's total price falls under the value required by the coupon code's discount). After applying the hotfix, coupon code transformations provide an 'IsApplied' data property, which can be used to evaluate whether codes are still valid.

Users without the administrator privilege level encountered an 'Access denied' error when attempting to edit hierarchical transformations from the web part configuration dialog in the Pages application, even if they had sufficient permissions for the 'Design' and 'Content' modules.

After attempting to save a domain alias with a domain value that was already used by another alias (on the same site or another site), the edited site was stopped.

When using the Advanced export feature for page aliases in the 'View all aliases' dialog in the Pages application, an error occurred if the 'Current page only' option was disabled.

When an administrator performed actions while impersonating another user, entries created in the system's event log did not contain the administrator's original name (only the name of the impersonated user).

Sending of marketing emails failed if monitoring of bounced emails was enabled and the sender name configured for the email feed or specific email contained a comma character.

Users without the administrator privilege level were not allowed to manually create or edit coupon codes for gift cards, even with sufficient permissions for managing gift cards.

The API incorrectly allowed 'Union', 'UnionAll', 'Intersect' and 'Except' operations to be used with IMultiQuery objects (most commonly 'MultiDocumentQuery' objects returned when retrieving pages of multiple types). These operations are not supported for such objects and generated incorrect queries. After applying the hotfix, such operations result in a "not supported" exception.

By default, the geolocation feature uses MaxMind's GeoLite or GeoIP Legacy Databases, which will be discontinued in the future. The hotfix allows you to manually integrate the newer GeoIP2 Databases. To do this, you need to apply the hotfix, then install the 'Kentico.Geolocation.Update-v11' NuGet package, and add the required database files into your web project. See the hotfix instructions for details.

'Unsubscribe from newsletter' action of the 'Newsletter subscription' step in Marketing automation did not work correctly.

Payments using the default PayPal provider failed if the order had an applied Buy X Get Y discount or Product coupon discount with a certain type of additional condition (for example a discount available only for registered users).

When a URL path value of the 'Route' type was modified for a page, the changes were not synchronized correctly between web farm servers.

When using the Advanced export feature for the activity log in the 'Contact management' application, an error occurred if the 'Export raw database data' option was enabled and columns that are not included in the activity list by default were selected.

Default values of email widget properties were incorrectly applied whenever empty values were saved to the properties.

When performing page content tree actions in a modal dialog (for example moving a page), the interface could be confusing after switching to the listing mode that shows all sub-pages of a specific page. After applying the hotfix, a notification message is displayed to inform the user about the change of listing mode and to enable them to get back to the original listing.

If content personalization was enabled, adding a widget with the 'Skip initial configuration' option enabled on a page under workflow could cause other widgets in the given zone to disappear after the page was saved.

Email widgets did not reflect the selected UI culture when storing their properties which could lead to an error when editing the widget. After applying the hotfix, you need to manually re-save the configuration of affected widgets in your emails.

The system incorrectly resolved URLs of videos inserted via the 'YouTube video' web part or widget. The issue only occurred after applying hotfix 11.0.22 or newer.

When clicking the 'Clear' button next to the 'In roles' and 'Not in roles' fields in the advanced user search on the 'Users' tab of the 'Users' application, the textbox field was not cleared.

Translations.com submission could fail when a page was submitted for translation into multiple cultures, but was already translated into some of the target cultures (even though the 'Skip already translated pages' checkbox was selected).

The system did not accept values of the floating-point number (double) type that contained a digit group separator (thousands separator), but did not have a decimal part. The problem occurred only after applying hotfix 11.0.22 or newer.

Errors were generated in the system's event log when web bots, such as search engine crawlers, processed pages containing certain types of selector components (for example a country selector).

Searching for personal data in the 'Data protection' application was inefficient. Applying the hotfix improves the performance of the personal data search.

Code generated for page types, custom tables, forms or module classes was invalid if the given object had a field with a description containing newline characters. Saving the resulting code could lead to an error on the site (the code could not be compiled).

Redundant web farm synchronization tasks were being created and processed in environments where multiple web farm instances shared a single file system (e.g., when running Kentico in Azure Web Apps). This could lead to unwanted side effects, e.g., when synchronizing smart search indexes. The hotfix introduces a new 'CMSSharedFileSystem' web.config key that notifies web farm instances they are operating over a shared file system and configures them accordingly. See the hotfix instructions documentation page for more details.

If the '~\CMSPages\PortalTemplate.aspx' page was customized by adding the Async="true" attribute to the 'Page' directive, resolving of resource strings in page content did not work correctly.

If the Target framework of a Kentico web project was set to .NET Framework 4.7.2, a compilation error occurred due to an ambiguous reference (ToHashSet method). The error could also occur after installing .NET Framework 4.7.2 if live site debugging was enabled on the live site.

The access denied page of the administration interface did not work correctly when running on certain types of domains, and a generic 403 error was displayed instead when a user attempted to access an administration page without the required permissions.

Links to pages inserted into consent text in the 'Data protection' application did not always reflect the culture selected in the 'Language of consent' selector.

When the 'Cookie law and tracking consent' web part was placed on a page and the 'Default cookie level' setting was set to 'System', users were repetitively signed out from the administration interface after attempting to view this page in the Pages application.

When running continuous integration configured to not exclude any object types, or using the object blacklist (i.e. having objects specified under the '<ExcludedObjectTypes>' element in the 'repository.config' file) and restoring a new custom table type already containing some data, the corresponding data was restored only after the second time continuous integration was run. After applying the hotfix, new custom table definitions together with their corresponding data are restored in a single run of the continuous integration application.

Adding a site-specific role to a user on the Roles tab in the Users application caused all global roles to be removed for the given user.

The processing of on-line marketing activities could malfunction and log errors in the event log under certain circumstances.

Evaluation of form field validation rules could fail or lead to errors in special cases.

If a field using a text area form control (e.g. 'Text area' or 'Rich text editor') had a specified maximum text length, the system logged macro security warnings in the event log when the text length was exceeded in the resulting form, even if the text did not contain any macros.

Merging of contacts who subscribed to newsletters from different sites caused data inconsistencies, which could lead to errors when sending the newsletters.

If object locking of page templates was enabled, templates containing the 'Customer address' or 'Customer detail' web part could not be checked in while displaying web part content (on the Design tab of the Pages application).

Macros placed in the code of transformations could become invalid in special cases after re-signing macros in System -> Macros -> Signatures. The problem occurred if the macro expression contained certain characters (e.g. '<' or '>'), and object versioning was used for transformations, for example when undoing check-out or restoring an older version of a transformation.

An error occurred when restoring continuous integration files if the data contained an object with a field representing an optional reference to another object, and the referenced object was deleted (for example, the 'ItemCreatedBy' field of custom table data items referencing a user object). After applying the hotfix, such objects are restored successfully with a null value in the given reference field.

Code generated for page types, custom tables, forms or module classes was invalid if the given object had a field of the Text or Long text type with a default value containing certain characters (for example newlines or quotation marks). Saving the resulting code could lead to an error on the site (the code could not be compiled).

When selecting a layout of a widget in the 'Widgets' application, an error occurred if there was a large number of available layouts and the '(more items...)' option was selected.

Discount coupon codes could be applied more than once during checkout in certain cases.

Effective May 18th, 2018, the LinkedIn API will no longer work with the original OAuth 1.0 implementation in Kentico. The hotfix updates the system to use OAuth 2.0 authentication for LinkedIn company management and authentication functionality. After applying the hotfix, you need to add appropriate 'Authorized Redirect URLs' for your application in the LinkedIn developer portal, and also 'Reauthorize' all LinkedIn company profiles in your 'LinkedIn' application in Kentico. See the hotfix instructions for details.

The 'Log on-line marketing activity' property was reset for pages under workflow every time a new version of the page was created.

Sending of emails failed and an error was logged in certain cases if one of the email address field values (e.g., email recipients) ended with a semicolon character (typically used as a separator between addresses). For example, the problem occurred when sending form email notifications.

When a user without the Global administrator privilege level searched for users in the 'Users' application, the results incorrectly included users who were not assigned to the current site.

If the names of products, option categories, product options, or product variants were localized using resource strings, the names were not resolved in the order data sent to PayPal when making payments through the default PayPal gateway. After applying the hotfix, localized product names are resolved into the content culture that was active for the customer during checkout.

Due to an incorrect permission check, users with the 'Start process' permission for the 'On-line marketing' module could not start automation processes.

When continuous integration was enabled, certain operations that affected a large number of related objects caused the system to generate extremely complex SQL queries, which could lead to incorrect behavior or logged SQL server errors. For example, the problem could occur after changing the 'Page alias' of a page.

When working with an instance of 'CKEditorControl' in custom code, setting the control's 'EnterMode' or 'ShiftEnterMode' properties did not correctly adjust the HTML output generated by the resulting editor.

Due to a misconfiguration of the system, POST requests missing a CSRF token leading to nonexistent pages on sites with a configured 'Page not found URL' setting resulted in a 'CSRF' exception being logged in the 'Event log' application. After applying the hotfix, the system logs a standard 'PAGENOTFOUND' exception and returns the server's default 404 response.

Opened emails and links clicked within those emails were not being tracked when the recipient's email address contained a plus ('+') sign.

Applying the hotfix changes the license limitations on the maximum number of enabled products. The limit is removed completely for 'Kentico CMS Ultimate' license editions and increased to 500 products for 'Kentico CMS Base' editions.

The expiration time of output cache items was incorrect for pages under workflow that had a 'Publish to' value specified (in cases where the 'Publish to' time occurred later than the expiration time determined by the 'Cache minutes' set for the output cache).

Staging tasks were not logged for changes made in the 'Settings' application.

If a page with output caching enabled was accessed with UTM parameters in the URL query string, a license limitation error occurred if the site had a lower license edition than EMS.

An error occurred when retrieving SharePoint list data that did not contain the 'Title' field.

Processing of search indexing tasks for custom table data failed if the primary key column of the related custom table had a different name than 'ItemID'. Such custom tables can be created via the 'Use an existing database table' option in the custom table creation wizard.

On instances using Windows authentication, an error was logged into the system's event log if a visitor's first request targeted a resource handler that used a read-only session (for example an attachment or media file URL).

Form fields without a specified 'Default value' that had the 'Required' property enabled incorrectly contained a default value when using certain form controls. For example, if a required field of the 'Decimal number' data type used the 'Text box' form control and had no 'Default value' specified, the field's value was '0' in the resulting form.

The selection dialogs for queries and transformations incorrectly displayed the page type or custom table prefix twice in the names of the listed transformations or queries (for example when selecting a transformation in the configuration of a listing web part).

If a macro that accessed the current shopping cart was added to a condition which the system resolved during the shopping cart calculation process, an infinite loop could occur, leading to a stack overflow error and possible server crash. For example, the problem could be triggered by using the 'ECommerceContext.CurrentShoppingCart' macro within the condition of a discount. Applying the hotfix prevents such errors. However the 'ECommerceContext.Current*' macros are not intended for use in shopping cart calculation conditions (e.g. discounts) and may still work incorrectly - use the Context specific macro objects instead.

If a customer selected an existing address during checkout (via the 'Customer address' web part), another copy of the given address was created for the customer.

When importing a package from an older version that contained form, custom table, page type or module class objects, the field definitions and database structure of the given objects could be overwritten even if the objects were not selected during the import. Additionally, an error occurred in some cases when importing packages with this type of data.

The original implementation of the 'reCAPTCHA' form control will stop working after March 31, 2018. The hotfix updates the control to use reCAPTCHA v2 (allows users to prove they are human simply by clicking a checkbox). Please register your site again at https://www.google.com/recaptcha/admin, select the 'reCAPTCHA v2' type, and copy the new API keys into the corresponding Kentico settings.

When viewing stand-alone SKUs in the 'Products' application, an error was displayed above the list and the product data was not loaded correctly. The problem occurred only after applying hotfix 11.0.3 or newer.

The 'SharePoint data source' web part did not correctly handle multiselect fields with complex types. The hotfix ensures that the data source processes such fields into strings consisting of the type's properties separated by semicolon (;) characters, and individual entries separated by newline characters (environment specific). You need to manually parse the string within the transformations applied to the data source's output, for example: 'String.Split(Eval<string>("MultiselectField"), Environment.NewLine).Select(l => String.Format("{1} ({0})", String.Split(l, ";")))'

If the 'Allow preview mode on the live site' setting was disabled, certain widget dashboards in the administration interface reloaded constantly (for example the 'Dashboard' page in the 'Web analytics' application).

The hotfix adds support for app secret proof parameters when communicating with integrated Facebook apps. If your website uses the Facebook page integration features or Facebook authentication, we strongly recommend applying the hotfix and then securing your Facebook app. Configure your app at https://developers.facebook.com/apps and enable the 'Require App Secret' option in the 'Settings -> Advanced' section.

The synonym search functionality of locally stored search indexes did not work (when using the 'Any words or synonyms' search mode).

Marketing emails were incorrectly sent to contacts labeled as 'Undeliverable', if this status was reached after a marketing automation process set the number of bounced emails for the contact.

Logging of web analytics did not work correctly for cultures using a year numbering system different from the Gregorian calendar.

If a form contained a field named 'DisplayName' and another field using the 'User selector', 'Multiple user selector', 'User name selector' or 'Community group members selector' form control, the value of the DisplayName field was always overwritten to '##USERDISPLAYFORMAT##' when the resulting form was saved. The issue occurred for all types of forms (fields of page types, custom tables, online forms, etc.).

A licensing error occurred in certain cases when using the API to get the current contact on a site with a lower license edition than EMS.

If multiple pages had URLs with wildcards and the URLs had at least one wildcard in common (for example '/Articles/{topic}' and '/Articles/{topic}/{date}'), the system returned a 404 Page Not Found error when the page with the more specific URL was requested.

When using the Advanced export feature for recipients in the Email marketing application, the values of certain columns (e.g. 'Newsletter subscription', 'Receiving marketing email') were not exported correctly if the number of records was very large (more than 1000).

A runtime error occurred after installing the 'Kentico.Libraries.Web.UI' NuGet package into an external project. To resolve the issue, apply the hotfix to the related Kentico project and database, and then update the package in your external project to the corresponding version (11.0.6 or newer).

If the 'Field description' text of a page type field contained a macro that accessed the property or value of a different field, the description was not displayed correctly (in the field's tooltip) after a page was saved on the Form tab in the Pages application.

An error could occur on pages containing the 'Event calendar' web part when running under heavy load.

On upgraded Kentico instances, an error occurred when editing an email feed with A/B tested emails that were created before the upgrade, i.e., on previous Kentico versions.

When importing a package containing marketing emails with A/B testing applied, the variants of the email were duplicated.

An error occurred when viewing the 'Activities' tab of a specific contact in the Contact management application. The problem occurred only after applying hotfix 11.0.3 or newer.

Code files generated for all page types on a site were created in a different location than the one specified. This could prevent the user from finding and working with the given code files.

Moving a set of over 500 pages with the 'Remember original URLs when moving pages' setting enabled did not create the appropriate page aliases for some of the pages.

Paging of contacts did not work in the 'Contact demographics' report accessible from the 'Campaigns' and 'Email marketing' applications.

When checking for available hotfixes and upgrades in the Kentico Installation Manager utility using the 'Check' function, the tree containing available updates displayed major versions in an incorrect order. To fix the issue, the hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility).

When attempting to import certain object types (for example pages) using the Kentico Import Toolkit utility, an error occurred in the source data preview step ("Cannot load default column mappings. Class not found.").

The 'reCAPTCHA' form control did not work in environments using an HTTPS proxy (SSL offloading). The control incorrectly generated HTTP URLs instead of using HTTPS.

Tracking of clicked links did not work in page-based newsletters due to incorrect generating of tracking URLs. This issue only occurs on instances upgraded from Kentico 10 with hotfix 11.0.3 or later applied.

On sites with multiple content cultures, the 'Related pages' web part displayed the default culture version for untranslated related pages, even if the 'Combine with default culture' setting was disabled.

On sites that had the 'Combine with default culture' setting disabled, page aliases with the Culture set to '(all)' did not work for pages that were not translated in the site's default culture.

When using Amazon S3 for file storage, file access errors could occur on the live site in rare cases. The Amazon S3 storage provider incorrectly opened files in a way that prevented concurrent access.

When checking for available hotfixes and upgrades in the Kentico Installation Manager utility using the 'Check' function, an error occurred if the registered instances included at least two different major versions. To fix the issue, the hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility).

The 'HTML5 input' form control generated misspelled 'minlength' and 'maxlength' attributes, which resulted in invalid output. The misspellings were also present in the form control's configuration interface.

Editing of properties did not work for inline widgets placed into a rich text field of a content only page (the opened configuration dialog was blank).

The REST service limits the length of request data in JSON format to 2097152 characters (4 MB of Unicode string data) by default, which is not sufficient in certain cases (for example when creating objects with large attachments). After applying the hotfix, the character limit can be adjusted using the 'CMSRestMaxJsonLength' web.config key.

Viewing a preview link in a private window or a browser where the preferred culture (cookie) was not set resulted in the access denied page being displayed, even if the page was publicly accessible. The problem only occurred when opening the preview link for the first time.

When using the Advanced export feature for the activity log in the Contact management application, an error occurred if the 'Export raw database data' option was enabled and columns that are not included in the activity list by default were selected.

It was not possible to configure and send existing page-based (dynamic) newsletters on upgraded instances due to incorrect backward compatibility.

When editing product pages under workflow, the changes were displayed on the live site before they were published in certain cases (for example product names or prices displayed in shopping cart content). Applying the hotfix also disables inline editing of prices in product lists for products under workflow (inline editing is not compatible with product workflow).

Payments using the default PayPal provider failed if the purchased items contained a free product obtained by fulfilling the conditions of a Buy X Get Y discount.

The E-commerce API contained the 'ShoppingCartItemParameters.Price' property, which was no longer necessary and incorrectly used the 'double' type. After applying the hotifx, the property is marked as obsolete.

When creating or editing fields of custom module classes, the system incorrectly offered the 'File' data type. This data type is not intended for use with module class fields.

When attempting to hotfix a project that was set to use .NET 4.7.1, an error occurred in the hotfix utility, stating that the .NET Framework version could not be determined. Hotfixes 11.0.2 and newer support all build versions of .NET 4.6 and 4.7.

Payments using the default PayPal provider failed for customers who specified their phone number during checkout.

If a selection dialog contained a filter with another object selector that offered a sufficiently large number of items, the '(more items..)' option did not work.

When a user submitted an on-line form which contained a field with the 'Consent agreement' form control, the system displayed recorded data for the form in the 'Forms' application as if the user gave an agreement with the specified consent, even when the user revoked the consent agreement.

The content of a visitor's shopping cart was lost if the 404 error page was loaded or a resource on the current page returned a 404 not found error, and the error page itself or its master page accessed the 'EcommerceContext.CurrentShoppingCart' object.

An error occurred when restoring continuous integration files if the data of a custom table was added to the '<IncludedObjectTypes>' whitelist in the repository.config file (using an object type with the 'customtableitem.' prefix) and the corresponding custom table definition (cms.customtable object) was not yet created in the target database. The problem typically occurred when attempting to restore a new custom table definition together with its data.

<p>Added security improvements to the application.</p>

The content of a visitor's shopping cart was lost if the 404 error page was loaded or a resource on the current page returned a 404 not found error, and the error page itself or its master page accessed the 'EcommerceContext.CurrentShoppingCart' object.

An error occurred when restoring continuous integration files if the data of a custom table was added to the '<IncludedObjectTypes>' whitelist in the repository.config file (using an object type with the 'customtableitem.' prefix) and the corresponding custom table definition (cms.customtable object) was not yet created in the target database. The problem typically occurred when attempting to restore a new custom table definition together with its data.

When saving a new culture version of a product page that was created based on the content of another culture version, with the 'Save the new page before editing' option disabled, the values of any modified product fields were overwritten by the original values of the source culture version.

The output filter for resolving relative URLs did not work in special cases for websites running under heavy load.

Custom fields added to the Contact class under a custom category were not displayed correctly in the contact editing form. In general, the problem was caused by incorrect transferring of fields to alternative forms in cases where the original form and the alternative form contained a different category structure.

On instances that were upgraded from Kentico 9, the User class had its 'Overwrite existing contact information' option disabled by default. As a result, updates of user values were not transferred correctly to the corresponding contact. Applying the hotfix enables the option (if the On-line marketing settings are not customized for the User class in the Modules application).

Only the first property value configured for inline widgets was saved correctly for properties using certain form controls that store values into multiple fields (for example the 'Report graph selector' form control).

An error occurred on pages containing the 'On-line users' web part in special cases when the 'Store on-line users in database' setting was disabled.

If the image field configured in the search settings of a page type or object stored absolute image URLs (for example images served from a CDN), the images were not displayed in the search results.

An error occurred when a user with the Editor privilege level clicked the 'View all aliases' button while creating or editing a page alias (on the URLs tab of the Pages application).

If the 'Country selector' form control was configured to return the ID of the selected state for an integer type field, the state selector in the resulting form did not filter the displayed states based on the selected country in certain cases (states from all countries were loaded).

An error occurred when recipients of a particular newsletter email feed were exported using the 'Advanced export' action with the 'Export raw database data' option and 'Email' column selected.

When cloning a page template, the template's scopes were cloned even if the 'Clone page template scopes' option was disabled in the cloning dialog.

An error occurred when cloning a form that contained a field with a reserved SQL keyword in its name (for example "function").

For product pages using workflow or versioning on a site with multiple content cultures, the values of the 'Product name', 'Short description' and 'Description' fields were not saved correctly when editing a product page in a non-default culture.

The serialized data created by the continuous integration solution for certain types of bindings (M:N relationships between objects) had an inconsistent order. The different data order caused unnecessary changes in the CI repository files (even when the binding data remained the same). To fix the problem, you need to apply the hotfix and then serialize all objects again in the Continuous integration application. The update may cause a large number of changes in existing CI data for bindings.

When importing contacts from a CSV file, the comparison of email address values was case-sensitive. This could cause the import to incorrectly create duplicate contacts instead of updating existing contacts with a matching email address.

If a folder in a media library had a name that matched the name prefix of other folders in the same location, renaming the folder corrupted the file paths of media files contained in the other folders.

The values of properties configured for inline widgets were not saved correctly for properties using a form control that stores values into multiple fields (for example the 'Attachment field selector' form control).

When using workflow or versioning for pages, macro expressions that were stored within the data of a page version and contained certain characters (for example '&' ampersands) became invalid after re-signing macros in System -> Macros -> Signatures. As a result, such macros could not be resolved when displaying content from a page version (for example in preview mode) or after rolling back to an older page version.

When a widget with a property using the 'Media selection' form control was inserted into a page field on the Form tab in the Pages application, the media selection dialog opened when setting the property's value did not display the Attachments tab.

If an empty value was saved into a widget property with a text data type, the property's default value was always loaded instead when the widget's configuration dialog was re-opened.

When using multiple Kentico applications with a shared file system and enabled web analytics, file lock errors could occur when processing the analytics log files. If you have such an environment, you also need to manually ensure that the file system is configured as shared after applying the hotfix (see the Hotfix instructions for more information).

If a site was configured to always use URLs without a trailing slash together with certain other combinations of settings from the 'URLs and SEO' category, the Google sitemap generated by the system still contained URLs with a trailing slash. This caused unnecessary URL redirections.

The system did not trigger any global events when creating objects by directly inserting data into a database table (for example when a user imported contacts from a CSV file). After applying the hotfix, developers can perform custom actions before or after such actions by assigning a handler to the new 'SqlEvents.BulkInsert' event.

The 'Data from last' parameter set when creating report subscriptions was not applied correctly if the current site's default culture used a different date and time format than the English (en-US) culture. The time range of the report data sent to the subscriber was not limited according to the set value.

When viewing the details of a page version on the 'Versions' tab in the Pages application, information about editor widgets placed on the given page was not displayed (in the 'DocumentWebParts' field). The problem occurred only after applying hotfix 10.0.41.

Contacts were created or updated when submitting on-line forms, even though the 'Enable on-line marketing' setting was disabled.

The system always used a preset HTTP endpoint for the REST API request that determined the region of Amazon S3 buckets. This could cause problems in environments where non-HTTPS requests are restricted. After applying the hotfix, the Amazon S3 REST API endpoint can be configured to use HTTPS via the following web.config key: <add key="CMSAmazonRestApiEndPoint" value="https://s3.amazonaws.com" />

Manual synchronizing of scheduled task objects using the 'Synchronize current subtree' action did not work (on the Objects tab of the Staging application).

The 'SearchResultUrl' and 'GetSearchImageUrl' transformation methods returned empty values when used to display results for smart search indexes of the 'Custom index' type. The problem occurred only after applying hotfix 10.0.37 or newer.

When comparing two versions of a page, the information about editor widgets placed on the page (the 'DocumentWebParts' field) was switched between the two versions, i.e., the newer version listed the widget content of the former version and vice versa.

If the application started under heavy load and the 'runAllManagedModulesForAllRequests' modules attribute was enabled in the web.config, initialization was not performed correctly in special cases, which could cause errors with the following message: "You cannot change the default type of the generated objects after some objects were created by the generator."

If a customer's shopping cart contained a product that was added automatically as a result of a Buy X Get Y discount, and an application restart occurred on the server, the customer then received an error (stack overflow exception) when viewing any shopping cart-related pages. The problem occurred only after applying hotfix 10.0.24 or newer.

If the 'Country selector' form control was configured to return only the ID of the selected state for an integer type field, an error occurred in the resulting form when attempting to load and display the selected values for the field.

Selection dialogs for objects that can be either site-specific or global did not set their values when global objects were selected (for example the 'In roles' and 'Not in roles' selectors in the advanced search filter of the Users application). The problem occurred only after applying hotfix 10.0.35.

When using Text / XML transformations, it was not possible to access the values of data fields whose name contained characters conflicting with the Kentico macro syntax (for example hyphens in element names when using an XML data source). After applying the hotfix, such fields can be accessed in transformations using the 'DataItem' macro object and indexing, for example: {% DataItem["field-name"] %}

When an object was restored from the recycle bin, or modified by rolling back to an older version or undoing checkout, the resulting staging task did not contain information about the user who performed the change and was not categorized under the staging task group that was active when the change occurred.

When using an external file storage provider for media libraries (for example Azure Storage), an error occurred while displaying media library content in the 'Insert image or media' dialog if the 'Content -> Media -> Use permanent URLs' setting was disabled and the selected library contained more folders than allowed by the 'Max subfolders' setting.

When using the 'Kentico.Libraries.Web.UI' NuGet package in an external project, required third-party libraries were not copied to the correct output folder when building the project.

An error occurred when viewing the 'Page template selector' form control on the 'Preview' tab in the Form controls application.

When staging pages (with enabled versioning without workflow) in an environment where the page IDs were not identical on the source and target server, non-required page fields that had an empty value were not synchronized correctly.

Searching using smart search indexes of the 'Custom index' type did not work. The problem occurred only after applying hotfix 10.0.37.

When resolving the ##WHERE## expression within the code of queries, the system removed adjacent newline characters in special cases, which could result in an incorrect query (for example if the SQL code also contained a single-line comment).

The values of the '_index' and '_type' system fields within smart search indexes were not converted to lower case, which could lead to incorrect search behavior when using these fields in search queries and filters. To ensure that searches filtered according to these fields work correctly, you need to rebuild your search indexes after applying the hotfix.

When creating new pages in the Pages application, an error occurred when uploading a non-image file (pdf, docx, etc.) into a field of the 'File' data type, if the system was configured to store files in the file system and had the integration bus enabled.

When monitoring of on-line users was enabled, the system did not correctly clear expired sessions for anonymous users (guests). As a result, the number of displayed on-line users included guests who were no longer present on the website.

When a visitor reduced their allowed cookie level by clicking the 'Deny all' or 'Allow specific' button provided by the 'Cookie law consent' or 'Simple cookie law consent' web part, already existing cookies that no longer belonged to an allowed level were not invalidated in the visitor's browser.

Selection of multiple items in UniSelector dialogs was processed inefficiently, which could cause the selection to fail in certain cases.

Icons in the administration interface displayed incorrectly in the Google Chrome and Opera web browsers when using built-in developer tools of the browsers.

After application start, Azure Blob storage containers were not initialized correctly under certain circumstances, leading to an error on initial requests.

Mass email feature in the 'Users' application did not work properly on sites with Kentico CMS Base or Free license.

When editing memberships in the 'Membership' application, the 'Products' tab did not display product options (of the 'Products' type) that were associated with the given membership.

Content personalization on a page containing the 'Page placeholder' web part did not work on child pages of the given page. Default variants of the personalized content were displayed instead of the personalized variants.

When creating installation packages for custom modules, the system generated NuGet package files with a name containing an underscore. Such packages could not be installed using Visual Studio 2017. After applying the hotfix, module package files are generated with names in format '<modulename>.<version>.nupkg'.

When viewing the macro report in System -> Macros -> Report, each page in the list of macro expressions displayed one more item than allowed by the selected page size number.

When using Microsoft Azure Storage for the project file system or individual folders, the system logged insufficiently detailed error messages in cases where the storage account values were misconfigured.

New user accounts created via the 'CMSAdminEmergencyReset' web.config key did not have the Global administrator privilege level (when using the key to recover administrator access).

When setting up pages in the Facebook application, the 'Authorize' action always failed (due to changes in the Facebook API used for access token retrieval).

When using a database hosted on Microsoft Azure SQL, an error occurred when separating or rejoining the on-line marketing database (instead of displaying information about the additional manual steps required for Azure databases).

If localization expressions were added into the page title of a page (on the Properties -> Metadata tab in the Pages application), the system always resolved the value into the site's default culture.

When using the import feature to update an existing form, certain parts of the form's configuration were not overwritten correctly (for example the form field definition and alternative forms).

If a custom setting category under a custom module contained at least 11 setting groups and 11 or more setting keys in the first group, an error occurred when viewing the category in the Settings application.

Error messages related to the installation of NuGet module packages were misleading in certain cases. The error message was improved for cases where the module metadata contained multiple versions of the same module (this could occur for projects created using append-only deployment).

When viewing pages in on-site editing mode, localized text displayed by widgets was always in the site's default culture.

An error occurred when running the Hotfix utility on a system where only version 4.7 of the .NET Framework was installed (without any older versions).

When modifying or removing the security settings of a page (ACLs) for a user or role with content staging enabled, the system logged the staging task for the change incorrectly (or not at all), and an error was displayed in the event log.

When importing classes with query objects, either as part of a custom module or a customizable class (system table), the query import did not work correctly and an import error occurred if one of the class queries already existed on the given instance.

The SharePoint data source web part did not correctly handle multiselect fields (fields whose values are sent as arrays of strings). The hotfix ensures that the data source processes such fields into strings consisting of the array's items separated by newline characters (environment specific). You need to manually parse the string within the transformations applied to the data source's output, for example: 'Eval<string>("MultiselectField").Split(new[] { Environment.NewLine }, StringSplitOptions.RemoveEmptyEntries)'

When adding a new page alias containing a wildcard, the uniqueness validation incorrectly failed if the alias's URL path was a less specific version of an already existing URL path with wildcards.

If the first request during the application start targeted a GetResource.ashx resource handler, initialization was not performed correctly, which could cause the application to become unresponsive in special cases (error message: "You cannot change the default type of the generated objects after some objects were created by the generator.").

When using the 'Payment method selection' web part on checkout pages, changing the payment option did not correctly trigger a refresh of other related content on the page. For example, order discounts applied based on a payment method condition were not immediately displayed by 'Shopping cart totals' web parts when the payment method selection changed.

When editing an object with a very large amount of dependent objects, the continuous integration serialization process could take a long time. Applying the hotfix optimizes the evaluation of object dependencies, which results in improved performance.

Due to an update of the Bing Maps API, the original Bing Maps web parts no longer work after June 30, 2017. Applying the hotfix updates the web parts to use the new Bing Maps V8 API. You may also need to update the transformation used to display location marker (pushpin) infoboxes, and perform additional manual steps if using custom pushpin icons.

If the 'Use server processing' property was enabled for Bing Maps web parts, addresses specified through location fields were not resolved into coordinates and corresponding location markers were not displayed on the map.

The validation of folder names in media libraries was not sufficient for certain types of names containing reserved file system keywords ('aux', 'com1', etc.). Such folders did not work correctly and could lead to errors.

An error occurred (MissingMethodException) when resolving macro methods that modify collections, such as 'OrderBy' or 'Where', if the collection contained Order or Page attachment objects (OrdersCollection, DocumentAttachmentCollection). For example, the error occurred for macro expressions such as: {% ECommerceContext.CurrentCustomer.Orders.OrderBy("OrderDate DESC") %}

When importing page attachments using the Import toolkit, the attachments were always created with a new GUID value, even if a source with existing GUIDs was used for the AttachmentGUID column.

When importing data for certain types of objects (e.g. attachments) in the Import toolkit, the final steps showing the import log and number of imported objects contained misleading data in some cases.

When the value of the 'Bounced email limit' setting was set to 0 (which means there was no limit for bounced emails), an error occurred on the 'Recipients' tab of newsletters in the Email marketing application.

When using continuous integration, the system did not correctly evaluate whether an update of a field definition required re-serialization of the dependent objects (for classes, page types, etc.). This resulted in unnecessary serialization that could take a very long time if the instance contained large numbers of objects of the given type. Additionally, the hotfix improves the performance of the file system repository optimization that occurs after each serialization or restore process.

When generating classes for page types, custom tables or forms on the 'Code' tab of the appropriate editing interface, the application timed out in special cases. The problem occurred if the given object contained a field whose name started with the object's code name, followed by a number (for example, a page type with the code name 'Custom.Article' and a field named 'Article3D').

The 'Display to roles' and 'Show for page types' system properties of widgets had a smaller 'Size' (number of allowed characters) than the corresponding properties of web parts. The size was increased to 1000.

Domain alias redirection did not work if the target URL had the same domain as the alias, only with an additional WWW prefix.

Management of forum and newsletter subscriptions in the 'My profile' and 'Users' applications did not work correctly.

When using a separated on-line marketing database, errors related to missing User-Defined Table Types could occur in the administration interface of on-line marketing applications (for example when viewing the 'Recipients' tab of a newsletter) or when calling the on-line marketing API in custom code.

When re-signing macros in System -> Macros -> Signatures with an 'Old salt' value specified, macro expressions containing open conditions or loops did not preserve the user name in the macro signature. The original name was incorrectly replaced by the name of the user performing the re-signing process.

If a project was upgraded from Kentico version 9 or older without installing the 'Microsoft.CodeDom.Providers.DotNetCompilerPlatform' NuGet package, a compilation error occurred after applying hotfix 10.0.23 or 10.0.24.

A 'BadImageFormatException' error occurred during the application start if an assembly containing native code was present in the CMS web project's 'bin' folder (for example after installing certain types of NuGet packages).

When adding an inherited form control to a form using the Form builder interface, default values of the form control's properties were not saved correctly. This could lead to inconsistencies when later editing the matching field on the form's Fields tab. Additionally, the default timestamp fields of forms (FormInserted, FormUpdated) and custom tables (ItemCreatedWhen, ItemModifiedWhen) had an incorrectly set 'Precision' value.

The web part configuration dialog did not work correctly when creating new web part layouts on the Layout tab. Additionally, the web part layout editing interface behaved incorrectly after making changes in the Preview mode (both in the web part configuration dialog and the Web parts application).

Validation did not work correctly for form fields that used the 'Rich text editor' form control and were set as 'Required'. Values could not be saved more than once if the content only consisted of void HTML tags (for example an iframe or image tag without any other content).

Performing certain types of shopping cart content changes could cause the cart to lose data that was not yet saved to the database (for example a discount applied via a coupon code was removed after updating the unit count of a product in special cases).

In certain cases, 'ShippingAddress' macro expressions returned an empty value for shopping carts or orders that used the billing address for shipping. After applying the hotfix, the macro always returns the billing address for order and shopping carts that do not have a different shipping address specified.

Attempting to perform HTML validation of HTML5 pages resulted in an error.

When configuring the XML definition of UniGrid components, the 'hideifnotauthorized' attribute of 'action' elements did not work.

In certain cases, staging of published pages containing attachments resulted in an error.

Automatic processing of search indexing tasks was not triggered correctly in certain cases (for example when indexing changes of object code names). This could cause search tasks to remain unprocessed in the queue until another task was logged.

The Conversion detail report did not filter data correctly according to the specified 'From' and 'To' dates.

When using macro expressions within marketing automation action steps placed after a 'Wait' step in the process, the 'CurrentSite' value is not available in the macro context. The hotfix adds a new 'ActivitySiteID' macro property, which you can use for automation processes with a 'Contact performed an activity' trigger (for example Abandoned shopping cart processes). The macro resolves into the identifier of the site where the trigger activity occurred.

When setting the 'CssClass' attribute for 'FormControl' tags within custom form layouts of the 'ASCX' type, the specified CSS class was not rendered in the form's output.

When working in 'Select' dialogs (for example after clicking 'Add roles' while editing a user on the Roles tab in the Users application), selecting all objects listed on a page via the header checkbox incorrectly cleared the selection of objects on other pages.

If a validation error occurred for a field in a form using a custom layout of the 'ASCX' type, the system did not add the 'Error' CSS class to the <div> tag containing the invalid field's input element.

When running multiple sites with the 'Use site prefixes for user names' setting enabled and the 'Require unique user emails' setting disabled, the forgotten password functionality generated password reset links for the wrong user in certain cases.

The 'Limit of related pages' setting of fields using the 'Pages' form control incorrectly limited the total number of related pages across all pages of the given page type, instead of only limiting the related pages for individual pages.

In certain cases, the system did not track conversions from links in marketing emails sent via the 'Send marketing email' Marketing automation step.

When restoring a custom binding class with a compound primary key from the continuous integration repository, the class's database table was not created correctly and had missing columns.

Errors that occurred as a result of the system's CSRF protection feature were difficult to identify in certain cases. After applying the hotfix, the related error messages provide more accurate information.

An SQL error occurred when adding a field to a page type if continuous integration was enabled and the system contained a very large number of pages of the given type (over 2000).

When adding resource strings into localizable fields (for fields using the 'Localizable text box' or 'Localizable text area' form control), the Save & Close action in the Localize string dialog did not work if the selected string contained multiple lines of text in the current culture.

If a recipient did not confirm a 'Newsletter' subscription with double opt-in within the set 'Double opt-in interval' ('Setting -> On-line marketing -> Email marketing'), they became unable to subscribe to that newsletter in the future.

If an E-product (a product with the 'Representing' property set to 'E-product') was created as a copy of another product, deleting of attachment files from the 'Files' field did not work correctly and the files remained in the database (COM_SKUFile table).

When uploading files via the 'MultiFileUploader' control (for example into File fields using the 'Direct uploader' form control), the file upload was denied in some cases and the system displayed an "unauthorized user" warning. The problem could occur on instances using Windows authentication while also having anonymous authentication enabled.

The 'Receiving marketing emails' column on the 'Recipients' tab of a 'Newsletter' incorrectly displayed the 'Opted out' status for users unsubscribed only from that single newsletter. After applying the hotfix, the 'Recipients' tab of a 'Newsletter' only displays the 'Opted out' status for users unsubscribed from all 'Newsletters'.

Macros in format 'Subscriber.Contact.<contact_property>' were not resolved correctly within the content of marketing emails for recipients who were added to a 'Newsletter' or 'Email campaign' as part of a contact group.

When a combination of the Pages data source (configured to retrieve multiple page types), Basic repeater, and Universal pager web parts was used with the 'Select top N pages' property, the resulting SQL query was generated incorrectly and caused an error.

In staging environments utilizing a chain of source and target servers with a circular topology, processed staging tasks persisted in the database of the last server in the server chain.

If a user submitted a form while having a non-default content culture selected, localization macros in the form's autoresponder emails were resolved into the site's default culture instead of the user's selected culture.

If a custom macro rule contained a boolean type parameter that was 'Required' and had a default value, an error occurred for users who left the default value while configuring the parameter in the 'Rule designer' dialog.

When using the REST service on instances with Windows authentication, domain user credentials provided in the basic authentication header of REST requests were not recognized correctly, which resulted in 401 Unauthorized responses.

Users granted permission to modify a page via page-level permissions ('ACLs'), but lacking the 'Modify' permission for the 'Content' module, were unable to modify the order of pages added to a page via the 'Pages' form control.

Heavy load on sites hosted on Microsoft Azure and utilizing the 51Degrees Premium integration caused site downtime in certain cases. After applying the hotfix, the 'Devices' selector on the 'General' tab of device profiles in the 'Device profiles' application no longer lists all devices from the 51Degrees Premium library.

On instances containing both an 'EMS' license and another license of the 'Ultimate' edition, certain types of actions could cause license limitation errors on the site using the domain with the EMS license.

If the customer's first or last name exceeded 100 characters, an error occurred when creating a new order.

On pages containing the Google maps web part, the 'SensorNotRequired' warning was being logged to the browser's console due to the inclusion of an obsolete 'sensor' parameter when communicating with the Google Maps API.

If a custom field was added to the SKU class (under the E-commerce module) and configured to be indexed by the smart search, the system did not update related search indexes correctly when the value of the field was changed for a product page.

When an existing contact submitted new information via an alternative form, their updated contact information (e.g. name, address, etc.) was not correctly merged.

Requests made through links in confirmation emails (for example password reset or unsubscription requests) were rejected as invalid in certain cases. The problem could occur if the culture context was different on the page where the request was generated and the page where the request was validated (only for certain cultures).

When using continuous integration to synchronize changes that add or remove fields of the default customizable classes, the restore operation did not refresh database views related to the affected tables. This could lead to errors.

When adding URLs starting with two forward slashes (i.e. protocol-relative URLs) into content managed by the WYSIWYG editor, the system processed the value incorrectly, which resulted in an invalid relative URL.

In certain cases, the Editable text widget could lose its content when moved from one widget zone to another.

Attempting to perform accessibility validation of a page resulted in an error.

When editing macro conditions in the 'Rule designer' dialog, rule parameters with date and time values were displayed incorrectly if the user's selected UI culture was different than 'English - United States'.

When using a custom field to store a search preview image for the CMS.File page type, the system did not properly retrieve the image and instead displayed the default placeholder image in search results in certain cases.

Copying of pages under workflow failed if the given Page type contained a custom field of the 'Unique identifier (GUID)' data type.

After changing the currency of an existing order on the 'Items' tab in the Orders application, discounts that were listed for the order disappeared in the user interface.

When creating categories in the field editor, the category disappeared from the list if the 'Category caption' contained a macro expression that returned an empty string or null.

In staging environments utilizing a chain of source and target servers (e.g. in a circular topology), staging tasks for the "Archive page" task type were not being logged on servers that received the task from another source server higher in the chain.

When a marketing automation process was initiated automatically, the 'Initiated when' value was not shown on the process's Contacts tab.

When processing serialized XML data with custom fields of the 'Decimal number' data type (for example during import, staging, or in the REST service), the system handled certain types of decimal values incorrectly if the culture context of the source data was different than on the target instance. After applying the hotfix, the system attempts to adapt the processing for all types of decimal culture formats. In rare cases this may result in an error, and you then need to fix the source data or as a temporary workaround add the <add key="CMSDisableDecimalSeparatorFix" value="true" /> key to your project's web.config file to return to the previous decimal processing behavior.

When going through the checkout process, an error occurred in some cases if the customer set a different shipping address than the billing address, and then reset back to the billing address after returning from the following checkout step.

The character encoding used when generating files in the 'CIRepository' folder can now be configured via the new 'CMSCIEncoding' web.config key. For example: <add key="CMSCIEncoding" value="utf-8"/>

The system incorrectly validated fields of the 'Long integer number' data type and did not accept values greater than 2*(10^18) or lower than -2*(10^18).

When a file was deleted from a field of the 'File' data type, the 'IfEmpty' transformation method incorrectly evaluated the field as not empty.

When using custom event handlers to automatically synchronize staging tasks, an error occurred after deleting a custom table data record.

When creating an object listing administration interface page for a custom module (using a template containing the 'Listing' UI web part), an error occurred on the page if the assigned Grid definition (xml file) contained an 'externalsourcename' column attribute whose value was not handled in an extender class.

Fields using the 'Uni selector' form control with the 'Selection mode' set to 'Multiple' did not report unsaved changes in the administration interface if a user navigated away from the editing form after removing items from the field.

If the 'Combine CSS from components' setting was enabled, the system added an unnecessary GetResource.ashx request to pages that did not contain any components with assigned CSS.

When deleting pages or objects on instances with multiple sites, the continuous integration solution removed serialized XML files in the 'CIRepository' folder for the wrong site in special cases.

When restoring 'Discount coupon' and 'Buy X Get Y coupon' objects to the database using the continuous integration solution, the current number of redemptions (coupon uses) was set as null instead of 0 and the coupons could not be applied.

When subscribing contacts (for example to a newsletter), an error occurred for contacts with a non-unique email address on instances without an EMS license.

When using the Copy all and Paste functionality to copy all web parts from a web part zone to a personalization variant of a different web part zone, an error could occur.

Altering the query string parameters of a URL leading to a non-existing page (causing a page not found redirect) made it possible for signed-in users with insufficient permissions to access unpublished data on the page not found error page.

When importing an inherited page type together with its parent to an instance where those page types already exist, changes in the parent page type were not reflected in its descendants in certain cases.

Some of the system's default pagination components (pagers based on the 'DataPager' control) generated HTML code that was not valid. The control's output code contained a doubled semicolon in the value of a 'style' attribute.

When rejecting a page under workflow, the Rejected email was not sent to the user who edited or submitted the page for approval in certain cases.

When adding a site using the New site wizard in the Sites application, the site was created incorrectly if the selected 'Site culture' was different than 'English - United States' (or if the system's 'Default content culture' setting was different when creating the site using a web template).

The 'Documents[]' macro expression did not return results (pages) according to the current content culture.

In certain cases, the system task for sending A/B tested email variants was not executed correctly on sites with low traffic. As a result, the A/B tested email variants were not sent.

An error occurred when a contact posted on a forum or subscribed to a forum post on sites with licenses other than EMS.

When building the administration interface for a custom binding class using the default 'Edit bindings' page template, an error occurred if the binding was defined between classes of the same type (for example M:N relationships between users).

When links in marketing emails contained HTML comments (for example <!--</a>-->), the links were not converted into tracking links in certain cases.

If a page had multiple aliases with wildcards in the URL path and the aliases had at least one wildcard in common (for example '/News/{number}' and '/News/{number}/{type}'), the system returned a 404 Page Not Found error when the page was requested through the more specific alias.

The initial invoices of new orders did not contain the invoice number.

The 'IndexLastRebuildTime' field was incorrectly included in the serialized data of search index objects when creating files in the continuous integration repository. This caused unnecessary changes, which were then tracked in the associated source control system.

The system incorrectly created new contacts on every request in cases where the visitor did not allow cookies (for example because of blocked cookies in the browser, or lack of consent on sites using the 'Cookie law consent' web parts).

License objects were not imported from packages that were exported on an instance with a lower hotfix version.

An error occurred after calling the 'DeleteMVTVariantInfo(variantGuid)' method in custom code when deleting MVT variants from pages.

When editing a workflow on the Pages tab in the Workflows application on instances with multiple sites, mass actions were performed for pages on all sites, even when a specific site was selected in the Site filter.

Changing the 'Web part control ID' property of a layout web part removed any content personalization or MVT variants created for web parts placed within the layout.

When using a custom jQuery UI library on live site pages, it was not possible to close modal dialogs in the on-site editing mode for pages based on Portal engine page templates.

Module classes that had the 'Can be customized' flag enabled were not included when creating installation packages for custom modules.

When editing a media library in the Listing mode in the Media libraries application, sorting the media files by size did not work.

Macro expressions with page collection (TreeNodeCollection) components were not resolved correctly on the live site for public users or other users with limited page permissions. For example: {% CurrentDocument.Children.FirstItem.AbsoluteURL %}

Macro expressions that were added in the 'Page title' property on the 'Properties -> Metadata' tab in the Pages application did not resolve correctly on the live site.

The macro report tool in System -> Macros -> Report did not check syntax validity correctly (except for macro rule expressions).

An error occurred when editing and saving images in applications that contain the Theme tab (e.g. Page layouts).

An error occurred when adding widgets containing the Path property to widget dashboards (e.g. My desk).

When using layout widgets on dashboards, the layout content was not saved correctly and disappeared after leaving or refreshing the dashboard page.

When serializing objects whose name starts with a reserved file system name ('aux', 'com1', etc.), the continuous integration solution did not adjust the name correctly in certain cases, which resulted in an error.

If the 'Custom subscription form' web part's control was added into the markup of an ASPX page template, an error occurred after submitting the subscription form on pages using the template.

When resubmitting pages based on the 'ASPX + Portal page' page template for translation, the editable content of the pages could be incorrectly translated in certain cases. For example, when the page template was modified before resubmitting the pages, the system did not distinguish between the IDs of the editable web parts and editable regions in the generated XLIFF files.

Due to a misconfiguration of the system's CSRF protection, an error ocurred when verifying payments that were made using the PayPal payment gateway. As a result, the payment was aborted and the order not marked as paid.

When running on Microsoft Azure, the smart search worker role could not index pages containing widgets. After applying the hotfix, the smart search worker role indexes widget content without the widget default values.

If the 'Check page permissions' setting was enabled or used as a parameter of the DocumentQuery API, the DocumentQuery could return different culture version of pages than expected. For example, this could cause that the page names were displayed in an incorrect culture in the content tree of the Pages application.

When the ID field of a form was not in the first position in the form builder, deleting a form record caused an error if the ID field was displayed on the Recorded data tab in the Forms application.

When editing image attachments of the pages under workflow in the Pages application and saving the images without making any changes, all variants of the edited images disappeared.

When the number of registered web farm servers exceeded the number allowed by the highest instance license, the Servers tab in the Web farm application was inaccessible.

If output compression was enabled, the system could return corrupted responses when serving static files (e.g., images or pages) from an IIS virtual directory located outside of the Kentico project folder.

When creating custom HTML layouts for forms, any <script> tags added to the layout code were not included in the output of the resulting form.

When editing contact groups in the Contact groups application, the percentage of total contact base was not displayed for the individual groups.

After creating a custom forum layout (in the 'CMSModules\Forums\Controls\Layouts' folder), the layout did not appear as an option in the 'Forum layout' property of forum web parts.

Using the 'Numeric up/down' form control for a field with the 'Has depending fields' option enabled caused an infinite refresh on the page containing the resulting form.

When using marketing automation to send email reminders about abandoned shopping carts, the restored shopping cart on the linked page did not contain products if the user was not signed in on the website.

Enabling the output debug could cause the application to return corrupted responses when serving static files (images or pages) from an IIS virtual directory with a physical path outside of the Kentico project files.

When using mixed mode Active Directory authentication, having an incorrectly configured or not responding Active Directory server caused an error when authenticating standard Forms users.

The 'Custom registration form' web part did not work correctly when its control was added into the markup of an ASPX page template.

Added security improvements to the application.

The 'Analytics browser capabilities' web part did not work and pages containing the web part generated logging requests that resulted in an error (CSRF exception). The problem occurred after applying hotfix 9.0.48.

Macros for loading component CSS did not work for transformations and web part layouts. For example: {% CSS.Transformations["custom.article.list"] %}

When the deletion of inactive contacts took longer than 1 minute, the next run of the 'Delete inactive contacts' scheduled task was not set, and the task did not execute again. To fix the problem, you need to manually execute the scheduled task after applying the hotfix.

An error occurred when using transformations with a dot character in their code name. For example, if the system fetched a transformation directly from the database, the transformation's code name was parsed incorrectly and caused an error.

Facebook insight data was not collected for pages assigned to Facebook apps using version 2.7 or newer of the Facebook API (i.e. apps created after July 13, 2016).

An infinite loop could occur when building page smart search indexes if the indexed data fields contained complex HTML or XML structures.

The 'Logic CAPTCHA' form control displayed the "(please enter the answer to the question or statement)" text even if its hidden 'ShowAfterText' property was disabled.

An error occurred after applying the subject filter on the 'Emails' tab when editing an email campaign in the Email marketing application.

Changes of license keys were not synchronized correctly between web farm servers, which could lead to logged errors in certain cases.

When sending emails from Kentico (for example in the Email queue application), images added to the email content from a media library with resized dimensions were inserted with a relative URL, which caused them to be unavailable when viewed in email clients.

Kentico instances installed from setup files with hotfix 9.0.40 or newer applied did not work (errors occurred due to missing assembly files).

If the restoring of continuous integration data to the database failed, it was difficult to diagnose the exact cause in certain cases. If the process fails during the composition of an object consisting of multiple parts, the error message now contains the file system paths of the related files.

After exporting and importing a page template containing the 'Output cache dependencies' web part, the keys specified in the web part's 'Cache dependencies' property were processed incorrectly and combined into a single invalid line.

Windows Active Directory authentication could cause an error if replacement of forbidden characters was disabled for roles via the 'CMSEnsureSafeRoleNames' web.config key. The error occurred if import of AD domain groups as roles was enabled and the authenticated user belonged to at least one group with a forbidden character in its name.

When using the search in customer selection dialogs (for example when manually creating new orders), the system only displayed customers with matching last names. After applying the hotfix, the search also uses the first name, company and email address customer fields.

When using certain external identity providers for authentication (for example Access Control Service), the system incorrectly handled situations where the identity provider returned an empty username claim. This caused an authentication loop for the client, which could result in the system generating multiple user accounts.

When using automatic web farm mode, servers were deleted from the system while restarting. As a result, the system did not create file synchronization tasks while the server was missing. After applying the hotfix, servers always remain in the system for 24 hours after shutting down (unless running on Azure Cloud Services).

Date and time values were adjusted incorrectly if the value matched the start or end interval of the active time zone's daylight saving time (after conversion to the server time zone). As a result, the saved time did not match the selected time.

If the 'Check page permissions' setting was enabled, certain pages in the content tree could be incorrectly hidden even though users had sufficient permissions to view the pages.

Due to changes in the Facebook API, an error occurred when a user attempted to sign in through newly registered Facebook authentication apps. After applying the hotfix, the 'Biography' field is no longer offered when configuring mappings of Facebook user profile fields (the field is not available in the Facebook API).

An error (System.NullReferenceException) could occur in certain cases while performing some types of operations on sites under heavy load.

When using the Items property of custom table objects in macros, the data was incorrectly cached. For example, when using the 'GlobalObjects.CustomTables["<customtablecodename>"].Items' macro, the latest data was not returned.

Enabling the 'Has depending fields' option for form fields caused an error in the resulting form when using certain form controls (Category selector, Department roles selector, Report selectors, User selector, Variation selector).

Custom ShippingOptionInfoProvider implementations could allow customers to get into a state when they could not finish their order. If customers changed their information or content of the shopping cart causing that the already selected shipping option was no longer applicable, customers were prevented from changing the invalid shipping option and could not continue with the checkout process.

When editing a primary key (ID) field in an alternative form, the field editor did not allow selection of any form control other than 'Label'.

If the system disabled cookies for a user via the 'Simple cookie law consent' or 'Cookie law consent' web part, an error (CSRF exception) occurred for each post request (button clicks, form submissions, etc.). The hotfix resolves the problem by changing the cookie level of the 'CMSCsrfCookie' cookie to 'System'.

In certain cases, adding an existing page under workflow to a campaign caused the loss of page type data entered on the page's Form tab in the Pages application.

An "Unsupported DLLs version" error occurred when applying the hotfix on some instances that were upgraded from older Kentico versions.

An error occurred when inserting inline widgets into newly created unsaved pages.

When creating a scheduled task in a web farm environment with the 'Create tasks for all web farm servers' option enabled, the scheduled task was not created for the server processing the request.

In certain cases, the value of the 'Settings -> On-line marketing -> Web analytics -> Excluded IP addresses' setting was not applied until the application was restarted.

Marketing automation processes got stuck when they contained a Wait step whose Timeout settings were set to a Specific day with the date or time in the past.

The 'Comment and move to specific step' action did not work when manually moving contacts between the steps of a marketing automation process.

When importing a site package with objects requiring a greater license edition than the one registered on the instance, a license limitation error occurred even if the import package contained a sufficient license key. After applying the hotfix, the system checks for suitable license keys in the content of imported packages.

When used in a form, the 'U.S. phone number' and 'Upload file' form controls generated a hidden <label> element in addition to the label in the form, which caused accessibility validation to fail for the form's output code.

File attachments were not displayed when viewing emails sent from Kentico in the default iOS email client. The problem occurred after applying hotfix 9.0.29.

Removing the UI element representing an application that was added to the system dashboard caused the dashboard to be blank. After applying the hotfix, the dashboard correctly displays applications after one of them is removed from the system.

The '{%OnlineMarketingContext.CurrentContact.ContactGroups.Count%}' macro for counting how many contact groups the contact is a member of did not resolve correctly because the 'ContactGroups' property of the 'ContactInfo' object was cached incorrectly.

When loading data with caching enabled, the system performed multiple load operations in certain cases if running in a heavy-traffic environment with a large number of concurrent requests.

When running in a web farm environment with a load balancer using non-sticky sessions, package files uploaded in the import wizard were not synchronized between servers, which could prevent the import from working.

If a screen lock occurred while impersonating a different user, the unlock dialog incorrectly required the credentials of the user who was being impersonated. After applying the hotfix, the unlock dialog accepts the credentials of the original user.

When deleting pages with the 'Redirect old URLs to another page' option, the system did not create staging tasks to update the page alias.

An error occurred when processing update and publish staging tasks for linked pages that were assigned to a category.

When the system synchronized pages under workflow with the 'Automatically update page alias' setting enabled, an error was incorrectly logged even though the synchronization was successful.

An error occurred when viewing metafiles on the 'System -> Files -> Metafiles' tab if the '(global)' option was chosen in the Site selector.

The Hotfix and upgrade utility did not display its buttons when opened on Windows 10 with 150% DPI scaling.

The system incorrectly performed set and remove session operations when handling requests using read-only session state, which caused errors (visible in the event log).

Enabling the file system (IO) debug through the information message on the 'System -> Files -> Debug' tab incorrectly enabled all types of debugs instead of just the file debug.

The 'Preferred content culture' user setting was ignored when using Windows authentication to authenticate users.

When working with widgets properties, the system was not able to identify properties as inherited from the parent web part in certain cases, leading to duplicated properties in the configuration dialog and incorrectly applied property settings.

When using Azure Blob storage to store files, the system performed an unnecessary number of requests when checking whether a file existed (for non-existing files). After applying the hotfix, information about non-existing Blob files is cached.

When using an external file storage provider (for example Amazon S3), uploading of media files caused the application to become unresponsive for the given user while the upload was in progress.

Updated the Amazon Web Services SDK for .NET to version 3.1.9.0. After applying the hotfix, the Amazon S3 file storage can be used with all Amazon data centers.

When working with the advanced search filter in the Users application, the 'Lock reason' selector incorrectly became disabled after the search was applied to the list of users.

Applications using a tree-based layout (for example the Pages application) could be incorrectly rendered if the tree contained a large number of elements.

In certain environments, the system handled 301 permanent redirects incorrectly if the target URL contained special characters. The redirects resulted in either an invalid URL or a page not found error.

If a page under workflow with child pages had its page name changed and the 'Automatically update page alias' setting was enabled, processing of the related page staging task caused an error.

The system loaded SQL query text to memory even when the SQL debug was disabled. This could lead to heavier memory usage and reduced application performance.

When a culture with a full localization pack was set as a site's 'Default content culture', macros containing 'Contact' objects were not resolved correctly in marketing automation processes for action steps placed after the Wait step.

The user impersonation dialog incorrectly displayed user accounts that were not enabled.

An error occurred when changing the code name of a custom setting key in the Modules application, if the setting had a site-specific value assigned (in the Settings application).

An infinite loop could occur when rebuilding page smart search indexes if the indexed content included certain types of strings with HTML comments.

The 'Has depending fields' setting did not work for fields using the 'Uni selector' form control with the 'Selection mode' set to Single or Multiple text box. The resulting form was not refreshed when the field's value was changed.

When using Output cache for pages with running A/B or MVT tests together with the 'Redirect invalid case URLs to their correct versions' setting configured to a different value than the default 'Do not check the URLs case' option, a blank page was displayed instead of the cached pages.

If the browser's Find dialog was opened by pressing CTRL + F while the cursor was present in the editor's area, pressing the 's' key caused the editor to behave incorrectly and attempt to save the content.

An error could occur when importing submissions translated via the Translations.com translation service if the 'Automatically import translated submissions' setting was enabled.

In a staging environment with multiple servers, the system did not create new staging tasks related to scheduled task objects when processing incoming tasks from another server (even if the 'Log staging changes' setting was enabled).

Pages smart search indexes incorrectly contained properties of the 'Editable image' web part instances. This could affect the accuracy and relevance of search results. After applying the hotfix, web part instances with a modified 'Web part control ID' are also excluded from the search index content.

If a user subscribed to a report while using a UI culture with a different date format than the en-US culture, the system incorrectly processed the value in the subscription's 'Data from last' setting. As a result, the time range of data displayed in the sent reports was incorrect.

The macro re-signing process was inefficient for certain object types. Applying the hotfix improves re-signing performance for instances with a very large number of objects or pages.

When used in a form, the 'Calendar' form control generated a hidden <label> element in addition to the label in the form, which caused accessibility validation to fail for the form's output code.

In certain cases, the winning variant of an A/B tested email was sent to the subscriber test group that already received one variant of the email.

Users with sufficient permissions for managing contacts and contact groups were not able to add contacts to groups on the 'Contact groups' tab of the contact editing interface in the 'Contact management' application. No contact groups were displayed after clicking the 'Add to contact groups' button.

When using custom event handlers for the 'URLRewritingEvents.ProcessRewritingResult' event, the 'URLRewritingEventArgs' parameter of the handler method was always null.

The Google Maps web parts did not specify API version when requesting data. This could cause the experimental Google Maps API version to be used, leading to potentially unstable functionality.

Collections of product and product variant objects in the macro engine were not loaded correctly due to a name conflict between the given macro collections. After applying the hotfix, products are available in the 'SKUs' collection and product variants in the 'SKUVariants' collection, for example {%SiteObjects.SKUs%}.

The system handled text incorrectly in the context of 'Azeri - Azerbaijan' cultures, which caused errors in certain scenarios. For example, an error occurred when creating or editing pages of the 'Page (menu item)' type on a site using Azeri as its content culture.

When using Windows authentication and contact merging, individual contacts and their logged activities were all merged into one contact after creating a new session.

When using Amazon S3 for file storage, uploading of large (100MB+) files was inefficient and sometimes failed without notifying the user.

An error occurred when using the 'Google Sitemap' web part to display the root page.