# CiviCRM 5.65.0
Released September 6, 2023
- **[Security advisories](#security)**
- **[Bugs resolved](#bugs)**
## <a name="synopsis"></a>Synopsis
| *Does this version...?* | |
| --- | --- |
| Fix security vulnerabilities? | no |
| **Change the database schema?** | **yes** |
| **Alter the API?** | **yes** |
| Require attention to configuration options? | no |
| **Fix problems installing or upgrading to a previous version?** | **yes** |
| **Introduce features?** | **yes** |
| **Fix bugs?** | **yes** |
| **Fix security vulnerabilities?** | **yes** |
## <a name="security"></a>Security advisories
* **[CIVI-SA-2023-07](https://civicrm.org/advisory/civi-sa-2023-07-smarty-math-rce): Smarty Math RCE**
* **[CIVI-SA-2023-08](https://civicrm.org/advisory/civi-sa-2023-08-kcfinder-xss): KCFinder XSS**
* **[CIVI-SA-2023-09](https://civicrm.org/advisory/civi-sa-2023-09-getfields-sqli): GetFields SQLI**
* **[CIVI-SA-2023-10](https://civicrm.org/advisory/civi-sa-2023-10-multiple-potential-sqli): Multiple Potential SQLI**
* **[CIVI-SA-2023-11](https://civicrm.org/advisory/civi-sa-2023-11-select2-xss): Select2 XSS**
* **[CIVI-SA-2023-12](https://civicrm.org/advisory/civi-sa-2023-12-jquery-validation-dos): jQuery Validation DoS**
* **[CIVI-SA-2023-13](https://civicrm.org/advisory/civi-sa-2023-13-survey-xss): Survey XSS**
* **[CIVI-SA-2023-14](https://civicrm.org/advisory/civi-sa-2023-14-contact-image-csrf): Contact Image CSRF**
* **[CIVI-SA-2023-15](https://civicrm.org/advisory/civi-sa-2023-15-civievent-xss): CiviEvent XSS**
## <a name="features"></a>Features
### Core CiviCRM
- **Remove top buttons on admin forms**
  Improves user experience by removing the top buttons on admin forms.
- **Reduce initial height of crm-popup dialog**
  Improves user experience by reducing the initial height of Civi pop-ups.
- **Link between Label Page Formats and Address Settings**
  Adds links between the "Label Page Formats" form and the "Address Settings" form.
- **Allow matching on external_identifier for source/target contacts on Activity**
  Allows matching on `external_identifier` for source/target contacts on
- **Standalone - Add support for development-friendly file-layouts**
  Makes it possible to install the Standalone UF.
- **Standalone - Web-based installation for PHP built-in server**
  Extends support for the PHP built-in web server (SRV profile from #26771)
  and enables installation through the web UI.
- **Standalone: implement basic breadcrumb**
  Implements a rudimentary breadcrumb for CiviCRM Standalone.
- **Standalone civi-setup: grant more permissions to anon, use ts**
  Sets defaults for Standalone installs, such that anonymous users have
  permissions to: view event info and register for online events. Additionally
  adds some translation compatibility.
- **standalone: Redirect to login**
  For standalone implementations makes it so if you are not logged in, visiting
  a page that you don't have permission for will send you to
  `/civicrm/login?anonAccessDenied` which will present the login page and a
  message saying you gotta log in for that. Additionally, if you access `/` then
  it will first check if Civi has a menu item for `/` (e.g. form builder /
  extension) and if not, default to `/civicrm`, which, if you're not logged in,
  will in turn redirect you to the login page. If you are logged in and get
  permission denied, you are bounced to the Civi homepage with a message.
- **add `contactId` to params array in EmailTrait**
  Makes it so one can access the contactId from the `alterMailParams` hook when
  the context is singleEmail.
- **Edits the "Edit Managed Job" and "Manage Scheduled Jobs" forms: remove
  double-title, top buttons, help only on the main job page**
  Makes a variety of small tweaks to improve usability on the "Edit Managed
  Job" and "Manage Scheduled Jobs" forms.
- **Add escape=htmlattribute option to the ts function**
  Adds a new `'escape' => 'htmlattribute'` option for the ts translation function.
- **SearchKit - Add ability to run tasks via clicking links**
  Makes it possible to use tasks and links interchangeably in SearchKit.
- **SearchKit - Improve performance of checking link permissions**
  Speeds up search display performance by checking link permissions more
- **Create SearchUI extension**
  Creates a separate extension for Search page replacements. Like AdminUI but
- **SearchUI: add Find Contributions**
  Replaces the Find Contributions search with a SearchKit/FormBuilder
  implementation for those using the SearchUI extension.
- **Mark admin_ui extension as 'beta'**
  Advertises the new AdminUI extension as beta.
- **AdminUI - Add toggle for is_active**
  Adds convenient enable/disable buttons to the new SearchKit-based screens in
  the AdminUI extension.
- **AdminUI: convert 'Assign Users to Roles' ACL configuration page**
  Adds the 'Assign Users to Roles' form to the Admin UI Extension.
- **AdminUI - Add Administer Scheduled Reminders page**
  Adds the Administer Scheduled Reminders page to the Admin UI Extension.
- **CRM_Admin_Form - Automatically redirect to the "browse" page after
  submission ([26887](https://github.com/civicrm/civicrm-core/pull/26887) and**
  Makes it so one can set a browse link for admin forms in the metadata and does
  so for a bunch of forms.
- **ScheduledReminders - Add option list for limit_to column and fix type**
  Cleans up metadata for the `ActionSchedule.limit_to` field to make it easier to
  work with in the API.
- **Autoload ActionMappings by enabling global class scanning (Variant 2)**
  Auto-loads ActionMappings, and makes the auto-loading process easier with a
  new AutoSubscriber base class.
- **hook_civicrm_copy: Pass the original id when available**
  Makes it so extension developers can access the id of the entity from
- **5.65.alpha1 - Define pre-upgrade snapshots (Option B)**
  For data-structures that are modified by the 5.65.alpha1 upgrade, create some
  snapshots (just in case we discover some schema problem later on).
- **Finish allowing use of SSL to connect to database
  (Work Towards [dev/core#1926](https://lab.civicrm.org/dev/core/-/issues/1926):**
  Adds docs link to `civicrm.settings.php.template`.
- **Financial Batches: remove the creation of activities for New/Edit**
  Removes the creation of activities whenever a Financial Batch is created or
- **Change Price paths**
  Changes paths for the Price Sets, Price Fields and Price Field Values settings
  forms, allowing the original URLs to be overridden by AdminUI.
- **Change default input format for credit card expiration month to NN**
  Changes the input format for credit card expiration month from the three-letter
  abbreviation to the two-digit month to more closely match what's on the credit card.
- **Show Email bounce history on Contact summary**
  Adds a link on on-hold emails in the contact summary tab to a list of that
  email's bounce history.
## <a name="bugs"></a>Bugs resolved
### Core CiviCRM
- **Afform: Radios should show default value when form is loaded/reset**
  Fixes setting defaults on afforms for radio and checkboxes when values are
- **Make frontend_title consistently required and use it in all front end
  presentations (Work Towards**
  Makes the field frontend_title required for the Group entity and updates the
  Group Subscribe message to use frontend_title.
- **Upgrade to 5.65 shows incorrect message about Petition - Signature Added
  message template upgrade**
  Only show templates upgrade message when templates have changed.
- **Status check about accessible dirs can be slow**
  Avoids slow status checks.
- **search kit: activity search with activity contacts no longer working**
  Fixes missing links causing SearchKit to return no results.
- **Index not created for ACL priority on upgrade to 5.64**
- **View-only custom fields not getting merged**
- **(regression) SearchKit doesn't handle delegated access permissions correctly**
  Fixes SearchKit crash when in-place-editing a field in a joined entity
  (under certain conditions).
- **(regression) Add/Edit Scheduled Reminders page does not load if
  CiviContribute is disabled**
- **Undefined $line and $value when sending offline email receipt**
  Fixes e-notice by removing unused variables.
- **Search kit - if id is not present then the 'select' is misleading**
  Fixes SearchKit tasks when ID column is not present.
- **SearchKit - Don't crash afforms with non-dao entities**
  This fixes a regression from 5.54 that affects search displays embedded in
  afforms for entities that don't exist as data objects.
- **SearchKit - Fix assigning searchDisplay tab count**
- **Regression: Unable to set price set on contribution page under membership**
  Fixes membership price sets selection regression on Contribution Pages.
- **Search forms - email validation smashes usability**
  Changes email fields to text input in search mode to avoid validating that the
  input is an email as one might search on part of an email.
- **Afform - Email link doesn't render on individual emails for contacts with**
- **Revert "Add apiv4 Survey entity" (already exists in civi_campaign ext)**
- **Cannot change membership price set on contribution pages**
- **Slow contact lookup query in SearchKit**
- **menubar: hide toggleButton when using Standalone**
- **Standalone: do not show the Hide Menu option**
- **Extension Browser: there are no standalone-specific modules**
  Under Administer > System Settings > Extensions, there is a mention about
  native Standalone modules, which do not exist.
- **FiveSixtyTwo - Fix upgrade for domains with default value of**
- **Allow multiple registrations from search actions**
- **Use `isQuickConfig()` to determine isQuickConfig (towards php8.x fix)**
- **AutoDefinition - Inherit service-tags from interfaces, traits, and parent**
- **Fix Import Template path to be dynamic, depending on the entity**
- **Check if profile contact employer name matches existing contact employer
  name when saving profile**
- **Status check - Use guzzle instead to avoid slowness reading zero-length file**
- **SearchUI:Move 'Find Contacts' upgrader steps from AdminUI to SearchUI**
- **fix lifetime membership calc in contribution pages**
- **Fix relative URL generation when using alternate HTTP port**
- **getEntitySpecificJoins sometimes returns NULL, triggering deprecation
  warning for trim() in php 8.1**
- **DAO - Normalize null values in the writeRecord function to avoid subtle bugs**
- **Remove gap before delete button on contact**
- **ClassScanner - Re-skip `_Form` classes**
- **Don't scan QuickForm classes**
- **Change Administer > Communications > Label Formats to Label Page Formats**
- **Job - uppercase api entity**
  Uppercases api entity names in scheduled job table.
- **ReportTemplate data provider - skip rather than mark incomplete event/income**
- **Standardize title as Administer in breadcrumbs and on main Administer page**
- **Upgrade doesn't work**
- **Ensure that we only check permissions if we want to in getActions follow up
  to #26823 ([26835](https://github.com/civicrm/civicrm-core/pull/26835))**
- **Fix checkbox JS regression for import data selection and email new template**
- **Fix js error on CiviImport when csv has additional fields**
- **Scheduled Job Admin: fix breadcrumb**
- **Run regen, with data fix to allow it to run**
- **hide view only custom fields on merge screen**
- **Debounce SK title**
- **Search kit action links cleanup**
- **SearchKit - fix min-width of buttons**
- **SearchKit - Remove irrelevant link from default display**
- **Notice fix - ensure extends_entity_column_value isset**
- **E-notice fix (smarty)**
- **Undefined property fix**
- **Stop setting unused property & creating notices**
- **Re-remove TRUE and true IF**
- **In smarty, TRUE is not true**
- **Remove 'browse' link that shouldn't be there**
- **Clean up CaseSummary Report removing undeclared properties and minor fixes**
- **Undefined index: payment_type**
  Fixes e-notice with Manual processor.
- **fix duplicate id for softCredit**
- **Fix adding onclick for other_amount in pricesets**
- **Check `isBackOffice` before checking `billing_profile_id` (e-notice fix)**
- **Add/edit financial type screen broken**
- **Don't allow scheduled reminders for events to also include groups**
  Disables the broken "also include groups" feature for event scheduled reminders.
- **Fix missing event pay later receipt text**
  This resolves a regression in 5.63.0 where pay later text on the receipt would
  appear as "1".
- **Fix bug exposed by invalid data warning**
  When an event registration is being transferred, the email would be sent before
  the line item is transferred. This meant the line item would be missing from
  the email. This change resolves this issue.
- **Fix event fee help**
- **Fix PHP8 tax_rate warning on Participant**
- **Notice fixes on CiviEvent Component settings form**
- **Remove meaningless header in batch update participants**
- **Fix multi-value custom fields on participant import**
- **Fix enotice on updating a participant on the back end to mark them paid**
- **CiviMail - throw 400 (Bad Request) rather than 500 (Server Error) if public
  url endpoints hit with bad parameters**
- **Mail accounts help bubbles not working on edit form**
- **Non-administrators can't select mailing groups on 5.64**
### Drupal Integration
- **Use full setting path rather than relative**
### WordPress Integration
- **E2E_Core_PathUrlTest::testGetUrl_WpAdmin() fails because CiviCRM routing is**
  Fixes unit test failure on WordPress by specifying `--entry=backend`.
## <a name="misc"></a>Miscellany
- **Define soon as 'in 9 years'**
- **Stop setting undeclared property in previously shared code**
- **Add classes to membership results**
- **[PHP Deprecation] trim(): Passing null to parameter #1 () of type string**
- **[PHP8.2] Remove undefined property in favour of calc-as-needed**
- **[PHP8.2] Convert remaining properties to local variables / private**
- **[php8.2] Fix undeclared properties on case custom data form**
- **[PHP8.2] move property declaration from CRM_Member_Form_Membership to parent**
- **Deprecate probably never true condition**
- **CRM_Utils_System::url - Remove unused param to double-escape html**
- **Remove unvariable variables from previously shared function**
- **Remove ts for message that should never be seen by normal people**
- **Remove never set property from previously shared code**
- **Remove old broken code**
- **Remove never-true-if**
- **Remove `_subName` property**
- **Remove last reference to undefined property `_subType`**
- **[PHP8.2] Remove undeclared property**
- **Follow on cleanup - remove unused assign**
- **Superficial cleanup in pledge form**
- **Fold private `setGroupTree` function back into caller**
- **Fold `preProcess` into `run`**
- **[Ref] [php8] Unshare shared function
  `CRM_Custom_Form_CustomData::setGroupTree` in order to clean-up**
- **[REF][PHP8.2] Ref fix deprecation in PHP8.2 about dynamic property _ssID**
- **[REF] [PHP8.2] Post unshare cleanup**
- **[REF] [PHP8.2] Treat subType as an internal variable, not a form property**
- **[REF][PHP8.2] Fix Deprecation notice due to dynamic properties on the
  Contribute History report**
- **[REF][PHP8.2] Fix deprecated dynamic properties in Logging Report Detail**
- **[REF][PHP8.2] Fix Dynamic Property Deprecation notice in MultiRecordListing**
- **[REF][PHP8.2] Move declaration of _actionButtonName from
  CRM_Core_Form_Search to CRM_Core_Form to fix undefined property errors in Job
  Report tests ([26815](https://github.com/civicrm/civicrm-core/pull/26815))**
- **[REF][PHP8.2] Apply PR patch to mimetyper to fix deprecated dynamic property**
- **[REF][PHP8.2] Resolve PHP8.2 Dynamic property issues by declaring properties
  on the class ([364](https://github.com/civicrm/civicrm-packages/pull/364))**
- **[REF] CRM_Admin_Form - Use metadata instead of boilerplate to set page title**
- **[REF] Fix poor checking of extends field as per PR #27079 but this time on
  the Amounts tab of the contribution page config**
- **REF: Rename variables to make it easier to understand what the code is doing**
- **[REF] CiviGrant - Switch to writeRecord/deleteRecord + BAO hooks**
- **[Ref] Use `isQuickConfig` function, rather than repetitively looking it up**
- **REF - Split variable assignments out of conditionals**
- **[REF] Fix CRM_Utils_Array calls that return potentially incorrect value**
- **[REF] LocationType - Set defaults, modernize form and BAO**
- **[REF] Ensure that url that is stored as context is generated correctly for
  backend usage in wordpress**
- **ScheduledReminders - Refactor form to work at a standalone url**
- **[REF] ScheduleReminders - Cleanup "sublimely stupid" form code**
- **[REF] ActionMapping - Improve class structure**
- **(REF) CMSUser::create - Rename misleading parameter**
- **[REF] Use internal variable rather than property to pass variable**
- **[REF] Stop passing `result` into `getContributionParams` to get one value
  from it, in one code path**
- **[Ref] Minor cleanup on handling of financial type**
- **[REF] Ensure that getActions respects any modifications by event listeners**
- **[REF] Clarify loading of PriceSetID**
- **[REF] Add a note in documentation of CRM_Utils_Mail::send to clarify array
  keys are case specific and replace some CRM_Utils_Array::value**
- **NFC: Update translation file**
- **[NFC] setup/plugins/init/StandaloneUsers: fix missing closing quote in log**
- **(NFC) Civi\ESM - Doc cleanups**
- **[NFC] Replace nonstandard copyright headers with the standard one**
- **[NFC] New Event: remove empty table row**
- **[NFC] Delete unused boilerplate comments**
- **[NFC][PHP8.2] Fix dynamic property _loggedInUser**
- **[PHP8.x] Stop setting undeclared, unused property in test**
- **Fix mis-cased apiVersion causing php8.x fails in SavedSearchTest**
- **[php8.x] Fix test to use full form flow**
- **Update tests to ignore packaged saved searches**
- **Reduce test fails on edge for Contact_Detail report**
- **Minor cleanup in test class**
- **Cleanup test class, including fix undeclared property**
- **Fix undeclared property in SyntaxConformanceTests**
- **[tests][php8.2] Use function rather than sometimes declared property for**
- **ManagedEntityTest - Simplify reconciliation**
- **Limit Managed Entity test reconciliation to the entities in the test**
- **Update ContributionMainTest to use full form flow**
- **Move turning logging off to the tearDown**
- **Minor improvement in test set up function**
- **Fix saved search test when there is an existing managed saved search**
- **God has answered**
## <a name="credits"></a>Credits
This release was developed by the following code authors:
AGH Strategies - Andie Hunt; Artful Robot - Rich Lott; Benjamin W; Christian
Wach; CiviCRM - Coleman Watts, Tim Otten; CiviDesk - Yashodha Chaku; Coop
SymbioTIC - Mathieu Lutfy; Dave D; JMA Consulting - Seamus Lee; Megaphone
Technology Consulting - Jon Goldberg; MJW Consulting - Matthew Wire; PERORA
SRL - Samuele Masetto; Progressive Technology Project - Jamie McClelland;
Squiffle Consulting - Aidan Saunders; Third Sector Design - Kurund Jalmi;
Wikimedia Foundation - Eileen McNaughton; Wildsight - Lars Sander-Green
Most authors also reviewed code for this release; in addition, the following
reviewers contributed their comments:
Agileware - Justin Freeman; Australian Greens - John Twyman; Bob Silvern;
BrightMinded Ltd - Bradley Taylor; Circle Interactive - Pradeep Nayak;
Humanists UK - Andrew West; JMA Consulting - Joe Murray, Monish Deb; Korlon -
Stuart Gaston; Megaphone Technology Consulting - Brienne Kordis; Ranjit Pahan;
Richard Baugh; Richard van Oosterhout; Semper IT - Karin Gerritsen; RIPS
Technologies - Dennis Brinkrolf; Tadpole Collective - Kevin Cristiano; Third
Sector Design - William Mortada; Uepal - Jean-Marie Heitz; xavi-xaloc
## <a name="feedback"></a>Feedback
These release notes are edited by Alice Frumin and Andie Hunt. If you'd like
to provide feedback on them, please log in to https://chat.civicrm.org/civicrm
and contact `@agh1`.