Security Release
This release contains fixes for:
- CivicTheme Design System - Moderately critical - Information disclosure - SA-CONTRIB-2025-112
- CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113
We recommend updating to CivicTheme 1.12.0. Sites on earlier versions should upgrade to version 1.12 to remediate the risk.
We recognise that sub-themes of CivicTheme can also carry these XSS and information disclosure risks.
We have created manual mitigation instructions for sites that are unable to update to CivicTheme 1.12.0 right away, together with guidance on how to assess the risk within your sub-theme customisations.
These can be found here
Key Information for Sub-Theme updates and security hardening
CivicTheme provides a field API system for retrieving commonly used field values specific to CivicTheme.
We strongly recommend that you use this system solely to retrieve field data for use within components.
If you do not use this API, you are responsible for implementing your own XSS mitigations when rendering field data.
The following functions are available for use:
- civictheme_get_field_value: retrieves field values from the fields that CivicTheme regularly uses. All field types within CivicTheme are supported, along with several others. Raise an issue if you require support for other field types.
- civictheme_get_field_referenced_entities: retrieves the entities referenced by a field of an entity and checks access to each of them. Also manages the cacheability metadata for the referenced entities.
- civictheme_get_field_referenced_entity: retrieves the first entity referenced by a field of an entity.
- civictheme_get_referenced_entity_labels: retrieves the labels of the referenced entities.
- civictheme_embed_svg: embeds an SVG from the provided URL. This function does not protect against XSS; it relies on the SVG icons being managed by users with an appropriate level of trust.
We recommend reviewing civictheme/includes/utilities.inc for these utility functions, and reviewing how CivicTheme itself calls them, to see how they are intended to be used.
On existing sites we also recommend reviewing who has access to create and edit items in the Icons media type. The theme is unable to sufficiently filter SVGs that are embedded into the page, so as a mitigation it is recommended to allow only the Site Administrator, or another user with elevated permissions, to manage media items of this type.
We also recommend using the SVG Sanitizer module to sanitize SVGs.
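As an added example (not CivicTheme's own code), the following sub-theme preprocess hook shows the raw-value pattern the advice above warns against next to the recommended field API call. The sub-theme name, the field names and the exact function signatures are assumptions; verify them against civictheme/includes/utilities.inc in your installed version.

```php
<?php

// Added example, not part of CivicTheme. Assumes a sub-theme named "mysubtheme"
// and the signature civictheme_get_field_value($entity, $field_name,
// $only_first = FALSE, $default = NULL) as described for utilities.inc.

use Drupal\node\NodeInterface;

/**
 * Implements hook_preprocess_HOOK() for node templates in the sub-theme.
 */
function mysubtheme_preprocess_node(array &$variables): void {
  $node = $variables['node'] ?? NULL;
  if (!$node instanceof NodeInterface) {
    return;
  }

  // Risky pattern: reading the raw stored value and handing it to Twig.
  // If the template later prints it with |raw, or the value is placed into
  // an attribute, any markup stored in the field reaches the page unfiltered,
  // and the sub-theme is left to implement its own XSS mitigations.
  // $variables['summary'] = $node->get('field_c_n_summary')->value;

  // Recommended pattern: retrieve the value through the CivicTheme field API.
  // Field names here are illustrative placeholders.
  $variables['summary'] = civictheme_get_field_value($node, 'field_c_n_summary', TRUE, '');

  // Referenced entities come back access-checked, with cacheability metadata
  // handled by the API rather than by the sub-theme. Assumed signature:
  // ($entity, $field_name).
  $variables['topic_labels'] = civictheme_get_referenced_entity_labels($node, 'field_c_n_topics');

  // In the Twig template print these as {{ summary }} and {{ topic_labels }}
  // so Twig autoescaping stays in effect; do not apply the |raw filter.
}
```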
New Features in CivicTheme 1.12.0
Theme Features
- #3549887 Slot validation errors in Single Directory Components @joshua-salsadigital (#1432)
- #3550601 by larowlan, richardgaunt, fionamorrison23, joshua1234511: The "file_validate_is_image" plugin does not exist @joshua-salsadigital (#1431)
- #3545860: Video player transcript @alan-cole (#1422)
- #3525185 by anirudhsingh19: Expose banner type as a variable @anirudhsingh-7773 (#1418)
- #3543729 by richardgaunt, ivan zugec: Add a script to automate setting up of GovCMS site @richardgaunt (#1417)
- #3543470 Updated provision callbacks to provide the theme_name to apply provisioning to. @richardgaunt (#1416)
- #3542546 by alex.skrypnyk: Apply TOC and tags only to the full view mode of Page @AlexSkrypnyk (#1415)
- Removed obsolete Referenced card template that was never used. @AlexSkrypnyk (#1413)
- [CHORE] Relax Stylelint rules to allow local SCSS variables in sub-themes. @AlexSkrypnyk (#1412)
- [CHORE] Fixed Shipshape installation requiring an access token. @AlexSkrypnyk (#1410)
- #3471956 by joshua1234511, richardgaunt, fionamorrison23: Enhance Civictheme menu theming system @joshua-salsadigital (#1350)
- #3501085 by richardgaunt, fionamorrison23, joshua1234511: Message - new paragraph component @joshua-salsadigital (#1405)
- #3501085 by richardgaunt, fionamorrison23, nidhish, joshua1234511: images with 'image style' should have relative link @joshua-salsadigital (#1404)
- #3527810 by richardgaunt, fionamorrison23, joshua1234511: Site is broken when trying to view a node that references an archived webform @joshua-salsadigital (#1406)
- #3537532 by richardgaunt, rraney, fionamorrison23, joshua1234511: Added Single Directory Component validation. @joshua-salsadigital (#1403)
- #3533316 Includes using the subtheme namespace do not work in storybook. @alan-cole (#1395)
- #3482790 by joshua1234511, richardgaunt, ameymudras, lavanyatalwar, fionamorrison23: Logo path with space causes issue. @joshua-salsadigital (#1401)
- #3501085 by richardgaunt, fionamorrison23, nidhish, joshua1234511: images with 'image style' should have relative link @joshua-salsadigital (#1399)
- #3456204 by tirupati_singh, sourojeetpaul, sime, fionamorrison23, richardgaunt, joshua1234511: Fixed search form element. @joshua-salsadigital (#1400)
- #3507328 Added new message paragraph component @febdao (#1340)
- #3537535 by ivan zugec, petednz: Remove workflow dependency from entity form displays @IvanZugec (#1391)
- #3512939 by richardgaunt, fionamorrison23: incorrectly turns email addresses into links @febdao (#1363)
- #3530263 Updated support message component in 642 @alan-cole (#1393)
- #3527182 Removed examples from civictheme_starter_kit @alan-cole (#1392)
- #3527169 Updated directory of font assets in starter_theme_kit. @joshua-salsadigital (#1396)
- #3508583 Updated field descriptions for Limit fields on Automated list. @nickgeorgiou (#1345)
- #3510841 Added support for primary navigation in header bottom region @febdao (#1356)
- #3527810 by alan.cole: Fix for striptags error on webform message. @alan-cole (#1390)
UI Kit Features
- [#769] Fixed inline filter component design to support a large label instead of a title. @alan-cole (#794)
- [#520] Grouped related fields and placed aria-invalid on correct input element. @nickgeorgiou (#524)
- [#805] Fixed spacing below content on mobile for chrome in layout component. @alan-cole (#806)
- [#772] Fixed php twig bug - menu_level_modifier_class not in scope. @alan-cole (#812)
- [#447] Fixed visibility on mobile menu non drawer/dropdown links. @alan-cole (#801)
- [#769] Added inline filter component for search page. @alan-cole (#788)
- [#366] Update slider to remove tab index. @alan-cole (#789)
- [#772] Add CSS versions of SCSS variables. @alan-cole (#775)
- [#759] Fixed dark theme on transcript component's basic content. @alan-cole (#787)
- [#706] Added transcript collapsible to video player. @alan-cole (#760)
- [#751] Fixed Attachment component not resetting the extension from the previous item. @AlexSkrypnyk (#752)
- [#719] Added hover styling to focus state of links. @alan-cole (#749)
- [#737] Added css variables for typography use. @alan-cole (#738)
- Fixed Chip events and removed button state management from the Single filter. @AlexSkrypnyk (#647)
- [#718] Removed border-color from :visited:hover on content links. @alan-cole (#723)
- [#694] Added fast fact card. @alan-cole (#712)
- [#688] Card design updates. @alan-cole (#695)
- [#689] Updated link hover state to include an underline. @alan-cole (#698)
- [#700] Updated content link visited colors to existing var names. @alan-cole (#701)
- [#467] Multi-line header @joshua-salsadigital (#702)
- [Chore] Dependency and package updates within UIKit.