Plone 6.0.7 released

Release notes for Plone 6.0.7

If you want to jump straight in, here are two important links:


Major changes since 6.0.6:

  • This includes security fixes from today's announcement:
  • Zope:
    • Security fixes in AccessControl and RestrictedPython. See community announcement.
    • Allow only some image types to be displayed inline. Force download for others, especially SVG images.
    • Tighten down the ZMI frame source logic to only allow site-local sources.
    • Added image dimensions to SVG file properties.
  • plone.namedfile:
    • Fix stored XSS (Cross Site Scripting) for SVG images.
    • Add internal modification timestamp with fallback to _p_mtime.
    • Use new internal modification timestamp as part of the hash key for scales.
    • Fixed issue with SVG images that contain extensive metadata.
  • When ++api++ is in the url multiple times, redirect to the proper url.
  • plone.restapi:
    • Fix stored XSS (Cross Site Scripting) for SVG image in user portrait.
    • Allow passing additional parameters to the delete users endpoint to request not to delete local roles and memberareas.
    • When serializing blocks, image_scales is now added to blocks that contain a resolveuid-based url.
    • When deserializing blocks, image_scales is removed.
    • Add visit_blocks util for finding all nested blocks.
  • plone.dexterity: Fix a memory leak. For details see issue 3829.
  • Make this package deprecated. It still works, and is included in Plone 6.0, but Plone 6.1 will not ship with it.
    Widget base classes have been moved to
    Also see for information about moving utility methods to their new location.
  • Add support for playwright-based tests via robotframework-browser.
  • Introduce new Email-Widget which is used for fields. It uses the input type email.
  • plone.volto: Add block_types index to zcatalog. By default it is only added for new Plone sites.
    To add it to an existing site, run plone.volto.upgrades.add_block_types_index manually.
  • Fixes for Indonesian in a multilingual site. Fix set_recursive_language to actually find child objects.
  • Fix the `currentUser` operation when the current user's username is different from their user id.
  • plone.staticresources: Update Bootstrap to 5.3.2, bootstrap-icons to 1.11.1 and Mockup to 5.1.5:
    • pat structure: Fix popover-structure-columns, use 2-column layout. (9fb499e)
    • pat structure: Fix sticky position when toolbar is on top.
    • pat tinymce: Fix image modal with selected image. Properly await the select2 initialization when using it from the insert image or insert link dialogs.
  • plonetheme.barceloneta: Update Bootstrap to 5.3.2
  • Products.CMFCore:
    • Improve handling of PortalFolder filter input.
    • Provide a way to not publish items that are acquired.
  • Updates to nl translations.

Volto frontend

The default frontend for new Plone 6 sites is Volto. Latest release is 16.24.0. See the changelog.
Note that this is a JavaScript frontend that you need to run in a separate process with NodeJS.

Also, existing Plone sites need some or more extensive changes to be upgraded before they can use the Volto Frontend. Please read the guide on migrating from Plone Classic UI to Volto.

Classic UI

The HTML based and server side rendered UI that was present in Plone 5.2 and earlier major Plone releases is still available and has also been updated and improved upon in Plone 6. Our documentation now refers to this frontend as 'Classic UI'. Support for Classic UI is especially relevant for existing Plone sites which for whatever reason or requirements are not yet ready to be upgraded to the Volto frontend.

Python compatibility

This release supports Python 3.8, 3.9, 3.10, and 3.11.

pip, buildout, setuptools

In Plone core we use these versions to install Plone:


In general you are free to use whatever versions work for you, but these worked for us.

Note that setuptools 66 or higher is more strict with what versions it can recognize. If you run pip or buildout and it suddenly cannot find a package with a non-standard version, then this may be the cause.
And setuptools 68.1.0 until at least 68.1.2 may give problems with namespace packages, especially when they have multiple levels, like*, and are installed in editable mode. And pinning a specific version of setuptools in your virtual environment may not even be enough for this case. See ModuleNotFoundError when running tests on Python 3.11 · Issue #172 · plone/meta · GitHub


For installation instructions, see the documentation.


If you find any issues, please report them in the main issue tracker.


With the new Zope version included in Plone 6.0.7 you may see a `zExceptions.BadRequest: data exceeds memory limit` error when uploading an image or file that is larger than 1 MB.
To get rid of this error, edit etc/zope.conf to include something like this:

    form-memory-limit 4MB

If you use Buildout, you will first need to update plone.recipe.zope2instance to 6.12.2, and include the dos_protection lines in a zope-conf-additional option in your instance/zeoclient buildout config.

See Unable to upload files larger than 1mb after Plone 6.0.7 upgrade · Issue #3848 · plone/Products.CMFPlone · GitHub
Thanks to @mamico for fixing this in plone.recipe.zope2instance.
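The Zope and plone.namedfile items in the release notes above (inline display restricted to some image types, SVG forced to download, SVG stored XSS fixed, image dimensions added to SVG properties) all come down to one rule: decide how to serve a file from its bytes, not from its name or declared type. The following is an added example that is not code from Plone, Zope or plone.namedfile; the function names, the allow-list and the sample uploads are constructed for illustration.

```python
"""Added example (not Plone's code): serve uploaded images inline only when
they are a known raster format, force everything else to download, and read
SVG dimensions without trusting the upload.  Function names are illustrative."""
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Allow-list of formats a browser renders as pixels, never as a document.
INLINE_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Derive the format from the bytes; the client-declared content type is
    attacker-controlled and must not decide how the file is served."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    if b"<svg" in data[:2048]:
        # SVG is XML: it can carry script and event handlers, hence the
        # stored-XSS fixes in this release.  Treat it as a document, not pixels.
        return "image/svg+xml"
    return None


def content_disposition(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (Content-Type, Content-Disposition) for an upload.  Anything not
    on the inline allow-list gets 'attachment', so the browser saves it instead
    of rendering it in the site's origin."""
    actual = sniff_image_type(data) or "application/octet-stream"
    if actual in INLINE_IMAGE_TYPES:
        return actual, "inline"
    # Keep the header well-formed: no quotes, separators or control characters.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return actual, 'attachment; filename="%s"' % safe_name


_LENGTH = re.compile(r"^\s*([0-9]*\.?[0-9]+)\s*(px)?\s*$")


def _parse_length(value: Optional[str]) -> Optional[float]:
    """Accept plain numbers or px; percentages and other units return None."""
    if value is None:
        return None
    match = _LENGTH.match(value)
    return float(match.group(1)) if match else None


def svg_dimensions(data: bytes) -> Optional[Tuple[float, float]]:
    """Width/height from the root <svg> attributes, else from viewBox.
    Documents with a DTD are refused outright: stdlib ElementTree does not
    protect against entity-expansion attacks, and an image needs no DTD."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return None
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    if root.tag.rsplit("}", 1)[-1] != "svg":
        return None
    width = _parse_length(root.get("width"))
    height = _parse_length(root.get("height"))
    if width is not None and height is not None:
        return width, height
    parts = (root.get("viewBox") or "").replace(",", " ").split()
    if len(parts) == 4:
        try:
            return float(parts[2]), float(parts[3])
        except ValueError:
            return None
    return None


# Constructed sample uploads (not real files): a PNG signature with padding,
# and a small SVG declaring its size in attributes.
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_UPLOAD = (b'<svg xmlns="http://www.w3.org/2000/svg" width="120px" height="80">'
              b'<rect width="120" height="80"/></svg>')


def demo() -> dict:
    """How each sample would be served; the SVG renamed to .png is still
    forced to download because the bytes, not the name, are inspected."""
    return {
        name: content_disposition(name, data)
        for name, data in [("photo.png", PNG_UPLOAD),
                           ("logo.svg", SVG_UPLOAD),
                           ("renamed.png", SVG_UPLOAD)]
    }


if __name__ == "__main__":
    for name, headers in demo().items():
        print(name, headers)
    print("logo.svg size:", svg_dimensions(SVG_UPLOAD))
```

The allow-list approach is what makes the fix hold: a new image format is downloadable by default until someone deliberately adds it, and a file whose declared type lies is served according to what it actually is.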


Just print plone.recipe.zope2instance >= 6.12.2 and buildout?

This returns an error:

    Installing instance.
    Error: The requirement ('plone.recipe.zope2instance>=6.12.2') is not allowed by
    your [versions] constraint (6.12.1)

Please let me know the right way for doing that.

Many thanks

this pinning does the job in my buildout.cfg:

[clientX or instance]
zope-conf-additional =
    form-memory-limit 256MB


Also put in buildout.cfg?

Thanks in advance

If you have a single instance setup, you find the [instance] section in your buildout; if you run a zeo setup you find a [clientX] section or [client_base] section. Put the snippet in these sections, or post your buildout.cfg without sensitive data here and we can help.
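Putting the two answers above together, here is a buildout.cfg fragment as an added example; it is not from the release notes or from the plone.recipe.zope2instance documentation. The [versions] pin is what resolves the "not allowed by your [versions] constraint (6.12.1)" error: the requirement `>= 6.12.2` cannot be satisfied while the inherited pin says 6.12.1, so the pin itself has to be raised. The `<dos_protection>` wrapper around `form-memory-limit` is an assumption based on the announcement's wording ("include the dos_protection lines in a zope-conf-additional option"); after running buildout, check the generated zope.conf under parts/ to confirm the section is there.

```ini
[versions]
# Raise the pin inherited from the Plone 6.0.7 version pins. Without this,
# any ">= 6.12.2" requirement is rejected by the 6.12.1 constraint.
plone.recipe.zope2instance = 6.12.2

# Single-instance setups use [instance]; zeo setups use [clientX] or
# [client_base]. The zope-conf-additional option goes into that section.
[instance]
recipe = plone.recipe.zope2instance
# existing options (eggs, zeo-client, http-address, ...) stay unchanged
zope-conf-additional =
    <dos_protection>
      form-memory-limit 4MB
    </dos_protection>
```

The section is called dos_protection for a reason: the limit caps how much form data Zope keeps in memory per request, so set it to the largest upload you actually need rather than a value that lets any client make the process allocate hundreds of megabytes.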
