diff --git a/CHANGELOG.md b/CHANGELOG.md
index fd0e7e5d..e053ba54 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,21 @@
+# v4.0.0
+## 10/06/2019
+
+1. [](#new)
+ * Added `tabindex` to global attributes of default field
+ * Add ability to Sanitize SVGs on upload (Grav 1.7+ required)
+1. [](#improved)
+ * Deprecate `select_optgroup` as `select` can handle optgroups now
+ * Added missing tabindex checks
+ * Refactored field inheritance to make things more reliable
+ * Removed jQuery dependency for the reCaptcha field and VanillaJS-ified it instead
+ * Removed a stray `dump()` command
+ * Refactored the base `templates/forms/default` twig templates to make things more extensible
+ * Added a new `templates/forms/layouts` set of twit templates to allow for easier customization
+1. [](#bugfix)
+ * Fixed `Badly encoded JSON data` warning when uploading files [grav#2663](https://github.com/getgrav/grav/issues/2663)
+ * Fixed a number of escaping issues [#368](https://github.com/getgrav/grav-plugin-form/issues/368)
+
 # v3.0.9
 ## 09/19/2019
diff --git a/blueprints.yaml b/blueprints.yaml
index e4940e0b..7b7d19fc 100644
--- a/blueprints.yaml
+++ b/blueprints.yaml
@@ -1,5 +1,5 @@
 name: Form
-version: 3.0.9
+version: 4.0.0
 testing: false
 description: Enables the forms handling
 icon: check-square
diff --git a/classes/Form.php b/classes/Form.php
index f36f3c7d..285c735e 100644
--- a/classes/Form.php
+++ b/classes/Form.php
@@ -11,6 +11,7 @@
 use Grav\Common\Inflector;
 use Grav\Common\Language\Language;
 use Grav\Common\Page\Interfaces\PageInterface;
+use Grav\Common\Security;
 use Grav\Common\Uri;
 use Grav\Common\Utils;
 use Grav\Framework\Filesystem\Filesystem;
@@ -652,6 +653,11 @@ public function uploadFiles()
 $upload['file']['name'] = $filename;
 $upload['file']['path'] = $path;
+ // Special Sanitization for SVG
+ if (method_exists('Grav\Common\Security', 'sanitizeSVG') && Utils::contains($mime, 'svg', false)) {
+ Security::sanitizeSVG($upload['file']['tmp_name']);
+ } + + // We need to store the file into flash object or it will not be available upon save later on.
 $flash = $this->getFlash();
 $flash->setUrl($url)->setUser($grav['user'] ?? null);
diff --git a/templates/forms/default/field.html.twig b/templates/forms/default/field.html.twig
index 68a87e76..eb4c9908 100644
--- a/templates/forms/default/field.html.twig
+++ b/templates/forms/default/field.html.twig
@@ -1,4 +1,7 @@
-{% if not field.validate.ignore %}
+{% if not field.validate.ignore %}
+
+{% use 'forms/layouts/field-variables.html.twig' %}
+{% block field_override_variables_before %}{% endblock %}
 {% set field_name = (scope ~ field.name)|fieldName %}
 {% set vertical = field.style == 'vertical' %}
@@ -27,6 +30,12 @@
 {# DEPRECATED: Needed by old form fields; remove when backwards compatibility breaks are allowed #}
 {% set isDisabledToggleable = toggleable and not toggleableChecked %}
+{% if toggleable %}
+ {% set form_field_toggleable %}
+ {% include 'forms/default/toggleable.html.twig' with {checked: toggleableChecked} %}
+ {% endset %}
+{% endif %}
+
 {% set errors = attribute(form.messages, field.name) %}
 {% set required = client_side_validation and field.validate.required in ['on', 'true', 1] %}
 {% set autofocus = (inline_errors == false) and field.autofocus in ['on', 'true', 1] %}
@@ -35,105 +44,112 @@
 {% set autofocus = true %}
 {% endif %}
-{% block field %}
-
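Review bot: The new SVG guard in uploadFiles() keys only on `$mime`, which is assigned outside the hunk; if that value can come from the client-declared type rather than content detection, an SVG uploaded under another type (or with a `.svg` name and a generic XML/text type) skips `Security::sanitizeSVG` entirely, and on a Grav without that method the file is stored unsanitized with no log entry. Suggest widening the trigger to the file name as well and logging when sanitization is skipped, e.g. `if (method_exists(Security::class, 'sanitizeSVG') && (Utils::contains($mime, 'svg', false) || Utils::endsWith($filename, '.svg', false))) {`. Since the class is now imported in the first Form.php hunk, `Security::class` also replaces the string literal `'Grav\Common\Security'`. The result of `sanitizeSVG` is discarded; if it can report failure, the upload should be rejected rather than stored. uploadFiles() starts and ends outside the hunk.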
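Review bot: `form_field_toggleable` is only defined when `toggleable` is true, so any later reference to it (outside this hunk) depends on Twig's `strict_variables` setting instead of a guaranteed value; add an `{% else %}{% set form_field_toggleable = '' %}` branch so consumers can print it unconditionally. Note also that `{% set … %}…{% endset %}` captures the included output as already-safe markup, so it is printed without autoescaping — `forms/default/toggleable.html.twig` must escape every value it renders, `checked` included, which is worth stating above the block, e.g. `{# captured markup is not re-escaped on output; toggleable.html.twig must escape its own values #}`. The enclosing `{% if not field.validate.ignore %}` opened in the first hunk closes outside this one.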