2.7.0

colinodell released this 05 May 12:21 (tag 2.7.0, commit 6fbb36d)

This is a security release to address a potential cross-site scripting (XSS) vulnerability when using the AttributesExtension with untrusted user input.

Added

  • Added attributes/allow config option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)

Changed

  • The AttributesExtension blocks all attributes whose names start with "on" unless explicitly allowed via the attributes/allow config option
  • The allow_unsafe_links option is now respected by the AttributesExtension when users specify href and src attributes
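A hardened setup for rendering untrusted Markdown with these options, as an added example that is not part of the release notes or the project's own code. It assumes league/commonmark 2.7.0 or later installed via Composer and that attributes/allow takes a list of attribute names; buildConverter(), riskyAttributes() and the sample input are constructed for illustration.

```php
<?php
// Added example: allowlist attributes for untrusted input and verify the rendered HTML.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\Environment\Environment;
use League\CommonMark\Extension\Attributes\AttributesExtension;
use League\CommonMark\Extension\CommonMark\CommonMarkCoreExtension;
use League\CommonMark\MarkdownConverter;

function buildConverter(): MarkdownConverter
{
    $environment = new Environment([
        'html_input' => 'escape',           // raw HTML in the Markdown is escaped
        'allow_unsafe_links' => false,      // now also applied to user-set href/src
        'attributes' => [
            'allow' => ['id', 'class'],     // explicit allowlist instead of the permissive default
        ],
    ]);
    $environment->addExtension(new CommonMarkCoreExtension());
    $environment->addExtension(new AttributesExtension());

    return new MarkdownConverter($environment);
}

// Hypothetical regression check: list event-handler attributes and script-scheme URLs.
function riskyAttributes(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML('<div>' . $html . '</div>', LIBXML_NOERROR | LIBXML_NOWARNING);
    $found = [];
    foreach ($doc->getElementsByTagName('*') as $element) {
        foreach ($element->attributes as $attr) {
            $name = strtolower($attr->name);
            $isHandler = str_starts_with($name, 'on');
            $isScriptUrl = in_array($name, ['href', 'src'], true)
                && preg_match('/^\s*javascript:/i', $attr->value) === 1;
            if ($isHandler || $isScriptUrl) {
                $found[] = $element->tagName . '[' . $name . ']';
            }
        }
    }
    return $found;
}

// Constructed sample of untrusted input using the attributes syntax.
$untrusted = "# Welcome {#intro .lead onclick=\"alert(1)\"}\n\n"
    . "[docs](https://example.com/docs){.button onmouseover=\"alert(1)\"}\n";
$html = buildConverter()->convert($untrusted)->getContent();
$risky = riskyAttributes($html);
echo $risky === [] ? $html : 'Risky attributes rendered: ' . implode(', ', $risky) . PHP_EOL;
```

Run the same check against the library version you are upgrading from to confirm whether your current configuration was exposed.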