v0.19.2

@kyoshino kyoshino released this 09 Apr 19:16
· 855 commits to main since this release
684e633
  • Security Update: Fixed a cross-site scripting (XSS) vulnerability in the content editor that could allow an attacker to inject arbitrary HTML code into the Markdown preview using dynamic default values. Although the XSS risk is clearly stated in the widget documentation, the preview is not sanitized under the default configuration. Sveltia CMS now removes all HTML tags from dynamic default values for Markdown fields, regardless of the sanitize_preview option. We recommend that all users always set up a Content Security Policy (CSP) to mitigate risks and keep the CMS up to date. (Don’t include a fixed version number in <script src>.)
  • Fixed other issues with dynamic default values.

Full Changelog: v0.19.1...v0.19.2