Skip to content

v1.3.2 — Security hardening

Latest

Choose a tag to compare

@smonier smonier released this 09 Jul 16:20

Swept against the Jahia/jahia-security-scan taxonomy: clean on all high-severity classes (no XSS sink, no SQL2 injection, no custom endpoint/CSRF surface, no SSRF, no system session). Two low-severity items hardened:

  • Author identity is never client-trusted — the displayed name is resolved from the server-set jcr:createdBy; the spoofable client-set authorName is no longer written or read (CND field kept as legacy).
  • Task text is stripped of </> before being copied into a jnt:task title/description (defense in depth).

Plus a README currency pass (identity model, build version, full changelog).