Zenario 9.0.55141

@TribalSystems TribalSystems released this 26 Oct 15:33
· 27 commits to latest-public-release since this release

This release contains some security fixes for managing files.

We are no longer allowing .html files to be uploaded into the CMS.

We've also added some restrictions to SVGs. You can no longer upload and attach SVGs to forum posts and replies, and visitors can no longer upload SVGs to use as user avatars. We've also added sanitisation for all SVGs that are uploaded, to protect against attackers embedding XSS attacks inside them.
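One way to sanitise an uploaded SVG with element and attribute allow-lists, as an added Python example. It is not Zenario's code, which this page does not show; the allow-lists, function names and sample input are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Constructed allow-lists for this example; a real deployment needs fuller ones.
ALLOWED_TAGS = {"svg", "g", "defs", "title", "desc", "path", "rect", "circle",
                "ellipse", "line", "polyline", "polygon", "use"}
ALLOWED_ATTRS = {"id", "class", "viewBox", "width", "height", "x", "y", "cx", "cy",
                 "r", "d", "points", "fill", "stroke", "stroke-width", "transform"}

def _split(name):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if name.startswith("{"):
        ns, _, local = name[1:].partition("}")
        return ns, local
    return "", name

def _clean(elem):
    """Drop non-allow-listed child elements and attributes, recursively."""
    for child in list(elem):
        ns, tag = _split(child.tag)
        if ns != SVG_NS or tag not in ALLOWED_TAGS:
            elem.remove(child)  # removes script, foreignObject, a, style and their subtrees
        else:
            _clean(child)
    for name in list(elem.attrib):
        ns, attr = _split(name)
        if attr == "href" and ns in ("", XLINK_NS):
            keep = elem.attrib[name].strip().startswith("#")  # same-document references only
        else:
            keep = ns == "" and attr in ALLOWED_ATTRS  # drops on* handlers, style, etc.
        if not keep:
            del elem.attrib[name]

def sanitise_svg(data):
    """Return a cleaned SVG string, or raise ValueError if the upload is rejected."""
    if "<!DOCTYPE" in data.upper() or "<!ENTITY" in data.upper():
        raise ValueError("DTDs and entity declarations are not accepted")
    root = ET.fromstring(data)  # the default parser discards comments and PIs
    if _split(root.tag) != (SVG_NS, "svg"):
        raise ValueError("root element is not an SVG <svg>")
    _clean(root)
    return ET.tostring(root, encoding="unicode")

# Constructed sample upload with script-bearing constructs mixed into harmless shapes.
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 9 9" onload="f()">'
          '<script>f()</script><foreignObject><p>x</p></foreignObject>'
          '<rect width="9" height="9" onclick="f()"/><use href="javascript:f()"/>'
          '<use href="#a"/></svg>')
```

Rejecting or stripping by allow-list means constructs the sanitiser has never heard of are removed by default, which is the property a deny-list of known-bad tags cannot give.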

We've also fixed a bug where an administrator could change the extension of a document by manipulating inputs when editing its properties.

This release also fixes some missed escaping when sending an ETag from the server to the client, and contains several other minor bugfixes.