Skip to content

fix for </textarea/> vulnerability#5501

Merged
boutell merged 3 commits into
mainfrom
apostrophe-ghsa-jxwj-j7wr-gfrw
Jul 8, 2026
Merged

fix for </textarea/> vulnerability#5501
boutell merged 3 commits into
mainfrom
apostrophe-ghsa-jxwj-j7wr-gfrw

Conversation

@boutell

@boutell boutell commented Jul 8, 2026

Copy link
Copy Markdown
Member

I'm PR'ing it here because github is stuck and unable to recognize the latest push to the temporary private fork.

@boutell boutell requested a review from BoDonkey July 8, 2026 13:51
@boutell boutell merged commit eae1fb2 into main Jul 8, 2026
24 checks passed
@boutell boutell deleted the apostrophe-ghsa-jxwj-j7wr-gfrw branch July 8, 2026 14:05
boutell added a commit that referenced this pull request Jul 8, 2026
* Fix asset URLs when a site prefix is configured (#5448)

* fix: treat col as a self-closing tag (#5447)

* fix: treat col as a self-closing tag

* Make dateTime field responsive (css) (#5481)

* Fix/from rich text adds metatype (#5488)

* fromRichText adds metatype to new widget

* change

* nodemailer major bump (#5485)

* Harden and centralize the cache invalidation (#5493)

* fix(sanitize-html): emit transformTags text on empty tags when textFilter is set (#5494)

When a transformTags handler adds text to an allowed tag that originally had
no text content, the injected text was silently dropped if any textFilter was
configured. The onopentag branch that emits frame.innerText was guarded by
!options.textFilter, deferring emission to ontext so the filter could run
there. For an empty element htmlparser2 never fires ontext, so the text was
emitted by neither branch.

Emit frame.innerText through options.textFilter here when present (mirroring
the discard path), so the transformTags text contract holds for empty tags
regardless of whether a textFilter is set.

* changeset crediting spokodev for sanitize-html fix (#5498)

* Fix shortcut conflicts (#5499)

* Fix backspace after slash deleting a rich-text widget

* Fix copy/paste widget/text conflicts

* Fix astro redirects (#5500)

* Merge commit from fork

* Merge commit from fork

* Merge commit from fork

* Merge commit from fork

* fix path traversal in import/export

* correct credits

* additional guards

* Merge commit from fork

* fix for </textarea/> vulnerability (#5501)

* wip

* fix for math/svg vulnerabilities

---------

Co-authored-by: Jinka Manohar <145598597+Manohar2503@users.noreply.github.com>
Co-authored-by: Vansh Parmar <vanshparmar8742@gmail.com>
Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>
Co-authored-by: spokodev <spoko.dev@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants