Security: fixes stored XSS in avatar.Proxy by rejecting non-image avatar content before storage and before serving. Also adds CSP/nosniff headers, WebP-safe validation, ETag parsing fixes, and decompression-bomb checks. Credit to @paskal.
Changes since v2.1.3
- #290 prevent stored XSS via avatar content-type spoofing
Full Changelog: v2.1.3...v2.1.4
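A sketch of the kind of check the fix above describes: validate avatar bytes before storage and again before serving, then send nosniff and CSP headers. This is an added example, not code from the project or the release. The names `validateAvatar` and `serveAvatar`, the pixel bound, the CSP value and the PNG/JPEG/GIF-only format set are assumptions (WebP needs a decoder outside the standard library).

```go
package main

import (
	"bytes"
	"fmt"
	"image"
	_ "image/gif" // the decoders registered here define the accepted formats
	_ "image/jpeg"
	_ "image/png"
	"net/http"
	"strings"
)

const (
	maxPixels = 4096 * 4096                            // assumed bound, not the project's value
	okGIF     = "GIF89a\x01\x00\x01\x00\x00\x00\x00" // constructed: GIF header declaring 1x1
	bombGIF   = "GIF89a\xff\xff\xff\xff\x00\x00\x00" // constructed: declares 65535x65535
	htmlDoc   = "<!DOCTYPE html><html><body>not an image</body></html>"
)

// validateAvatar ignores any upstream Content-Type header and judges only the bytes.
func validateAvatar(body []byte) (string, error) {
	ct := http.DetectContentType(body)
	if !strings.HasPrefix(ct, "image/") {
		return "", fmt.Errorf("not an image: sniffed %q", ct)
	}
	cfg, _, err := image.DecodeConfig(bytes.NewReader(body)) // header only, no pixel allocation
	if err != nil {
		return "", fmt.Errorf("undecodable image: %w", err)
	}
	if cfg.Width <= 0 || cfg.Height <= 0 || int64(cfg.Width)*int64(cfg.Height) > maxPixels {
		return "", fmt.Errorf("declared size %dx%d out of bounds", cfg.Width, cfg.Height)
	}
	return ct, nil
}

// serveAvatar validates again before serving and pins how the browser treats the body.
func serveAvatar(w http.ResponseWriter, body []byte) {
	ct, err := validateAvatar(body)
	if err != nil {
		http.Error(w, "invalid avatar", http.StatusUnsupportedMediaType)
		return
	}
	w.Header().Set("Content-Type", ct)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Security-Policy", "default-src 'none'; sandbox") // assumed policy
	_, _ = w.Write(body)
}

func main() { fmt.Println(validateAvatar([]byte(htmlDoc))) }
```

Calling the same validator on the write path and the read path means content cached before an upgrade is still checked when it is requested.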