This repository was archived by the owner on Oct 6, 2021. It is now read-only.

Version 1.1.4 - Of SVG and Madness


@paragonie-scott paragonie-scott released this 02 Jul 18:12
· 523 commits to master since this release
v1.1.4
  • i18n - run parameters through HTMLPurifier (with caching) to prevent future
    XSS payloads in case someone forgets to escape these parameters. HTML is
    still allowed, so if you're inserting in an HTML attribute, use the
    |e('html_attr') filter on your input.
  • Use the correct POST index in account recovery.
  • Treat SVG and XML files as plaintext, to prevent stored XSS. Reported on
    HackerOne.
  • Send Content-Security-Policy headers on file downloads as well as on web
    pages, in case another file type exists in the world that executes
    JavaScript when the file is viewed.
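The last two items describe one defensive pattern for user-uploaded files: never let the browser treat an upload as an active document, and send a restrictive policy on the download response regardless of type. The following is an added illustration of that pattern, not code from Airship or from paragonie; the file names, the MIME set and the policy string are constructed for the example, and a real handler would also stream the file body, which is omitted here.

```python
"""Added example: choose safe response headers for a user-uploaded file.

This is not Airship's code. It shows the idea behind the release notes:
SVG and XML are served as text/plain so a browser will not render (and
run scripts inside) them, and every download carries a CSP header.
"""
import mimetypes
import os
import re
from typing import Dict, Optional

# Constructed set: MIME types a browser renders as a document, which is
# where markup can carry script. Anything here is downgraded to text.
ACTIVE_CONTENT_TYPES = {
    "image/svg+xml",
    "application/xml",
    "text/xml",
    "text/html",
    "application/xhtml+xml",
}

# Constructed policy for downloads: no script, no framing, no network;
# 'sandbox' additionally forbids script execution and form submission.
DOWNLOAD_CSP = "default-src 'none'; sandbox"


def safe_content_type(filename: str, declared: Optional[str] = None) -> str:
    """Pick the Content-Type to send, downgrading active content to text.

    `declared` is the type the uploader claimed (if any); it is only used
    for the decision after normalisation and is never trusted to bypass
    the downgrade.
    """
    content_type = declared or mimetypes.guess_type(filename)[0] \
        or "application/octet-stream"
    # Drop parameters such as "; charset=..." and compare case-insensitively.
    content_type = content_type.split(";", 1)[0].strip().lower()
    if content_type in ACTIVE_CONTENT_TYPES:
        return "text/plain"
    return content_type


def download_headers(filename: str, declared: Optional[str] = None) -> Dict[str, str]:
    """Return the response headers for serving the uploaded file `filename`."""
    # Strip directory parts and characters that could break the header value.
    base = os.path.basename(filename)
    base = re.sub(r'[\x00-\x1f"\\]', "", base) or "download"
    return {
        "Content-Type": safe_content_type(filename, declared),
        # attachment: the browser saves instead of rendering inline.
        "Content-Disposition": f'attachment; filename="{base}"',
        # nosniff: the browser must not guess a more dangerous type.
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": DOWNLOAD_CSP,
    }


if __name__ == "__main__":
    # Constructed sample uploads; the declared type is what the uploader sent.
    samples = [
        ("logo.svg", "image/svg+xml"),
        ("feed.xml", "text/xml; charset=utf-8"),
        ("photo.png", "image/png"),
        ('../evil"name.svg', None),
    ]
    for name, declared in samples:
        print(name)
        for key, value in download_headers(name, declared).items():
            print(f"  {key}: {value}")
```

The downgrade happens on the normalised type, so a declared `text/xml; charset=utf-8` is still caught, and the same policy header is attached to every download rather than only to types already known to be dangerous.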