Fix XSS vulnerability in tag search #2039
Conversation
It affects the title tag of the bookmark list page. Fixes shaarli#2038
Thanks! Beat me to it
There is still the problem of #2029, which causes the PHP 8.1/8.2 tests to fail... but Shaarli's Docker image is based on Alpine 3.16.7, which has PHP 8.0.30, which is not affected. So it should be fine to release as-is.
However, PHP 8.0 security support ends in 3 days, so it would be good to update to Alpine 3.17 (PHP 8.1.22, not affected either).
Yes, good call, I'll bump Alpine's version. Also, I'm not really aware of what's in v0.12.2...shaarli:Shaarli:master. These are mostly bugfixes, minor config tweaks, build/CI improvements, and documentation updates.
I'll restart working on #2019 (update base image to Alpine 3.18) for the next release.
The error you had in #2019 seems to happen with Alpine 3.17 as well. I'm going to revert the change and we can upgrade later on, with a next minor release.
Yes, Alpine 3.17 changes PHP package names from
No problem, let's revert the change, I'll look into it.
It affects the title tag of the bookmark list page.
Fixes #2038