v5.8.2

Latest

@wisskid wisskid released this 24 Jun 08:06
· 1 commit to master since this release

What's Changed

  • Security: prevent symlinks inside a trusted secure_dir/template directory from being used to read files outside of it (CWE-22 path traversal), affecting {include} and {fetch} of local files
  • Security: {html_image} now escapes the file, path_prefix, href/link, width and height attributes (it already escaped alt and pass-through attributes), and {html_select_date} casts day_size/month_size/year_size to int (matching {html_select_time}), preventing untrusted values passed into these attributes from breaking out of the generated HTML (CWE-79)
  • Security: {fetch} no longer follows HTTP redirects for remote resources while a security policy is active, preventing an open redirect on a trusted host from bypassing trusted_uri (CWE-918 server-side request forgery)
  • Fixed "Attempt to assign property step on null" error when using a {for} loop inside a block of an extended template #1036
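The first item above is a symlink variant of CWE-22: a path string that textually sits under a trusted directory can still resolve, after following a symlink, to a file outside it. The following PHP snippet is an added illustration of the defensive check, written for this page; it is not Smarty's own implementation, and the function name `isInsideTrustedDir` and the constructed temporary directory layout are assumptions for the demo.

```php
<?php
// Added illustration (not Smarty's code): decide whether a requested file is
// really inside a trusted directory by comparing *resolved* paths, so that a
// symlink pointing outside the directory is rejected.

function isInsideTrustedDir(string $trustedDir, string $requested): bool
{
    // realpath() follows symlinks and normalises ".." segments; it returns
    // false for a path that does not exist, which we treat as a denial.
    $realTrusted = realpath($trustedDir);
    $realFile    = realpath($requested);
    if ($realTrusted === false || $realFile === false) {
        return false;
    }
    // Require the directory itself or a path strictly below it. The trailing
    // separator prevents "/srv/templates" from matching "/srv/templates2".
    $prefix = rtrim($realTrusted, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return $realFile === $realTrusted || strpos($realFile, $prefix) === 0;
}

// Constructed demo layout: a trusted template directory, one ordinary
// template, and a symlink inside the directory that targets a file outside it.
$base    = sys_get_temp_dir() . '/trusted_demo_' . bin2hex(random_bytes(4));
$trusted = $base . '/templates';
$outside = $base . '/outside.txt';
mkdir($trusted, 0700, true);
file_put_contents($trusted . '/page.tpl', 'ordinary template');
file_put_contents($outside, 'file that must stay unreadable');
symlink($outside, $trusted . '/link_outside.tpl');

// Compare a naive check on the unresolved string with the resolved-path check.
foreach (['page.tpl', 'link_outside.tpl'] as $name) {
    $path   = $trusted . '/' . $name;
    $naive  = strpos($path, $trusted . '/') === 0;          // string prefix only
    $strict = isInsideTrustedDir($trusted, $path);          // resolves symlinks
    printf("%-17s naive=%-5s resolved=%s\n",
        $name, $naive ? 'allow' : 'deny', $strict ? 'allow' : 'deny');
}

// Clean up the constructed files.
unlink($trusted . '/link_outside.tpl');
unlink($trusted . '/page.tpl');
unlink($outside);
rmdir($trusted);
rmdir($base);
```

The naive prefix test accepts both names because it only inspects the string; the resolved-path test denies `link_outside.tpl` because its target lies above the trusted directory. A symlink whose target is itself inside the trusted directory still passes, which is the intended behaviour. The same comparison applies to local files read through `{fetch}`, which the release notes list alongside `{include}`.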

Full Changelog: v5.8.1...v5.8.2