@ansuz ansuz released this Mar 2, 2017 · 3862 commits to master since this release

Assets 2

CryptPad v1.1.1 (Bunyip's revenge)

What's new

  • stronger Content Security Policy headers harden CryptPad against cross-site scripting (XSS) attacks
  • new bootloader script for compatibility with CSP headers, which loads scripts and forcefully overrides browser caching issues

Bug fixes

  • More careful handling of strings which are passed into alertify.js
    • popup logs are sanitized (always)
    • alerts, prompts, confirms are validated by default, and must be overridden with a 'force' flag
  • fixed pad export vulnerability which allowed XSS
    • our very special thanks to Martin Gubri for bringing this to our attention
  • userlist no longer updates its content as HTML, protecting against XSS
  • Removed toString api from hyperjson
    • new major semver revision used by CryptPad
  • fixed bug in /slide/ that affected present mode under certain circumstances
  • removed ugly red outline on images in /slide/
    • somehow this snuck in from debugging