foster/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-22 12:54:53 -05:00
Code Issues Wiki Activity
forgejo/release-notes-published/7.0.7.md

14 lines
1.6 KiB
Markdown
Raw Permalink Normal View History

chore(release-notes): keep release notes in release-notes-published As of Forgejo 8.0.1 the release notes were only available in the description of the corresponding milestone which is problematic for: - searching - safekeeping The release-notes-published directory is created to remedy those problems: - a copy of all those release notes from the milestones descriptions is added. - a reference is added to the RELEASE-NOTES.md file which will no longer be used. - a symbolic link to the RELEASE-NOTES.md is added for completeness. - the release process will be updated to populate release-notes-published. The RELEASE-NOTES.md file is kept where it is because it is referenced by a number of URLs. The release-notes directory would have been a better name but it is already used for in flight release notes waiting for the next release. Renaming this directory or changing it is rather involved.
2024-12-05 11:33:52 -05:00
This is a security release. See the documentation for more information on the [upgrade procedure](https://forgejo.org/docs/v7.0/admin/upgrade/).
- Security
A [change introduced in Forgejo v1.21](https://codeberg.org/forgejo/forgejo/pulls/1433) allows a Forgejo user with write permission on a repository description to [inject a client-side script into the web page viewed by the visitor](https://en.wikipedia.org/wiki/Cross-site_scripting). This XSS allows for `href` in anchor elements to be set to a `javascript:` URI in the repository description, which will execute the specified script upon clicking (and not upon loading). [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description policy, which ensures that URIs in anchor elements are `mailto:`, `http://` or `https://` and thereby disallowing the `javascript:` URI.
<!--start release-notes-assistant-->
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/4896) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4900)): <!--number 4900 --><!--line 0 --><!--description ZGlzYWxsb3cgamF2YXNjcmlwdDogVVJJIGluIHRoZSByZXBvc2l0b3J5IGRlc2NyaXB0aW9u-->disallow javascript: URI in the repository description<!--description-->
- Localization
- [PR](https://codeberg.org/forgejo/forgejo/pulls/4568) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4882)): <!--number 4882 --><!--line 0 --><!--description aTE4bjogYmFja3BvcnQgb2YgIzQ1NjggIzQ2NjggYW5kICM0NzgzIHRvIHY3-->i18n: backport of #4568 #4668 and #4783 to v7<!--description-->
<!--end release-notes-assistant-->
Copy permalink