Mirror of https://codeberg.org/forgejo/forgejo.git, synced 2024-12-27 13:39:19 -05:00
8dbd2da593
As of Forgejo 8.0.1 the release notes were only available in the description of the corresponding milestone which is problematic for:

- searching
- safekeeping

The release-notes-published directory is created to remedy those problems:

- a copy of all those release notes from the milestones descriptions is added.
- a reference is added to the RELEASE-NOTES.md file which will no longer be used.
- a symbolic link to the RELEASE-NOTES.md is added for completeness.
- the release process will be updated to populate release-notes-published.

The RELEASE-NOTES.md file is kept where it is because it is referenced by a number of URLs.

The release-notes directory would have been a better name but it is already used for in flight release notes waiting for the next release. Renaming this directory or changing it is rather involved.
13 lines
1.6 KiB
Markdown
This is a security release. See the documentation for more information on the [upgrade procedure](https://forgejo.org/docs/v7.0/admin/upgrade/).
- Security
  - A [change introduced in Forgejo v1.21](https://codeberg.org/forgejo/forgejo/pulls/1433) allows a Forgejo user with write permission on a repository description to [inject a client-side script into the web page viewed by the visitor](https://en.wikipedia.org/wiki/Cross-site_scripting). This XSS allows the `href` of an anchor element in the repository description to be set to a `javascript:` URI, which executes the specified script when the link is clicked (not when the page loads). [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description policy, which ensures that URIs in anchor elements use `mailto:`, `http://` or `https://`, thereby disallowing the `javascript:` URI.
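To make the fix concrete, the following is an added example (it is neither Forgejo's code nor bluemonday's) that re-implements in plain Go the scheme check the release note describes: an anchor `href` is kept only if it parses and its scheme is `mailto`, `http` or `https`, so a `javascript:` target is dropped while the link text survives. The helper names `HrefAllowed` and `SanitizeDescription`, the decision to keep scheme-less relative links, the single-quote-free regex for anchors, and the sample description are all this example's own assumptions; the real policy delegates the check to bluemonday's `AllowStandardURLs`, which additionally requires parseable URLs, permits relative ones and adds `rel="nofollow"` to links.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// allowedSchemes is the scheme allow list the release note describes for the
// repository description policy: mailto, http and https. Everything else,
// javascript: included, is rejected.
var allowedSchemes = map[string]bool{"mailto": true, "http": true, "https": true}

// HrefAllowed reports whether an anchor href may be kept. The value is parsed
// with net/url so the scheme is extracted by the standard library rather than
// by prefix matching; an unparseable value (for example one containing control
// characters) is rejected outright, and an absolute URL is kept only if its
// case-folded scheme is on the allow list. Scheme-less values are treated as
// relative links and kept; that choice is this example's own.
func HrefAllowed(href string) bool {
	u, err := url.Parse(strings.TrimSpace(href))
	if err != nil {
		return false
	}
	if u.Scheme == "" {
		return true
	}
	return allowedSchemes[strings.ToLower(u.Scheme)]
}

// anchorHref matches an <a ...> start tag up to and including a double-quoted
// href attribute. Group 1 is the tag prefix, group 2 the href value.
var anchorHref = regexp.MustCompile(`(?is)(<a\b[^>]*?)\shref\s*=\s*"([^"]*)"`)

// SanitizeDescription strips the href attribute from every anchor whose target
// fails HrefAllowed, leaving the link text and other attributes in place. It is
// a deliberately small stand-in for bluemonday's attribute filtering, written
// for the constructed input below; it is not a general HTML sanitizer.
func SanitizeDescription(html string) string {
	return anchorHref.ReplaceAllStringFunc(html, func(tag string) string {
		parts := anchorHref.FindStringSubmatch(tag)
		if HrefAllowed(parts[2]) {
			return tag
		}
		return parts[1] // anchor keeps its other attributes, loses the href
	})
}

// sampleDescription is a constructed repository description containing two
// legitimate links and one anchor that uses the javascript: scheme.
const sampleDescription = `Docs at <a href="https://example.org/docs">site</a>, ` +
	`contact <a href="mailto:admin@example.org">admin</a>, ` +
	`and <a href="javascript:alert(1)">click me</a>.`

func main() {
	fmt.Println("before:", sampleDescription)
	fmt.Println("after: ", SanitizeDescription(sampleDescription))
}
```

Running it prints the description twice; in the second copy the third anchor has become `<a>click me</a>` while the `https:` and `mailto:` links are untouched. Parsing with `net/url` rather than checking for a literal `javascript:` prefix is the point worth keeping from the real fix: an allow list of schemes needs no knowledge of which dangerous schemes exist.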
<!--start release-notes-assistant-->
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4896) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4900)): <!--number 4900 --><!--line 0 --><!--description ZGlzYWxsb3cgamF2YXNjcmlwdDogVVJJIGluIHRoZSByZXBvc2l0b3J5IGRlc2NyaXB0aW9u-->disallow javascript: URI in the repository description<!--description-->
- Localization
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4568) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4882)): <!--number 4882 --><!--line 0 --><!--description aTE4bjogYmFja3BvcnQgb2YgIzQ1NjggIzQ2NjggYW5kICM0NzgzIHRvIHY3-->i18n: backport of #4568 #4668 and #4783 to v7<!--description-->
<!--end release-notes-assistant-->