Mirror of https://codeberg.org/forgejo/forgejo.git, synced 2024-12-26 13:29:12 -05:00
8dbd2da593
As of Forgejo 8.0.1 the release notes were only available in the description of the corresponding milestone, which is problematic for:
- searching
- safekeeping
The release-notes-published directory is created to remedy those problems:
- a copy of all those release notes from the milestones descriptions is added.
- a reference is added to the RELEASE-NOTES.md file which will no longer be used.
- a symbolic link to the RELEASE-NOTES.md is added for completeness.
- the release process will be updated to populate release-notes-published.
The RELEASE-NOTES.md file is kept where it is because it is referenced by a number of URLs. The release-notes directory would have been a better name but it is already used for in flight release notes waiting for the next release. Renaming this directory or changing it is rather involved.
1.6 KiB
This is a security release. See the documentation for more information on the upgrade procedure.
- Security
  - A change introduced in Forgejo v1.21 allows a Forgejo user with write permission on a repository description to inject a client-side script into the web page viewed by the visitor. This XSS allows the `href` of an anchor element in the repository description to be set to a `javascript:` URI, which executes the specified script when the link is clicked (not when the page loads). `AllowStandardURLs` is now called for the repository description policy, which ensures that URIs in anchor elements are `mailto:`, `http://` or `https://` and thereby disallows the `javascript:` URI.
- Bug fixes
  - PR (backported): disallow javascript: URI in the repository description
- Localization
  - PR (backported): i18n: backport of #4568 #4668 and #4783 to v7
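The following is an added example and not code from Forgejo or from this release note: a Go program, using only the standard library, that applies the anchor policy the note describes (relative links and `mailto:`, `http://`, `https://` pass; `javascript:` and every other scheme are dropped). The function names `HrefAllowed` and `SanitizeAnchors`, the regular expressions and the sample descriptions are assumptions of this example; the `AllowStandardURLs` named in the note belongs to the HTML sanitizer library Forgejo uses and is not called here. The example goes slightly beyond the note in one respect: it normalises the whitespace and entity encoding a browser strips before resolving a URL, so a scheme obscured that way is judged the way the browser would see it.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// allowedSchemes lists the only absolute-URI schemes the policy accepts for an
// anchor in a repository description: mailto:, http:// and https://.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// normalizeHref removes what a browser ignores before resolving a URL: leading
// and trailing ASCII control characters and spaces, plus embedded tab, CR and LF.
// Without this step a scheme split by a tab would be judged differently from
// the scheme the browser actually resolves.
func normalizeHref(raw string) string {
	trimmed := strings.TrimFunc(raw, func(r rune) bool { return r <= ' ' })
	return strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1 // drop the character
		}
		return r
	}, trimmed)
}

// HrefAllowed reports whether an href value passes the policy. Relative URLs
// (no scheme) are accepted; absolute URLs are accepted only for the schemes in
// allowedSchemes. Anything unparsable, and any other scheme such as
// javascript:, is rejected. (Example function, not Forgejo's API.)
func HrefAllowed(raw string) bool {
	u, err := url.Parse(normalizeHref(raw))
	if err != nil {
		return false
	}
	if u.Scheme == "" {
		return true // relative link such as /owner/repo or #section
	}
	return allowedSchemes[strings.ToLower(u.Scheme)]
}

// anchorTag matches an opening <a ...> tag; hrefAttr matches one href attribute
// inside it, in double-quoted, single-quoted or unquoted form.
var (
	anchorTag = regexp.MustCompile(`(?i)<a\b[^>]*>`)
	hrefAttr  = regexp.MustCompile(`(?i)\s+href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`)
)

// SanitizeAnchors drops the href attribute of every <a> whose target fails
// HrefAllowed and leaves everything else untouched. Attribute values are
// entity-decoded first, because the browser decodes them before URL parsing.
// This is a regular-expression illustration of the policy, not an HTML parser;
// production code should apply the policy through a real HTML sanitizer.
func SanitizeAnchors(fragment string) string {
	return anchorTag.ReplaceAllStringFunc(fragment, func(tag string) string {
		return hrefAttr.ReplaceAllStringFunc(tag, func(attr string) string {
			m := hrefAttr.FindStringSubmatch(attr)
			value := html.UnescapeString(m[1] + m[2] + m[3]) // only one group is non-empty
			if HrefAllowed(value) {
				return attr
			}
			return "" // remove the offending href entirely
		})
	})
}

func main() {
	// Constructed sample descriptions, not taken from any real repository.
	samples := []string{
		`See <a href="https://codeberg.org/forgejo/forgejo">the repository</a>.`,
		`Contact <a href="mailto:maintainer@example.invalid">the maintainer</a>.`,
		`<a href="javascript:void(0)">click me</a>`,
		`<a href="&#106;avascript:void(0)">entity-encoded scheme</a>`,
		"<a href=\"\tjavascript:void(0)\">tab-prefixed scheme</a>",
		`<a href="/forgejo/forgejo/issues">relative link</a>`,
	}
	for _, s := range samples {
		fmt.Printf("%-70q -> %q\n", s, SanitizeAnchors(s))
	}
}
```

Running the program prints each constructed description beside its sanitised form; the three `javascript:` variants lose their `href` while the `https://`, `mailto:` and relative links are returned unchanged. Keeping the anchor text and dropping only the attribute is a deliberate choice: the description still reads correctly, and a reviewer can see exactly which link was rejected.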