ApostropheCMS v2.119.1 Release Notes
Release Date: 2021-05-27
🔒 Security Fixes
- ⚡️ The `nlbr` and `nlp` Nunjucks filters marked their output as safe to preserve the tags that they added, without first escaping their input, creating a CSRF risk. These filters have been updated to escape their input unless it has already been marked safe. No code changes are required to templates whose input to the filter is intended as plaintext. However, if you were intentionally leveraging this bug to output unescaped HTML markup, you will need to make sure your input is free of CSRF risks and then use the `| safe` filter before the `| nlbr` or `| nlp` filter.
🛠 Fixes
- ⚡️ Updates uses of "whitelist" to "allowlist" to follow project practices.
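
The change to the `nlbr` and `nlp` filters described under Security Fixes can be modeled as follows. This is an added example, not ApostropheCMS or Nunjucks source: `SafeString`, `render`, `safe`, `nlbrBefore`, `nlbrAfter` and `nlpAfter` are hypothetical stand-ins, and the exact tags the real filters emit are assumed.

```javascript
// Simplified model of a template engine's "marked safe" wrapper (assumption).
class SafeString {
  constructor(value) { this.value = String(value); }
  toString() { return this.value; }
}

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);

// Output step with autoescaping: only values marked safe skip escaping.
const render = (v) => (v instanceof SafeString ? v.toString() : escapeHtml(v));

// Model of `| safe`: the template author vouches for the markup.
const safe = (v) => (v instanceof SafeString ? v : new SafeString(v));

// Behaviour before the fix: tags are added and the whole result is marked
// safe, so markup already present in the input bypasses autoescaping.
function nlbrBefore(value) {
  return new SafeString(String(value).replace(/\n/g, '<br />\n'));
}

// Behaviour after the fix: escape the input unless it is already marked safe,
// then add the tags and mark only that result safe.
const escapeUnlessSafe = (v) => (v instanceof SafeString ? v.toString() : escapeHtml(v));

function nlbrAfter(value) {
  return new SafeString(escapeUnlessSafe(value).replace(/\n/g, '<br />\n'));
}

function nlpAfter(value) {
  const paragraphs = escapeUnlessSafe(value).split(/\n+/).filter((p) => p.trim() !== '');
  return new SafeString(paragraphs.map((p) => `<p>${p}</p>`).join('\n'));
}

// Constructed sample: plaintext field that happens to contain markup.
const sample = 'Dear <b>team</b>,\nthanks & regards';

console.log(render(nlbrBefore(sample)));      // input markup reaches the page as HTML
console.log(render(nlbrAfter(sample)));       // input is escaped, only <br /> is live
console.log(render(nlbrAfter(safe(sample)))); // explicit `| safe | nlbr` opt-in
```

Templates that relied on the old pass-through are the ones to audit: every `| safe | nlbr` or `| safe | nlp` chain is a place where the input must already be trusted or sanitized.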