0
0
mirror of https://github.com/wagtail/wagtail.git synced 2024-11-30 01:46:24 +01:00
wagtail/docs/releases/2.12.4.rst

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

28 lines
1.0 KiB
ReStructuredText
Raw Normal View History

2021-04-19 11:08:45 +02:00
============================
Wagtail 2.12.4 release notes
============================
2021-04-19 10:42:34 +02:00
*April 19, 2021*
2021-04-19 10:42:34 +02:00
.. contents::
:local:
:depth: 1
What's new
==========
CVE-2021-29434: Improper validation of URLs ('Cross-site Scripting') in rich text fields
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This release addresses a cross-site scripting (XSS) vulnerability in rich text fields. When saving the contents of a rich text field in the admin interface, Wagtail did not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with javascript: URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
Many thanks to Kevin Breen for reporting this issue.
2021-04-19 10:42:34 +02:00
Bug fixes
~~~~~~~~~
* Prevent reverse migration errors in images and documents (Mike Brown)
* Avoid wagtailembeds migration failure on MySQL 8.0.13+ (Matt Westcott)