Apostrophe 3.4.0 #3416
agilbert announced in Release Notes
Hi everyone,
This week we are pleased to share the release of Apostrophe 3.4.0. Coming in after the big release of our localization features, these latest updates are more incremental in nature. You'll see some security enhancements and stability improvements around the undo/redo behaviors as well as other fixes related to how the localization module intersects with other core modules.
Since the last release, we have also kicked off the effort of porting our native Forms module from A2 to A3. This will be scheduled for release in early October and we look forward to sharing more about it then.
Read on below for the full details. 🙇‍♂️
Apostrophe 3.4.0

Security

- SVG files are safe when displayed via an `img` tag, which ignores XSS vectors, but an XSS attack might still be possible if the image were opened directly via the Apostrophe media library's convenience link for doing so. All SVG uploads are now sanitized via DOMPurify to remove XSS attack vectors. In addition, all existing SVG attachments not already validated are passed through DOMPurify during a one-time migration.

Fixes

- The `apos.attachment.each` method, intended for migrations, now respects its `criteria` argument. This was necessary for the security fix above.
- Fixed the handling of `bodyParser.json` options in `@apostrophecms/express`, which prevented adding custom options to the body parser.
- Uses `req.clone` consistently when creating a new `req` object with a different mode or locale for localization purposes, etc.
- The `req.session` object now exists in task `req` objects, for better compatibility. It has no actual persistence.
- Fixed the existing back end support for opting out of localization (the `localize: false` option). UI for this is under discussion; this is just a bug fix for the back end feature which already existed.

Adds

- Warns about modules configured with A2-style `apostrophe-` prefixes even if they don't have a module directory (e.g., only in `app.js`).
- Formats `warnDev` messages with a line break and warning symbol (⚠️).
- `apos.util.onReady` aliases `apos.util.onReadyAndRefresh` for brevity. The `apos.util.onReadyAndRefresh` method name will be deprecated in the next major version.

Changes

- Removed the `trace` method from the `@apostrophecms/db` module.
- The `apostrophe:modulesReady` event has been renamed `apostrophe:modulesRegistered`, and the `apostrophe:afterInit` event has been renamed `apostrophe:ready`. This better reflects their actual roles. The old event names are accepted for backwards compatibility. See the documentation for more information.

Apostrophe 2.220.6
Security

- JavaScript embedded in an SVG file cannot run when the file is displayed via an `img` tag or as a CSS background, which is normally the case for SVGs uploaded to Apostrophe. However, Apostrophe does provide a "View File" button in the media manager which could load the file in a way that could trigger XSS attacks in a carefully crafted SVG intentionally designed to phish Apostrophe admins. To mitigate this risk, starting with version 2.220.6 the "View File" button downloads the SVG file to the local computer as an attachment. This removes it from the domain of the website, so that any embedded JavaScript cannot be used to trigger actions in Apostrophe. However, please note that it is your responsibility to avoid the use of inline `svg` with untrusted SVG files, or the use of `iframe`, `embed` or `object` tags with untrusted SVG files. If you have not enabled the `svgImages` option of `apostrophe-attachments`, then your site does not accept SVG uploads and this risk is not relevant to you.

Fixes

- Under some circumstances, `transitionend` events have been observed not to fire, resulting in unreliable test suites. A change has been made to accommodate this scenario with a fallback timer relating to indicating the current topmost modal.

Other modules

sanitize-html 2.5.0

- Adds the `allowedScriptHostnames` option, which enables you to specify which hostnames are allowed in a script tag.
- Adds the `allowedScriptDomains` option, which enables you to specify which domains are allowed in a script tag. Thank you to Yorick Girard for this and the `allowedScriptHostnames` contribution.
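Both security notes above (the 3.4.0 DOMPurify pass over SVG uploads and the 2.220.6 change to the "View File" button) come down to the same fact: an SVG is an XML document that can carry script, event-handler attributes and `javascript:` links, and those only become a problem when the file is opened directly or embedded inline rather than shown through `img`. The following is an added example, not Apostrophe's code and not a substitute for the DOMPurify migration: a small JavaScript triage scanner that flags those vectors so existing SVG files can be prioritised for re-sanitising. The function names (`scanSvg`, `isScriptUrl`, `normalizeUrl`) and the sample SVGs are constructed for this example; the scanner only reports and never cleans.

```javascript
// Added example; not Apostrophe's code and not a replacement for DOMPurify.
// Tag-level triage scanner for SVG files: flags vectors that let an SVG run
// script when opened directly or embedded inline. It reports, never cleans.
// Obfuscation a real XML parser resolves can slip past it, so "no findings"
// is a triage signal, not a safety guarantee.

// Elements whose presence means the file is more than a picture.
const DANGEROUS_ELEMENTS = new Set([
  'script', 'handler', 'foreignobject', 'iframe', 'embed', 'object'
]);

// Attributes (by local name, so `xlink:href` counts) holding a URL the
// browser may navigate to or fetch.
const URL_ATTRIBUTES = new Set(['href', 'src', 'action', 'formaction']);

// Schemes that turn a URL attribute into code execution.
const SCRIPT_SCHEMES = ['javascript:', 'vbscript:', 'data:text/html'];

// Minimal entity decoding so `jav&#x61;script:` is seen for what it is.
// `colon`, `tab`, `newline` are HTML entities; they matter for inline SVG.
const NAMED_ENTITIES = {
  lt: '<', gt: '>', amp: '&', quot: '"', apos: "'",
  colon: ':', tab: '\t', newline: '\n'
};

function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const code = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Browsers tolerate whitespace and control characters inside a scheme, and
// schemes are case-insensitive, so normalise before comparing.
function normalizeUrl(value) {
  return decodeEntities(value)
    .replace(/[\s\u0000-\u001f\u007f]/g, '')
    .toLowerCase();
}

function isScriptUrl(value) {
  const url = normalizeUrl(value);
  return SCRIPT_SCHEMES.some((scheme) => url.startsWith(scheme));
}

// Local name without namespace prefix: `svg:script` still counts as `script`.
function localName(name) {
  return name.slice(name.indexOf(':') + 1).toLowerCase();
}

// Opening tags only (closing tags, comments, PIs and DOCTYPE have a non-name
// character after `<` and are skipped); quoted values may contain `>`.
const TAG_RE = /<([A-Za-z_][\w:.-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
const ATTR_RE = /([^\s=\/"'>]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function scanSvg(svgText) {
  const findings = [];
  // Comments are never rendered, so drop them to avoid false positives.
  const body = svgText.replace(/<!--[\s\S]*?-->/g, '');
  // Declared entities can hide strings from this scanner (and feed entity
  // expansion attacks), so their mere presence is worth a look.
  if (/<!ENTITY\b/i.test(body)) {
    findings.push({ kind: 'entity-declaration', element: '!doctype' });
  }
  for (const tag of body.matchAll(TAG_RE)) {
    const element = localName(tag[1]);
    if (DANGEROUS_ELEMENTS.has(element)) {
      findings.push({ kind: 'dangerous-element', element });
    }
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const name = attr[1].toLowerCase();
      const value = attr[2] || attr[3] || attr[4] || '';
      if (/^on[a-z]/.test(name)) {
        findings.push({ kind: 'event-handler', element, attribute: name });
      } else if (URL_ATTRIBUTES.has(localName(name)) && isScriptUrl(value)) {
        findings.push({ kind: 'script-url', element, attribute: name,
          value: normalizeUrl(value) });
      }
    }
  }
  return findings;
}

// Constructed samples (not real uploads).
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">' +
  '<circle cx="5" cy="5" r="4" fill="#0a0"/></svg>';

const MALICIOUS_SVG = `<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <!-- <script>inside a comment, never executed</script> -->
  <a xlink:href="jav&#x61;script:alert(2)"><text x="0" y="10">click</text></a>
  <script>fetch('/some/admin/endpoint', { credentials: 'include' })</script>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">
    <img src=x onerror="alert(3)"/></body></foreignObject>
</svg>`;

console.log(scanSvg(BENIGN_SVG));     // []
console.log(scanSvg(MALICIOUS_SVG));  // five findings, one per vector above
```

To audit a store of already-uploaded SVGs, read each file and run `scanSvg` over it; anything flagged should be re-sanitised with DOMPurify or removed, and the flagged `value` field shows what the browser would actually see after entity decoding and whitespace stripping. A clean scan is not clearance, which is exactly why the 3.4.0 migration pushes every unvalidated SVG through DOMPurify rather than through a detector, and why the 2.220.6 advice to keep untrusted SVGs out of inline `svg`, `iframe`, `embed` and `object` still stands even for files this scanner passes.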