首頁 探索 說明
登入
CityApper
/
wagtail
镜像来自 https://github.com/wagtail/wagtail
2
0
複刻 0
檔案 問題管理 0 Wiki
目錄樹: f886b1b65b
分支列表 標籤列表
wagtail
/
docs
/
releases
/
2.11.7.rst

2.11.7.rst 885 B
文件歷史 原始文件

123456789101112131415161718 
  1. ============================
    2. 

  2. Wagtail 2.11.7 release notes
    3. 

  3. ============================
    4. 

  4. 

  5. .. contents::
    6. 

  6.     :local:
    7. 

  7.     :depth: 1
    8. 

  8. 

  9. 

  10. What's new
    11. 

  11. ==========
    12. 

  12. 

  13. CVE-2021-29434: Improper validation of URLs ('Cross-site Scripting') in rich text fields
    14. 

  14. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    15. 

  15. 

  16. This release addresses a cross-site scripting (XSS) vulnerability in rich text fields. When saving the contents of a rich text field in the admin interface, Wagtail did not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with javascript: URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
    17. 

  17. 

  18. Many thanks to Kevin Breen for reporting this issue.
    19.