 dc5bc1fe5b
- adds the `toml` plugin to the `eslint` linting → expect to have `options/setting/config.toml` by #6862
- fixes `make lint-codespell` commands
- related concerning `codespell`: #3270
- info: codespell check is and was not activated in the workflows (could maybe, runs only few seconds on my system)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7007
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Robert Wolff <mahlzahn@posteo.de>
Co-committed-by: Robert Wolff <mahlzahn@posteo.de>
This is a security release. See the documentation for more information on the upgrade procedure.
- Security bug fixes
A change introduced in Forgejo v1.21 allows a Forgejo user with write permission on a repository description to inject a client-side script into the web page viewed by the visitor. This XSS allows the `href` of anchor elements in the repository description to be set to a `javascript:` URI, which will execute the specified script upon clicking (and not upon loading). `AllowStandardURLs` is now called for the repository description policy, which ensures that URIs in anchor elements are `mailto:`, `http://` or `https://`, thereby disallowing the `javascript:` URI.
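The check the fix relies on is a scheme allow-list applied to anchor `href` values. The Go program below is an added example written for this page; it is not Forgejo's code and not the `AllowStandardURLs` policy of the HTML sanitizer Forgejo calls. The function names `HrefAllowed` and `StripUnsafeHrefs`, the sample description fragments, and the choice to accept relative links are all assumptions of this example. It shows why the check has to normalise the value the way a browser does (trim whitespace, compare the scheme case-insensitively, decode entities) before comparing it against the allow-list.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// allowedSchemes mirrors the scheme allow-list the release note describes for
// anchor elements in the repository description: mailto, http and https.
var allowedSchemes = map[string]bool{
	"mailto": true,
	"http":   true,
	"https":  true,
}

// HrefAllowed reports whether an anchor href value may be kept. The value is
// treated the way a browser treats it: surrounding whitespace is ignored and
// the scheme is compared case-insensitively, so " JavaScript:alert(1)" is still
// a javascript: URI. Relative references (no scheme) are accepted here; that is
// an assumption of this example, not a statement from the release note.
func HrefAllowed(raw string) bool {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return false
	}
	u, err := url.Parse(raw)
	if err != nil {
		// Values that do not parse as a URL are dropped rather than guessed at.
		return false
	}
	if u.Scheme == "" {
		return true // relative link such as "/org/repo/issues"
	}
	return allowedSchemes[strings.ToLower(u.Scheme)]
}

// hrefAttr matches a double-quoted href attribute inside a tag. This is a
// deliberately small, example-only matcher; a production sanitizer uses a real
// HTML policy library, as Forgejo does.
var hrefAttr = regexp.MustCompile(`(?i)\shref\s*=\s*"([^"]*)"`)

// StripUnsafeHrefs removes href attributes whose value fails HrefAllowed and
// leaves the anchor text in place. Entities are decoded first, because the
// browser decodes "javascript&#58;alert(1)" to a javascript: URI before
// following it, so the policy must see the decoded value too.
func StripUnsafeHrefs(fragment string) string {
	return hrefAttr.ReplaceAllStringFunc(fragment, func(attr string) string {
		m := hrefAttr.FindStringSubmatch(attr)
		if HrefAllowed(html.UnescapeString(m[1])) {
			return attr
		}
		return ""
	})
}

func main() {
	// Constructed sample description fragments (not taken from the page).
	samples := []string{
		`<a href="https://example.org/docs">docs</a>`,
		`<a href="mailto:maintainer@example.org">contact</a>`,
		`<a href="/org/repo/issues">issues</a>`,
		`<a href="javascript:alert(1)">click me</a>`,
		`<a href=" JavaScript:alert(1)">spaced</a>`,
		`<a href="javascript&#58;alert(1)">entity</a>`,
	}
	for _, s := range samples {
		fmt.Printf("%-50s -> %s\n", s, StripUnsafeHrefs(s))
	}
}
```

Running it prints each constructed fragment next to its sanitised form: the three `https:`, `mailto:` and relative links pass unchanged, while the three `javascript:` variants lose their `href` attribute and render as plain text. The interesting rows are the last two, which a naive `strings.HasPrefix(href, "javascript:")` check would let through.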
- User Interface bug fixes
- PR (backported): Do not include trailing EOL character when counting lines
- PR (backported): Add background to reactions on hover
- PR (backported): Prevent uppercase in header of dashboard context selector
- PR (backported): Fix page layout in admin settings
 
- Bug fixes
- PR (backported): disallow javascript: URI in the repository description
- PR (backported): Ensure all filters are persistent in issue filters
- PR (backported): Allow 4 character SHA in /src/commit
 
- Localization
- PR (backported): i18n: backport of #4668 and #4783 to v8