Security Release
This is a security release that adds better protections against embedded content that could be used in malicious ways. This effectively restricts embedded iframe content in an allow-list approach.
A new ALLOWED_IFRAME_SOURCES option has been added to provide configuration of allowed embed/iframe sources within BookStack pages, and this defaults to a couple of popular services such as YouTube and Vimeo.
Please see this link for more detail regarding this option:
- https://www.bookstackapp.com/docs/admin/security/#iframe-src-control
- ("Iframe Source Control" section)
It's advised to upgrade as soon as possible if untrusted users can create or update pages within your BookStack instance.
Thanks to @416e6e61 (Anna) for discovering and reporting this vulnerability via huntr.dev.