- Pull down top-right 0 button to show console
- New UiPluginManager plugin: Manage and install third-party plugins.
- Full support of OpenSSL 1.1 (Thanks to radfish & imachug)
- Fix a bug that did not load merged site data for 5 sec after the site got added
- Add fake SNI and ALPN to peer connections to make it more like standard https connections
Important security update:
Wrapper template HTML injection vulnerability [Reported by ivanq]
In ZeroNet before rev4188 the wrapper template variables was rendered incorrectly.
Result: The opened site was able to gain WebSocket connection with unrestricted ADMIN/NOSANDBOX access, change configuration values and possible RCE on the client's machine.
Fix: Fixed the template rendering code, disallowed WebSocket connections from unknown locations,
restricted open_browser configuration values to avoid possible RCE in case of sandbox escape.