TL;DR
🔒 This is a security release!
Fixes the following vulnerabilities:
- Improper sanitize of SVG files during content upload ('Cross-site Scripting') in Sylius/Sylius
- Add missing HTTP headers to prevent clickjacking of login forms
- Exposure of sensitive information by using the back button after logging out in sylius/sylius
Details
- #13275 [Maintenance] Add note about doctrine/dbal requirement (@lchrusciel)
- #13282 [API] Revert changes of checked keys in cart and checkout responses to fix the build (@GSadee)
- #13730 [Maintenance] Add conflict to symfony/framework-bundle to fix problem with solving path prefix in API scenarios (@GSadee)
- #13750 [Admin][Shop] placehold.it replaced with local placeholders (@ernestWarwas)
- #13765 [Security] Fixes for SVG XSS, wrong cache for logged in users and clickjacking (@ernestWarwas, @lchrusciel, @GSadee, @Zales0123, @Rafikooo)