github binwiederhier/ntfy v2.26.0

4 hours ago

This release hardens message templates, which are now executed with a hard-capped execution timeout. This closes
a denial-of-service hole.

On the web app side, it adds configurable date and time formats, a smoother loading and page-transition experience,
and a fix that strips unsafe URL protocols from rendered Markdown.

Security:

  • Prevent a CPU denial of service via message templates (Template: yes), #1826, thanks to @alanturing881 for reporting)

Features:

  • Web app: Add "Date format" and "Time format" settings (Settings -> Appearance), with ISO 8601, day/month/year (slash or dot) and month/day/year date options and a 12-/24-hour clock option, and base the default format on your browser/system locale rather than the selected display language. When logged in, both settings sync across devices via your account (#1647, thanks to @wsw70 for reporting)

Bug fixes + maintenance:

  • Web app: Smooth transitions and loading animation, remove flickering
  • Web app: GET /account now reads from the primary database instead of a read replica, so the account view no longer shows stale data right after a change when replicas lag behind
  • Docs: Document the third-party HelmForge Helm chart as a Kubernetes installation option (#1727, thanks to @mberlofa)
  • Web app: Strip unsafe URL protocols (javascript:, data:, ...) from links and images in Markdown-rendered messages, so they no longer trigger an uncaught "React has blocked a javascript: URL" error (thanks to @jvoisin for reporting)

Don't miss a new ntfy release

NewReleases is sending notifications on new releases.