This release hardens message templates, which are now executed with a hard-capped execution timeout. This closes
a denial-of-service hole.
On the web app side, it adds configurable date and time formats, a smoother loading and page-transition experience,
and a fix that strips unsafe URL protocols from rendered Markdown.
Security:
- Prevent a CPU denial of service via message templates (
Template: yes), #1826, thanks to @alanturing881 for reporting)
Features:
- Web app: Add "Date format" and "Time format" settings (Settings -> Appearance), with ISO 8601, day/month/year (slash or dot) and month/day/year date options and a 12-/24-hour clock option, and base the default format on your browser/system locale rather than the selected display language. When logged in, both settings sync across devices via your account (#1647, thanks to @wsw70 for reporting)
Bug fixes + maintenance:
- Web app: Smooth transitions and loading animation, remove flickering
- Web app:
GET /accountnow reads from the primary database instead of a read replica, so the account view no longer shows stale data right after a change when replicas lag behind - Docs: Document the third-party HelmForge Helm chart as a Kubernetes installation option (#1727, thanks to @mberlofa)
- Web app: Strip unsafe URL protocols (
javascript:,data:, ...) from links and images in Markdown-rendered messages, so they no longer trigger an uncaught "React has blocked a javascript: URL" error (thanks to @jvoisin for reporting)