engels74/obzorarr 0.1.3
v0.1.3

on GitHub

latest releases: 0.1.10, 0.1.9, 0.1.8...

one month ago

Security Fixes

This release addresses two security vulnerabilities:

Authorization Bypass (High Severity)

Fixed an authorization bypass in the user wrapped page (/wrapped/[year]/u/[identifier]) that allowed unauthorized access when using numeric user IDs instead of share tokens
Unauthorized access now properly returns 403/404 responses

Stored XSS Prevention (Critical Severity)

Added HTML sanitization for custom slide markdown content using sanitize-html
All markdown output is now sanitized before rendering to prevent script injection
Implemented strict allowlist for safe HTML tags, attributes, and URL schemes
Added MIME type validation for data URIs in images

Dependency Updates

Updated unocss from 66.5.11 to 66.5.12
Updated svelte-adapter-bun from 1.0.0 to 1.0.1

Breaking Changes

Custom slides will no longer allow arbitrary HTML; content is sanitized according to a strict allowlist of safe tags and attributes

Check out latest releases or
releases around engels74/obzorarr 0.1.3

Don't miss a new obzorarr release

NewReleases is sending notifications on new releases.

Get notifications