0.19.3
Security
- Fixed unauthenticated IDOR on `GET /activitypub/trail/{id}` and `GET /activitypub/comment/{id}` — private records are now access-checked before being returned. (GHSA-9qg7-jr2x-prvh, reported by @de3erve-hunter)
- Fixed stored XSS via `waypoint.icon` in map markers — the icon value is now validated against an allowlist before being passed to `insertAdjacentHTML`. (GHSA-hx3v-rv4v-w875, reported by @de3erve-hunter)
- Fixed stored XSS via `waypoint.name` and `waypoint.icon` in the elevation profile — replaced unsafe `innerHTML` assignment with safe DOM construction. (GHSA-m7v2-6gj3-3g2p, reported by @de3erve-hunter)
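
An added illustration of the two XSS fixes above (allowlisting `waypoint.icon`, and building nodes instead of assigning HTML strings). This is not the project's code: the icon names, the `icon-` class prefix and all function names are assumptions.

```javascript
// Hypothetical allowlist; the project's real icon set is not shown in these notes.
const ALLOWED_ICONS = new Set(["circle", "flag", "tent", "camera", "water"]);
const FALLBACK_ICON = "circle";

// Exact-match allowlist check: anything that is not a known icon name
// (markup, attribute breakouts, non-strings) collapses to the fallback.
function safeIcon(icon) {
  return typeof icon === "string" && ALLOWED_ICONS.has(icon) ? icon : FALLBACK_ICON;
}

// Vulnerable shape: stored waypoint fields concatenated into a string that
// is later handed to innerHTML / insertAdjacentHTML and parsed as HTML.
function unsafeMarkerHtml(waypoint) {
  return `<i class="icon icon-${waypoint.icon}"></i><span>${waypoint.name}</span>`;
}

// Hardened shape: construct nodes directly. The name goes through
// textContent (never parsed as HTML) and the class is derived only from
// the allowlisted icon. `doc` is the page's `document` in a browser.
function buildMarker(doc, waypoint) {
  const wrapper = doc.createElement("div");
  const icon = doc.createElement("i");
  icon.className = `icon icon-${safeIcon(waypoint.icon)}`;
  const label = doc.createElement("span");
  label.textContent = String(waypoint.name ?? "");
  wrapper.appendChild(icon);
  wrapper.appendChild(label);
  return wrapper;
}

// Constructed sample record with markup in both fields, for testing the fix.
const SAMPLE_WAYPOINT = {
  name: "<img src=x onerror=alert(1)>",
  icon: 'flag"></i><img src=x onerror=alert(1)>',
};
```

In a browser, `buildMarker(document, waypoint)` returns an element to append to the marker or chart container; the sample record renders as literal text with the fallback icon.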