## Fixes

- Stop rendering the `title` attribute unescaped in `FormatHelper::neighbors()`. The link options forced `escape => false`, which in CakePHP `HtmlHelper` disables escaping of both the link text and attribute values, so the `title` attribute rendered raw from arbitrary DB content (XSS surface). Switched to `escapeTitle => false` so the icon HTML stays in the link text but attributes escape normally. Regression test covers `<script>` and `&"` payloads in title-field values.
- Tighten the HTTP status check in `Tools\Model\Table\Table::_validUrl()`. Both ternary branches returned `'HTTP'`, and the `[(200|301|302)]` regex used a character class instead of an alternation, so it matched any status line containing one of `( 0 1 2 3 |`. Replaced with a hardcoded `HTTP/` prefix and real `(200|301|302)` / `(404|999)` alternations.
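As an added illustration (not the plugin's own code), the script below reproduces the character-class mistake described above against constructed status lines. Only the `[(200|301|302)]` fragment is taken from these notes; the surrounding prefix of the original expression is not shown here, so the rest of each pattern is assumed.

```php
<?php
declare(strict_types=1);

// Illustrative patterns built around the "[(200|301|302)]" fragment quoted
// in the release notes; they are NOT the plugin's exact expressions.
// Buggy form: inside [...] the text "(200|301|302)" is a character class,
// so the pattern only requires ONE of the characters ( 0 1 2 3 | to appear
// somewhere in the line. "HTTP/1.1" alone contains '1', so every
// response satisfies it.
const PATTERN_OK_BUGGY = '~[(200|301|302)]~';
// Fixed form: hardcoded HTTP/ prefix plus real alternations, anchored so
// only the listed codes in the status position are accepted.
const PATTERN_OK_FIXED = '~^HTTP/\d\.\d (200|301|302)\b~';
const PATTERN_ERR_FIXED = '~^HTTP/\d\.\d (404|999)\b~';

function buggyAccepts(string $statusLine): bool
{
    return preg_match(PATTERN_OK_BUGGY, $statusLine) === 1;
}

// Returns 'ok', 'error' or 'unknown' for a raw status line.
function classifyStatusLine(string $statusLine): string
{
    if (preg_match(PATTERN_OK_FIXED, $statusLine) === 1) {
        return 'ok';
    }
    if (preg_match(PATTERN_ERR_FIXED, $statusLine) === 1) {
        return 'error';
    }
    return 'unknown';
}

// Constructed sample status lines, not captured from a real server.
$samples = [
    'HTTP/1.1 200 OK',
    'HTTP/1.1 302 Found',
    'HTTP/1.1 404 Not Found',
    'HTTP/1.1 500 Internal Server Error',
    'HTTP/1.1 999 Request Denied',
];
foreach ($samples as $line) {
    printf(
        "%-36s buggy accepts: %-3s fixed: %s\n",
        $line,
        buggyAccepts($line) ? 'yes' : 'no',
        classifyStatusLine($line)
    );
}
```

The buggy pattern accepts all five lines, including the 500, while the fixed patterns classify only 200/302 as ok and 404/999 as error.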
## Improvements

- Pagination element is now CSP-compatible. The per-page limit `<select>` no longer carries an inline `onchange="window.location.href=this.value"` handler; it is replaced with a `data-paginator-navigate` attribute and a small delegated `change` listener at the bottom of the element. The accompanying `<script>` block carries a CSP nonce sourced from the `cspNonce` request attribute, so apps with a strict `script-src 'self' 'nonce-...'` policy can run it; it falls back gracefully when no nonce is set. (Inline event handlers are blocked under strict CSP without `unsafe-inline`/`unsafe-hashes`, and the nonce directive does not cover them per the CSP spec, so removing the attribute entirely is the only portable fix.)
- Switched all remaining bare `__()` calls in user-facing strings to `__d('tools', ...)` so translations resolve through the plugin's own i18n domain instead of leaking into the host app's `default` domain. Affects four static labels in `templates/Admin/Helper/{chars,bitmasks}.php` and four dynamic title/icon strings in `IconCollection`, `CommonHelper`, and `FormatHelper`. Also refreshes `resources/locales/tools.pot` (the previous POT was ~6 years stale); existing language files are left for translators to `msgmerge` against the new POT.
Full Changelog: 3.12.7...3.12.8