author: Frederic Guillot <fred@kanboard.net> 2017-02-23 18:58:17 -0500
committer: Frederic Guillot <fred@kanboard.net> 2017-02-23 18:58:17 -0500
commit: daaf32beb5bb80d0f6ec06dd3df845b66c9aa7bd
tree: d3695d9daa16e5bd697548ff1486843d96d79d0a /ChangeLog
parent: dd579937e36ec494372d8d99b49d0943ea2b721d
Always escape initials in LetterAvatarProvider
Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 4
1 files changed, 4 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index ff19067c..eaa964bc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -38,6 +38,10 @@ Bug fixes:
* Upload files button stay disabled when there are other submit buttons on the same page
* Hiding subtasks from hidden tasks in dashboard
+
+Security:
+
+* Fix XSS in LetterAvatarProvider (render broken image)
* Avoid potential XSS in project overview when listing users (was avoided by default CSP rules)
Version 1.0.39 (Feb 12, 2017)
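Review bot: The parenthetical in the added entry "* Fix XSS in LetterAvatarProvider (render broken image)" is ambiguous. It can be read either as the symptom of the bug or as a side effect of the fix, and the entry does not name the affected input. The commit subject says initials are now always escaped, so wording such as "* Fix XSS in LetterAvatarProvider (initials are now always escaped)" would tell readers of the ChangeLog what actually changed. Separately, the new "Security:" heading is inserted above the existing "Avoid potential XSS in project overview" line, so that entry moves from "Bug fixes:" to "Security:". That looks intentional, but it is worth stating in the commit message since the subject only mentions LetterAvatarProvider.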