From daaf32beb5bb80d0f6ec06dd3df845b66c9aa7bd Mon Sep 17 00:00:00 2001 From: Frederic Guillot Date: Thu, 23 Feb 2017 18:58:17 -0500 Subject: Always escape initials in LetterAvatarProvider --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index ff19067c..eaa964bc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,6 +38,10 @@ Bug fixes: * Upload files button stay disabled when there are other submit buttons on the same page * Hiding subtasks from hidden tasks in dashboard + +Security: + +* Fix XSS in LetterAvatarProvider (render broken image) * Avoid potential XSS in project overview when listing users (was avoided by default CSP rules) Version 1.0.39 (Feb 12, 2017) -- cgit v1.2.3
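Review bot: the added entry "* Fix XSS in LetterAvatarProvider (render broken image)" under the new "Security:" heading does not name the value that was left unescaped, although the subject line does (initials). Consider wording it along the lines of "* Fix XSS in LetterAvatarProvider (always escape initials)" so that a reader of the ChangeLog can tell what input was affected. The parenthetical "(render broken image)" is ambiguous: it could describe the visible symptom of the bug or the behaviour after the fix, and one extra word would settle it. The neighbouring entry records that default CSP rules already avoided that issue; if the same holds here, say so, and if it does not, that difference is worth stating for anyone triaging an upgrade. This view is limited to ChangeLog, so the escaping change itself is not visible here and should be reviewed alongside this entry.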