Change HTML text helpers to escape by default
This is a release with a security fix. It only affects applications that use highlight, truncate or simple_format. These methods could be used for XSS attacks if their input was not escaped first. However, the risk is mitigated because Lucky defaults cookies to HTTP-only (readable by the server, not by JavaScript), and the cookie value itself is also encrypted and signed.
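To make the behaviour change concrete, here is a small added Crystal example (not Lucky's own code): a hypothetical SafeTextHelpers module whose simple_format and truncate escape their input by default, with the pre-fix behaviour available only by explicitly passing escape: false. The module name, signatures and the untrusted sample string are assumptions made for this illustration.

```crystal
require "html"

# Added example, not Lucky's implementation: text helpers that escape by default.
module SafeTextHelpers
  # Wraps blank-line separated paragraphs in <p> and turns single newlines into <br>.
  # With escape: true (the safe default) any markup in `text` is rendered as text,
  # so the output can be dropped into a page without further treatment.
  def self.simple_format(text : String, escape : Bool = true) : String
    body = escape ? HTML.escape(text) : text
    body.split(/\n\n+/).map do |para|
      "<p>" + para.gsub("\n", "<br>") + "</p>"
    end.join("\n")
  end

  # Shortens `text` to `length` characters, then escapes the result so that a
  # truncated tag fragment cannot become live markup.
  def self.truncate(text : String, length : Int32 = 30, omission : String = "...", escape : Bool = true) : String
    out = text.size > length ? text[0, length - omission.size] + omission : text
    escape ? HTML.escape(out) : out
  end
end

# Constructed sample of what a user might submit in a free-text field.
untrusted = "hello\n<script>alert(1)</script>"

puts SafeTextHelpers.simple_format(untrusted)
# => <p>hello<br>&lt;script&gt;alert(1)&lt;/script&gt;</p>   (markup neutralised)

puts SafeTextHelpers.simple_format(untrusted, escape: false)
# => <p>hello<br><script>alert(1)</script></p>              (old default: live script)

puts SafeTextHelpers.truncate(untrusted, length: 12)
# => hello&#10;&lt;sc...   (escaped after truncation; the cut-off tag is inert text)
```

The expected outputs in the comments follow Crystal's HTML.escape, which also encodes the newline inside the truncated string; the important point is that the default path never emits the raw angle brackets.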
It is not best practice to rely purely on HTTP-only cookies, so to be safe we highly recommend upgrading to v0.21.1 as an extra layer of protection.
See more details in #1135