
Change HTML text helpers to escape by default

@paulcsmith paulcsmith released this 08 May 00:26
· 259 commits to master since this release

This is a release with a security fix. It only affects applications that use `highlight`, `truncate` or `simple_format`. These methods could be used for XSS attacks if the input passed to them is not escaped first. The risk is partly mitigated because Lucky defaults cookies to HTTP only, so they cannot be read from JS, and the cookie value itself is encrypted and signed.

It is not best practice to rely purely on HTTP only cookies: they stop injected script from stealing the session cookie, but script that runs in the page can still act as the user by sending requests from their browser. To be safe, we highly recommend upgrading to v0.21.1 as an extra layer of protection.
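To make the hazard concrete, here is an added, self-contained Crystal example (not Lucky's code and not from this release). The three helpers are minimal hypothetical stand-ins for `simple_format`, `truncate` and `highlight` that, like the pre-0.21.1 versions, build HTML from their input without escaping it; each is paired with a variant that escapes with Crystal's stdlib `HTML.escape` first, which is the behaviour this release makes the default. The input string is constructed for the demonstration.

```crystal
require "html"

# Constructed attacker-controlled input, e.g. a comment body stored in the DB.
UNTRUSTED = "Hi <script>alert(document.cookie)</script>\nsee you"

# Hypothetical simple_format-style helper: wraps each line in <p> WITHOUT
# escaping, so markup in the input lands in the page verbatim.
def simple_format_unescaped(text : String) : String
  text.split("\n").map { |line| "<p>#{line}</p>" }.join
end

# Hardened form: escape first, then format. The generated <p> tags are the
# only markup left in the output.
def simple_format_escaped(text : String) : String
  simple_format_unescaped(HTML.escape(text))
end

# Hypothetical truncate-style helper, also unescaped.
def truncate_unescaped(text : String, length : Int32) : String
  text.size > length ? text[0, length] + "..." : text
end

# Hardened form: truncate the raw text, then escape. Escaping after the cut
# avoids slicing an entity such as &lt; in half.
def truncate_escaped(text : String, length : Int32) : String
  HTML.escape(truncate_unescaped(text, length))
end

# Hypothetical highlight-style helper: wraps a phrase in <mark>, unescaped.
def highlight_unescaped(text : String, phrase : String) : String
  text.gsub(phrase, "<mark>#{phrase}</mark>")
end

# Hardened form: escape BOTH the text and the phrase, then match on the
# escaped phrase so a phrase like "<" still highlights correctly.
def highlight_escaped(text : String, phrase : String) : String
  safe_phrase = HTML.escape(phrase)
  HTML.escape(text).gsub(safe_phrase, "<mark>#{safe_phrase}</mark>")
end

# Simple check used to compare the two variants: does the output still
# contain an executable script tag?
def contains_script?(html : String) : Bool
  html.includes?("<script>")
end

{
  {"simple_format", simple_format_unescaped(UNTRUSTED), simple_format_escaped(UNTRUSTED)},
  {"truncate", truncate_unescaped(UNTRUSTED, 40), truncate_escaped(UNTRUSTED, 40)},
  {"highlight", highlight_unescaped(UNTRUSTED, "Hi"), highlight_escaped(UNTRUSTED, "Hi")},
}.each do |name, unsafe, safe|
  puts "#{name} unescaped -> script present: #{contains_script?(unsafe)}"
  puts "  #{unsafe}"
  puts "#{name} escaped   -> script present: #{contains_script?(safe)}"
  puts "  #{safe}"
end
```

Run it with `crystal run xss_helpers.cr`. The unescaped variants emit the `<script>` tag untouched, while the escaped variants emit `&lt;script&gt;` and keep only the helper's own `<p>` or `<mark>` markup. The ordering matters in two places: truncate before escaping so an entity is never cut in half, and escape the highlight phrase as well as the text so the match is performed on the same representation.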

See more details in #1135