Releases: luckyframework/lucky
Releases · luckyframework/lucky
v0.27.1
v0.27.0
v0.26.0
v0.25.0
v0.24.0
v0.23.0
v0.22.0
This release is the same as 0.21.1, but with support for Crystal 0.35.0.
For information on upgrading, check out our UPGRADE_NOTES
Change HTML text helpers to escape by default
This a release with a security fix. This only affects applications that use highlight, truncate or simple_format. These methods had potential to be used for XSS attacks if input is not escaped first. However, the risk is mitigated since Lucky defaults cookies to be read by HTTP only, and not through JS. The cookie value itself is also encrypted and signed.
It is not best practice to rely purely on HTTP only cookies, so to be safe, we highly recommend upgrading to v0.21.1 as an extra layer of protection.
See more details in #1135