mirror/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-23 14:53:34 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 9
forgejo/release-notes-published/8.0.1.md
Earl Warren 8dbd2da593
chore(release-notes): keep release notes in release-notes-published 
As of Forgejo 8.0.1 the release notes were only available in the
description of the corresponding milestone which is problematic for:

- searching
- safekeeping

The release-notes-published directory is created to remedy those problems:

- a copy of all those release notes from the milestones descriptions
  is added.
- a reference is added to the RELEASE-NOTES.md file which will no
  longer be used.
- a symbolic link to the RELEASE-NOTES.md is added for completeness.
- the release process will be updated to populate release-notes-published.

The RELEASE-NOTES.md file is kept where it is because it is referenced
by a number of URLs.

The release-notes directory would have been a better name but it is
already used for in flight release notes waiting for the next
release. Renaming this directory or changing it is rather involved.
2024-12-05 17:46:14 +01:00

20 lines
3.4 KiB
Markdown
Raw Blame History

This is a security release. See the documentation for more information on the [upgrade procedure](https://forgejo.org/docs/v8.0/admin/upgrade/).
- Security bug fixes
A [change introduced in Forgejo v1.21](https://codeberg.org/forgejo/forgejo/pulls/1433) allows a Forgejo user with write permission on a repository description to [inject a client-side script into the web page viewed by the visitor](https://en.wikipedia.org/wiki/Cross-site_scripting). This XSS allows for `href` in anchor elements to be set to a `javascript:` URI in the repository description, which will execute the specified script upon clicking (and not upon loading). [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description policy, which ensures that URIs in anchor elements are `mailto:`, `http://` or `https://` and thereby disallowing the `javascript:` URI.
<!--start release-notes-assistant-->
<!--URL:https://codeberg.org/forgejo/forgejo-->
- User Interface bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/4835) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4848)): <!--number 4848 --><!--line 0 --><!--description RG8gbm90IGluY2x1ZGUgdHJhaWxpbmcgRU9MIGNoYXJhY3RlciB3aGVuIGNvdW50aW5nIGxpbmVz-->Do not include trailing EOL character when counting lines<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/4836) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4847)): <!--number 4847 --><!--line 0 --><!--description QWRkIGJhY2tncm91bmQgdG8gcmVhY3Rpb25zIG9uIGhvdmVy-->Add background to reactions on hover<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/4806) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4807)): <!--number 4807 --><!--line 0 --><!--description UHJldmVudCB1cHBlcmNhc2UgaW4gaGVhZGVyIG9mIGRhc2hib2FyZCBjb250ZXh0IHNlbGVjdG9y-->Prevent uppercase in header of dashboard context selector<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/4754) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4756)): <!--number 4756 --><!--line 0 --><!--description Rml4IHBhZ2UgbGF5b3V0IGluIGFkbWluIHNldHRpbmdz-->Fix page layout in admin settings<!--description-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/4896) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4901)): <!--number 4901 --><!--line 0 --><!--description ZGlzYWxsb3cgamF2YXNjcmlwdDogVVJJIGluIHRoZSByZXBvc2l0b3J5IGRlc2NyaXB0aW9u-->disallow javascript: URI in the repository description<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/4852) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4865)): <!--number 4865 --><!--line 0 --><!--description RW5zdXJlIGFsbCBmaWx0ZXJzIGFyZSBwZXJzaXN0ZW50IGluIGlzc3VlIGZpbHRlcnM=-->Ensure all filters are persistent in issue filters<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/4828) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4840)): <!--number 4840 --><!--line 0 --><!--description QWxsb3cgNCBjaGFyYWNodGVyIFNIQSBpbiBgL3NyYy9jb21taXRg-->Allow 4 charachter SHA in `/src/commit`<!--description-->
- Localization
- [PR](https://codeberg.org/forgejo/forgejo/pulls/4668) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4881)): <!--number 4881 --><!--line 0 --><!--description aTE4bjogYmFja3BvcnQgb2YgIzQ2NjggYW5kICM0NzgzIHRvIHY4-->i18n: backport of #4668 and #4783 to v8<!--description-->
<!--end release-notes-assistant-->
Reference in a new issue View git blame Copy permalink