Djblets 0.8.3 Release Notes
Release date: June 6, 2014
Security
Fixed an XSS issue in the gravatars code.
Users could construct a name that allowed JavaScript to be injected into the page. That name is now properly escaped.
This is CVE-2014-3995.
Fixed an XSS issue in json_dumps().
JSON payloads constructed from user input and then injected into a page could result in custom JavaScript being injected into the page. Additional escaping is now performed to ensure this does not happen.
This is CVE-2014-3994 (discovered by “uchida”, Bug #3406).
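As an added illustration of the json_dumps() fix described above (example code written for these notes, not Djblets' own implementation): serializing a value with plain json.dumps() yields valid JSON, but if that text is inlined into an HTML <script> element, a user-controlled string containing "</script>" ends the element early. Escaping "<", ">" and "&" as \uXXXX sequences keeps the output valid JSON while removing the characters that break out of the page. The helper names and the sample payload are assumptions constructed for this example.

```python
import json

# Characters that are harmless inside a JSON string but dangerous once the
# JSON text is embedded in an HTML <script> element: "<" and ">" can close
# the element early ("</script>"), and "&" can be misread as markup.
_HTML_ESCAPES = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
}


def json_dumps_unsafe(obj):
    """Plain json.dumps(): correct JSON, but not safe to inline into HTML."""
    return json.dumps(obj)


def json_dumps_escaped(obj):
    """json.dumps() with <, > and & replaced by their \\uXXXX escapes.

    The result is still valid JSON that decodes to the same object, but it
    contains no raw "<", ">" or "&", so it cannot terminate a surrounding
    <script> element. Hypothetical helper for this illustration only.
    """
    text = json.dumps(obj)  # ensure_ascii=True: output is pure ASCII
    for raw, escaped in _HTML_ESCAPES.items():
        text = text.replace(raw, escaped)
    return text


def contains_script_close(text):
    """Defender-side check: would this text end an enclosing <script> tag?"""
    return "</script" in text.lower()


def roundtrips(obj):
    """Confirm the escaped form still decodes to the original value."""
    return json.loads(json_dumps_escaped(obj)) == obj


# Constructed sample payload (not taken from the page): a user-controlled
# display name that would close the enclosing <script> element verbatim.
SAMPLE = {"name": "</script><p>injected</p>", "note": "a&b"}

if __name__ == "__main__":
    print("unsafe: ", json_dumps_unsafe(SAMPLE))
    print("escaped:", json_dumps_escaped(SAMPLE))
    print("roundtrips:", roundtrips(SAMPLE))
```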
Contributors
Christian Hammond
David Trowbridge
Uchida