This is a quick update to 2.2.137 to fix a bug with entities
encoded twice in the quoted attributes.

  https://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.137.tgz
  https://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.137.zip
   svn://www.pmwiki.org/pmwiki/tags/latest

Only pmwiki.php changed since 2.2.136.

Thanks,
Petko

On 26/02/2021 15:10, Petko Yotov wrote:
Hello. PmWiki version 2.2.136 was published today, and is available at:

  https://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.136.tgz
  https://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.136.zip
   svn://www.pmwiki.org/pmwiki/tags/latest

This version fixes an XSS vulnerability for WikiStyles reported today by
Igor Sak-Sakovskiy.

The fix adds a second argument $keep to the core function PQA($attr,
$keep=true) which by default escapes HTML special characters and places
the values in Keep() containers. If you have custom functions that call
PQA() and expect the previous behavior, set the second argument to
false.

If you have any questions or difficulties, please let us know.

Thanks,
Petko

_______________________________________________
pmwiki-users mailing list
pmwiki-users@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
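
The two changes discussed in this thread (escaping HTML special characters in quoted attribute values, and the follow-up fix for entities encoded twice), as an added illustration that is not PmWiki's code. `quote_attrs()` and its parameters are a hypothetical stand-in for an attribute-quoting helper, and the sample input is constructed.

```php
<?php
// Hypothetical stand-in, NOT PmWiki's PQA(): re-quotes name=value pairs and
// shows three behaviours side by side:
//   (a) no escaping, (b) escaping that re-encodes existing entities,
//   (c) escaping that leaves existing entities alone.
function quote_attrs(string $attr, bool $escape = true, bool $doubleEncode = false): string {
  $out = [];
  // name=value where value is "double-quoted", 'single-quoted' or bare.
  preg_match_all('/([a-zA-Z][-\w]*)\s*=\s*("[^"]*"|\'[^\']*\'|\S+)/',
                 $attr, $m, PREG_SET_ORDER);
  foreach ($m as $pair) {
    [$all, $name, $value] = $pair;
    // Strip one layer of surrounding quotes, if present.
    if (preg_match('/^(["\'])(.*)\1$/s', $value, $q)) $value = $q[2];
    if ($escape) {
      // ENT_QUOTES encodes both quote characters, so the value cannot
      // terminate the single-quoted attribute emitted below.
      // The last argument controls whether "&amp;" becomes "&amp;amp;".
      $value = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8', $doubleEncode);
    }
    $out[] = "$name='$value'";
  }
  return implode(' ', $out);
}

// Constructed sample: one value already contains an entity, the other
// contains a quote and an angle bracket.
$sample = 'title="Tom &amp; Jerry" class="a\'b<c"';

echo "(a) unescaped:      ", quote_attrs($sample, false), "\n";
echo "(b) double-encoded: ", quote_attrs($sample, true, true), "\n";
echo "(c) encoded once:   ", quote_attrs($sample, true, false), "\n";
```

In (a) the quote inside the second value ends the attribute early; in (b) the value is safe but the existing entity is encoded a second time; (c) is both safe and stable for already-encoded input.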
