-
v0.10.6 Stable
Fletcher released this
2026-03-09 20:02:49 +00:00 | 59 commits to main since this releaseThis release focuses on preparing the application for wider usage within the test org.
Security
- Clickjacking: Prevent iframes 🖥️
- Image endpoint: Implement access control for image endpoint based on reference keys 🖥️
- Volunteer tokens approval UI: Escape entry descriptions when rendering to prevent stored XSS for approvers viewing the tokens page 🖥️
- Admin concessions CRN: Sanitise CRN to alphanumeric only before display and copy to prevent XSS 🖥️
- Forgejo webhook: Reject webhook requests when no secret is configured instead of skipping verification 🖥️
- Post-login redirect: Further restrict post-login redirect targets 🖥️
- Form statistics charts: Escaped chart titles in bar charts so user-controlled text cannot break out of script context 🖥️
- Volunteer token authorisation: Restricted token user search endpoints to volunteer and approval roles, and blocked non-approvers from reassigning token entries 🖥️
- Notification tracking links: Encrypted notification tracking tokens to prevent exposing notification IDs in forwarded emails 🖥️
- Remote image fetching: Blocked private-network and non-public image URLs during server-side image imports to reduce SSRF risk 🖥️
- Training wiki rendering: Removed Jinja template evaluation from wiki content responses to reduce server-side template injection risk 🖥️
- Markdown rendering: Added
nh3sanitisation to rendered markdown 🖥️ - OAuth login flow: Added
stateprotection for SSO sign in and linking flows 🖥️ - API key authentication: Remove query support for api keys 🖥️
- Request forgery protection: Added CSRF protection for browser-based mutating requests and changed logout to use POST 🖥️