Grav-Admin-Plugin/classes/plugin
Andy Miller 99f6532965 Fix security vulnerabilities: user enumeration and XSS issues
Security fixes:

1. GHSA-q3qx-cp62-f6m7: User Enumeration & Email Disclosure
   - Changed rate-limiter error message in taskForgot() to not include email
   - Added generic translation key FORGOT_CANNOT_RESET_RATE_LIMITED
   - Prevents attackers from enumerating valid usernames via forgot password

2. GHSA-rmw5-f87r-w988: Stored XSS in Group Display Name
   - Added HTML escaping to group.readableName in acl_picker.html.twig
   - Prevents XSS when malicious group names are rendered in selectize

3. GHSA-gqxx-248x-g29f & GHSA-mpjj-4688-3fxg: XSS in Taxonomy Fields
   - Added HTML escaping to taxonomy labels in taxonomy.html.twig
   - Prevents XSS when malicious taxonomy names are rendered

4. GHSA-65mj-f7p4-wggq, GHSA-7g78-5g5g-mvfj: XSS in Selectize Dropdowns
   - Added SafeRender functions to selectize.js that escape HTML by default
   - All selectize dropdowns now escape option/item text unless custom render is specified
   - Provides defense-in-depth against XSS in any selectize-based field
2025-11-29 18:43:02 -07:00