1.3.0

@0xTim 0xTim released this 07 Aug 15:40
· 39 commits to main since this release
e57cde5

⚠️ This release may contain some breaking behavioural changes if you're relying on HTML content being left untouched when rendering custom tags. You will need to migrate any custom tags to conform to UnsafeUnescapedLeafTag to prevent your rendered strings from being escaped. No other changes are required. ⚠️

This release fixes a potential XSS vulnerability in LeafKit. Previously, Leaf would render any parameters passed to any tags without escaping HTML, allowing an attacker to inject malicious scripts. All tags built into LeafKit now escape any rendered strings, apart from the new unsafeHTML tag.

  • Introduces a new unsafeHTML tag for rendering parameters you trust that contain HTML you want to leave intact
  • Introduces UnsafeUnescapedLeafTag, a protocol that custom tags can conform to so that their HTML output is not escaped.
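
A migration sketch for a custom tag that emits its own markup, added here as an example and not taken from the LeafKit source or this release. `BadgeTag`, `BadgeTagError` and `escapeHTML` are hypothetical names; the tag conforms to UnsafeUnescapedLeafTag so its `<span>` survives rendering, which means it has to escape the untrusted parameter itself.

```swift
import LeafKit

// Hypothetical error type for this example.
struct BadgeTagError: Error {
    let reason: String
}

// Minimal HTML escaper written for this example, so the tag does not
// rely on any LeafKit helper beyond the protocol and data types.
func escapeHTML(_ input: String) -> String {
    var out = ""
    out.reserveCapacity(input.count)
    for ch in input {
        switch ch {
        case "&": out += "&amp;"
        case "<": out += "&lt;"
        case ">": out += "&gt;"
        case "\"": out += "&quot;"
        case "'": out += "&#39;"
        default: out.append(ch)
        }
    }
    return out
}

// Hypothetical custom tag, used in a template as #badge(user.name).
// It returns markup, so from 1.3.0 it must conform to
// UnsafeUnescapedLeafTag; as a plain LeafTag the <span> itself
// would be escaped and shown as text.
struct BadgeTag: UnsafeUnescapedLeafTag {
    func render(_ ctx: LeafContext) throws -> LeafData {
        guard ctx.parameters.count == 1,
              let label = ctx.parameters[0].string else {
            throw BadgeTagError(reason: "badge expects one string parameter")
        }
        // LeafKit does not escape this tag's output, so the untrusted
        // parameter is escaped here before it is placed in the markup.
        return .string("<span class=\"badge\">\(escapeHTML(label))</span>")
    }
}
```

A tag that only returns plain text needs no migration: leave it as a regular LeafTag and LeafKit escapes its output.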