chore: v1.6.2 changelog

Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
chore: update version constant to v1.6.2
2025-08-18 22:31:32 +02:00 · 2022-11-18 22:38:41 +01:00 · 2022-11-18 22:35:12 +01:00 · 2022-11-18 22:34:29 +01:00 · 2022-11-18 22:32:24 +01:00 · 2022-11-16 12:29:36 +01:00
8 changed files with 24 additions and 11 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog

+## [v1.6.2](https://github.com/flarum/framework/compare/v1.6.1...v1.6.2)
+### Fixed
+* XSS Vulnerability in core (https://github.com/flarum/framework/pull/3684).
+
+## [v1.6.1](https://github.com/flarum/framework/compare/v1.6.0...v1.6.1)
+### Fixed
+* JS dependencies update breaks utilities.

 ## [v1.6.0](https://github.com/flarum/framework/compare/v1.5.0...v1.6.0)
 ### Fixed
--- a/framework/core/js/dist/admin.js
+++ b/framework/core/js/dist/admin.js
--- a/framework/core/js/dist/admin.js.map
+++ b/framework/core/js/dist/admin.js.map
--- a/framework/core/js/dist/forum.js
+++ b/framework/core/js/dist/forum.js
--- a/framework/core/js/dist/forum.js.map
+++ b/framework/core/js/dist/forum.js.map
--- a/framework/core/js/src/common/Application.tsx
+++ b/framework/core/js/src/common/Application.tsx
@@ -410,16 +410,22 @@ export default class Application {
      pageNumber: 1,
    };

-    const title =
+    let title =
      onHomepage || !this.title
        ? extractText(app.translator.trans('core.lib.meta_titles.without_page_title', params))
        : extractText(app.translator.trans('core.lib.meta_titles.with_page_title', params));

-    const tempEl = document.createElement('div');
-    tempEl.innerHTML = title;
-    const decodedTitle = tempEl.innerText;
+    title = count + title;

-    document.title = count + decodedTitle;
+    // We pass the title through a DOMParser to allow HTML entities
+    // to be rendered correctly, while still preventing XSS attacks
+    // from user input by using a script-disabled environment.
+    // https://github.com/flarum/framework/issues/3514
+    // https://github.com/flarum/framework/pull/3684
+    const parser = new DOMParser();
+    const safeTitle = parser.parseFromString(title, 'text/html').body.innerHTML;
+
+    document.title = safeTitle;
  }

  protected transformRequestOptions<ResponseType>(flarumOptions: FlarumRequestOptions<ResponseType>): InternalFlarumRequestOptions<ResponseType> {
--- a/framework/core/src/Foundation/Application.php
+++ b/framework/core/src/Foundation/Application.php
@@ -21,7 +21,7 @@ class Application
     *
     * @var string
     */
-    const VERSION = '1.6.0';
+    const VERSION = '1.6.2';

    /**
     * The IoC container for the Flarum application.
--- a/framework/core/views/frontend/app.blade.php
+++ b/framework/core/views/frontend/app.blade.php
@@ -3,7 +3,7 @@
      @if ($language) lang="{{ $language }}" @endif>
    <head>
        <meta charset="utf-8">
-        <title>{!! $title !!}</title>
+        <title>{{ $title }}</title>

        {!! $head !!}
    </head>
Author	SHA1	Message	Date
Sami Mazouz	8a65ad980d	chore: `v1.6.2` changelog Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>	2022-11-18 22:38:41 +01:00
Sami Mazouz	9a0668effd	chore: update version constant to `v1.6.2` Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>	2022-11-18 22:35:12 +01:00
Sami Mazouz	224b122303	chore: `yarn build` Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>	2022-11-18 22:34:29 +01:00
Sami Mazouz	ed0cee97f5	fix: evaluated page title content (#3684 ) * fix: evaluated page title content * chore: add comment * chore: use DOMParser instead * fix: use `innerHTML` for the actual value Signed-off-by: Sami Mazouz <sychocouldy@gmail.com> Co-authored-by: David Wheatley <hi@davwheat.dev>	2022-11-18 22:32:24 +01:00
Sami Mazouz	b5f324a7b3	chore: v1.6.1 changelog Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>	2022-11-16 12:29:36 +01:00
Sami Mazouz	8ef0df94b2	chore: update app version constant Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>	2022-11-16 12:27:40 +01:00