- Bug fix: an open redirect vulnerability has been fixed. It was possible to convince Apostrophe to redirect to a third-party website by appending an escaped URL with a trailing slash added at the end. Apostrophe’s trailing-slash remover would then cause a redirect to the un-escaped version of the slug part of the URL. The fix removes all multiple-slash sequences from the slug part of the URL. This is not a security vulnerability impacting your site as such, but it does prevent phishing attacks that use your website’s URL to appear innocent. Thanks to Bharath for reporting this issue.
- Bug fix: attempting to save a doc with a
arrayfield without ever opening the array editor formerly caused strange behavior. You now get a standard indication that the field is required.
- Feature: the method that supplies the choices for a dynamic
selectelement may be a simple synchronous function, if desired. Formerly returning a promise (or using an async function) was mandatory.
apos.utils.postwill now accept a
FormDataobject as the
dataprameter. In this situation JSON encoding is not used. This may be used to easily submit file uploads with Apostrophe’s CSRF protection and is supported at least back to IE11.