Changelog

All notable changes made in 2.x releases are shown below. See the full list of releases for the complete changelog.

2.7.0 - 2025-05-05

This is a security release to address a potential cross-site scripting (XSS) vulnerability when using the AttributesExtension with untrusted user input.

Added

• Added attributes/allow config option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)

Changed

• The AttributesExtension blocks all attributes starting with on unless explicitly allowed via the attributes/allow config option
• The allow_unsafe_links option is now respected by the AttributesExtension when users specify href and src attributes

Older Versions

Please see the full list of releases for the complete changelog.

Edit this page