Changelog
All notable changes made in 2.x releases are shown below. See the full list of releases for the complete changelog.
2.7.0 - 2025-05-05
This is a security release to address a potential cross-site scripting (XSS) vulnerability when using the `AttributesExtension` with untrusted user input.
Added
- Added `attributes/allow` config option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)
Changed
- The `AttributesExtension` blocks all attributes starting with `on` unless explicitly allowed via the `attributes/allow` config option
- The `allow_unsafe_links` option is now respected by the `AttributesExtension` when users specify `href` and `src` attributes
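A configuration that uses both options when rendering untrusted Markdown, as an added example rather than code from the project's changelog. It assumes the package is league/commonmark 2.7.0 or later installed via Composer; the allowlist values, the sample input and the final check are constructed for illustration.

```php
<?php
// Added example (not the project's own code). Assumes league/commonmark >= 2.7.0
// installed via Composer; allowlist and sample input below are constructed.
require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\Environment\Environment;
use League\CommonMark\Extension\Attributes\AttributesExtension;
use League\CommonMark\Extension\CommonMark\CommonMarkCoreExtension;
use League\CommonMark\MarkdownConverter;

$config = [
    // Honoured by the AttributesExtension for href and src as of 2.7.0.
    'allow_unsafe_links' => false,
    'attributes' => [
        // Explicit allowlist: only these attribute names may be set by users.
        // Leaving this unset keeps the default, which allows virtually all
        // attributes (those starting with "on" are still blocked).
        'allow' => ['id', 'class', 'title'],
    ],
];

$environment = new Environment($config);
$environment->addExtension(new CommonMarkCoreExtension());
$environment->addExtension(new AttributesExtension());
$converter = new MarkdownConverter($environment);

// Constructed untrusted input: allowed attributes mixed with an event handler.
$untrusted = '[profile](https://example.com/u/1){.btn title="Profile" onclick="alert(1)"}';

$html = $converter->convert($untrusted)->getContent();

// Coarse regression check for a test suite: no event-handler attribute
// should survive rendering with the configuration above.
if (preg_match('/<[^>]*\son[a-z]+\s*=/i', $html) === 1) {
    throw new RuntimeException('Event-handler attribute present in rendered output');
}

echo $html;
```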
Older Versions
Please see the full list of releases for the complete changelog.