Merge branch 'hotfix/4.7.17.5'

2025-10-16 09:22:33 +00:00 · 2019-08-02 20:59:23 +02:00
parent c9f4cf4f34 b217acfe26
commit ece0c99dbb
6 changed files with 16 additions and 7 deletions
--- a/.sandstorm/changelog.md
+++ b/.sandstorm/changelog.md
@@ -1,6 +1,10 @@
+# 4.7.17.5 (API 0.9.2)
+
+- Several XSS issues, found by [@0x2500](https://github.com/0x2500).
+
 # 4.7.17.4 (API 0.9.2)

- Several XSS issues, found by [@dayn1ne](https://github.com/dayn1ne).
+- Several XSS issues, found by [@0x2500](https://github.com/0x2500).

 # 4.7.17.3 (API 0.9.2)

--- a/.sandstorm/sandstorm-pkgdef.capnp
+++ b/.sandstorm/sandstorm-pkgdef.capnp
@@ -15,8 +15,8 @@ const pkgdef :Spk.PackageDefinition = (

  manifest = (
    appTitle = (defaultText = "Firefly III"),
-    appVersion = 30,
-    appMarketingVersion = (defaultText = "4.7.17.4"),
+    appVersion = 31,
+    appMarketingVersion = (defaultText = "4.7.17.5"),

    actions = [
      # Define your "new document" handlers here.
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,7 +1,7 @@
 sudo: required
 language: bash
 env:
-  - VERSION=4.7.17.4
+  - VERSION=4.7.17.5

 dist: xenial

--- a/changelog.md
+++ b/changelog.md
@@ -2,10 +2,15 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).

+## [4.7.17.5 (API 0.9.2)] - 2019-08-02
+
+### Security
+- Several XSS issues, found by [@0x2500](https://github.com/0x2500).
+
 ## [4.7.17.4 (API 0.9.2)] - 2019-08-02

 ### Security
- Several XSS issues, found by [@dayn1ne](https://github.com/dayn1ne).
+- Several XSS issues, found by [@0x2500](https://github.com/0x2500).

 ## [4.7.17.3 (API 0.9.2)] - 2019-07-16

--- a/config/firefly.php
+++ b/config/firefly.php
@@ -93,7 +93,7 @@ return [
        'is_demo_site'     => false,
    ],
    'encryption'                   => null === env('USE_ENCRYPTION') || env('USE_ENCRYPTION') === true,
-    'version'                      => '4.7.17.4',
+    'version'                      => '4.7.17.5',
    'api_version'                  => '0.9.2',
    'db_version'                   => 10,
    'maxUploadSize'                => 15242880,
--- a/resources/views/v1/transactions/convert.twig
+++ b/resources/views/v1/transactions/convert.twig
@@ -17,7 +17,7 @@
                    </div>
                    <div class="box-body">
                        {{ ExpandedForm.staticText('type', sourceType.type|_) }}
-                        {{ ExpandedForm.staticText('description', '<a href="'~route('transactions.show', journal.id)~'">'~journal.description~'</a>') }}
+                        {{ ExpandedForm.staticText('description', '<a href="'~route('transactions.show', journal.id)~'">'~journal.description|escape~'</a>') }}
                        {{ ExpandedForm.staticText('date', journal.date.formatLocalized(monthAndDayFormat)) }}

                        {# in case of withdrawal #}