Security Release
- Fixed a vulnerability where maliciously renamed file attachments could execute JavaScript in the gallery UI.
- The issue originated from an upstream library
react-photoswipe-gallery, but PLANKA has patched it locally to prevent the use of dangerousinnerHTMLwhen setting gallery captions. - Users should update to PLANKA
>= 1.26.3or>= 2.0.0-rc.4to be protected. - More details and credits: Security Advisory
- Reported by @AmjadAlii via responsible disclosure.
What's Changed
- fix: Patch react-photoswipe-gallery to prevent XSS in captions
Full Changelog: v2.0.0-rc.3...v2.0.0-rc.4
Contributors
AmjadAlii