[pmwiki-announce] PmWiki 2.2.137 released

Petko Yotov 5ko at 5ko.fr
Fri Feb 26 11:16:32 PST 2021


This is a quick update to 2.2.137 to fix a bug with entities
encoded twice in the quoted attributes.

   https://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.137.tgz
   https://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.137.zip
    svn://www.pmwiki.org/pmwiki/tags/latest

Only pmwiki.php changed since 2.2.136.

Thanks,
Petko

On 26/02/2021 15:10, Petko Yotov wrote:
> Hello. PmWiki version 2.2.136 was published today, and is available at:
> 
>   https://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.136.tgz
>   https://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.136.zip
>    svn://www.pmwiki.org/pmwiki/tags/latest
> 
> This version fixes a XSS vulnerability for WikiStyles reported today by
> Igor Sak-Sakovskiy.
> 
> The fix adds a second argument $keep to the core function PQA($attr,
> $keep=true) which by default escapes HTML special characters and places
> the values in Keep() containers. If you have custom functions that call
> PQA() and expect the previous behavior, set the second argument to
> false.
> 
> If you have any questions or difficulties, please let us know.
> 
> Thanks,
> Petko


