From fe6ea5791f916d8ff13f21ff54ac21039cb4a9c6 Mon Sep 17 00:00:00 2001
From: Marc Englund <marc@vaadin.com>
Date: Tue, 11 Feb 2014 15:37:12 +0200
Subject: [PATCH] Release notes updated to describe #13310 #13311

Change-Id: Id1b612a74f2f8717f98a3dca81489425686237f7
---
 WebContent/release-notes.html | 40 ++++++++++++++++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)

diff --git a/WebContent/release-notes.html b/WebContent/release-notes.html
index a11e526c3f..c7e7558e6a 100644
--- a/WebContent/release-notes.html
+++ b/WebContent/release-notes.html
@@ -41,6 +41,7 @@
         <ul>
             <li><a href="#overview">Overview of Vaadin
                     @version@ Release</a></li>
+			<li><a href="#security-fixes">Security fixes</a></li>
             <li><a href="#changelog">Change log for Vaadin
                     @version@</a></li>
             <li><a href="#enhancements">Enhancements in Vaadin
@@ -75,7 +76,44 @@
                 href="http://vaadin.com/download/release/@version-minor@/@version-minor@.0/release-notes.html">Release
                 Notes for Vaadin @version-minor@.0</a>.
         </p>
-
+        
+        <!-- ================================================================ -->
+		<h3 id="security-fixes">Security fixes in Vaadin Framework 7.1.11</h3>
+		
+		<p>
+		  Vaadin 7.1.11 fixes two security issues discovered during internal review. 
+		</p>
+		<p><b>Escaping of OptionGroup item icon URLs</b></p>
+		<p>
+			The issue affects OptionGroup with item icons. Proper escaping of the 
+			src-attribute on the client side was not ensured when using icons for 
+			OptionGroup items. This could potentially, in certain situations, allow
+			a malicious user to inject content, such as javascript, in order to 
+			perform a cross-site scripting (XSS) attack.
+		</p>
+		<p>
+			In order for an application to be vulnerable, user provided input must
+			be used to form a URL used to display an icon for an OptionGroup item, 
+			when showing that Option Group to other users.<br/>
+			The vulnerability has been classified as moderate, due to it's limited
+			application. 
+		</p>
+		<p><b>Escaping of URLs in Util.getAbsoluteUrl()</b></p>
+		<p>
+			The client side Util.getAbsoluteUrl() did not ensure proper escaping
+			of the given URL. This could potentially, in certain situations, allow
+			a malicious user to inject content, such as javascript, in order to 
+			perform a cross-site scripting (XSS) attack.
+		</p>
+		<p>
+			The method is used internally by the framework in such a manner that it
+			is unlikely this attack vector can be utilized in practice. However,
+			third party components, or future use of the method, could make an 
+			attack viable.<br/>
+			The vulnerability has been classified as moderate, due to it's limited
+			application. 
+		</p>
+        
         <h3 id="changelog">Change log for Vaadin @version@</h3>
 
         <p>This release includes the following closed issues:</p>
-- 
2.39.5