From 434a2628cf23c72b329d18ee05a6fc03b13685dd Mon Sep 17 00:00:00 2001 From: Jonatan Kronqvist Date: Fri, 11 Apr 2014 15:57:07 +0300 Subject: Add a section on incompatible changes to release-notes (#13502) Change-Id: I73cc9c7b5509dff0cb5376af9bf4b0ef572add05 --- WebContent/release-notes.html | 72 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 60 insertions(+), 12 deletions(-) (limited to 'WebContent') diff --git a/WebContent/release-notes.html b/WebContent/release-notes.html index 01cf665c5d..dccc82e1bf 100644 --- a/WebContent/release-notes.html +++ b/WebContent/release-notes.html @@ -46,6 +46,12 @@ @version@
  • Enhancements in Vaadin @version-minor@
  • +
  • Incompatible changes in + @version-minor@
  • +
  • Behavior altering + changes in @version-minor@
  • +
  • Known issues in + @version-minor@
  • Limitations in @version-minor@
  • Vaadin Installation
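Review bot: the three new table-of-contents entries (Incompatible changes, Behavior altering changes, Known issues in @version-minor@) need anchors that match the ids of the headings added further down the file; with the links and the headings in separate hunks it is easy for an href and an id to drift apart, so please check each of the three pairs before merge. The commit subject only mentions the incompatible-changes section while this hunk adds three entries; consider widening the subject to cover all of them.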
  • @@ -76,44 +82,44 @@ href="http://vaadin.com/download/release/@version-minor@/@version-minor@.0/release-notes.html">Release Notes for Vaadin @version-minor@.0.

    - +

    Security fixes in Vaadin Framework 7.1.11

    - +

    - Vaadin 7.1.11 fixes two security issues discovered during internal review. + Vaadin 7.1.11 fixes two security issues discovered during internal review.

    Escaping of OptionGroup item icon URLs

    - The issue affects OptionGroup with item icons. Proper escaping of the - src-attribute on the client side was not ensured when using icons for + The issue affects OptionGroup with item icons. Proper escaping of the + src-attribute on the client side was not ensured when using icons for OptionGroup items. This could potentially, in certain situations, allow - a malicious user to inject content, such as javascript, in order to + a malicious user to inject content, such as javascript, in order to perform a cross-site scripting (XSS) attack.

    In order for an application to be vulnerable, user provided input must - be used to form a URL used to display an icon for an OptionGroup item, + be used to form a URL used to display an icon for an OptionGroup item, when showing that Option Group to other users.
    The vulnerability has been classified as moderate, due to it's limited - application. + application.

    Escaping of URLs in Util.getAbsoluteUrl()

    The client side Util.getAbsoluteUrl() did not ensure proper escaping of the given URL. This could potentially, in certain situations, allow - a malicious user to inject content, such as javascript, in order to + a malicious user to inject content, such as javascript, in order to perform a cross-site scripting (XSS) attack.

    The method is used internally by the framework in such a manner that it is unlikely this attack vector can be utilized in practice. However, - third party components, or future use of the method, could make an + third party components, or future use of the method, could make an attack viable.
    The vulnerability has been classified as moderate, due to it's limited - application. + application.

    - +

    Change log for Vaadin @version@

    This release includes the following closed issues:

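Review bot: the changes to the Vaadin 7.1.11 security-fix text in this hunk look whitespace-only (each removed line is re-added with identical wording), which mixes unrelated reformatting into a content commit and makes the actual change harder to review; split it into its own commit or drop it. If these lines are being touched anyway, the two occurrences of "due to it's limited application" should read "due to its limited application".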
    @@ -182,6 +188,48 @@ Notes for Vaadin 7.0.0.

    +

    Incompatible changes

    + +

    Behavior altering changes

    + + +

    Known issues

    + +

    Limitations
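Review bot: the new Incompatible changes, Behavior altering changes and Known issues sections are inserted directly before the existing Limitations section, and "Known issues" and "Limitations" overlap in meaning; a short note at the top of each stating what belongs there (open bugs and regressions under Known issues, by-design constraints under Limitations) would keep future release notes from filing the same item under both. Also confirm that the ids on these headings match the hrefs added to the table of contents at the top of the file.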