v6.4.3

@mavrokordato mavrokordato released this 29 Jul 03:31
ed3149e
  • Security - Unsafe HTML in field group labels is now correctly escaped for conditionally loaded field groups, resolving a JS execution vulnerability in the classic editor
  • Security - HTML in field group labels is now escaped when output in the ACF admin
  • Security - Bidirectional and Conditional Logic Select2 elements no longer render HTML in field labels or post titles
  • Security - The acf.escHtml function now uses the third-party DOMPurify library to ensure all unsafe HTML is removed. A new esc_html_dompurify_config JS filter can be used to modify the default behaviour
  • Security - Post titles are now correctly escaped whenever they are output by ACF code. Thanks to Shogo Kumamaru of LAC Co., Ltd. for the responsible disclosure
  • Security - An admin notice is now displayed when version 3 of the Select2 library is used, as it has now been deprecated in favor of version 4