Version 1.4 of the hotfix is available:
plone.org. If you grab the zip from here, please check that the
version.txt contains 1.4 and/or that the md5/sha sum matches. You may get an older version from the cache. Try adding
Recommended for all. From the changelog:
Use safe html transform instead of escape for richtext diff. Otherwise the inline diff is not inline anymore.
(Note: I forgot to add this to the changelog on PyPI/plone.org).
With PLONEHOTFIX20210518_NAMEDFILE_USE_DENYLIST=1 in the OS environment, use a denylist for determining which mimetypes can be displayed inline.
By default we use an allowlist with the most used image types, plain text, and PDF.
By popular request, allow showing PDF files inline.
Note: browser preference plays a part in what actually happens.
In untrusted path expressions with modules, check that each module is allowed.
In the first version of the hotfix we disallowed modules that were available as a 'private' alias, for example
random.itertools without underscore would have been available, it was still allowed, even though
itertools has not been explicitly allowed.
(itertools might be fine to allow, it is just an example.)
This version is a recommended upgrade for all users.
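
The allowlist/denylist switch for inline display described in the changelog, as an added sketch that is not the hotfix's own code. The function names, the exact list entries and the exact-match check on the value "1" are assumptions made for illustration; only the environment variable name comes from the changelog.

```python
import os

# Assumption: illustrative entries only; the hotfix's real lists are not shown on this page.
INLINE_ALLOWLIST = frozenset({
    "image/gif", "image/jpeg", "image/png", "image/webp",
    "text/plain", "application/pdf",
})
INLINE_DENYLIST = frozenset({
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "application/javascript", "text/javascript",
})
ENV_SWITCH = "PLONEHOTFIX20210518_NAMEDFILE_USE_DENYLIST"  # name taken from the changelog


def normalize(content_type):
    """Lower-case the type and drop parameters such as '; charset=utf-8'."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def disposition(content_type, environ=None):
    """Return 'inline' or 'attachment' for a stored file's content type."""
    environ = os.environ if environ is None else environ
    mimetype = normalize(content_type)
    if not mimetype:
        return "attachment"  # nothing declared: never render in the browser
    if environ.get(ENV_SWITCH) == "1":  # assumed check: exact value "1"
        # Denylist mode: everything not listed is rendered inline.
        return "attachment" if mimetype in INLINE_DENYLIST else "inline"
    # Default allowlist mode: everything not listed is downloaded.
    return "inline" if mimetype in INLINE_ALLOWLIST else "attachment"


def compare(content_types):
    """Map each type to (allowlist result, denylist result)."""
    return {
        ct: (disposition(ct, {}), disposition(ct, {ENV_SWITCH: "1"}))
        for ct in content_types
    }


if __name__ == "__main__":
    # Constructed sample input.
    samples = ["image/png", "Text/HTML; charset=utf-8", "application/pdf",
               "application/x-unlisted", ""]
    for ct, (allow, deny) in compare(samples).items():
        print(f"{ct!r:32} allowlist={allow:10} denylist={deny}")
```

The two modes differ only for types on neither list: the allowlist sends them as a download, while the denylist lets the browser render them.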