Version 1.4 of the hotfix is available:
-
plone.org. If you grab the zip from here, please check that the
version.txt
contains 1.4 and/or that the md5/sha sum matches. You may get an older version from the cache. Try adding?x=1
then. - PyPI
Recommended for all. From the changelog:
1.4 (2021-06-08)
-
Use safe html transform instead of escape for richtext diff. Otherwise the inline diff is not inline anymore.
(Note: I forgot to add this to the changelog on PyPI/plone.org). -
With
PLONEHOTFIX20210518_NAMEDFILE_USE_DENYLIST=1
in the OS environment, use a denylist for determining which mimetypes can be displayed inline.
By default we use an allowlist with the most used image types, plain text, and PDF.
The denylist contains svg, javascript, and html, which have known cross site scripting possibilities. -
By popular request, allow showing PDF files inline.
Note: browser preference plays a part in what actually happens. -
In untrusted path expressions with modules, check that each module is allowed.
In the first version of the hotfix we disallowed modules that were available as a 'private' alias, for examplerandom._itertools
.
But ifrandom.itertools
without underscore would have been available, it was still allowed, even thoughitertools
has not been explicitly allowed.
(itertools
might be fine to allow, it is just an example.)
This version is a recommended upgrade for all users.