Serendipity 2.0-rc2 released

A possible XSS attack vector was found and reported by Steffen Rösemann (many thanks!), which would not properly escape blog comments displayed in the admin start page. The 2.0-rc2 addresses this issue. We are thankful to be able to fix this issue in our road to the 2.0 final release.

The patch is quite easy, so if you do not want to upload the whole release package, you can manually apply this patch to templates/2k11/admin/overview.inc.tpl.

Another issue that Steffen addresses in his advisory is that by default editors are allowed to post HTML to blog entries. This is a choice we made by default, to trust in the actual blog editors. If this is not the case in your installation, you should install the serendipity_event_xsstrust plugin, which specifically allows you to block HTML code for entries made by blog editors.

The new release can be found as usual on our download page.