On Fri, 2021-04-16 at 09:49 +0200, Yadd wrote:
> dojo/dijit is vulnerable to cross-site-scripting (#970000,
> CVE-2020-4051).
>

Apologies for not getting back to this sooner.

[...]
> This update should minimally affect production applications:
> * The behavior of existing links with HTML content will be unchanged
> * Existing links that are edited and saved will be filtered (this is
>   only if the link is edited, other content within the editor can be
>   edited without affecting the link)
> * Newly created links will be filtered by default
> * For production code to continue working as-is with new data the
>   application code will have to be updated to specify `true` for the
>   `LinkDialog` plugin's `allowUnsafeHtml` option
>

Do we have any idea what the likely size of the impact of that last
comment is? "continue working as-is with new data" seems a little
unclear.

Regards,

Adam