v1.21.3: Minfilia Warde - Echo 3 #908

Xe · 2025-07-25T14:36:44Z

Xe
Jul 25, 2025
Maintainer

This could allow an attacker to craft an Anubis pass-challenge URL that forces a redirect to nonstandard URLs, such as the javascript: scheme which executes arbitrary JavaScript code in a browser context when the user clicks the "Try again" button.

This has been fixed by disallowing any URLs without the scheme http or https.

Additionally, the "Try again" button has been fixed to completely ignore the user-supplied redirect location. It now redirects to the home page (/).

Notes

An incomplete version of this fix was tagged at v1.21.2 and then the release process was aborted upon final testing. Do not package or use v1.21.2.

What's Changed

fix(lib): add comprehensive XSS protection logic by @Xe in fix(lib): add comprehensive XSS protection logic #905
fix(web): make the try again button always go back to / by @Xe in fix(web): make the try again button always go back to / #907

Full Changelog: v1.21.2...v1.21.3

This discussion was created from the release v1.21.3: Minfilia Warde - Echo 3.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

v1.21.3: Minfilia Warde - Echo 3 #908

Uh oh!

{{title}}

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

Uh oh!

v1.21.3: Minfilia Warde - Echo 3 #908

Uh oh!

Xe Jul 25, 2025 Maintainer

Notes

What's Changed

Replies: 0 comments

Xe
Jul 25, 2025
Maintainer