nystudio107
diff --git a/‎CHANGELOG.md‎
Lines changed: 10 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎buildchain/package-lock.json‎
Lines changed: 552 additions & 616 deletions b/‎buildchain/package-lock.json‎
Lines changed: 552 additions & 616 deletions
diff --git a/‎buildchain/src/vue/SchemaTypeList.vue‎
Lines changed: 5 additions & 5 deletions b/‎buildchain/src/vue/SchemaTypeList.vue‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎composer.json‎
Lines changed: 1 addition & 1 deletion b/‎composer.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/docs/using/index.md‎
Lines changed: 20 additions & 0 deletions b/‎docs/docs/using/index.md‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎docs/docs/using/twig-sandbox.md‎
Lines changed: 1 addition & 2 deletions b/‎docs/docs/using/twig-sandbox.md‎
Lines changed: 1 addition & 2 deletions
@@ -1,5 +1,15 @@
 # SEOmatic Changelog
 
+## 4.1.17 - 2025.08.17
+### Changed
+* Use `StringHelper::convertToUtf8()` instead of our homebrew solution
+* Change `http` to `https` for schema.org type `@context`
+* Don't cache sitemaps if they are somehow generated via a Craft preview with token parameters ([#1636](https://github.com/nystudio107/craft-seomatic/issues/1636))
+
+### Fixed
+* Fix an issue where emptying a section could cause the sitemap to throw an exception with certain versions of PHP ([#1629](https://github.com/nystudio107/craft-seomatic/issues/1629))
+* Fix weirdness in rendering of certain schema type descriptions of the source information was malformed with spurious spaces ([#1623](https://github.com/nystudio107/craft-seomatic/issues/1623))
+
 ## 4.1.16 - 2025.06.11
 ### Fixed
 * Removed `parseEnv` from the default `seomatic-sandbox.php`, because it is used by SEOmatic for rendering JSON-LD entity IDs ([#1616](https://github.com/nystudio107/craft-seomatic/issues/1616))
 
@@ -5,11 +5,11 @@
       <treeselect
         ref="treeselect"
         v-model="value"
-        :multiple="false"
-        :flat="false"
         :default-expand-level="0"
-        :options="options"
         :disabled="disabled"
+        :flat="false"
+        :multiple="false"
+        :options="options"
       />
     </div>
     <div
@@ -19,11 +19,11 @@
       <div class="instructions">
         <p>
           <a
-            :href="'http://schema.org/' + schemaName"
+            :href="'https://schema.org/' + schemaName"
             rel="noopener"
             target="_blank"
           >{{ schemaName }} info: </a>
-          <span v-html="renderHtml(schemaDescription)" />
+          <span v-html="renderHtml(schemaDescription)"/>
         </p>
         <p v-if="Object.keys(schemaRichSnippetUrls).length">
           <a
 
@@ -2,7 +2,7 @@
   "name": "nystudio107/craft-seomatic",
   "description": "SEOmatic facilitates modern SEO best practices & implementation for Craft CMS 4. It is a turnkey SEO system that is comprehensive, powerful, and flexible.",
   "type": "craft-plugin",
-  "version": "4.1.16",
+  "version": "4.1.17",
   "keywords": [
     "craft",
     "cms",
 
@@ -329,3 +329,23 @@ This will output:
   * This property is recommended by Google.
 
 If the site has `devMode` on, all of the meta objects are automatically validated as they are rendered, with the results displayed in the Yii Debug Toolbar. The Yii Debug Toolbar can be enabled in your account settings page.
+
+## Unsafe User Input & SSTIs
+
+A [server-side template injection](https://docs.cobalt.io/bestpractices/prevent-ssti/#best-practices) (SSTI) allows an attacker to execute server-side commands by injecting malicious data into a template.
+
+SEOmatic guards against SSTIs by automatically sanitizing unsafe user input that it uses, but if you are manually setting SEOmatic variable to unsafe user input you will need to [sanitize the data](https://docs.cobalt.io/bestpractices/prevent-ssti/#sanitize-data) yourself.
+
+Fortunately, SEOmatic provides a helper function to allow you to do just that:
+
+```twig
+{% set primaryUrl = craft.app.request.getHostInfo %}
+{% set primaryUrl = seomatic.helper.sanitizeUserInput(primaryUrl) %}
+{% do seomatic.meta.setAttributes({
+   canonicalUrl: primaryUrl
+}) %}
+```
+
+Here are we using unsafe user input (the value of `hostInfo` from the `request`), and instead of using it directly, we are using the `seomatic.helper.sanitizeUserInput()` helper function to sanitize the unsafe user input before we set it to an SEOmatic variable.
+
+**Note:** You do _not_ need to sanitize everything you set an SEOmatic variable to, only things that come from unsafe user input.
@@ -10,7 +10,7 @@ Should you wish to customize it, you can copy the `seomatic-sandbox.php` to the
 
 The `seomatic-sandbox.php` file in the Craft `config/` directory will be automatically used if it exists, instead of the built-in version of the file, 
 
-Here's what the default `seomatic-sandbox.php` looks like:
+Here’s what the default `seomatic-sandbox.php` looks like:
 
 ```php
 <?php
@@ -139,7 +139,6 @@ return [
         'hiddenInput',
         'input',
         'parseBooleanEnv',
-        'parseEnv',
         'plugin',
         'redirectInput',
         'renderObjectTemplate',