mirror of
https://github.com/Foundry376/Mailspring.git
synced 2024-12-25 09:32:33 +08:00
Update Changelog to mention security contributions from Positive Technologies, Payatu, Sonar
Payatu - https://payatu.com
Positive Technologies - https://www.ptsecurity.com/ww-en/
Sonar - https://sonarsource.com
This commit is contained in:
parent 9a7e1a7843
commit e7daf5abf2
1 changed file with 6 additions and 4 deletions
CHANGELOG.md
@ -6,9 +6,11 @@ Happy new year! This is a small update to Mailspring with a few important change
- On macOS, long-pressing a key to show it's available subtitutions (eg: `e` to see `é, ê, etc.`) now works properly in the email composer. Sorry for the delay fixing this issue, for many non-english speakers on macOS we know it's a core part of your email workflow.
- We now escape subject and participant names in the print modal, ensuring that they render properly for printing.
- We now escape subject and participant names in the print modal, ensuring that they render properly for printing. Thanks to Andrialdy R for identifying and documenting a related vulnerability.
- We now use DOMPurify to sanitize the content of HTML emails for display. DOMPurify is maintained by a team of security-oriented web engineers and will ensure Mailspring protects you from the widest possible range of XSS attacks and exploits.
- We now use DOMPurify to sanitize the content of HTML emails for display. DOMPurify is maintained by a team of security-oriented web engineers and will ensure Mailspring protects you from the widest possible range of XSS attacks and exploits. Thanks to Yaniv Nizry of [Sonar](https://sonarsource.com) for identifying and reporting weaknesses in our old sanitizer.
- As part of the DOMPurify change, Mailspring now supports a smaller range of links in emails (https://, tel://, mailto:// etc). Thanks to Vaibhav Rajput and Prajyot Chemburkar of [Payatu](https://payatu.com/) for reporting that smb:// links were previously allowed and useful in triggering exploits.
## 1.13.2
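Review bot: the scheme list in the added `smb://` entry, `https://, tel://, mailto:// etc`, misstates two of the schemes: `mailto:` and `tel:` have no `//` authority part (RFC 6068 and RFC 3966), so writing them as `mailto://` and `tel://` can mislead plugin authors about what the new allowlist actually accepts. Suggest spelling out the exact allowlist (for example `https:`, `mailto:`, `tel:`) and dropping "etc", since the purpose of the entry is to tell users which link types no longer work. Minor: the new Andrialdy R credit has no link or affiliation while the Sonar and Payatu credits do, and the unchanged context line above still reads "it's available subtitutions" (should be "its available substitutions"), worth a drive-by fix while this section is being edited.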
@ -86,7 +88,7 @@ Bug Fixes:
Developer:
- Mailspring now uses a more restrictive Content-Security-Policy that includes `object-src none; media-src mailspring:; manifest-src none;`. If your plugin packaged media such as sounds, you may need to reference them via the mailspring:// URL syntax (ala 2b75347c)
- Mailspring now uses a more restrictive Content-Security-Policy that includes `object-src none; media-src mailspring:; manifest-src none;`. If your plugin packaged media such as sounds, you may need to reference them via the mailspring:// URL syntax (ala 2b75347c) (Thanks to Igor Sak-Sakovskiy of [Positive Technologies](https://www.ptsecurity.com/ww-en/) for a related vulnerability report.)
## 1.10.8 (12/29/2022)
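Review bot: the CSP fragment quoted in the edited Developer entry, `object-src none; media-src mailspring:; manifest-src none;`, writes `none` without the single quotes the CSP grammar requires for keyword sources; an unquoted `none` is parsed as a host-source named "none" and blocks nothing. If the real policy shipped in the app uses `'none'`, the changelog should quote it the same way so plugin authors copying it get a working directive; if the real policy omits the quotes, that is a bug to fix rather than document. Style: the appended credit produces two back-to-back parentheticals after "(ala 2b75347c)"; suggest merging them, e.g. "(see 2b75347c; thanks to Igor Sak-Sakovskiy of Positive Technologies for a related vulnerability report)".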
@ -124,7 +126,7 @@ Changes:
- Mailsync now requests fewer emails at a time, fixing compatibility issues with large Office365 accounts. (Thanks @BrandonGillis for extensive testing of this change!)
- Inline image "cid:" references may appear only in `<img src=“”>`, and may not appear elsewhere in message bodies.
- Inline image "cid:" references may appear only in `<img src=“”>`, and may not appear elsewhere in message bodies. (Thanks to Igor Sak-Sakovskiy of [Positive Technologies](https://www.ptsecurity.com/ww-en/) for this vulnerability report.)
- Mailspring uses iframe sandboxing to disallow interactivity in message bodies, in addition to santizing loaded HTML down to a strict list of tags and attributes.
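Review bot: the edited `cid:` entry keeps the curly quotes in `<img src=“”>`; in an HTML example these should be straight ASCII quotes (`<img src="">`), because a reader who copies the snippet gets an invalid attribute delimiter. It is also worth stating what happens to a `cid:` reference found outside an `<img src>` (stripped, replaced with a placeholder, or the message refused), since "may not appear elsewhere" describes the rule but not the behaviour users and plugin authors will observe. The unchanged context line below still has "santizing" for "sanitizing".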