Tracks v2.5.1 Release Notes
Release Date: 2020-09-24
See doc/upgrading.md for the upgrade documentation!
Security issue disclosure
Joe Thorpe from Secarma disclosed an XSS issue that was inadvertently
fixed in 2.5.0 by another bug fix. Tracks previously rendered XSS content
in the user's own data. The content is only shown to the user themself,
which mitigates the vulnerability in the normal use case where a single
user account is only used by one person. The CVSS rating for self-XSS is
debatable and thus is not published for this issue.

I want to thank Joe for reporting the issue and for the insightful discussion
regarding the issue. Thanks to the disclosure there is now also a written
security policy for the project.
Bug fixes
- Editing a due date in the calendar view fixed
- Adding actions in the context view fixed
- Fixed the recurring todo UI
Previous changes from v2.5.0
See doc/upgrading.md for the upgrade documentation!
New features
- Updated documentation both in the doc directory and online.
- .skip-docker file has been replaced with .use-docker, see upgrading.md for
  details.
- Added email, last login, creation and update time to the user model.
- Added terms of service and email fields to the signup form. The TOS link is
  defined in site.yml, see config/site.yml.tmpl.
- New, lighter default color scheme. The black color scheme is also available
  for selection in the user preferences. Default theme can be set in site.yml.
- Added a help page to the ? menu linking to online help assets.
- Allow the user to remove their own account.
Removed features
- Ruby versions below 2.5 are no longer supported.
- Old Internet Explorer versions (7 and 8) are no longer supported.
Bug fixes
- Fixed the signup form to use login form styles.
- Lots of dependencies have been upgraded, including Rails major upgrade.
- Fixed some minor UI bugs.