From 5ko at 5ko.fr Fri Feb 26 06:10:02 2021
From: 5ko at 5ko.fr (Petko Yotov)
Date: Fri, 26 Feb 2021 15:10:02 +0100
Subject: [pmwiki-announce] PmWiki 2.2.136 released
Message-ID: <6e4e787e73a35642a26e40b6eacd48d1@5ko.fr>

Hello. PmWiki version 2.2.136 was published today, and is available at:

  https://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.136.tgz
  https://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.136.zip
  svn://www.pmwiki.org/pmwiki/tags/latest

This version fixes an XSS vulnerability for WikiStyles reported today by
Igor Sak-Sakovskiy.

The fix adds a second argument $keep to the core function PQA($attr,
$keep=true) which by default escapes HTML special characters and places
the values in Keep() containers. If you have custom functions that call
PQA() and expect the previous behavior, set the second argument to
false.

If you have any questions or difficulties, please let us know.

Thanks,
Petko

--
If you upgrade: https://www.pmwiki.org/Upgrades


From 5ko at 5ko.fr Fri Feb 26 11:16:32 2021
From: 5ko at 5ko.fr (Petko Yotov)
Date: Fri, 26 Feb 2021 20:16:32 +0100
Subject: [pmwiki-announce] PmWiki 2.2.137 released
In-Reply-To: <6e4e787e73a35642a26e40b6eacd48d1@5ko.fr>
References: <6e4e787e73a35642a26e40b6eacd48d1@5ko.fr>
Message-ID: <2b3b7fa2306f2f2461e33d9b111aa552@5ko.fr>

This is a quick update to 2.2.137 to fix a bug with entities encoded
twice in the quoted attributes.

  https://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.137.tgz
  https://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.137.zip
  svn://www.pmwiki.org/pmwiki/tags/latest

Only pmwiki.php changed since 2.2.136.

Thanks,
Petko

On 26/02/2021 15:10, Petko Yotov wrote:
> Hello. PmWiki version 2.2.136 was published today, and is available at:
>
> https://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.136.tgz
> https://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.136.zip
> svn://www.pmwiki.org/pmwiki/tags/latest
>
> This version fixes an XSS vulnerability for WikiStyles reported today by
> Igor Sak-Sakovskiy.
>
> The fix adds a second argument $keep to the core function PQA($attr,
> $keep=true) which by default escapes HTML special characters and places
> the values in Keep() containers. If you have custom functions that call
> PQA() and expect the previous behavior, set the second argument to
> false.
>
> If you have any questions or difficulties, please let us know.
>
> Thanks,
> Petko
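An added illustration, not PmWiki's own PQA() or Keep() code: a hypothetical attribute parser with the same `$keep` switch the announcements describe, showing values being escaped and parked in placeholder containers, and why `htmlspecialchars()` must be told not to re-encode entities already present in a quoted value (the double-encoding bug that 2.2.137 corrected). The `keep_placeholder()` helper and the marker format are stand-ins constructed for this example.

```php
<?php
// Stand-in for a Keep()-style container (hypothetical, not PmWiki's Keep()):
// the escaped value is stored and a placeholder is returned so that later
// markup passes cannot reinterpret the attribute text as wiki or HTML markup.
$KeptValues = [];
function keep_placeholder(string $html): string {
    global $KeptValues;
    $KeptValues[] = $html;
    return '[[#kept' . (count($KeptValues) - 1) . '#]]'; // constructed marker
}

// Parse an attribute list such as: name="value" name2='value2' name3=value3
// $keep=true  -> escape HTML special characters and return placeholders
// $keep=false -> legacy behaviour, raw values (for callers that escape later)
function parse_quoted_attrs(string $attr, bool $keep = true): array {
    $out = [];
    preg_match_all('/([a-zA-Z][-\w]*)\s*=\s*("[^"]*"|\'[^\']*\'|\S+)/',
                   $attr, $matches, PREG_SET_ORDER);
    foreach ($matches as $pair) {
        $name  = strtolower($pair[1]);
        $value = trim($pair[2], "\"'");
        if ($keep) {
            // double_encode=false: an existing "&amp;" stays "&amp;" rather
            // than becoming "&amp;amp;", which is the regression 2.2.137 fixed.
            $escaped = htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false);
            $value   = keep_placeholder($escaped);
        }
        $out[$name] = $value;
    }
    return $out;
}

// Constructed sample input: a pre-encoded entity, an unquoted value, and
// a value containing characters that must never reach the output raw.
$sample = 'title="Tom &amp; Jerry" class=note alt="say &quot;hi&quot; <b>"';

print_r(parse_quoted_attrs($sample));        // placeholders for each value
print_r($KeptValues);                         // escaped text behind them
print_r(parse_quoted_attrs($sample, false));  // legacy: values returned raw

// Side by side: the default double_encode=true is what produced "&amp;amp;".
echo htmlspecialchars('Tom &amp; Jerry', ENT_QUOTES, 'UTF-8'), "\n";
echo htmlspecialchars('Tom &amp; Jerry', ENT_QUOTES, 'UTF-8', false), "\n";
```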