* Escape HTML in the location field of a calendar event post
- This allowed script tags to be interpreted in the post display of an event.
* Add form security token check to /admin/phpinfo module
- This prevents basic XSS attacks against /admin/phpinfo
* Add form security token check to /babel module
- This prevents basic XSS attacks against /babel
* Prevent pass-through for attachments
- This addresses a straightforward Reflected XSS vulnerability if a malicious HTML/Javascript file is attached to a post through upload
* Prevent overwriting cid on event edit
- This allowed to share an event as any other user after zeroing the cid field of an existing event
Hypolite Petovan
Michael
Hypolite Petovan