indico v2.3.5 Release Notes

Released on May 11, 2021
Security fixes

- Fix XSS vulnerabilities in the category picker (via category titles), the location widget (via room and venue names defined by an Indico administrator) and the "Indico Weeks View" timetable theme (via contribution/break titles defined by an event organizer). Since none of these objects can be created by untrusted users on a properly configured instance, we consider the severity of this vulnerability "minor" (:pr:4897). Note that the rating rests on that qualifier: on an instance where event creation is open to all logged-in users, contribution and break titles are effectively user-controlled and the update should be treated as more urgent.
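The bug class behind the fix above, as an added example that is not Indico's own code: an administrator- or organizer-controlled title is interpolated straight into widget markup, and the fix is to HTML-escape every interpolated value before the browser parses it. The function names, the `category-option`/`category-picker` class names and the sample title are hypothetical and constructed for this illustration.

```javascript
// Added example (not Indico's own code): stored XSS through a trusted-role
// title in a client-side widget, beside the escaped rendering that fixes it.
// All names below are hypothetical; SAMPLE_TITLE is constructed.

// Constructed sample title: ordinary text containing characters that matter to
// an HTML parser, plus an event-handler payload that fires as soon as the tag
// is parsed (no user interaction needed).
const SAMPLE_TITLE =
  'Physics & "Astro" <img src=x onerror=alert(document.cookie)>';

// Escape the characters that can break out of an HTML text node or a
// double-quoted attribute value. '&' must be replaced first, otherwise the
// entities produced by the later replacements would be escaped again.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the title is dropped into a template literal that the
// widget later assigns to innerHTML. The sample title breaks out of both the
// title="" attribute and the text node, and the <img onerror> executes.
function renderCategoryOptionUnsafe(category) {
  return `<li class="category-option" title="${category.title}">${category.title}</li>`;
}

// Fixed pattern: each interpolated value is escaped exactly once, in the same
// function that builds the markup, so the browser shows the title as text.
function renderCategoryOptionSafe(category) {
  const title = escapeHtml(category.title);
  return `<li class="category-option" title="${title}">${title}</li>`;
}

// Render a whole picker list the safe way; this is the string a widget would
// hand to the DOM.
function renderCategoryPickerSafe(categories) {
  const items = categories.map(renderCategoryOptionSafe).join('');
  return `<ul class="category-picker">${items}</ul>`;
}

// Check: list the tag names present in rendered markup other than the ones the
// template itself emits. A non-empty result means part of a value was parsed
// as markup, i.e. the payload survived rendering.
function foreignTagNames(html, allowed = ['ul', 'li']) {
  const names = new Set();
  for (const match of html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)) {
    const name = match[1].toLowerCase();
    if (!allowed.includes(name)) names.add(name);
  }
  return [...names].sort();
}

console.log('unsafe:', renderCategoryOptionUnsafe({ title: SAMPLE_TITLE }));
console.log('safe:  ', renderCategoryOptionSafe({ title: SAMPLE_TITLE }));
console.log('foreign tags (unsafe):', foreignTagNames(renderCategoryOptionUnsafe({ title: SAMPLE_TITLE })));
console.log('foreign tags (safe):  ', foreignTagNames(renderCategoryOptionSafe({ title: SAMPLE_TITLE })));
```

The escaped output still contains the literal text `onerror=`, which is the point: the value is preserved for display while no part of it is parsed as a tag. The same check applies to the other two sinks in the advisory (room/venue names, contribution/break titles): any value reaching markup through string concatenation needs the same escaping, or a DOM API such as `textContent` that never parses HTML.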
Internationalization

- New translation: Polish
- New translation: Mongolian
Improvements

- Add an option to not disclose the names of editors and commenters to submitters in the Paper Editing module (:issue:4829, :pr:4865)
Bugfixes

- Do not show soft-deleted long-lasting events in the category calendar (:pr:4824)
- Do not show management-related links in the editing hybrid view unless the user has access to them (:pr:4830)
- Fix error when assigning paper reviewer roles with notifications enabled and one of the reviewing types disabled (:pr:4838)
- Fix viewing timetable entries if you cannot access the event but can access a specific session inside it (:pr:4857)
- Fix viewing contributions if you cannot access the event but have explicit access to the contribution (:pr:4860)
- Hide the registration menu item if you cannot access the event and registrations are not exempt from event access checks (:pr:4860)
- Fix inadvertently deleting a file uploaded during the "make changes" Editing action, which resulted in the revision sometimes still referencing the file even though it had been deleted from storage (:pr:4866)
- Fix sorting abstracts by date (:pr:4877)
Internal Changes

- Add before_notification_send signal (:pr:4874, thanks :user:omegak)