update changelog

Signed-off-by: Andy Miller <rhuk@mac.com>
Add isindex to XSS dangerous tags (CVE-2023-31506 / GHSA-h85h-xm8x-vfw7)
2025-12-05 15:29:57 +01:00 · 2025-11-29 21:18:57 -07:00 · 2025-11-29 21:07:23 -07:00
3 changed files with 19 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,20 @@
+# v1.8.0-beta.27
+## mm/dd/2025
+
+1. [](#improved)
+    * Hardened Twig sandbox with expanded blacklist blocking 150+ dangerous functions and attack patterns
+    * Added static regex caching in Security class for improved performance
+    * Added path traversal protection to backup root configuration
+    * Added validation for language codes to prevent regex injection DoS
+1. [](#bugfix)
+    * Fixed path traversal vulnerability in username during account creation
+    * Fixed username uniqueness bypass allowing duplicate accounts
+    * Fixed arbitrary file read via `read_file()` Twig function
+    * Fixed DoS via malformed cron expressions in scheduler
+    * Fixed password hash exposure to frontend via JSON serialization
+    * Fixed email disclosure in user edit page title
+    * Fixed XSS via `isindex` tag bypass (CVE-2023-31506)
+
 # v1.8.0-beta.26
 ## 11/29/2025

--- a/system/config/security.yaml
+++ b/system/config/security.yaml
@@ -31,6 +31,7 @@ xss_dangerous_tags:
  - bgsound
  - title
  - base
+  - isindex
 uploads_dangerous_extensions:
  - php
  - php2
--- a/system/defines.php
+++ b/system/defines.php
@@ -9,7 +9,7 @@

 // Some standard defines
 define('GRAV', true);
-define('GRAV_VERSION', '1.8.0-beta.26');
+define('GRAV_VERSION', '1.8.0-beta.27');
 define('GRAV_SCHEMA', '1.8.0_2025-09-21_0');
 define('GRAV_TESTING', true);