From version 27.5
edited by Sergiu Dumitriu
on 2010/10/25
To version 27.6
edited by Sergiu Dumitriu
on 2010/10/25
Change comment: Merged two Security sections

Page properties
Content
... ... @@ -226,15 +226,13 @@
226 226  
227 227  == Security improvements ==
228 228  
229 -Fixed a few XSS bugs, fixed a broken check on rights from the Rest system, fixed a missing author update when editing classes.
230 -
231 -== Various Security improvements ==
232 -
233 233  Continuing a push for better security started this summer, 2.5 fixes some of the few remaining cross-site scripting and SQL injections holes, and tightens the scope of programming rights. Of particular concern:
234 234  
235 235  * With a default skin, the panels and the bottom tabs can no longer use restricted APIs.
236 236  * To explicitly drop programming rights, a new API method was introduced: ##$xcontext.dropPermissions()##
237 237  * An experimental Cross-Site Request Forgery prevention mechanism is included, though not enabled by default. To enable it and test/upgrade your custom applications for compatibility, edit ##xwiki.properties## and flip on the ##core.csrf.enabled## setting.
234 +* Fixed a broken check on rights from the Rest system
235 +* Fixed a missing author update when editing classes.
238 238  
239 239  == Translations ==
240 240  
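Review bot: the two appended bullets (new lines 234 and 235) are punctuated inconsistently, and "Rest" should be spelled "REST" since it names the API; suggest "* Fixed a broken rights check in the REST API." and keep the trailing period on the classes bullet. The list they join is introduced by "Of particular concern:" as a description of tightened programming-rights scope, so two bug-fix bullets read slightly out of place there; a short separate sentence after the list ("This release also fixes a broken rights check in the REST API and a missing author update when editing classes.") would keep the list about scope changes. Dropping "Fixed a few XSS bugs" from the removed line 229 loses nothing, as the retained paragraph at 233 already states that 2.5 fixes remaining cross-site scripting holes, and the merge correctly removes the duplicated "Various Security improvements" heading.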
