Changes for page Release Notes for XWiki Enterprise 2.5
Last modified by Thomas Mortagne on 2017/03/24
Change comment:
Merged two Security sections
Summary
Page properties (1 modified, 0 added, 0 removed)
Details
- Page properties
- Content
... ... @@ -226,15 +226,13 @@ 226 226 227 227 == Security improvements == 228 228 229 -Fixed a few XSS bugs, fixed a broken check on rights from the Rest system, fixed a missing author update when editing classes. 230 - 231 -== Various Security improvements == 232 - 233 233 Continuing a push for better security started this summer, 2.5 fixes some of the few remaining cross-site scripting and SQL injections holes, and tightens the scope of programming rights. Of particular concern: 234 234 235 235 * With a default skin, the panels and the bottom tabs can no longer use restricted APIs. 236 236 * To explicitly drop programming rights, a new API method was introduced: ##$xcontext.dropPermissions()## 237 237 * An experimental Cross-Site Request Forgery prevention mechanism is included, though not enabled by default. To enable it and test/upgrade your custom applications for compatibility, edit ##xwiki.properties## and flip on the ##core.csrf.enabled## setting. 234 +* Fixed a broken check on rights from the Rest system 235 +* Fixed a missing author update when editing classes. 238 238 239 239 == Translations == 240 240
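Review bot: The two bullets added at new lines 234-235 are inconsistent with each other and with the rest of the list: "Fixed a broken check on rights from the Rest system" has no trailing period while the next bullet does, and "Rest" should be written "REST". They are also appended under "Of particular concern:", after the CSRF item, although the three existing bullets describe hardening changes an administrator has to act on or can opt into, whereas these two are past-tense bug fixes; consider putting them in a short sentence after the list, or rewording them to match (for example "The REST system now checks rights correctly."). The removed "Fixed a few XSS bugs" clause is covered by the paragraph's "fixes some of the few remaining cross-site scripting" wording, so nothing is lost there, but while this paragraph is being touched, "SQL injections holes" should read "SQL injection holes". Neither fix bullet points to an issue, so a reader cannot tell which rights check or which class-editing path was affected; adding the issue links would make the entry verifiable.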