
Releases: vapor/leaf-kit

1.14.2 - Properly HTML-escape collection values (GHSA-6jj5-j4j8-8473)

14 Mar 01:02
6044b84


⚠️ SECURITY UPDATE ⚠️

This release addresses a security issue where HTML escaping was not applied to Leaf variable substitutions that referenced array or dictionary data. This allowed XSS attacks if the content of such data was at least partially under user control.

For more details, see the security advisory: GHSA-6jj5-j4j8-8473.

Thanks to @iCMDdev for reporting this!

Full Changelog: 1.14.1...1.14.2

1.14.1

18 Feb 09:00
e84a3d1


⚠️ Security Update ⚠️

This release fixes a security issue where HTML escaping could be bypassed using Unicode extended grapheme clusters.
For example, a quotation mark followed by a combining acute accent (U+0022 + U+0301) forms a single extended grapheme cluster that Swift treats as different from the standalone " character, causing the escaping function to skip it.
HTML, on the other hand, treats them as separate code points (" + ´) and interprets the quotation mark as a single character. This would therefore allow XSS injection attacks. The escaping function now operates at the Unicode scalar level to properly escape all HTML special characters.

For more details see GHSA-4hfh-fch3-5q7p. Thanks to @bawolff for reporting this!
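
The mismatch described above, as an added Swift illustration (not LeafKit's own escaping code; the function names and the sample value are constructed for this example). It compares an escaper that matches whole `Character`s with one that matches Unicode scalars:

```swift
// Added illustration; not LeafKit's implementation. Names are hypothetical.
let characterMap: [Character: String] = [
    "&": "&amp;", "<": "&lt;", ">": "&gt;", "\"": "&quot;", "'": "&#39;",
]
let scalarMap: [Unicode.Scalar: String] = [
    "&": "&amp;", "<": "&lt;", ">": "&gt;", "\"": "&quot;", "'": "&#39;",
]

/// Weak form: iterates Characters (extended grapheme clusters), so a special
/// character fused with a combining mark never equals a key in the map.
func escapeByCharacter(_ input: String) -> String {
    var out = ""
    for ch in input {
        if let entity = characterMap[ch] { out += entity } else { out.append(ch) }
    }
    return out
}

/// Hardened form: iterates Unicode scalars, the same unit an HTML parser sees.
func escapeByScalar(_ input: String) -> String {
    var out = ""
    for scalar in input.unicodeScalars {
        if let entity = scalarMap[scalar] {
            out += entity
        } else {
            out.unicodeScalars.append(scalar)
        }
    }
    return out
}

// Constructed sample: "a", then U+0022 + U+0301 (one grapheme cluster), then "b".
let value = "a\"\u{301}b"
let quote: Unicode.Scalar = "\""

let weak = escapeByCharacter(value)
let hardened = escapeByScalar(value)

// Swift counts three Characters; the middle one is not equal to a bare quote.
precondition(value.count == 3)
// The weak escaper leaves the raw U+0022 scalar in the output.
precondition(weak.unicodeScalars.contains(quote))
// The scalar-level escaper replaces it and carries the accent over unchanged.
precondition(!hardened.unicodeScalars.contains(quote))
precondition(hardened == "a&quot;\u{301}b")
```

A regression test for an escaper can use the same check: after escaping, no special character should remain in the output's `unicodeScalars` view, regardless of which combining marks follow it.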

Full Changelog: 1.14.0...1.14.1

1.14.0 - Fix build error with NIO 2.86.1 and bump minimum Swift version

22 Sep 19:27
0c325fc


What's Changed

Fix build error with NIO 2.86.1 and bump minimum Swift version by @gwynne in #142

Fixes the incorrect import of the non-underscored NIOFileSystem module; we now correctly import _NIOFileSystem. The minimum Swift version requirement is now 6.0, thanks to the release of Swift 6.2.0.

Closes #141.

This patch was released by @gwynne

Full Changelog: 1.13.1...1.14.0

1.13.1 - Fix comparisons between non-`nil` values and `nil`

17 Apr 22:56
cf186d8


What's Changed

Fix comparisons between non-nil values and nil by @gwynne in #138

The changes in #135 introduced a nasty bug where conditions of the form #if (value == nil) or #if (value != nil) would incorrectly treat nil as equal to any non-nil value. Unfortunately, there was no test for this case, so the problem was not caught. This fixes the issue and adds the missing test.

This patch was released by @gwynne

Full Changelog: 1.13.0...1.13.1

1.13.0 - Sendable fixes and other cleanup

02 Apr 14:27
73f4ad4


What's Changed

Sendable fixes and other cleanup by @gwynne in #135

The big changes in this PR are making the code Sendable-clean and minimally strict Concurrency-correct (emphasis on “minimally”, there’s still a bunch of stuff with futures going on). Accordingly with the release of Swift 6.1, the package also now requires a minimum version of Swift 5.10.

Additional changes:

  • README and docs appearance updated.
  • Enabled Android CI.
  • Replaced the convoluted “performant” HTML escaping logic with straightforward string replacement calls which turn out to actually be more performant than the circa Swift 4.2 unsafe pointer stuff.
  • Fixed the tests so they no longer fail if run on a machine set to a timezone where DST is currently in effect. Tests also no longer use EventLoopFuture.wait().
  • A pass across the board for basic style, formatting, and readability. There’s a bit less force-unwrapping going around for good measure.


This patch was released by @gwynne

Full Changelog: 1.12.0...1.13.0

1.12.0 - Update to Swift 5.9

22 Jan 15:25
902c512


What's Changed

Update to Swift 5.9 by @fpseverino in #134

  • Update swift-tools-version to 5.9
  • Add common swiftSettings to targets
  • Fix unhandled files warnings
    • Templates folder in test target; added to target’s resources
    • Docs.docc folder in main target; updating swift-tools-version fixes it
  • Lock was deprecated in favour of NIOLock
  • Add MUSL and iOS in CI

This patch was released by @0xTim

Full Changelog: 1.11.1...1.12.0

1.11.1 - Fix and add tests for `requireBody()` and `requireNoBody()`

03 Sep 12:05
d0ca441


What's Changed

Fix and add tests for requireBody() and requireNoBody() by @fpseverino in #133

Issue #123

  • Fix and add tests for requireBody() and requireNoBody()

This patch was released by @0xTim

Full Changelog: 1.11.0...1.11.1

1.11.0 - Add support for time zones in `DateTag`.

09 Jul 13:55
c04e547


What's Changed

Add support for time zones in DateTag. by @fpseverino in #131

Adds an additional parameter to DateTag that takes a time zone ID and uses it to set the timeZone property of the DateFormatter.

For example (as you can see in the added tests):

The date is #date(now, "yyyy-MM-dd'T'HH:mm", "America/New_York")

will be three hours ahead of:

The date is #date(now, "yyyy-MM-dd'T'HH:mm", "America/Los_Angeles")

This patch was released by @0xTim

Full Changelog: 1.10.6...1.11.0

1.10.6 - Allow escaped quotes in tag parameters

13 May 13:31
547e48c


What's Changed

Allow escaped quotes in tag parameters by @roya1v in #124

Allows escaped quotes in tag parameters so you can do something like #myCustomTag("this \"thing\" is cool")

Solves #122

This patch was released by @0xTim

Full Changelog: 1.10.5...1.10.6

1.10.5 - Fix crash with missing parameter

20 Mar 18:12
f6a08a1


What's Changed

Fix crash with missing parameter by @b-nassler in #130

This line https://github.com/vapor/leaf-kit/blob/main/Sources/LeafKit/LeafParser/LeafParser.swift#L203
would cause a crash when no parameters are found

Fixed issue that led to a crash when parameters would be empty in line https://github.com/vapor/leaf-kit/blob/main/Sources/LeafKit/LeafParser/LeafParser.swift#L203


This patch was released by @0xTim

Full Changelog: 1.10.4...1.10.5