Skip to content

Commit c0c5cb8

Browse files
zpaozpao
committed
Changelog, blog post for 0.5.2, 0.4.2
1 parent aabfe79 commit c0c5cb8

File tree

2 files changed

+30
-0
lines changed

2 files changed

+30
-0
lines changed

CHANGELOG.md

+7
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,10 @@
1+
## 0.5.2, 0.4.2 (December 18, 2013)
2+
3+
### React
4+
5+
* Fixed a potential XSS vulnerability when using user content as a `key`: [CVE-2013-7035](https://groups.google.com/forum/#!topic/reactjs/OIqxlB2aGfU)
6+
7+
18
## 0.5.1 (October 29, 2013)
29

310
### React

docs/_posts/2013-12-18-react-v0.5.2-v0.4.2.md

+23
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
---
2+
title: "React v0.5.2, v0.4.2"
3+
layout: post
4+
author: Paul O'Shannessy
5+
---
6+
7+
Today we're releasing an update to address a potential XSS vulnerability that can arise when using user data as a `key`. Typically "safe" data is used for a `key`, for example, an id from your database, or a unique hash. However there are cases where it may be reasonable to use user generated content. A carefully crafted piece of content could result in arbitrary JS execution. While we make a very concerted effort to ensure all text is escaped before inserting it into the DOM, we missed one case. Immediately following the discovery of this vulnerability, we performed an audit to ensure we this was the only such vulnerability.
8+
9+
This only affects v0.5.x and v0.4.x. Versions in the 0.3.x family are unaffected.
10+
11+
Updated versions are available for immediate download via npm, bower, and on our [download page][download].
12+
13+
We take security very seriously at Facebook. For most of our products, users don't need to know that a security issue has been fixed. But with libraries like React, we need to make sure developers using React have access to fixes to keep their users safe.
14+
15+
While we've encouraged responsible disclosure as part of [Facebook's whitehat bounty program][bounty] since we launched, we don't have a good process for notifying our users. Hopefully we don't need to use it, but moving forward we'll set up a little bit more process to ensure the safety of our users. Ember.js has [an excellent policy][ember] which we may use as our model.
16+
17+
You can learn more about the vulnerability discussed here: [CVE-2013-7035][cve].
18+
19+
[download]: http://facebook.github.io/react/downloads.html
20+
[bounty]: https://www.facebook.com/whitehat/
21+
[ember]: http://emberjs.com/security/
22+
[cve]: https://groups.google.com/forum/#!topic/reactjs/OIqxlB2aGfU
23+

0 commit comments

Comments
 (0)