
Ghost Release: 0.11.14

Tag Name: 0.11.14

Release Date: 11/7/2018

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost 0.11.14: Security and Bug Fix Release

This minor release fixes several security vulnerabilities and bugs: URL redirect handling on private sites, and missing sanitization in the subscriber form and in user invitation email notifications. The update addresses potential XSS vulnerabilities and changes private sites to redirect only to local pathnames, making Ghost more secure and stable for all users.

Highlight of the Release

    • Fixed security vulnerabilities in subscriber form handling
    • Improved URL sanitization for user invitation emails
    • Enhanced redirect handling for private sites
    • Fixed timezone-related test failures

Migration Guide

No migration steps are required for this release. This is a drop-in replacement that focuses on security and bug fixes without introducing breaking changes.

Upgrade Recommendations

This release contains important security fixes that address potential XSS vulnerabilities. All Ghost users should upgrade to version 0.11.14 as soon as possible to ensure their sites are protected against these security issues.

The upgrade process should be straightforward with no breaking changes or special migration steps required.

Bug Fixes

  • Private Sites Redirect Issue: Fixed a problem where private sites were incorrectly redirecting to full URLs instead of just the pathname. The code now properly parses redirects using the blog as the base and redirects to the pathname property of the parsed URL. (#9960)

  • Query Parameter Handling: Resolved an issue where the code incorrectly assumed that if there were no query parameters, there would be no query object. The logic has been refactored to explicitly check for the existence of an "r" query parameter.

  • Sanitization in Subscribers: Added proper sanitization to subscribed_url & subscribed_referrer fields when rendering error states, preventing potential XSS vulnerabilities.

  • User Invitation Email Sanitization: Fixed sanitization of user invited emails for notification messages to prevent potential security issues.

  • Test Failures Due to DST: Fixed timezone-related test failures in listeners_spec.js by making timezone offsets dynamic, resolving issues related to Daylight Saving Time changes (#9188).
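The private-site redirect and query-parameter fixes described above, as an added illustration (not Ghost's own code): the "r" parameter is checked explicitly, resolved against an assumed blog URL, and only the resulting pathname is used, so an absolute or protocol-relative value can never send the visitor off-site.

```javascript
// Added example, not Ghost's code. BLOG_URL is an assumed base URL.
const BLOG_URL = 'https://blog.example.com/';

// Returns the local path a private-site sign-in should redirect to.
// `query` is the parsed query-string object (may be undefined).
function safeRedirectTarget(query, blogUrl = BLOG_URL) {
  // Check for the "r" parameter itself rather than assuming the query
  // object is absent when no parameters were sent.
  if (!query || typeof query.r !== 'string' || query.r === '') {
    return '/';
  }

  let parsed;
  try {
    // Relative values resolve against the blog URL; absolute or
    // protocol-relative values parse as-is, but only the pathname is kept.
    parsed = new URL(query.r, blogUrl);
  } catch (e) {
    // Unparseable input falls back to the site root.
    return '/';
  }

  return parsed.pathname;
}

// Constructed sample inputs showing local paths survive and
// off-site targets are reduced to their path component.
const samples = [
  { r: '/welcome/' },
  { r: 'https://other.example/elsewhere' },
  { r: '//other.example/elsewhere' },
  {},
];
for (const q of samples) {
  console.log(JSON.stringify(q), '->', safeRedirectTarget(q));
}
```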

New Features

No significant new features were introduced in this release. This is primarily a security and bug fix release.

Security Updates

  • Subscriber Form Sanitization: Added proper sanitization to subscribed_url & subscribed_referrer fields when rendering error states, preventing potential XSS attacks through maliciously crafted URLs.

  • User Invitation Email Sanitization: Improved the sanitization of email addresses in user invitation notifications, preventing potential security vulnerabilities.

  • Private Sites URL Handling: Enhanced the security of private sites by improving how redirects are handled, ensuring that only pathnames are used rather than potentially unsafe full URLs.

Performance Improvements

No specific performance improvements were mentioned in this release. The focus was primarily on security enhancements and bug fixes.

Impact Summary

Ghost 0.11.14 is a security-focused maintenance release that addresses several important vulnerabilities and bugs. The most significant impact is the improvement in security against XSS attacks through better sanitization of user inputs in subscriber forms and invitation emails.

The fixes for private sites improve reliability by ensuring redirects are handled properly, using only pathnames rather than full URLs. This creates a more predictable and secure experience for sites using the private mode feature.

While this release doesn't introduce new features or performance improvements, it strengthens Ghost's security posture and fixes several bugs that could affect the stability and security of Ghost installations. The changes are particularly important for sites that use subscriber features or private site functionality.

Full Release Notes

  • 🐛 Fixed sanitization of user invited emails for notification message
  • 🐛 Fixed redirect issue with private sites
  • 🐛 Fixed sanitization issue in subscribers
  • 🐛 Updated private-sites to not redirect to full urls

You can see the full change log for the details of every change included in this release.

Statistics:

Files changed: 6
Line additions: 41
Line deletions: 13
Line changes: 54
Total commits: 6

Users Affected:

  • Improved security for subscriber management with better sanitization of URLs
  • Enhanced security for user invitation emails
  • More reliable private site functionality with fixed redirect handling

Contributors:

kirrg001
naz