Apostrophe 2.119.1: security fix for CSRF vulnerability in "nlbr" and "nlp" Nunjucks filters #3115
boutell announced in Announcements
Fixed in Apostrophe 2.119.1:

The nlbr and nlp Nunjucks filters that Apostrophe provides in Nunjucks templates marked their output as safe, to preserve the tags they added, without first escaping their input, creating a CSRF risk. These filters have been updated to escape their input unless it has already been marked safe. No code changes are required to templates whose input to the filter is intended as plaintext. However, if you were intentionally leveraging this bug to output unescaped HTML markup, you will need to make sure your input is free of CSRF risks and then use the | safe filter before the | nlbr or | nlp filter. If you are not using these Nunjucks filters, you are not at risk.
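The following is an added example, not Apostrophe's or Nunjucks' own code: a dependency-free model of the nlbr and nlp filters that shows the pre-2.119.1 behaviour (output marked safe, input never escaped) beside the fixed behaviour (input escaped unless already marked safe). SafeString here stands in for the Nunjucks runtime type that the | safe filter produces; the filter bodies and the sample input are constructed for illustration.

```javascript
// Stand-in for Nunjucks' SafeString (what "| safe" wraps a value in).
class SafeString {
  constructor(value) { this.value = String(value); }
  toString() { return this.value; }
}

// Same character table Nunjucks autoescape uses.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[ch]);
}

function normalizeNewlines(str) {
  return String(str).replace(/\r\n/g, '\n');
}

// Pre-2.119.1 shape of the bug: the result is marked safe so the added
// <br /> tags survive autoescape, but the input itself is never escaped,
// so any markup inside the input reaches the rendered page as markup.
function nlbrVulnerable(input) {
  return new SafeString(normalizeNewlines(input).replace(/\n/g, '<br />\n'));
}

// 2.119.1 rule: escape the input unless the template already marked it safe.
function escapeUnlessSafe(input) {
  return input instanceof SafeString ? input.toString() : escapeHtml(input);
}

// Fixed nlbr: escape first, then add tags, then mark the result safe.
function nlbr(input) {
  return new SafeString(normalizeNewlines(escapeUnlessSafe(input)).replace(/\n/g, '<br />\n'));
}

// Fixed nlp: blank-line separated blocks become <p> elements, same escaping rule.
function nlp(input) {
  const paragraphs = normalizeNewlines(escapeUnlessSafe(input))
    .split(/\n\s*\n/)
    .map((p) => p.trim())
    .filter((p) => p.length > 0);
  return new SafeString(paragraphs.map((p) => `<p>${p}</p>`).join('\n'));
}

// Constructed sample: a plaintext field whose value happens to contain markup.
const untrusted = 'Hi <b>there</b>\nline two';
console.log(nlbrVulnerable(untrusted).toString());       // markup passes through
console.log(nlbr(untrusted).toString());                 // markup is escaped
console.log(nlbr(new SafeString(untrusted)).toString()); // "| safe | nlbr" keeps it
```

Templates whose filter input is plaintext get the escaped form automatically; only input explicitly passed through | safe first is left as markup.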