Package: spip / 3.0.17-2+deb8u4

Metadata

Package Version Patches format
spip 3.0.17-2+deb8u4 3.0 (quilt)

Patch series

Patch File delta Description
0001 Fix created directories and files default rights.patch | (download)

ecrire/inc_version.php | 2 1 + 1 - 0 !
plugins-dist/svp/teleporter/http_deballe_zip.php | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 fix created directories and files default rights

0002 Use php html safe.patch | (download)

plugins-dist/safehtml/inc/safehtml.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 use php-html-safe

Upstream uses its own copy.

0003 No next upstream version display in private area.patch | (download)

ecrire/inc/presentation_mini.php | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 no next upstream version display in private area

No need to link to the next upstream version.

0004 Fix displayed version in the private interface.patch | (download)

ecrire/inc_version.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix displayed version in the private interface

Make it obvious it's a Debian (patched) version.

0005 Fix XSS in private content.patch | (download)

ecrire/inc/texte.php | 7 7 + 0 - 0 !
ecrire/inc/texte_mini.php | 43 40 + 3 - 0 !
plugins-dist/revisions/inc/revisions.php | 3 3 + 0 - 0 !
plugins-dist/revisions/prive/squelettes/contenu/revision.html | 6 3 + 3 - 0 !
prive/squelettes/ajax.html | 2 1 + 1 - 0 !
prive/squelettes/head/dist.html | 2 1 + 1 - 0 !
prive/squelettes/structure.html | 4 2 + 2 - 0 !
7 files changed, 57 insertions(+), 10 deletions(-)

 fix xss in private content

Bug: https://core.spip.net/issues/3371
0006 Fix XSS from iframe in private content.patch | (download)

plugins-dist/textwheel/wheels/spip/echappe-js.php | 39 39 + 0 - 0 !
plugins-dist/textwheel/wheels/spip/echappe-js.yaml | 48 48 + 0 - 0 !
plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml | 3 2 + 1 - 0 !
3 files changed, 89 insertions(+), 1 deletion(-)

 fix xss from iframe in private content

Bug: https://core.spip.net/issues/1994, https://core.spip.net/issues/1998
0007 Fix objects injection via unserialize.patch | (download)

ecrire/inc/filtres.php | 22 17 + 5 - 0 !
1 file changed, 17 insertions(+), 5 deletions(-)

 fix objects injection via unserialize

Bug: https://core.spip.net/issues/3680
0008 Increase sanitizing to fix PHP code injection.patch | (download)

ecrire/inc/filtres.php | 13 13 + 0 - 0 !
1 file changed, 13 insertions(+)

 increase sanitizing to fix php code injection

0009 Update security screen.patch | (download)

config/ecran_securite.php | 216 145 + 71 - 0 !
1 file changed, 145 insertions(+), 71 deletions(-)

 update security screen


0010 Report de r23063 Sanitizer controler les entree four.patch | (download)

ecrire/exec/valider_xml.php | 21 20 + 1 - 0 !
1 file changed, 20 insertions(+), 1 deletion(-)

 backport of r23063: sanitize/check the inputs supplied to
 valider_xml_ok (Thomas Chauchefoin)

0011 ne pas permettre n importe quoi en url de site Tim C.patch | (download)

plugins-dist/forum/formulaires/forum_prive.php | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 do not allow arbitrary values as the site URL (Tim Coen)

0012 Report de r23151 Eviter d accepter n importe quoi da.patch | (download)

ecrire/index.php | 8 8 + 0 - 0 !
ecrire/public/aiguiller.php | 5 3 + 2 - 0 !
2 files changed, 11 insertions(+), 2 deletions(-)

 backport of r23151: avoid accepting arbitrary values in the
 private-area redirects (Tim Coen)

0013 l URL de rappel de mot de passe doit etre une URL sa.patch | (download)

squelettes-dist/formulaires/oubli.php | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 the password reminder URL must be a safe URL,
 so it is forced to the adresse_site set in the site configuration

0014 Eviter des illegal offset si l utilisateur n est pas.patch | (download)

ecrire/inc/minipres.php | 8 6 + 2 - 0 !
1 file changed, 6 insertions(+), 2 deletions(-)

 avoid "illegal offset" errors when the user is not logged in
 (already fixed in 3.1).

0015 Fix 3831 report de r23141 et r23148.patch | (download)

ecrire/inc/minipres.php | 4 4 + 0 - 0 !
ecrire/inc/utils.php | 4 3 + 1 - 0 !
2 files changed, 7 insertions(+), 1 deletion(-)

 fix #3831: backport of r23141 and r23148

0016 Report de r23179 ne pas afficher l url brute venant .patch | (download)

ecrire/exec/valider_xml.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 backport of r23179: do not display the raw URL coming from the request
 (Nicolas CHATELAIN)

0017 Report de r23180 pas d url absolue dans var_url Nico.patch | (download)

ecrire/exec/valider_xml.php | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 backport of r23180: no absolute URL in var_url (Nicolas
 CHATELAIN)

Origin: upstream, https://core.spip.net/projects/spip/repository/revisions/23184

0018 Report de r23185 Eviter aussi les urls absolues wind.patch | (download)

ecrire/exec/valider_xml.php | 16 7 + 9 - 0 !
1 file changed, 7 insertions(+), 9 deletions(-)

 backport of r23185: also reject Windows absolute URLs such as c:\xxx and
 remove the obsolete onfocus in favour of a harmless placeholder (Nicolas
 Chatelain)

0019 Report de r23186 echapper les guillemets dans les no.patch | (download)

ecrire/public/compiler.php | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 backport of r23186: escape quotes in file names so as not to generate
 invalid code (Nicolas Chatelain)

0020 Report de r23200 exec valider_xml n est executable q.patch | (download)

ecrire/exec/valider_xml.php | 96 69 + 27 - 0 !
1 file changed, 69 insertions(+), 27 deletions(-)

 backport of r23200:
 - ?exec=valider_xml can only be run by webmasters
 - var_url must not contain ../../ nor ..\..\ (Windows)
 - it only triggers an action if a var_token is supplied that matches
   either the signature of the action in POST or the signature of
   action+var_url in GET. This prevents the validator from being launched
   through a malicious link sent to the webmaster of a site one has no
   access to (CSRF)

(Nicolas Chatelain)

0021 Fix 3845 s curiser les exec info_plugin et puce_stat.patch | (download)

ecrire/exec/info_plugin.php | 2 1 + 1 - 0 !
ecrire/exec/puce_statut.php | 4 2 + 2 - 0 !
2 files changed, 3 insertions(+), 3 deletions(-)

 fix #3845: secure the info_plugin and puce_statut exec scripts

thanks to felixk3y of PKAV Team for the report

0022 Fix 3847 s curiser exec plonger.patch | (download)

ecrire/exec/plonger.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix #3847: secure exec plonger

thanks to xiaoL for the report

0023 chapper le contenu de l ent te.patch | (download)

ecrire/public/balises.php | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 escape the content of the header

0024 Report de r23696 Securiser l URL qu on insere sur le.patch | (download)

ecrire/public/assembler.php | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 backport of r23696: secure the URL inserted into anchors when using
 tree-style (arborescentes) URLs (xdjuj)


0025 Report de r23707 Securiser les URLs renvoyees par se.patch | (download)

ecrire/inc/utils.php | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 backport of r23707: secure the URLs returned by self() and #self,
 which are often re-injected into the HTML (Jarrod Farncomb)

0026 Report de r23710 Echapper le charset dans le message.patch | (download)

prive/formulaires/configurer_transcodeur.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 backport of r23710: escape the charset in the error message
 (Jarrod Farncomb)

0027 Report de r23713 Permettre de passer le mode de filt.patch | (download)

ecrire/inc/texte.php | 25 17 + 8 - 0 !
1 file changed, 17 insertions(+), 8 deletions(-)

 backport of r23713: allow the filtering mode to be passed as the second
 argument of interdire_script,
 falling back to the value of the global otherwise (default behaviour
 unchanged)

0028 Report de r23716 Pas de onclick ni de popup JS dans .patch | (download)

ecrire/inc/presentation_mini.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 backport of r23716: no onclick and no JS popup in the footer

0029 Report de r23752 On ajoute sur le lien du pied de pa.patch | (download)

ecrire/inc/presentation_mini.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 backport of r23752: add a rel attribute (noopener noreferrer) to the
 private-area footer link

0030 Report de r23908 Prise en compte amelioree du flag p.patch | (download)

ecrire/exec/valider_xml.php | 21 13 + 8 - 0 !
1 file changed, 13 insertions(+), 8 deletions(-)

 backport of r23908: improved handling of the process flag