v4.5.15.23 release
Release date: October 17, 2024
v4.5.15.23 had nine improvements and 16 bug fixes.
Significant improvements
- Improved the security of image watermarking URL.
- Replaced *:* queries with ping&df=data. As a result, this change updates the query in dari/db/DefaultDatabasePing to a ping&df=data query. This correction introduced a breaking change described below.
- Made an adjustment to the SAML XML parser to prevent XML eXternal Entity (XXE) attacks.
- Made an improvement to increase security around generating API keys.
- Made an improvement to increase security around API requests.
- Made an improvement to increase security around creating new tool users and their passwords.
- Made an improvement to increase security around generating cookie signatures.
- Improved the speed of the database environment initialization process when stored legacy types contain references.
- Ensured that responses for GraphQL endpoints with a failed schema return the proper 500 error code.
Significant defects addressed
- Corrected an issue causing UrlBuilder to fail to decode a valid query parameter.
- Corrected an issue preventing the use of a header that returned an http site URL instead of an https site URL.
- Changed two usages of JspUtils#getAbsoluteUrl so that they use UrlBuilder.
- Corrected an issue causing an NPE in Board View when the user attempted to view abstract types in a Draft state.
- Improved security related to a jsoup library. This change introduced a breaking change on the third-party's end. See "Breaking Changes" for more information.
- Corrected an issue causing an RSS feed filter to not resolve feed sources if ending in a trailing slash.
- Corrected an issue preventing UrlBuilder from properly handling URL fragments.
- Corrected an issue causing some Spanish translations to be garbled.
- Updated Facebook oEmbed API to latest version.
- Corrected an issue enabling a user without permissions to Publish or Publish Override to be able to do so.
- Corrected an issue causing the Publish Override option to be available instead of the Publish option.
- Fixed a regression issue preventing some users from accessing Sites & Settings.
- Corrected an issue causing dynamic notes to replace existing notes if the content was the same.
- Corrected an issue preventing the proper display of images when querying and trying to import from external AP Images libraries.
- Fixed a regression issue causing Editorial Content Type fields named id to throw an error.
Breaking changes
- ping APIs have changed to throw Exception instead of Throwable. Implementations should be changed to reflect this.
- Changes were made to remain current with jsoup; however, in doing so, library updates to whitespace handling may change textual content, like stripping spaces that were not previously stripped, vice versa, and other changes. Projects running versions that implement these changes (4.5.15.23, 4.5.27, 4.7.20, and 4.8.0) must address any potential issues surrounding this. The update is from 1.14.3 -> 1.17.3. See jsoup News and release notes for more information on how to resolve issues. Additional references can be found in jsoup’s Parser documentation and on their Issues repository.