Thymeleaf 3.0.15 — Release Notes
Thymeleaf 3.0.15 (3.0.15.RELEASE) has just been published.
This is a highly recommended security update with some bugfixing and feature changes.
Security improvements:
- Fixed inconsistent restricted variable access check due to caching.
- Improved detection of restricted expression execution scenarios.
- Improved detection of restricted usages of view names in direct request input.
This version should work as a drop-in replacement for 3.0.x versions. Have a look at our Download Page to learn how to obtain it.
If you are interested, you can have a look at the list of issues on GitHub, which usually contain more detailed explanations:
- thymeleaf: see milestone.
- thymeleaf-spring: see milestone.
Thymeleaf 3.0.14 — Release Notes
Thymeleaf 3.0.14 (3.0.14.RELEASE) has just been published.
This is a highly recommended security update with some bugfixing and feature changes.
Security improvements:
- Fixed inconsistent restricted variable access check due to caching.
- Improved detection of restricted expression execution scenarios.
- Improved detection of restricted usages of view names in direct request input.
This version should work as a drop-in replacement for 3.0.x versions. Have a look at our Download Page to learn how to obtain it.
If you are interested, you can have a look at the list of issues on GitHub, which usually contain more detailed explanations:
- thymeleaf: see milestone.
- thymeleaf-spring: see milestone.
Thymeleaf 3.0.13 — Release Notes
Thymeleaf 3.0.13 (3.0.13.RELEASE) has just been published.
This is a highly recommended security update with some bugfixing and feature changes.
Security improvements:
- Fixed CVE-2021-43466: Specific scenarios in template injection may lead to remote code execution.
Issues fixed:
- Fixed incorrect double-unescaping of request parameters breaking processing of forms during restricted mode checks.
- Fixed SpringStandardDialect not allowing the use of a custom IStandardConversionService.
This version should work as a drop-in replacement for 3.0.x versions. Have a look at our Download Page to learn how to obtain it.
If you are interested, you can have a look at the list of issues on GitHub, which usually contain more detailed explanations:
- thymeleaf: see milestone.
- thymeleaf-spring: see milestone.
Thymeleaf 3.0.12 — Release Notes
Thymeleaf 3.0.12 (3.0.12.RELEASE) has just been published.
This is a highly recommended security update with some bugfixing and feature changes.
Security improvements:
- Avoided instantiation of new objects and calls to static classes in restricted expression evaluation mode, both for OGNL and SpringEL-based scenarios.
- Users of Spring: Avoided execution of view names as fragment expressions when the view name is contained in the URL path or query parameters.
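The view-name item above concerns Spring controllers whose returned view name carries request input. The following is an added example, not code from the Thymeleaf project, showing that pattern beside a hardened form; the controller name, routes, and template names are hypothetical.

```java
import java.util.Map;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

// Hypothetical controller for illustration; not part of Thymeleaf or Spring.
@Controller
public class WelcomeController {

    // Constructed allowlist (Map.of requires Java 9+): each accepted request
    // value maps to a template name that is fixed in the source code.
    private static final Map<String, String> VIEWS = Map.of(
            "en", "welcome/en",
            "es", "welcome/es");

    private static final String DEFAULT_VIEW = "welcome/en";

    // Pattern the 3.0.12 change guards against: the returned view name
    // contains a query parameter, so request input reaches the place where
    // Thymeleaf may evaluate a view name as a fragment expression.
    // From 3.0.12 on, the release notes say such view names are no longer
    // executed; the controller should still not rely on that check alone.
    @GetMapping("/welcome-unsafe")
    public String welcomeUnsafe(@RequestParam("lang") String lang) {
        return "welcome/" + lang;
    }

    // Hardened form: request input only selects among known view names and
    // is never concatenated into the value handed to the view resolver.
    @GetMapping("/welcome")
    public String welcome(
            @RequestParam(name = "lang", defaultValue = "en") String lang) {
        return VIEWS.getOrDefault(lang, DEFAULT_VIEW);
    }
}
```

When auditing a code base after upgrading, controller methods that return a `String` built from `@RequestParam` or `@PathVariable` values are the ones to review first.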
Issues fixed:
- Fixed #numbers.format*(...) expression utility methods not producing numbers using the correct digit symbols for locales that use them (e.g. Farsi), in JDK versions where NumberFormat does this.
- Fixed package-list not being produced for JavaDoc since JDK 11 started being used for compiling the project.
- Users of Spring: Fixed memory leak at ThymeleafViewResolver in redirects to dynamically built URLs.
Feature changes:
- Users of Spring 5.x: Added encode() method to the #mvc.url(...) expression utility methods.
- Users of Spring 5.x and Spring WebFlow: Adapted support of WebFlow to Spring WebFlow 2.5 after changes in API (WebFlow 2.5.0+ is now required).
Dependency updates:
- OGNL updated to 3.1.26.
- Jackson updated to 2.11.3.
This version should work as a drop-in replacement for 3.0.x versions. Have a look at our Download Page to learn how to obtain it.
If you are interested, you can have a look at the list of issues on GitHub, which usually contain more detailed explanations:
- thymeleaf: see milestone.
- thymeleaf-spring: see milestone.
Thymeleaf 3.0.11 — Release Notes
Thymeleaf 3.0.11 (3.0.11.RELEASE) has just been published.
This is a maintenance release with some minor bugfixing for a couple of issues introduced with 3.0.10. These issues affected:
- Users of JPMS (Java Platform Module System): some Thymeleaf modules declared invalid module names.
- Users of Spring WebFlux.fn (functional side of Spring WebFlux): an exception was being thrown when templates using the SpringStandard dialect were rendered.
This version should work as a drop-in replacement for 3.0.x versions. Have a look at our Download Page to learn how to obtain it.
If you are currently using a version older than 3.0.10, please visit the release announcement for 3.0.10 in order to know more about new features.
If you are interested, you can have a look at the list of issues on GitHub, which usually contain more detailed explanations:
- thymeleaf: see milestone.
- thymeleaf-spring: see milestone.