kanboard

Security Improvements

• Added missing authorization checks in multiple controllers.
• Enforced project-level authorization checks where they were missing.
• Improved plugin security by enforcing installer checks in PluginController actions.
• Enabled Parsedown safe mode to add an extra layer of protection to Markdown rendering against unsafe content.
• Added CSRF protection for projec...

Security

• Fixed an LDAP injection issue by properly escaping placeholders in LDAP queries.
• Prevented protocol-relative URLs (//example.com) from being used as login redirect targets.
• Added a new TRUSTED_PROXY_NETWORKS configuration option to explicitly define trusted reverse proxy networks.
• Introduced an optional security feature to block private network access when fetching e...

• fix: handle Windows-style paths in sanitize_path function
• feat(locale): added missing German translation phrases
• feat(locale): added Arabic translation
• feat(api): add board, rss and ical public links to the API response
• feat: display sub-tasks completion in numbers (x/y) alongside percentage
• feat: add basic support for right-to-left (RTL) languages
• chore: update .gitattribute...

• refactor: add namespace to test files
• fix: the $escape parameter must be provided in PHP 8.4 for CSV functions
• fix: sanitize and validate uploaded files path
• fix: do not load RememberMeAuth provider when REMEMBER_ME_AUTH is false
• fix: avoid PHP warning when external user creation is disabled
• feat!: remove file cache driver to avoid using unserialize()
• feat!: ignore le...

• refactor: update return type in filter apply methods
• fix(security): prevent potential Host header injection via SERVER_NAME
  • You must specify the Kanboard application URL explicitly to generate correct URLs from email notifications. The default is http://localhost/.
• fix: make various PHP 8.x compatibility changes
• fix: avoid Implicitly nullable parameter declarations errors...