lucky v0.21.1 Release Notes

Release Date: 2020-05-08
  • 🚀 This is a release with a security fix. It only affects applications that use highlight, truncate or simple_format. These methods had the potential to be used for XSS attacks if input is not escaped first. However, the risk is mitigated because Lucky defaults cookies to be HTTP-only, so they cannot be read through JS. The cookie value itself is also encrypted and signed.

    ⬆️ It is not best practice to rely purely on HTTP-only cookies, so to be safe, we highly recommend upgrading to v0.21.1 as an extra layer of protection.

    👀 See more details in #1135