Zope 4.8.7 → 4.8.10
-------------------

- Allow only some image types to be displayed inline. Force download for others, especially SVG images. By default we use a list of allowed types. You can switch to a list of denied types by setting the OS environment variable ``OFS_IMAGE_USE_DENYLIST=1``. You can override the allowed list with the environment variable ``ALLOWED_INLINE_MIMETYPES`` and the disallowed list with ``DISALLOWED_INLINE_MIMETYPES``. Separate multiple entries by either comma or space. This change only affects direct URL access. works the same as before. (CVE-2023-42458) See security advisory.
- Tighten down the ZMI frame source logic to only allow site-local sources. Problem reported by Miguel Segovia Gil.
- Update RestrictedPython to version 5.4 to fix a potential security issue. (CVE-2023-41039)
- Update AccessControl to version 4.4 to fix a potential security issue. (CVE-2023-41050)
- Sanitize tainting, fixing #1095.
- Restore filename on code objects of objects returned from ``App.Extensions.getObject()``. This got lost in 4.0a6.
- Only set the response header ``Content-Type`` to ``text/html`` on exception views when the response has content. (#1089)

Update dependencies to the latest releases for each supported Python version.

plone.recipe.zope2instance: 6.12.0 → 6.12.1
-------------------------------------------

Documentation:

- Update README: for ``RotatingFileHandler``, ``maxCount`` is not a valid keyword argument. Use ``backupCount``. [gforcada] (#190)

plone.releaser: 1.8.8 → 1.8.9
-----------------------------

Bug fixes:

- Allow disabling the PyPI rights check, as it does not know how to check organisations. Set the environment variable ``PLONE_RELEASER_CHECK_PYPI_ACCESS=0`` if you want to disable it. Also, we do not check PyPI if the user is ``__token__``, which means an API token is being used. [maurits] (#50)
- Fix missing changelog entries when running ``bin/manage changelog``. [maurits] (#60)

Plone: 5.2.13 → 5.2.14
----------------------

Bug fixes:

- Release Plone 5.2.14. [maurits]

plone.app.multilingual: 5.6.4 → 5.6.6
-------------------------------------

Bug fixes:

- Fix setting the Indonesian language cookie on the site root: it must be ``id``, not ``id-id``. [maurits] (#304)
- Fix ``set_recursive_language`` to actually find child objects. [maurits] (#304)
- Root language switcher: redirect to ``id-id`` if the Indonesian language is preferred. [maurits] (#304)
- Do not unset the language on the Indonesian root language folder when saving the control panel. This language has ``id`` as its code. This is not allowed as an id in Plone, so the folder is created as ``id-id`` instead, which needs some special handling. Added an upgrade step to recursively fix this language folder to set the Indonesian language. This is only done when the folder itself has the wrong language. [maurits] (#304)

plone.app.upgrade: 2.1.6 → 2.1.7
--------------------------------

Bug fixes:

- Added upgrade to 5222, Plone 5.2.14. [maurits] (#5222)

plone.namedfile: 5.6.0 → 5.6.1
------------------------------

Bug fixes:

- Fix stored XSS (Cross Site Scripting) for SVG images. Done by forcing a download instead of displaying inline. See the security advisory. [maurits] (#1)

plone.restapi: 7.8.2 → 7.8.3
----------------------------

Bug fixes:

- Fix the content serializer with an old version of an item that was renamed. @davisagli (#1651)

Products.CMFCore: 2.7.0 → 2.7.1
-------------------------------

- Make ``decodeFolderFilter`` and ``encodeFolderFilter`` non-public. This is the workaround from CVE-2023-36814.

Products.CMFPlone: 5.2.13 → 5.2.14
----------------------------------

Bug fixes:

- Update metadata version to 5222, Plone 5.2.14. [maurits] (#5222)
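The Zope 4.8.10 entry above describes the inline-image policy (allow list by default, deny list when ``OFS_IMAGE_USE_DENYLIST=1``, overrides via comma- or space-separated environment variables, download forced for everything else). The following is an added illustration of that decision logic, written for this page and not Zope's or plone.namedfile's own code; the default allow and deny lists are constructed here as assumptions, since the release notes do not list Zope's defaults.

```python
import os
import re

# Constructed defaults for this example only; Zope's real default lists are
# not reproduced from the release notes.
DEFAULT_ALLOWED = frozenset({"image/png", "image/jpeg", "image/gif", "image/webp"})
DEFAULT_DENIED = frozenset({"image/svg+xml"})


def parse_mimetype_list(value):
    """Split an environment value on commas and/or whitespace, as the
    release notes describe, lower-casing entries and dropping empty ones.
    Returns None when the variable is unset or empty so callers fall back
    to the default list."""
    if not value:
        return None
    entries = {e.strip().lower() for e in re.split(r"[,\s]+", value)}
    return frozenset(e for e in entries if e) or None


def content_disposition(mimetype, filename, env=None):
    """Return the Content-Disposition header value for a direct URL request.

    Only types the active policy permits are served 'inline'; everything
    else (notably SVG, which can carry scripts) becomes an 'attachment'
    so the browser downloads it instead of rendering it in the site's origin.
    """
    env = os.environ if env is None else env
    # Ignore parameters such as '; charset=...' and normalise case.
    mimetype = (mimetype or "").split(";")[0].strip().lower()
    if env.get("OFS_IMAGE_USE_DENYLIST") == "1":
        denied = parse_mimetype_list(env.get("DISALLOWED_INLINE_MIMETYPES")) or DEFAULT_DENIED
        inline = mimetype not in denied
    else:
        allowed = parse_mimetype_list(env.get("ALLOWED_INLINE_MIMETYPES")) or DEFAULT_ALLOWED
        inline = mimetype in allowed
    disposition = "inline" if inline else "attachment"
    # Neutralise characters that would let a filename break out of the header value.
    safe_name = re.sub(r'[\r\n";\\]', "_", filename or "download")
    return f'{disposition}; filename="{safe_name}"'
```

Note that an unset or empty ``ALLOWED_INLINE_MIMETYPES`` falls back to the default list, and SVG is forced to download under both the constructed allow list and the constructed deny list.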