This version contains security fixes to prevent possible XSS attacks as described in #1441. They don’t relate to user data submitted to Hangfire directly via method arguments, but it’s recommended to upgrade anyway. If you are using Hangfire 1.6, please upgrade to version 1.6.26 instead.
- Affected Packages
- Hangfire.Core ≤ 1.6.25, 1.7.0, 1.7.1, 1.7.2
- Affected Platforms
- All, including .NET Core, .NET Framework, Mono of any version
Steps to reproduce
public static void Xss()
{
BackgroundJob.Enqueue(() => Xss2());
}
public static void Xss2()
{
throw new Exception("<script>alert(1);</script>");
}
Release notes
Hangfire.Core
-
SECURITY – Use
HtmlEncode
in all remaining places in Dashboard UI to prevent XSS attacks. - Added – Added Dutch language, and updated missing translation on “Servers” page (by @r-win).
-
Added –
Cron.Never
method for adding manual recurring jobs that never fire (by @michaltalaga). -
Fixed – Add missing
AddOrUpdate
extension methods for theIRecurringJobManager
interface. -
Deprecated – Unused
HtmlHelper.FormatProperties
method is now obsolete.
Hangfire.SqlServer
- Fixed – Wrong error message in migration script, when @CurrentSchemaVersion has a NULL value (by @penenkel).
Reporting security issues
In order to give the community time to respond and upgrade we strongly urge you report all security issues privately. Please email us at security@hangfire.io with details and we will respond ASAP. Security issues always take precedence over bug fixes and feature work. We can and do mark releases as “urgent” if they contain serious security fixes.