🎉 Node-RED 0.20.8 released

knolleary · 6 September 2019 09:41

I've just published Node-RED 0.20.8. It contains two fixes:

Sanitize tab name in edit dialog - this fixes a potential XSS issue where a well-formed (or badly formed, depending on your perspective) flow name could be used to inject javascript into the editor.
Pass httpServer to runtime even when httpAdmin disabled Fixes #2272
This fixes an issue where if you disabled the HTTP Admin and Editor (by setting httpAdminRoot to false, Node-RED Dashboard would stop working. This means it is now much easier to create an instance of Node-RED that only exposes the dashboard and does not allow any admin access.

Enjoy!

TotallyInformation · 6 September 2019 10:50

That's interesting, would that have stopped uibuilder from working as well as it also uses the ExpressJS app?

knolleary · 6 September 2019 10:52

It caused RED.server to be null when it shouldn't have been. If uibuilder uses RED.server (for example, to create a websocket listener) then yes, it would have been affected.

TotallyInformation · 6 September 2019 13:45

Doh!

github.com

TotallyInformation/node-red-contrib-uibuilder/blob/1e60585a0d4cf6f9425f894d179a799cedaa587f/nodes/uibuilder.js#L203-L203


var io = socketio.listen(RED.server, {'path': uib_socketPath}) // listen === attach

Too many things to test!

Thanks for fixing.

Topic		Replies	Views
[Minor Update] alternate-node-red-uibuilder v4.1.1 Share Your Nodes	0	314	8 August 2021
[New Dev Build (v3.3.0)] uibuilder Share Your Nodes node-red-contrib-uibuilder	2	453	13 May 2021
Bypass HTTP Node Security prompt for uibuilder, but not dashboard General node-red-contrib-uibuilder	4	220	9 November 2022
Uibuilder v1.2.0 published - bug fix and feature release Share Your Nodes	1	443	23 February 2019
[Update] node-red-contrib-uibuilder - bugfix release v1.2.2 Share Your Nodes	0	421	23 March 2019

🎉 Node-RED 0.20.8 released

Related Topics