🎉 Node-RED 0.20.8 released

I've just published Node-RED 0.20.8. It contains two fixes:

  • Sanitize tab name in edit dialog - this fixes a potential XSS issue where a well-formed (or badly formed, depending on your perspective) flow name could be used to inject JavaScript into the editor.

  • Pass httpServer to runtime even when httpAdmin disabled. Fixes #2272
    This fixes an issue where, if you disabled the HTTP Admin and Editor (by setting httpAdminRoot to false), Node-RED Dashboard would stop working. This means it is now much easier to create an instance of Node-RED that only exposes the dashboard and does not allow any admin access.
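
Added example, not part of the original post and not the Node-RED patch itself: a pre-import audit that lists the tab (flow) names in a flow export that would change under HTML escaping, which is the class of name the first fix concerns. It assumes the export is a JSON array in which flow tabs are nodes with `type: "tab"` and a `label`; the function names and the sample flow are constructed for illustration.

```javascript
"use strict";

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build a tab title for display; the label is only ever inserted in escaped form.
function renderTabTitle(label) {
  return '<span class="tab-title">' + escapeHtml(label) + "</span>";
}

// Return every tab whose label is not safe to insert as raw HTML.
// hasMarkup separates labels that look like tags from benign ones such as "R&D".
function auditTabLabels(flowJson) {
  let nodes;
  try {
    nodes = JSON.parse(flowJson);
  } catch (err) {
    throw new Error("flow export is not valid JSON: " + err.message);
  }
  if (!Array.isArray(nodes)) {
    throw new Error("flow export must be a JSON array of nodes");
  }
  const findings = [];
  for (const node of nodes) {
    if (!node || node.type !== "tab") continue; // only flow tabs carry a flow name
    const label = typeof node.label === "string" ? node.label : "";
    const escaped = escapeHtml(label);
    if (escaped !== label) {
      findings.push({ id: node.id, label, escaped, hasMarkup: /<[a-z!\/]/i.test(label) });
    }
  }
  return findings;
}

// Constructed sample export: two ordinary tabs, one tab with markup in its name,
// and a non-tab node that the audit ignores.
const SAMPLE_FLOW = JSON.stringify([
  { id: "a1", type: "tab", label: "Sensors", disabled: false, info: "" },
  { id: "b2", type: "tab", label: "<img src=x onerror=alert(1)>", disabled: false, info: "" },
  { id: "c3", type: "inject", z: "a1", name: "<b>tick</b>" },
  { id: "d4", type: "tab", label: "R&D", disabled: false, info: "" }
]);

for (const f of auditTabLabels(SAMPLE_FLOW)) {
  console.log(f.id, f.hasMarkup ? "MARKUP" : "needs escaping", JSON.stringify(f.label));
}
```

A label flagged without `hasMarkup` is usually harmless text that still has to be escaped on output, which is why the fix belongs where the name is rendered rather than in a filter on what names are allowed.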



That's interesting, would that have stopped uibuilder from working as well, as it also uses the ExpressJS app?

It caused RED.server to be null when it shouldn't have been. If uibuilder uses RED.server (for example, to create a websocket listener) then yes, it would have been affected.



Too many things to test!

Thanks for fixing.
