Because developers trust Ember.js to handle sensitive customer data in
production, we take the security of the project extremely seriously. In
fact, we're one of the few JavaScript projects that has a clearly
outlined security policy and a
low-traffic mailing list exclusively for security
announcements.
Today we are announcing the release of Ember.js 1.2.2,
1.3.2, and 1.4.0-beta.6 that contain an important security fix:
- 1.4.0-beta.6 -- Compare View
- 1.3.2 -- Compare View
- 1.2.2 -- Compare View
These releases contain the fix for an XSS vulnerability that
you can learn more about on our security mailing list:
It is recommended that you update immediately. In order to ease
upgrading, the only major change in each release is the security fix
(other than 1.4.0-beta.6, which is a normal beta channel release with
the fix rolled in).
We would like to thank Hyder Ali of Zoho
for responsibly disclosing and working with us on the patch
and the advisory.
If you discover what you believe may be a security issue in Ember.js, we
ask that you follow our responsible disclosure
policy.
If you are using Ember.js in production, please consider subscribing to
our security announcements mailing
list. It is
extremely low-traffic and only contains announcements such as these.
Additional Reading