Ember 1.9.1 with XSS Improvements Released

Tom Dale

Dec 23, 2014, 6:03:15 PM12/23/14
to ember-s...@googlegroups.com
We've just released Ember 1.9.1 with more conservative defaults around escaping bound attributes.

Previously, binding unescaped values to an element's attributes could be a potential XSS vector if a user could be induced to, e.g., click a link that had its `href` attribute bound to user-supplied data.

Starting with Ember 1.9.1, we detect bound attributes that start with `javascript:` or `vbscript:` and automatically escape them. This change is potentially breaking if you were relying on binding JavaScript properties to element attributes, but we believe this new, stricter default will lead to fewer inadvertent XSS vulnerabilities.

You should consider auditing your applications to see if you have any instances of binding attributes that expect a URL to user-supplied data. If so, you should upgrade to 1.9.1 or start escaping them immediately.

For more details, please see the blog post at http://emberjs.com/blog/2014/12/23/ember-1-9-1-released.html. Ember 1.9.1 is available at http://www.emberjs.com/builds and the usual distribution channels.

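As an added example (not Ember's own code and not part of Tom Dale's message), the check described above written out in plain JavaScript: a sanitizer for URL-bearing attributes that normalizes the bound value the way browsers do before comparing its scheme against `javascript:` and `vbscript:`. The attribute list, the `unsafe:` prefix used as the escaped form, and the sample inputs are my assumptions, not taken from the post.

```javascript
// Added example, not Ember's implementation: a conservative sanitizer for
// bound attributes that expect a URL, modelled on the behaviour the post
// describes for Ember 1.9.1 (javascript: and vbscript: values are escaped).

// Attributes that browsers treat as URLs (assumed list, not from the post).
const URL_ATTRIBUTES = new Set(['href', 'src', 'action', 'formaction', 'background']);
const BLOCKED_SCHEMES = new Set(['javascript', 'vbscript']);

// Browsers drop ASCII control characters and spaces while parsing a URL
// scheme and compare it case-insensitively, so a naive startsWith() check
// is not enough; normalize the same way before looking at the scheme.
function extractScheme(value) {
  const compact = String(value).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(compact);
  return m ? m[1].toLowerCase() : null;
}

// Returns the value to actually bind. Non-URL attributes pass through
// untouched; a blocked scheme is neutralized by prefixing "unsafe:" (this
// example's choice of escaped form), which no browser dispatches to a handler.
function sanitizeAttributeValue(attrName, value) {
  if (value == null) return value;
  if (!URL_ATTRIBUTES.has(String(attrName).toLowerCase())) return value;
  const scheme = extractScheme(value);
  if (scheme !== null && BLOCKED_SCHEMES.has(scheme)) {
    return 'unsafe:' + value;
  }
  return value;
}

// Minimal stand-in for a template runtime's attribute binding: the element
// only ever receives the sanitized value. Returns what was bound.
function bindAttribute(element, attrName, value) {
  const safe = sanitizeAttributeValue(attrName, value);
  element.setAttribute(attrName, safe);
  return safe;
}

// Constructed sample inputs, as a user might supply to a bound href/src.
const SAMPLES = [
  ['href', 'https://example.com/profile'],
  ['href', 'javascript:alert(1)'],
  ['href', '  JavaScript:alert(1)'],
  ['href', 'java\tscript:alert(1)'],
  ['src', 'vbscript:msgbox(1)'],
  ['title', 'javascript:not-a-url-attribute'],
];

const fakeElement = { attrs: {}, setAttribute(n, v) { this.attrs[n] = v; } };
for (const [attr, value] of SAMPLES) {
  console.log(JSON.stringify(value), '->', JSON.stringify(bindAttribute(fakeElement, attr, value)));
}
```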