Update change log and create IdentityServer8.Security package for han…

…dling user input sanitization.
alexhiggins732 · Feb 11, 2024 · 23fb160 · 23fb160
1 parent adab20c
commit 23fb160
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 17 deletions.
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -5,24 +5,26 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning 2](http://semver.org/).
 
 ## [Unreleased] - 2024-02-11
+
+
+## [8.0.1] - 2024-02-10
 
-- Javascript and NPM package updates to address several security vulnerablities.
-- Account Login and View security patch.
+- Security Update: High priority critical security patches addressing issues outline in #9 and #10.
+
 
 ### Added
-- [PROJECTNAME-XXXX](http://tickets.projectname.com/browse/PROJECTNAME-XXXX)
-  MINOR Ticket title goes here.
-- [PROJECTNAME-YYYY](http://tickets.projectname.com/browse/PROJECTNAME-YYYY)
-  PATCH Ticket title goes here.
-
+- `IdentityServer8.Security` nuget packages with services to sanitize user input including html, json, xml, javascript, scripts, urls, logs, css, and style sheets.
+
 ### Changed
 - [Account Login Controller] (https://github.com/alexhiggins732/IdentityServer8/issues/9) 
 - [Account Login View] (https://github.com/alexhiggins732/IdentityServer8/issues/9)  
 
 ### Fixed
 - [Security: User-controlled bypass of sensitive method]
   Login Controller and view have have explicit methods to handle login and cancel to address User-controlled bypass of sensitive method
-
+- [Security: Logging of user-controlled data]
+  Unsanitized user input could be used to forge logs and inject arbitrary commands, including server side includes, xss and sql injection into log files.
+
 ## [8.0.1] - 2024-02-10
 
 Updated build scripts to use Git Flow branching for SemVer2 compatible nuget packages.

diff --git a/src/Security/IdentityServer8.Security/IdentityServer8.Security.csproj b/src/Security/IdentityServer8.Security/IdentityServer8.Security.csproj
@@ -1,14 +1,16 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
-  <PropertyGroup>
-    <TargetFramework>net8.0</TargetFramework>
-    <ImplicitUsings>enable</ImplicitUsings>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
+    <PropertyGroup>
+        <Description>Security package for user input sanitzation IdentityServer8 services and packages.</Description>
+        <IsPackable>true</IsPackable>
+        <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <Nullable>enable</Nullable>
+    </PropertyGroup>
 
-  <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection" />
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" />
-  </ItemGroup>
+    <ItemGroup>
+        <PackageReference Include="Microsoft.Extensions.DependencyInjection" />
+        <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" />
+    </ItemGroup>
 
 </Project>