v7.3.0

Latest

Released by github-actions on 03 Jun 11:47 (commit 65e2b48)
Security

  • CSP directive injection via sandbox, plugin-types, and report-to when given untrusted input (GHSA-rqq5-2gf9-4w4q). Reported by @tonghuaroot. The 2020 scrub applied to source-list directives was never applied to the sandbox, plugin-types, and report-to directive builders, so caller-supplied values containing ;, \n, or \r were emitted verbatim into the Content-Security-Policy header. A single ; in such a value terminates the directive, and whatever follows is parsed by the browser as an additional, attacker-chosen directive. All three builders now share the same scrub (replace ;, \n, and \r with a space and emit a Kernel.warn).
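The following is an added example, not code from the secure_headers gem, that reproduces the injection described above in a minimal header builder and shows what the shared scrub changes. The builder, helper names, the parse_csp splitter and the sample values are constructed for illustration; only the directive names and the scrub behaviour (replace ;, \n, \r with a space and Kernel.warn) come from the advisory.

```ruby
# Added example (not secure_headers' own code). Directive names come from the
# advisory; helper names and sample inputs are constructed for illustration.

# Characters that end or break a directive inside a CSP header value. A value
# containing one of them can smuggle a whole new directive into the policy.
CSP_DIRECTIVE_BREAKERS = /[;\n\r]/

# Scrub one directive value the way the advisory describes: replace ';', '\n'
# and '\r' with a space and warn, since such a value is almost certainly
# untrusted or malformed. `warn:` is a constructed switch so tests stay quiet.
def scrub_directive_value(directive, value, warn: true)
  return value unless value.match?(CSP_DIRECTIVE_BREAKERS)

  Kernel.warn("#{directive} value contains a directive separator; replacing it with a space") if warn
  value.gsub(CSP_DIRECTIVE_BREAKERS, " ")
end

# Vulnerable builder: mirrors the pre-fix behaviour for sandbox, plugin-types
# and report-to, emitting the caller-supplied value verbatim.
def build_csp_unscrubbed(config)
  config.map { |directive, value| "#{directive} #{value}" }.join("; ")
end

# Hardened builder: every value passes through the same scrub before it is
# joined into the header.
def build_csp_scrubbed(config, warn: true)
  config.map do |directive, value|
    "#{directive} #{scrub_directive_value(directive, value, warn: warn)}"
  end.join("; ")
end

# Split a header back into directive names the way a browser does (on ';'),
# so we can see which policy was actually delivered.
def parse_csp(header)
  header.split(";").map(&:strip).reject(&:empty?).map { |d| d.split(/\s+/, 2).first }
end

# Constructed untrusted input: a legitimate-looking sandbox token followed by
# an injected directive that would loosen script-src for the whole page.
INJECTED_SANDBOX = "allow-scripts; script-src *"

CONFIG = {
  "default-src" => "'self'",
  "sandbox"     => INJECTED_SANDBOX,
}

if __FILE__ == $PROGRAM_NAME
  puts "unscrubbed: #{build_csp_unscrubbed(CONFIG)}"
  puts "directives: #{parse_csp(build_csp_unscrubbed(CONFIG)).inspect}"
  puts "scrubbed:   #{build_csp_scrubbed(CONFIG)}"
  puts "directives: #{parse_csp(build_csp_scrubbed(CONFIG)).inspect}"
end
```

With the unscrubbed builder the delivered policy contains three directives, including the injected script-src *. After scrubbing, the ; becomes a space, so the browser sees a single sandbox directive whose extra tokens (script-src, *) are unknown sandbox flags and are ignored; no new directive is created. The same applies to \r and \n, which would otherwise also risk splitting the header line itself.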

Important

You should never pass user-supplied input into your Content-Security-Policy configuration. CSP directive values are part of a security policy, not user data — any untrusted input creates a policy-injection risk. This fix is a defense-in-depth backstop; it is not a license to feed user input into CSP directives. Treat all CSP values as trusted, application-controlled configuration.

What's Changed

Full Changelog: v7.2.0...v7.3.0