X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/26d4641d02eeea87c2c061ecf24f9846d97cb780..d092b0b77701a4c5cd9c8464b774a6a1da1f02cd:/doc/news/version_3.20160506.mdwn diff --git a/doc/news/version_3.20160506.mdwn b/doc/news/version_3.20160506.mdwn index 650588c6e..6800a3022 100644 --- a/doc/news/version_3.20160506.mdwn +++ b/doc/news/version_3.20160506.mdwn @@ -1,15 +1,19 @@ News for ikiwiki 3.20160506: To mitigate [[!cve CVE-2016-3714]] and similar ImageMagick security vulnerabilities, - the `[[!img]]` directive is now restricted to these common web formats by + the `\[[!img]]` directive is now restricted to these common web formats by default: + * JPEG (`.jpg`, `.jpeg`) * PNG (`.png`) * GIF (`.gif`) * SVG (`.svg`) + (In particular, by default resizing PDF files is no longer allowed.) + Additionally, resized SVG files are displayed in the browser as SVG instead of being converted to PNG. + If all users who can attach images are fully trusted, this restriction can be removed with the new img\_allowed\_formats setup option. See [[ikiwiki/directive/img]] for more details. @@ -18,7 +22,7 @@ ikiwiki 3.20160506 released with [[!toggle text="these changes"]] [[!toggleable text=""" * [ [[Simon McVittie|smcv]] ] * HTML-escape error messages, in one case avoiding potential cross-site - scripting (OVE-20160505-0012) + scripting ([[!cve CVE-2016-4561]], OVE-20160505-0012) * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714: - img: force common Web formats to be interpreted according to extension, so that "allowed\_attachments: '*.jpg'" does what one might expect
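Review bot: In the first hunk (the "Additionally, resized SVG files are displayed in the browser as SVG instead of being converted to PNG" line), the entry does not say what that change means for an attacker-supplied SVG attachment: a format that is now passed to the browser rather than rasterised by ImageMagick is exactly the one the "If all users who can attach images are fully trusted" caveat should cover. Suggest stating explicitly that the caveat applies to `.svg` as well, and that `img\_allowed\_formats` controls it, so that an admin who only reads the bullet list does not assume SVG is sanitised the way the PDF restriction is described ("by default resizing PDF files is no longer allowed"). The switch from `[[!img]]` to `\[[!img]]` is correct: without the backslash the news page would try to expand the directive rather than show its name.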
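Review bot: In the second hunk the new reference is written as a directive, `([[!cve CVE-2016-4561]], OVE-20160505-0012)`, while the unchanged context line directly below it still has a bare identifier, "Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:", even though the top of the file links the same CVE with `[[!cve CVE-2016-3714]]`. Suggest using the `[[!cve ...]]` directive in the changelog line too so both entries render as links consistently.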