v0.13.5-cryptowarning.2

Thanks to walle303 for letting us know these weren't being checked.

CHANGELOG.md

@@ -1,3 +1,22 @@
+Changes in [0.13.5-cryptowarning.2](https://github.com/vector-im/riot-web/releases/tag/v0.13.5-cryptowarning.2) (2018-03-26)
+============================================================================================================================
+[Full Changelog](https://github.com/vector-im/riot-web/compare/v0.13.5-cryptowarning.1...v0.13.5-cryptowarning.2)
+
+ * Fix strings file
+
+Changes in [0.13.5-cryptowarning.1](https://github.com/vector-im/riot-web/releases/tag/v0.13.5-cryptowarning.1) (2018-03-26)
+============================================================================================================================
+[Full Changelog](https://github.com/vector-im/riot-web/compare/v0.13.5...v0.13.5-cryptowarning.1)
+
+ * Disable e2e crypto with a big warning if the database schema is newer than we expect.
+
+Changes in [0.13.5](https://github.com/vector-im/riot-web/releases/tag/v0.13.5) (2018-02-09)
+============================================================================================
+[Full Changelog](https://github.com/vector-im/riot-web/compare/v0.13.4...v0.13.5)
+
+ * SECURITY UPDATE: Sanitise URLs from 'external_url'. Thanks to walle303 for contacting
+   us about this vulnerability.
+
 Changes in [0.13.4](https://github.com/vector-im/riot-web/releases/tag/v0.13.4) (2018-01-03)
 ============================================================================================
 [Full Changelog](https://github.com/vector-im/riot-web/compare/v0.13.3...v0.13.4)

electron_app/package.json

@@ -2,7 +2,7 @@
   "name": "riot-web",
   "productName": "Riot",
   "main": "src/electron-main.js",
-  "version": "0.13.4",
+  "version": "0.13.5-cryptowarning.2",
   "description": "A feature-rich client for Matrix.org",
   "author": "Vector Creations Ltd.",
   "dependencies": {

package.json

@@ -2,7 +2,7 @@
   "name": "riot-web",
   "productName": "Riot",
   "main": "electron_app/src/electron-main.js",
-  "version": "0.13.4",
+  "version": "0.13.5-cryptowarning.2",
   "description": "A feature-rich client for Matrix.org",
   "author": "Vector Creations Ltd.",
   "repository": {
@@ -68,8 +68,8 @@
     "gfm.css": "^1.1.1",
     "highlight.js": "^9.0.0",
     "linkifyjs": "^2.1.3",
-    "matrix-js-sdk": "0.9.2",
-    "matrix-react-sdk": "0.11.3",
+    "matrix-js-sdk": "0.9.2-cryptowraning.1",
+    "matrix-react-sdk": "0.11.4-cryptowarning.2",
     "modernizr": "^3.1.0",
     "pako": "^1.0.5",
     "prop-types": "^15.5.10",

src/components/views/context_menus/MessageContextMenu.js

@@ -1,5 +1,6 @@
 /*
 Copyright 2015, 2016 OpenMarket Ltd
+Copyright 2018 New Vector Ltd
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -25,6 +26,7 @@ import { _t } from 'matrix-react-sdk/lib/languageHandler';
 const Modal = require('matrix-react-sdk/lib/Modal');
 const Resend = require("matrix-react-sdk/lib/Resend");
 import * as UserSettingsStore from 'matrix-react-sdk/lib/UserSettingsStore';
+import { isUrlPermitted } from 'matrix-react-sdk/lib/HtmlUtils';
 
 module.exports = React.createClass({
     displayName: 'MessageContextMenu',
@@ -275,7 +277,10 @@ module.exports = React.createClass({
         }
 
         // Bridges can provide a 'external_url' to link back to the source.
-        if( typeof(this.props.mxEvent.event.content.external_url) === "string") {
+        if(
+            typeof(this.props.mxEvent.event.content.external_url) === "string" &&
+            isUrlPermitted(this.props.mxEvent.event.content.external_url)
+        ) {
           externalURLButton = (
               <div className="mx_MessageContextMenu_field">
                   <a href={ this.props.mxEvent.event.content.external_url }