Affects Version/s: 20.2, 21.0, 22.0 [Tentative]
Thymeleaf 3.0.12 (3.0.12.RELEASE) has just been published.
This is a highly recommended security update with some bug fixes and feature changes.
- Avoided instantiation of new objects and calls to static classes in restricted expression evaluation mode, both for OGNL and SpringEL-based scenarios.
- Users of Spring: Avoided execution of view names as fragment expressions when the view name is contained in the URL path or query parameters.
- Fixed #numbers.format*(...) expression utility methods not producing numbers using the correct digit symbols for locales that use them (e.g. Farsi), in JDK versions where NumberFormat does this.
- Fixed package-list not being produced for JavaDoc since JDK 11 started being used for compiling the project.
- Users of Spring: Fixed memory leak at ThymeleafViewResolver in redirects to dynamically built URLs.
- Users of Spring 5.x: Added encode() method to the #mvc.url(...) expression utility methods.
- Users of Spring 5.x and Spring WebFlow: Adapted support of WebFlow to Spring WebFlow 2.5 after changes in API (WebFlow 2.5.0+ is now required).
- OGNL updated to 3.1.26.
- Jackson updated to 2.11.3.
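
An added example, not code from Thymeleaf or from this page: the Spring MVC controller pattern that the view-name fix above concerns, next to a form that keeps request data out of the view name and so does not depend on the engine's check. The class, routes and view names are hypothetical; Spring MVC 5.x and Java 9+ are assumed.

```java
import java.util.Map;

import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical controller, constructed for illustration.
@Controller
public class DocsController {

    // Server-side allow-list: request data selects a key, and the view name
    // handed to ThymeleafViewResolver is always one of these constants.
    private static final Map<String, String> VIEWS = Map.of(
            "install", "docs/install",
            "upgrade", "docs/upgrade");

    // Risky pattern: the returned view name contains text taken from the URL
    // path. This is the situation the 3.0.12 change guards against, because
    // the view name is then partly chosen by whoever sends the request.
    @GetMapping("/legacy/docs/{page}")
    public String legacy(@PathVariable String page) {
        return "docs/" + page;
    }

    // Hardened pattern: the path variable is only a lookup key. Unknown keys
    // produce a 404 and never reach the template engine as a view name.
    @GetMapping("/docs/{page}")
    public String docs(@PathVariable String page) {
        String view = VIEWS.get(page);
        if (view == null) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        }
        return view;
    }
}
```

When reviewing an application ahead of the upgrade, handler methods that return a `String` view name built from `@PathVariable` or `@RequestParam` values are the ones to look for.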
This version should work as a drop-in rep