Thymeleaf 3.0.12 (3.0.12.RELEASE) has just been published.
This is a highly recommended security update with some bugfixing and feature changes.
- Avoided instantiation of new objects and calls to static classes in restricted expression evaluation mode, both for OGNL and SpringEL-based scenarios.
- Users of Spring: Avoided execution of view names as a fragment expressions when the view name is contained in the URL path or query parameters.
- Fixed #numbers.format*(...) expression utility methods not producing numbers using the correct digit symbols for locales that use them (e.g. farsi), in JDK versions where NumberFormat does this.
- Fixed package-list not being produced for JavaDoc since JDK 11 started being used for compiling the project.
- Users of Spring: Fixed memory leak at ThymeleafViewResolver in redirects to dynamically built URLs.
- Users of Spring 5.x: Added encode() method to the #mvc.url(...) expression utility methods.
- Users of Spring 5.x and Spring WebFlow: Adapted support of WebFlow to Spring WebFlow 2.5 after changes in API (WebFlow 2.5.0+ is now required).
- OGNL updated to 3.1.26.
- Jackson updated to 2.11.3.
This version should work as a drop-in replacement for 3.0.x versions. Have a look at our Download Page to learn how to obtain it.
If you are interested, you can have a look at the list of issues on GitHub, which usually contain more detailed explanations: