Thymeleaf

Thymeleaf 3.0.15 — Release Notes

Thymeleaf 3.0.15 (3.0.15.RELEASE) has just been published.

This is a highly recommended security update with some bugfixing and feature changes.

Security improvements:

  • Fixed inconsistent restricted variable access check due to caching.
  • Improved detection of restricted expression execution scenarios.
  • Improved detection of restricted usages of view names in direct request input.

This version should work as a drop-in replacement for 3.0.x versions. Have a look at our Download Page to learn how to obtain it.

If you are interested, you can have a look at the list of issues on GitHub, which usually contain more detailed explanations:

Thymeleaf 3.0.14 — Release Notes

Thymeleaf 3.0.14 (3.0.14.RELEASE) has just been published.

This is a highly recommended security update with some bugfixing and feature changes.

Security improvements:

  • Fixed inconsistent restricted variable access check due to caching.
  • Improved detection of restricted expression execution scenarios.
  • Improved detection of restricted usages of view names in direct request input.

This version should work as a drop-in replacement for 3.0.x versions. Have a look at our Download Page to learn how to obtain it.

If you are interested, you can have a look at the list of issues on GitHub, which usually contain more detailed explanations:

Thymeleaf 3.0.13 — Release Notes

Thymeleaf 3.0.13 (3.0.13.RELEASE) has just been published.

This is a highly recommended security update with some bugfixing and feature changes.

Security improvements:

  • Fixed CVE-2021-43466: Specific scenarios in template injection may lead to remote code execution.

Issues fixed:

  • Fixed incorrect double-unescaping of request parameters breaking processing of forms during restricted mode checks.
  • Fixed SpringStandardDialect not allowing the use of a custom IStandardConversionService.

This version should work as a drop-in replacement for 3.0.x versions. Have a look at our Download Page to learn how to obtain it.

If you are interested, you can have a look at the list of issues on GitHub, which usually contain more detailed explanations:

Thymeleaf 3.0.12 — Release Notes

Thymeleaf 3.0.12 (3.0.12.RELEASE) has just been published.

This is a highly recommended security update with some bugfixing and feature changes.

Security improvements:

  • Avoided instantiation of new objects and calls to static classes in restricted expression evaluation mode, both for OGNL and SpringEL-based scenarios.
  • Users of Spring: Avoided execution of view names as fragment expressions when the view name is contained in the URL path or query parameters.
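
The view-name hardening above concerns controllers whose returned view name contains request input. As an added example (not part of these release notes or of Thymeleaf's own code), the controller below contrasts that pattern with one that resolves the view from a fixed map; the class name, URL paths and template names are hypothetical.

```java
import java.util.Map;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

// Added example. HelpController, the /help paths and the help/* template
// names are hypothetical. Map.of requires Java 9 or later.
@Controller
public class HelpController {

    // Fixed mapping from a request-supplied key to a known template name.
    private static final Map<String, String> SECTIONS = Map.of(
            "faq", "help/faq",
            "contact", "help/contact");

    // Pattern the 3.0.12 change guards against: the view name is built
    // directly from a query parameter, so request input reaches the view
    // resolver. Before 3.0.12 such a view name could be executed as a
    // fragment expression. Shown only for contrast; do not use.
    @GetMapping("/help-unsafe")
    public String unsafe(@RequestParam String section) {
        return "help/" + section;
    }

    // Hardened form: request input only selects among constants, so the
    // string handed to the view resolver never contains user-controlled
    // text. Unknown keys fall back to a default template.
    @GetMapping("/help")
    public String safe(@RequestParam String section) {
        return SECTIONS.getOrDefault(section, "help/index");
    }
}
```

Upgrading removes the library-side behaviour; the fixed mapping keeps request input out of view names regardless of the Thymeleaf version in use.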

Issues fixed:

  • Fixed #numbers.format*(...) expression utility methods not producing numbers using the correct digit symbols for locales that use them (e.g. Farsi), in JDK versions where NumberFormat does this.
  • Fixed package-list not being produced for JavaDoc since JDK 11 started being used for compiling the project.
  • Users of Spring: Fixed memory leak at ThymeleafViewResolver in redirects to dynamically built URLs.

Feature changes:

  • Users of Spring 5.x: Added encode() method to the #mvc.url(...) expression utility methods.
  • Users of Spring 5.x and Spring WebFlow: Adapted support of WebFlow to Spring WebFlow 2.5 after changes in API (WebFlow 2.5.0+ is now required).

Dependency updates:

  • OGNL updated to 3.1.26.
  • Jackson updated to 2.11.3.

This version should work as a drop-in replacement for 3.0.x versions. Have a look at our Download Page to learn how to obtain it.

If you are interested, you can have a look at the list of issues on GitHub, which usually contain more detailed explanations:

Thymeleaf 3.0.11 — Release Notes

Thymeleaf 3.0.11 (3.0.11.RELEASE) has just been published.

This is a maintenance release with some minor bugfixing for a couple of issues introduced with 3.0.10. These issues affected:

  • Users of JPMS (Java Platform Module System): some Thymeleaf modules declared invalid module names.
  • Users of Spring WebFlux.fn (functional side of Spring WebFlux): an exception was being thrown when templates using the SpringStandard dialect were rendered.

This version should work as a drop-in replacement for 3.0.x versions. Have a look at our Download Page to learn how to obtain it.

If you are currently using a version older than 3.0.10, please visit the release announcement for 3.0.10 in order to know more about new features.

If you are interested, you can have a look at the list of issues on GitHub, which usually contain more detailed explanations: