Release note for CVE-2021-29434 in 2.12.4

CHANGELOG.txt

@@ -40,6 +40,7 @@ Changelog
 2.12.4 (xx.xx.xxxx)
 ~~~~~~~~~~~~~~~~~~~
 
+ * Fix: CVE-2021-29434 - fix improper validation of URLs ('Cross-site Scripting') in rich text fields (Kevin Breen, Matt Westcott)
  * Fix: Reverse migration errors in images and documents (Mike Brown)
  * Fix: Avoid wagtailembeds migration failure on MySQL 8.0.13+ (Matt Westcott)
  

CONTRIBUTORS.rst

@@ -504,6 +504,7 @@ Contributors
 * Susan Dreher
 * Dale Evans
 * Vlad Podgurschi
+* Kevin Breen
 
 Translators
 ===========

docs/releases/2.12.4.rst

@@ -10,6 +10,14 @@ Wagtail 2.12.4 release notes - IN DEVELOPMENT
 What's new
 ==========
 
+CVE-2021-29434: Improper validation of URLs ('Cross-site Scripting') in rich text fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This release addresses a cross-site scripting (XSS) vulnerability in rich text fields. When saving the contents of a rich text field in the admin interface, Wagtail did not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with javascript: URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
+
+Many thanks to Kevin Breen for reporting this issue.
+
+
 Bug fixes
 ~~~~~~~~~