CVE-2021-46888: Release 1.23 · simonmichael/hledger
An issue was discovered in hledger before 1.23. A Stored Cross-Site Scripting (XSS) vulnerability exists in toBloodhoundJson that allows an attacker to execute JavaScript by encoding user-controlled values in a payload with base64 and parsing them with the atob function.
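The pattern the description names, as an added illustration (not hledger's code; the function names and the sample value are constructed for this example): base64 text contains no HTML metacharacters, so escaping the encoded form changes nothing, and the value has to be escaped after it is decoded.

```javascript
// Added example; not hledger's code. All names here are hypothetical.

// Decode base64 as a page script would with atob(); Buffer is a fallback
// for runtimes without a global atob. Bytes are then read as UTF-8.
function decodeB64(b64) {
  const bin = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('binary');
  return new TextDecoder().decode(Uint8Array.from(bin, c => c.charCodeAt(0)));
}

// Server-side step: user-controlled text is base64-encoded into the page.
function encodeB64(text) {
  return Buffer.from(text, 'utf8').toString('base64');
}

// Minimal HTML escaper for text placed in element content or attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Weak: the decoded value is concatenated straight into markup.
function renderUnsafe(b64) {
  return '<li>' + decodeB64(b64) + '</li>';
}

// Hardened: treat the decoded value as untrusted and escape it at the sink.
// In a browser, assigning it to element.textContent has the same effect.
function renderSafe(b64) {
  return '<li>' + escapeHtml(decodeB64(b64)) + '</li>';
}

// Constructed sample value, as it would sit in storage after encoding.
const stored = encodeB64('Groceries <script>alert(1)</script>');

// Escaping the encoded form is a no-op: nothing in it needs escaping.
const escapedTooEarly = escapeHtml(stored);

console.log(escapedTooEarly === stored);   // escaping before decode did nothing
console.log(renderUnsafe(escapedTooEarly)); // markup survives the round trip
console.log(renderSafe(stored));            // markup rendered as inert text
```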
Capital gains report, separate symbol/number display, command line commodity styling, budget selection, weekday/weekend recurrence, 10% speedup, fixes.
Release notes: https://hledger.org/release-notes.html#hledger-1-23
This release may be packaged for your system: check https://hledger.org/download.html#binary-packages. Or, you can try the binaries built by our GitHub CI setup, below. Notes:
Download and unzip the appropriate “hledger-PLATFORM.zip” file below. This will unpack 2 or 3 hledger binaries into the current directory. On Mac and Unix machines, you will need to chmod +x these files to make them executable.
Windows binaries are built on Windows Server 2019. There is no hledger-ui binary for Windows.
Mac binaries are built on macOS 10.15 Catalina. You will need to mark them as trusted before you can run them: run open . to view the current folder in Finder; control-click hledger; option-click "Open"; allow running it.
Linux binaries are static and should run on most GNU/Linux machines with x64 or (when provided) arm32v7 architecture.