Security Updates
Following recent penetration testing, we’ve implemented several critical security improvements:
Input & Form Security
- Scripts are now automatically removed from all input fields to prevent XSS attacks.
- HTML is stripped by default unless explicitly allowed in form settings.
Password Security
- Changing a user’s password will now log out all other active sessions by default. (This can be overridden in app settings, though not recommended.)
- The “Forgot Password” process no longer confirms whether an account exists, which helps prevent email/username enumeration.
- Password fields are now capped at 255 characters.
- Users must enter their current password before updating it via the profile component.
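The password-security behaviours listed above, as an added illustrative example (constructed here, not the product's own code): a small in-memory account service whose reset request returns the same reply for known and unknown identifiers, enforces the 255-character cap, requires the current password before a change, and revokes every other session of that user while keeping the one that made the change. The class and method names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed model of the release notes' password rules (not the product's code):
# uniform reset reply, 255-char cap, current-password check, other-session revocation.
MAX_PASSWORD_LEN = 255
RESET_MESSAGE = "If an account matches, a reset link has been sent."

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountService:
    def __init__(self):
        self.users = {}     # username -> {"salt": bytes, "hash": bytes}
        self.sessions = {}  # session_id -> username

    def register(self, username, password):
        if len(password) > MAX_PASSWORD_LEN:
            raise ValueError("password exceeds 255 characters")
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt)}

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["hash"], _hash(password, user["salt"])):
            raise PermissionError("invalid credentials")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid

    def request_password_reset(self, identifier):
        # Identical reply whether or not the identifier is known, so the
        # response cannot be used to enumerate accounts.
        return RESET_MESSAGE

    def change_password(self, session_id, current, new, logout_others=True):
        username = self.sessions[session_id]
        user = self.users[username]
        if not hmac.compare_digest(user["hash"], _hash(current, user["salt"])):
            raise PermissionError("current password incorrect")
        if len(new) > MAX_PASSWORD_LEN:
            raise ValueError("password exceeds 255 characters")
        salt = os.urandom(16)
        user["salt"], user["hash"] = salt, _hash(new, salt)
        if logout_others:  # keep only the session that performed the change
            self.sessions = {s: u for s, u in self.sessions.items()
                             if u != username or s == session_id}
        return sorted(s for s, u in self.sessions.items() if u == username)
```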
We'd love to hear your feedback.