Lista Recurring Events Changelog

The latest updates and improvements

Version 1.5.3.1 — Security Patch

Fixes script injection in Schema.org output and property injection in calendar export files.

21 Feb 2026

Security

Version 1.5.3.1 is a security patch addressing two output sanitisation issues in the structured data and calendar export features.


Schema.org Script Injection

JSON-LD structured data now encodes HTML angle brackets, preventing event content containing </script> from breaking out of the JSON-LD block. Previously, if an event's description included a closing script tag, it could terminate the structured data block early and allow arbitrary script injection on the single event page.


Calendar Export Property Injection

URL values in .ics download files (virtual meeting links, event URLs) are now sanitised to prevent CRLF sequences from injecting additional calendar properties. A crafted meeting URL could previously embed extra iCalendar properties into the exported file.
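
The two fixes described above, sketched in Python as an added example; this is not the plugin's own code. The function names, the control-character filter and the sample inputs are assumptions constructed for illustration.

```python
import json
import re

def jsonld_block(data, escape=True):
    """Serialise data for a <script type="application/ld+json"> element."""
    body = json.dumps(data, ensure_ascii=False)
    if escape:
        # \u003c and \u003e are valid JSON string escapes, so JSON parsers
        # recover the original text, but the HTML tokenizer never sees a tag.
        body = body.replace("<", "\\u003c").replace(">", "\\u003e")
    return '<script type="application/ld+json">' + body + "</script>"

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def ics_line(name, value, sanitise=True):
    """Build one iCalendar content line (NAME:value CRLF) for a URL value."""
    if sanitise:
        # Without CR/LF the value cannot end its own line and start another.
        value = CONTROL_CHARS.sub("", value)
    return f"{name}:{value}\r\n"

def ics_property_names(ics_text):
    """Unfold content lines (RFC 5545 section 3.1) and list property names."""
    unfolded = re.sub(r"\r\n[ \t]", "", ics_text)
    lines = [line for line in unfolded.split("\r\n") if line]
    return [re.split(r"[:;]", line, maxsplit=1)[0] for line in lines]

# Constructed sample inputs (not taken from the plugin or a real event).
EVENT = {"@type": "Event", "name": "Demo",
         "description": "Hi </script><b>out</b>"}
MEETING_URL = "https://meet.example/room\r\nX-INJECTED:1"

if __name__ == "__main__":
    for hardened in (False, True):
        closers = jsonld_block(EVENT, escape=hardened).count("</script>")
        props = ics_property_names(ics_line("URL", MEETING_URL, sanitise=hardened))
        print(f"hardened={hardened} script_closers={closers} ics_props={props}")
```

A useful regression check for either output path is the one the script prints: exactly one `</script>` per JSON-LD block, and exactly one property name per exported URL line.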