Update immediately from Nephtali 3.3.0 to 3.3.1 for a bug fix
Sorry, there is a big string escaping bug in Nephtali 3.3.0. Please update immediately to Nephtali 3.3.1. The unit test didn’t show the issue because I only added one data row and, because of caching, one row didn’t show the issue; you need 2 rows to see the bug.
Again, my apologies.
Update Feb. 23, 2012: To clear up confusion, the bug did not leave sites vulnerable in terms of security. Rather, Nephtali’s default behavior to escape all output overrode any whitelists that were set up to pass through the escaping mechanism. What this means is that sites were not left vulnerable to XSS attacks, but they were likely vulnerable to ugly aesthetics when expected tags were escaped.