TL;DR

🔒 This is a security release!

Fixes the following vulnerabilities:

• Improper sanitize of SVG files during content upload ('Cross-site Scripting') in Sylius/Sylius
• User token not setup to null after reset password
• Add missing HTTP headers to avoid login forms clickjacking
• Exposure of sensitive information by using the back button after logging out in sylius/sylius

Details

• #13432 Update SalesDataProvider.php (@remoteclient)
• #13723 [Docs] Deployment on artifakt (@AdamKasp)
• #13731 [Taxation] Add validation of negative tax rate (@coldic3)
• #13734 [JS] add empty value to autocomplete selects (@SirDomin)
• #13750 [Admin][Shop] placehold.it replaced to local placeholders (@ernestWarwas)
• #13756 [GitHub Actions] Change PHP ini values + clear cache (@GSadee)
• #13765 [Security] Fixes for SVG XSS, wrong cache for logged in users and clickjacking (@ernestWarwas, @lchrusciel, @GSadee, @Zales0123, @Rafikooo)
• #13766 [Security][API] passwordResetToken nulled after password is changed (@lchrusciel, @ernestWarwas, @GSadee, @TheMilek)