Tracker error messages are inadequately output encoded when rendered by the
tracker information page inside the WebUI, allowing a malicious tracker to
inject an XSS payload into the page. Exploiting this issue allows an
attacker to supply arbitrary client-side code that will ultimately be
rendered and executed within the end user's web browser.
Found by Rory McNamara (Gotham Digital Science). CVE pending.

Adjust CFBundleVersion format to fix Sparkle update check
Set the first version component to be the same as the last Subversion-based
release build version and add two more components (major and minor version
numbers). To allow for nightly build updates this should probably include
another component (e.g. build timestamp), but we're not there yet.