Release notes: 2020-10-15

Restricted profile pictures to PNGs, JPGs, and JPEGs to prevent uploading malicious files.
Prevented unverified users from viewing and updating profile pictures.
Implemented validation for user input and proper output encoding for the "Forgot your password" link to prevent cross-site scripting (XSS) attacks.
Encoded HTML elements in user data to prevent HTML injections.
Prevented arbitrary URL redirection when generating a PDF assessment report.
Added new functions to prevent cross-site request forgery.
Prevented sensitive information from being included in URLS.
Implemented a check for 2FA requirements before fully authenticating the session to prevent 2FA bypasses.
Fixed an issue with manuals where users could only view manuals they had created.