bug(security): fix XSS exploit in devel and responsive templates Replace all occurances of: tal:content="structure context/MUMBLE/plain" with tal:content="context/MUMBLE/plain" This seems to have been an old way to handle display of a field when the user did not have edit rights. It does not occur in current (later than 2009) classic tracker templates. But probably was unsed in earlier classic templates since devel, reponsive and the roundup issue tracker templates were based on classic. Add CVE placeholder to security.txt and link to fix directions added to upgrading.txt. Add note in announcement.txt and CHANGES.txt Add a details element around the table of contents in the upgrading guide. It was getting long. Updated a missed XSS issue in the roundup tracker template. Live site is already fixed. XSS bug reported by 4bug of ChaMd5 Security Team H1 Group

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
 <head>
  <link rel="stylesheet" type="text/css" href="@@file/style.css" />
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8;" />
  <meta name="robots" content="noindex, nofollow" />
  <title tal:content="string:Roundup Calendar"></title>
  <script language="Javascript"
          type="text/javascript"
	  tal:attributes="nonce request/client/client_nonce"
          tal:content="string:
          // this is the name of the field in the original form that we're working on
          form  = window.opener.document.${request/form/form/value};
          field = '${request/form/property/value}';" >
  </script>
 </head>
 <body class="body"
       tal:content="structure python:utils.html_calendar(request)">
 </body>
</html>