This release is a stable bugfix release, including fixes for security issues.
Changes since release 0.3.6:
repository summary: prevent cross-site scripting (XSS) issue when rendering repository 'README' files. This was already fixed in 0.3.6 for Markdown-rendered README files, but not for other formatting types like reStructuredText (RST). See details.
prevent cross-site scripting (XSS) issue with manipulated URLs containing forged repository changesets or branch names. See details.
pullrequests: prevent cross-site scripting (XSS) issue when users' first and/or last names cannot be trusted. See details.
repository summary: prevent cross-site scripting (XSS) issue when downloading the archive or using the compare feature for a manipulated branch/tag/bookmark name. See details.
All the above security issues were reported by Bob Hogg, many thanks!