# ChurchCRM 7.1.1

**Release Date**: April 6, 2026  
**Previous Release**: [7.1.0](./7.1.0.md)

---

## 🔒 Security Fixes

- **Stored XSS in ListOption name rendering** – Fixed HTML injection via ListOption names by escaping output (GHSA-j9gv-26c7-3qrh) (#8505)
- **CSP nonce on inline scripts** – Added missing `nonce` attributes to inline `<script>` tags in admin export page and other pages so they execute under enforced Content-Security-Policy (#8502, #8503)
- **Inline `onclick` removal** – Replaced inline `onclick` handlers with `data-*` attributes and delegated event listeners in Group, Family, and Person custom field editors — required for CSP enforcement (#8520)

## 🐛 Bug Fixes

- **Login background bleeding onto non-login pages** – Scoped the church-photo background to login pages only; fixes blank kiosk device page caused by background overlay + `d-none`/jQuery incompatibility (#8519)
- **Checkbox and radio styles** – Fixed checkbox and radio input styling to match Tabler design system (#8478)
- **PersonView fix** – Corrected issue on Person profile view page (#8491)

## 🎨 UI / CSS Improvements

- **~170 lines of dead CSS removed** – Scoped remaining global overrides and removed unused custom CSS rules (#8500)

## 🔧 Architecture Changes

- **Notification system redesign** – Replaced per-page-load GitHub polling (`GET /api/system/notification`) with a session-backed notification registry. Remote notifications are fetched once at login via `NotificationService::fetchRemoteNotifications()` and rendered server-side in Header.php. Legacy API endpoints removed (#8476)

## 🌍 Internationalization

- **POEditor locale update** – Updated translation strings across all active locales (#8506)

## 📝 Documentation

- Updated security advisory management patterns and XSS escaping rules in skill docs
- Updated OpenAPI specs

## 📊 Release Statistics

- **14 commits** since 7.1.0
- **3 security fixes** (1 CVE-level XSS, 2 CSP hardening)
- **3 bug fixes**
- **1 architecture improvement** (notification system)

**Download**: [GitHub Release](https://github.com/ChurchCRM/CRM/releases/tag/v7.1.1)
