[rt-devel] HTML escaping bug in Update.html / "security problem"

Jesse Vincent jesse at bestpractical.com
Fri Apr 5 10:30:18 EST 2002


On Fri, Apr 05, 2002 at 05:47:29AM -0800, ivan wrote:
> See http://fsck.com/rt2/Ticket/Display.html?id=1330 (if it hasn't been
> fixed already).

Thanks for the heads up. Now fixed in CVS. This will be in 2.0.14. 

> HTML escaping bugs are probably a "security problem" of sorts as a ticket
> submitter (anonymous or with minimal permissions) can do all sorts of
> nasty things to the browsers of those reading the tickets.

*nod* It's definitely something that should be (and has been) fixed, though
I'm not going to roll a patch release right this instant, as users can't
easily get to the Update page without seeing a potentially malicious subject
line first. I'd put 2.0.14 in the ~2 weeks timeframe. It'll be maybe a
half-dozen tiny cleanups but not likely any real user-visible enhancements.

	-j
 
> Thanks!
> 
> (p.s. mmmmm being an RT user... much better than hacking RT :)

:P


-- 
http://www.bestpractical.com/products/rt  -- Trouble Ticketing. Free.
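As an added illustration of the bug class ivan describes (not RT's Mason code and not anything from this thread), the Python below renders the fields of a constructed ticket into an Update-style page both without and with output escaping, and includes a check that flags any submitter-controlled field that reaches the page unescaped. The template, field names and sample values are assumptions made for the example.

```python
import html

# Constructed ticket, as a low-privilege submitter could create it.
# The subject and requestor carry markup/quotes; these are sample values,
# not taken from the RT ticket referenced in the thread.
SAMPLE_TICKET = {
    "id": 1330,
    "subject": "Printer broken <b>urgent</b> <script>x()</script>",
    "requestor": 'ivan@example.invalid" onmouseover="x',
}

# Hypothetical Update page fragment: subject appears as element content
# and inside a quoted attribute, requestor inside an href and as content.
UPDATE_TEMPLATE = (
    '<h1>Ticket #{id}: {subject}</h1>\n'
    '<input type="text" name="UpdateSubject" value="{subject}">\n'
    '<p>Requestor: <a href="mailto:{requestor}">{requestor}</a></p>'
)


def escape_text(value):
    """Escape a value for HTML element content and quoted attribute values."""
    return html.escape(str(value), quote=True)


def render_update_page_unsafe(ticket):
    """The bug pattern: submitter-controlled fields dropped straight into HTML."""
    return UPDATE_TEMPLATE.format(**ticket)


def render_update_page(ticket):
    """The fix: escape every field once, at the point it enters the page."""
    safe = {name: escape_text(value) for name, value in ticket.items()}
    return UPDATE_TEMPLATE.format(**safe)


def contains_raw_markup(rendered, untrusted_values):
    """Regression check: True if any untrusted value containing <, > or "
    survives verbatim in the rendered page, i.e. escaping was missed."""
    for value in map(str, untrusted_values):
        if any(ch in value for ch in '<>"') and value in rendered:
            return True
    return False


if __name__ == "__main__":
    print(render_update_page(SAMPLE_TICKET))
```

The same check can be run over any page template that interpolates ticket fields, to catch a missed escape before it ships.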
