[rt-devel] I18N bug fixed
Stanislav Sinyagin
ssinyagin at yahoo.com
Fri Feb 28 14:58:20 EST 2003

--- Jesse Vincent <jesse at bestpractical.com> wrote:
> Stan,
>
> Your first change opens RT up to a cross-site scripting attack, as I
> mentioned in January:
>
> http://lists.fsck.com/pipermail/rt-devel/2003-January/002943.html
>
>
> I suspect that what you really want is to tell mason to use a different sort
> of html escaping, rather than none. I'll have a look at the fix to
> encoding {}

I'll take a closer look. Can you give some examples of dangerous code
when not escaping?