[rt-devel] I18N bug fixed
Jesse Vincent
jesse at bestpractical.com
Fri Feb 28 16:19:22 EST 2003
http://www.cgisecurity.com/articles/xss-faq.shtml is the FAQ you want to
read. And change #253 (what will be 2.1.77) is the change in RT where I
finished implementing the fix. Your bug report about the encoding sub
was the key to the solution. Thanks.
-j
On Fri, Feb 28, 2003 at 11:58:20AM -0800, Stanislav Sinyagin wrote:
>
> --- Jesse Vincent <jesse at bestpractical.com> wrote:
> > Stan,
> >
> > Your first change opens RT up to a cross-site scripting attack, as I
> > mentioned in January:
> >
> > http://lists.fsck.com/pipermail/rt-devel/2003-January/002943.html
> >
> >
> > I suspect that what you really want is to tell mason to use a different sort
> > of html escaping, rather than none. I'll have a look at the fix to
> > encoding {}
>
> I'll take a closer look. Can you give some examples of dangerous code
> when not escaping?
>
> _______________________________________________
> rt-devel mailing list
> rt-devel at lists.fsck.com
> http://lists.fsck.com/mailman/listinfo/rt-devel
--
http://www.bestpractical.com/rt -- Trouble Ticketing. Free.
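The thread above argues for a different kind of HTML escaping rather than none. The following Perl script is an added illustration of that point, not code from RT or HTML::Mason. It contrasts three ways a template can emit a user-supplied ticket subject: unescaped, escaped with an "encode everything non-ASCII" escaper, and escaped only where an HTML parser cares. The names escape_everything, escape_html and render_cell are invented for the example; that the original I18N complaint came from an escaper that entity-encodes every non-ASCII character is an assumption, as is the HTML::Mason set_escape call mentioned in the note after the code.

```perl
#!/usr/bin/perl
# Added example; not code from RT or HTML::Mason. It contrasts three ways a
# template can emit a user-supplied ticket subject: unescaped (the change
# objected to in the thread), escaped with "encode everything non-ASCII"
# (assumed here to be the behaviour behind the I18N complaint), and escaped
# only where an HTML parser cares (the "different sort of escaping").
use strict;
use warnings;
use utf8;                      # string literals below are UTF-8 source text
binmode STDOUT, ':encoding(UTF-8)';

# Escaper A: aggressive. Turns HTML metacharacters AND every non-ASCII
# character into numeric entities. Safe, but a Cyrillic or accented subject
# no longer survives as its original characters, which is the kind of I18N
# breakage that tempts people to switch escaping off entirely.
sub escape_everything {
    my ($text) = @_;
    # one pass, so an inserted "&#NNN;" is never escaped a second time
    $text =~ s/([&<>"']|[^\x20-\x7e])/sprintf('&#%d;', ord $1)/ge;
    return $text;
}

# Escaper B: minimal. Only the five characters that can change how an HTML
# parser reads the output are replaced; everything else passes through, so
# non-ASCII text stays readable and script injection still fails.
my %entity = (
    '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
    '"' => '&quot;', "'" => '&#39;',
);
sub escape_html {
    my ($text) = @_;
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Stand-in for a Mason component line such as <td><% $subject |h %></td>.
# $escaper is a code ref, or undef to mimic escaping being disabled.
sub render_cell {
    my ($subject, $escaper) = @_;
    my $body = $escaper ? $escaper->($subject) : $subject;
    return "<td>$body</td>";
}

# Constructed sample subject: non-ASCII text plus a script tag, the sort of
# value any web form or e-mail gateway can feed into a ticket.
my $subject = qq{Ошибка в "login" <script>alert(1)</script>};

print "disabled:   ", render_cell($subject, undef),                 "\n";
print "everything: ", render_cell($subject, \&escape_everything), "\n";
print "minimal:    ", render_cell($subject, \&escape_html),       "\n";
```

The first line shows the script tag reaching the browser intact; the second is safe but unreadable for non-ASCII subjects; the third is both safe and readable. With HTML::Mason the minimal escaper can be attached to the existing `|h` filter instead of editing every `<% ... %>` tag, via `$interp->set_escape(h => \&escape_html)`; that the Mason version in use provides `set_escape` is an assumption.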