[rt-devel] Re: RT 2.1.56 (wrong charset)

Jesse Vincent jesse at bestpractical.com
Fri Jan 24 17:31:44 EST 2003



On Fri, Jan 24, 2003 at 02:20:17PM -0800, Stanislav Sinyagin wrote:
> 
> > So. Mason now has pluggable html escaping rules. I'd be thrilled if you
> > could hand me the one-line patch that makes it do the right thing. 
> 
> will look into that. But I think disabling 
>    default_escape_flags => 'h'
> in lib/RT/Interface/Web.pm  would be enough for now. 
> 

DO NOT do that on a production system. It will open you up 
to a wide variety of cross-site scripting attacks. Anyone who sends mail
to RT will be able to compromise the account of any RT user who even has
a ticket listed in their homepage.


-- 
»|« http://www.bestpractical.com/rt  -- Trouble Ticketing. Free.