[rt-devel] Re: RT 2.1.56 (wrong charset)
Jesse Vincent
jesse at bestpractical.com
Fri Jan 24 17:31:44 EST 2003
On Fri, Jan 24, 2003 at 02:20:17PM -0800, Stanislav Sinyagin wrote:
>
> > So. Mason now has pluggable html escaping rules. I'd be thrilled if you
> > could hand me the one-line patch that makes it do the right thing.
>
> will look into that. But I think disabling
> default_escape_flags => 'h'
> in lib/RT/Interface/Web.pm would be enough for now.
>
DO NOT do that on a production system. It will open you up
to a wide variety of cross-site scripting attacks. Anyone who sends mail
to RT will be able to compromise the account of any RT user who even has
a ticket listed in their homepage.
--
»|« http://www.bestpractical.com/rt -- Trouble Ticketing. Free.
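
The trade-off in this exchange, as an added example that is not part of the original message and is not RT's or Mason's own code: an escape that rewrites only markup characters keeps mailed-in text inert while leaving non-ASCII bytes alone. It assumes the charset problem comes from an escape routine that also rewrites non-ASCII bytes; the helper names and sample subjects are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Characters that can change HTML structure in text or attribute context.
my %ENTITY = (
    '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
    '"' => '&quot;', "'" => '&#39;',
);

# Hypothetical helper: escape markup characters only. All other bytes,
# including multi-byte UTF-8 sequences, pass through unchanged.
sub escape_markup_only {
    my ($text) = @_;
    return '' unless defined $text;
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $text;
}

# Hypothetical stand-in for a template cell that prints a ticket subject.
sub render_cell {
    my ($subject, $escape) = @_;
    return '<td>' . ($escape ? escape_markup_only($subject) : $subject) . '</td>';
}

# Constructed subjects, as raw bytes the way they might arrive by mail.
my @subjects = (
    "\xd0\x9f\xd1\x80\xd0\xb8\xd0\xb2\xd0\xb5\xd1\x82",  # UTF-8 Cyrillic word
    '<script>alert(1)</script>',                          # markup in a subject
    'disk usage > 90% & rising',
);

for my $subject (@subjects) {
    my $raw  = render_cell($subject, 0);
    my $safe = render_cell($subject, 1);
    print "unescaped: $raw\n  escaped: $safe\n";

    # The escaped cell body must contain no markup delimiters from the mail.
    my $body = substr($safe, 4, length($safe) - 9);
    die "markup survived escaping\n" if $body =~ /[<>"']/;
}

# Non-ASCII bytes are untouched, so the page charset is not disturbed.
die "charset bytes altered\n"
    unless escape_markup_only($subjects[0]) eq $subjects[0];
print "all checks passed\n";
```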