[Pkg-tcltk-commits] r1714 - in tcllib/branches/squeeze/debian: . patches
sgolovan at alioth.debian.org
Tue Mar 10 16:31:00 UTC 2015
Author: sgolovan
Date: 2015-03-10 16:31:00 +0000 (Tue, 10 Mar 2015)
New Revision: 1714
Added:
tcllib/branches/squeeze/debian/patches/html-textarea-xss.diff
Modified:
tcllib/branches/squeeze/debian/changelog
tcllib/branches/squeeze/debian/patches/series
Log:
[tcllib]
* Added a patch from upstream which fixes an XSS vulnerability in
the html module for <textarea/> elements (closes: #780100).
Modified: tcllib/branches/squeeze/debian/changelog
===================================================================
--- tcllib/branches/squeeze/debian/changelog 2015-03-10 16:10:26 UTC (rev 1713)
+++ tcllib/branches/squeeze/debian/changelog 2015-03-10 16:31:00 UTC (rev 1714)
@@ -1,3 +1,10 @@
+tcllib (1.12-dfsg-2+deb6u1) oldstable; urgency=low
+
+ * Added a patch from upstream which fixes an XSS vulnerability in
+ the html module for <textarea/> elements (closes: #780100).
+
+ -- Sergei Golovan <sgolovan at debian.org> Tue, 10 Mar 2015 19:12:18 +0300
+
tcllib (1.12-dfsg-2) unstable; urgency=low
* Renamed msgcat.3tcl manpage to doctools_msgcat.3tcl to avoid conflict
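Review bot: The new changelog entry says only "a patch from upstream" and does not identify the upstream check-in it was taken from, so the backport cannot be checked against the original without searching upstream history; add the upstream revision or URL next to "closes: #780100". The header line also sets urgency=low for an upload whose only change is an XSS fix; consider whether a higher urgency is appropriate for a security-only upload.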
Added: tcllib/branches/squeeze/debian/patches/html-textarea-xss.diff
===================================================================
--- tcllib/branches/squeeze/debian/patches/html-textarea-xss.diff (rev 0)
+++ tcllib/branches/squeeze/debian/patches/html-textarea-xss.diff 2015-03-10 16:31:00 UTC (rev 1714)
@@ -0,0 +1,16 @@
+Author: upstream
+Description: Patch fixes an XSS vulnerability in <textarea/> HTML element in
+ the html Tcllib module
+Last-Modified: Mon, 09 Mar 2015 15:06:15 +0300
+
+--- a/modules/html/html.tcl
++++ b/modules/html/html.tcl
+@@ -912,7 +912,7 @@
+ # The html fragment
+
+ proc ::html::textarea {name {param {}} {current {}}} {
+- ::set value [ncgi::value $name $current]
++ ::set value [quoteFormValue [ncgi::value $name $current]]
+ return "<[string trimright \
+ "textarea name=\"$name\"\
+ [tagParam textarea $param]"]>$value</textarea>\n"
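Review bot: In the context lines of the html.tcl hunk, name=\"$name\" still interpolates $name into the attribute unquoted, so the change protects only the element body; if any caller passes a request-derived field name, the attribute remains an injection point. Consider quoting $name the same way, or state in the Description that name must be a trusted constant. Because quoteFormValue now wraps the whole [ncgi::value $name $current] result, the $current default is escaped too, so callers that already escaped their default will see it double-encoded; that behaviour change deserves a line in the patch header. The header itself gives "Author: upstream" with no origin reference or bug link, which makes the patch hard to trace once it is separated from this commit.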
Modified: tcllib/branches/squeeze/debian/patches/series
===================================================================
--- tcllib/branches/squeeze/debian/patches/series 2015-03-10 16:10:26 UTC (rev 1713)
+++ tcllib/branches/squeeze/debian/patches/series 2015-03-10 16:31:00 UTC (rev 1714)
@@ -1,2 +1,3 @@
build.diff
manpages.diff
+html-textarea-xss.diff