[Pkg-javascript-devel] Bug#557745: tag

Michael Gilbert michael.s.gilbert at gmail.com
Wed Dec 2 14:07:32 UTC 2009


reopen 557745
thanks

On Wed, 2 Dec 2009 00:06:14 -0500 (EST), Jaldhar H. Vyas wrote:
> On Tue, 1 Dec 2009, Thomas Koch wrote:
> 
> > So it was a mistake that the bug has been closed in the changelog.
> >
> > But I've explained before, that this bug is not a security issue with YUI or
> > any other JS library, but an issue of web applications vulnerable to XSS
> > attacks.
> > I therefore suggest that this bug should be closed. Is there any other idea on
> > how to proceed?
> 
> As Gerfried suggested, it is not that the bug should be kept open, but 
> that it should have been closed the right way, which is the issue.  I have 
> done that now.

actually, that email was informational on how to close a bug that was
resolved without code changes.

> In my defense FWIW I would like to say that I fully agree with Thomas that 
> this issue is bogus.  It should never have even received a CVE IMO. 
> Unfortunately due to its alarmist tone people have gotten unduly scared. 
> I know from experience that a lot of our less-sophisticated users don't 
> read the bug reports so that's why I put the comment in the changelog 
> where there is at least some chance they might read it.

i don't really see the alarmism.  this is an issue (just like any
other issue), which is reasonably well defined, so it should be fixed.

at this point, there is a request upstream for an implementation of
secure methods.  once that is implemented, the bug can be resolved.
another option would be development of sufficient documentation for app
developers on how to correctly use secure yui methods and avoid insecure
ones.

mike
