Bug#652587: libhtml-template-pro-perl: missing escaping allows XSS
Ansgar Burchardt
ansgar at debian.org
Sun Dec 18 22:17:04 UTC 2011
Package: libhtml-template-pro-perl
Version: 0.9502-1
Severity: important
Tags: security
The JS escaping in libhtml-template-pro-perl fails to escape "<" and
">", which allows XSS. This was fixed in the last upstream release (0.9507).
An example script that triggers the bug is attached. With 0.9507 it
outputs
<evil>
older versions generate
<evil>
instead.
Ansgar
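The report above describes a JS-context escaper that handles quotes, backslashes and line breaks but leaves "<" and ">" untouched. The following is an added illustration, not code from HTML::Template::Pro or from the reporter: it models the assumed incomplete escape set beside a version that also hex-escapes angle brackets, and includes a small audit helper (a hypothetical name, `unescaped_chars`) that reports which probe characters an escaper passes through unchanged. The exact character set that the module escapes is an assumption here; only the missing "<" and ">" are taken from the report.

```python
# Added example (not the module's own code): JS-string escaping with and
# without the '<' / '>' rule, plus an audit helper for an escaper.

# Assumed "before" escape set: quotes, backslash and line breaks only.
_BASE_MAP = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\n": "\\n",
    "\r": "\\r",
}

# Angle brackets as hex escapes: the JS engine decodes them back to '<' and
# '>', while the HTML parser scanning an inline <script> block never sees a
# tag boundary in the data.
_ANGLE_MAP = {"<": "\\x3c", ">": "\\x3e"}

def js_escape_incomplete(value: str) -> str:
    """JS escaping without '<' and '>' handling (the weakness reported)."""
    return "".join(_BASE_MAP.get(ch, ch) for ch in value)

def js_escape(value: str) -> str:
    """JS escaping that also neutralises angle brackets."""
    table = {**_BASE_MAP, **_ANGLE_MAP}
    return "".join(table.get(ch, ch) for ch in value)

def unescaped_chars(escaper, probe: str = "<>'\"\\\n\r") -> set:
    """Audit helper (hypothetical name): return the probe characters that the
    given escaper passes through unchanged, i.e. characters it does not
    protect against.  An empty set means every probe character is encoded."""
    return {ch for ch in probe if escaper(ch) == ch}

# The value used in the bug report.
SAMPLE = "<evil>"

if __name__ == "__main__":
    print(js_escape_incomplete(SAMPLE))          # -> <evil>  (unchanged)
    print(js_escape(SAMPLE))                     # -> \x3cevil\x3e
    print(sorted(unescaped_chars(js_escape_incomplete)))  # -> ['<', '>']
    print(sorted(unescaped_chars(js_escape)))             # -> []
```

The audit helper is the part worth keeping around: run it against whatever escaper a template engine applies for `escape=JS`, and any character left in the result is one that the surrounding script block's HTML parser, rather than the JS engine, gets to interpret.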