Bug#652587: libhtml-template-pro-perl: missing escaping allows XSS

Moritz Mühlenhoff jmm at inutil.org
Mon Dec 19 19:29:18 UTC 2011


On Mon, Dec 19, 2011 at 07:47:52PM +0100, Ansgar Burchardt wrote:
> Ansgar Burchardt <ansgar at debian.org> writes:
> > The JS escaping in libhtml-template-pro-perl fails to escape "<" and
> > ">" which allows XSS.  This was fixed in the last upstream release (0.9507).
> >
> > An example script that triggers the bug is attached.  With 0.9507 it
> > outputs
> >
> >   <evil>
> >
> > older versions generate
> >
> >   <evil>
> >
> > instead.
> 
> I prepared a backport of the relevant changes to squeeze (attached).
> Lenny might be affected as well, I'll look into that in the next days.

Support for Lenny ends really soon and the final release will be the closing
one; better invest your time elsewhere.

> Does the security team want to release a DSA for this issue or should it
> be fixed via proposed-updates?

Please fix this through a point update; this doesn't warrant a DSA.

Cheers,
        Moritz
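As an added illustration (not the module's own code, nor the script attached to the report), the escaping rules below are assumed to model the behaviour described: the old JS escaper handles quotes, backslashes and newlines but not "<" and ">", the fixed one also encodes those as \x3c / \x3e, and a small check shows whether a rendered value can close the enclosing script element.

```python
# Constructed example modelling the ESCAPE=JS bug described above.
# Not HTML::Template::Pro code; the exact rule set is an assumption.

def js_escape_old(s: str) -> str:
    """JS string escaping as assumed for affected versions: quotes,
    backslashes and line breaks are escaped, '<' and '>' pass through."""
    out = []
    for ch in s:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ch == "'":
            out.append("\\'")
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        else:
            out.append(ch)
    return "".join(out)


def js_escape_fixed(s: str) -> str:
    """Same rules plus '<' -> \\x3c and '>' -> \\x3e, so a value placed in a
    JS string inside an inline <script> can never contain a closing tag."""
    out = []
    for ch in s:
        if ch == "<":
            out.append("\\x3c")
        elif ch == ">":
            out.append("\\x3e")
        else:
            out.append(js_escape_old(ch))
    return "".join(out)


def render(escape, value: str) -> str:
    """Stand-in for a template line such as:
    <script>var x = "<TMPL_VAR NAME=x ESCAPE=JS>";</script>"""
    return '<script>var x = "%s";</script>' % escape(value)


def breaks_out(html: str) -> bool:
    """Detection check: a second '</script>' means the escaped value
    terminated the script element the template itself emitted."""
    return html.lower().count("</script>") > 1


if __name__ == "__main__":
    print(js_escape_old("<evil>"), "|", js_escape_fixed("<evil>"))
```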
