reopen 327339
thanks
Hi,
I had a look at the security fix for #327339 and I don't think this has been
fixed properly:
The introduced change is:
| elsif ($CLI{format} =~ /html?/i)
| {
|   $CLI{format}="htm";
|   nprint("\n- NOTE: HTML output is not recommended as it may contain dangerous characters or sequences. OSVDB-17886.\n\n");
| }
How does this prevent the web script code injection from taking place? This
is only a warning, but it doesn't get sanitised. If I'm missing a check on
another code position, please point it out to me.
Cheers,
Moritz
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
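For contrast with the warning-only change quoted above, here is what an actual sanitising fix for the HTML report path looks like. This is an added example, not Nikto's code: it does not use Nikto's %CLI or nprint(), the finding hash and the hostile banner/path strings are constructed sample input, and the table-row layout is invented for the demonstration. The point is that every server-controlled value (banner, path, host) is passed through an HTML escape before it is interpolated into markup, so a scanned server cannot inject script into the report that the user later opens in a browser.

```perl
#!/usr/bin/perl
# Added example (not Nikto's code): escape server-controlled strings before
# writing them into an HTML report, rather than only warning the user.
use strict;
use warnings;

# Escape the five characters that matter in HTML text and attribute context.
# HTML::Entities::encode_entities() does the same; inlined here so the script
# runs without extra modules. '&' must be replaced first.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Constructed sample finding: a hostile server banner and a path of the kind
# a malicious target could make a scanner record.
my %finding = (
    host   => 'target.example',
    banner => 'Apache/1.3 <script>alert(document.cookie)</script>',
    path   => '/cgi-bin/"><img src=x onerror=alert(1)>',
);

# Unsanitised row: untrusted values interpolated straight into markup.
# This is the behaviour a warning alone does not change.
sub report_unsafe {
    my ($f) = @_;
    return "<tr><td>$f->{host}</td><td>$f->{banner}</td>"
         . "<td><a href=\"$f->{path}\">$f->{path}</a></td></tr>\n";
}

# Sanitised row: every untrusted value goes through html_escape() first,
# both in text content and inside the href attribute.
sub report_safe {
    my ($f) = @_;
    my $host   = html_escape($f->{host});
    my $banner = html_escape($f->{banner});
    my $path   = html_escape($f->{path});
    return "<tr><td>$host</td><td>$banner</td>"
         . "<td><a href=\"$path\">$path</a></td></tr>\n";
}

my $unsafe = report_unsafe(\%finding);
my $safe   = report_safe(\%finding);
print "unsafe: $unsafe";
print "safe:   $safe";

# Self-check: the raw tag survives in the unsafe row and is gone from the safe one.
die "unsafe row lost its payload"   unless $unsafe =~ /<script>/;
die "safe row still contains a tag" if     $safe   =~ /<script>|onerror=/;
die "attribute quote not escaped"   if     $safe   =~ /href="[^"]*"[^>]*>/ && $safe =~ /"><img/;
```

Run it with `perl report.pl`: the first row renders the injected script and event handler verbatim, the second shows them as literal text (`&lt;script&gt;`, `&quot;&gt;&lt;img ...`). Note that attribute context needs the quote escaping as well as the angle brackets; escaping only `<` and `>` would still let the `"><img ...>` path break out of the href.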