reopen 557745
thanks

On Wed, 2 Dec 2009 00:06:14 -0500 (EST), Jaldhar H. Vyas wrote:
> On Tue, 1 Dec 2009, Thomas Koch wrote:
>
> > So it was a mistake that the bug has been closed in the changelog.
> >
> > But I've explained before that this bug is not a security issue with YUI or
> > any other JS library, but an issue of web applications vulnerable to XSS
> > attacks.
> > I therefore suggest that this bug should be closed. Is there any other idea
> > on how to proceed?
>
> As Gerfried suggested, it is not that the bug should be kept open, but
> that it should have been closed the right way, which is the issue. I have
> done that now.

Actually, that email was informational on how to close a bug that was resolved without code changes.

> In my defense FWIW I would like to say that I fully agree with Thomas that
> this issue is bogus. It should never have even received a CVE IMO.
> Unfortunately due to its alarmist tone people have gotten unduly scared.
> I know from experience that a lot of our less-sophisticated users don't
> read the bug reports so that's why I put the comment in the changelog
> where there is at least some chance they might read it.

I don't really see the alarmism. This is an issue (just like any other issue), which is reasonably well defined, so it should be fixed. At this point, there is a request upstream for an implementation of secure methods. Once that is implemented, the bug can be resolved. Another option would be development of sufficient documentation for app developers on how to correctly use secure YUI methods and avoid insecure ones.

mike

