On Mon, 27 Feb 2012 20:12:08 +0100, Florian Weimer <f...@deneb.enyo.de> wrote:
> * Antoine Beaupré:
> 
> > ++       $h =~ s/[<>&%]/./g;
> 
> > ++        $step =~ s/[<>&%]/./g; 
> 
> > ++    $mode =~ s/[<>&%]/./g;
> 
> > ++            $t =~ s/[<>&%]/./g; 
> 
> > ++        $targ =~ s/[<>;%]/./g;
> 
> > ++    $hierarchy =~ s/[<>;%]/./g;
> 
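Review bot: none of the six character classes includes `"` or `'`, so a value interpolated into a quoted attribute such as target="$t" can still close the attribute and append a new one (for example an onmouseover handler); the classes are also inconsistent with each other, since the `$targ` and `$hierarchy` lines drop `&` in favour of `;` while the other four keep `&` and ignore `;`. Rather than widening a blacklist, escape at the point of output with a proper HTML encoder (`&` to `&amp;`, `<` to `&lt;`, `>` to `&gt;`, `"` to `&quot;`, `'` to `&#39;`), which covers both text and attribute context and does not silently rewrite user data to `.`.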
> These patterns do not match the special character ".  Therefore, it is
> still possible to escape from the target="$t" parameter (for example)
> and inject an onmouseover handler.
> 
> I would prefer if this could be fixed.  Has upstream already released
> this patch as a security update?

I don't actually know - I followed your lead and used that patch from the
Red Hat Bugzilla bug tracker:

https://bugzilla.redhat.com/attachment.cgi?id=556619&action=diff&context=patch&collapsed=&headers=1&format=raw

A.

-- 
It is better to sit alone than in company with the bad; and it is better
still to sit with the good than alone. It is better to speak to a seeker of
knowledge than to remain silent; but silence is better than idle words.
                        - Imam Bukhari

Attachment: pgp7HysRZjrFN.pgp
Description: PGP signature
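The attribute break-out Florian describes, reproduced as an added example that is not part of this thread or of the upstream patch. The `patched_sanitise` sub applies the same substitution as the quoted `++` lines; `html_escape` is this editor's suggested replacement, not upstream's fix; the attacker value and the `<a target="...">` context (assumed from the quoted `target="$t"`) are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Sanitiser exactly as in the quoted patch lines: replace a small
# blacklist of characters with '.', leaving '"' and "'" untouched.
sub patched_sanitise {
    my ($v) = @_;
    $v =~ s/[<>&%]/./g;
    return $v;
}

# Editor's suggested alternative (assumption, not upstream code): encode
# every character that is special in HTML text or attribute context.
# '&' must be handled first so that the entities added below survive.
sub html_escape {
    my ($v) = @_;
    $v =~ s/&/&amp;/g;
    $v =~ s/</&lt;/g;
    $v =~ s/>/&gt;/g;
    $v =~ s/"/&quot;/g;
    $v =~ s/'/&#39;/g;
    return $v;
}

# Count attributes of the form name="..." in a tag; a break-out shows up
# as a second attribute the template author never wrote.
sub attribute_count {
    my ($html) = @_;
    my @attrs = $html =~ /\s(\w+)="[^"]*"/g;
    return scalar @attrs;
}

# Constructed attacker value: contains none of < > & %, so the patched
# substitution leaves it unchanged, but the '"' closes target="..." early.
my $t = 'x" onmouseover="alert(1)';

my $patched = qq{<a target="} . patched_sanitise($t) . qq{">link</a>};
my $escaped = qq{<a target="} . html_escape($t)      . qq{">link</a>};

print "patched : $patched\n";
print "escaped : $escaped\n";
printf "attributes with patched sanitiser: %d\n", attribute_count($patched);
printf "attributes with html escaping    : %d\n", attribute_count($escaped);
```

With the patched sanitiser the rendered tag carries two attributes, `target="x"` and `onmouseover="alert(1)"`, because the attacker's quote is not in the blacklist; with output escaping the quote becomes `&quot;` and the whole value stays inside the single `target` attribute.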
