On 13/02/12 04:48, Moritz Naumann wrote:
Hi Mehdi, Debian WB-Team, debian-ports.org webadmins,

I just came across this XSS in the pgstatus code and thought I'd let
you know.


Thanks for letting us know! In fact, this XSS is somehow useless since
the <script> is put in a <div> just to tell the user he made a mistake,
and is not used elsewhere. I agree that this is not so pretty. I've
added an htmlspecialchars call around the user's input, but I wonder if I
should just remove the notification that used the malicious input,
because it was not very useful anyway.

Aurélien, can you please apply the last commit to pgstatus's instance on debian-ports.org?

Cheers.

--
Mehdi

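The pattern under discussion, as an added example that is not pgstatus code and not part of the original thread: a user-supplied value is echoed back inside a <div> to report a mistake, once unescaped (the reported XSS) and once wrapped in htmlspecialchars as in the fix Mehdi describes. The parameter name, the message wording and the payload are assumptions made for the illustration.

```php
<?php
// Added example, not pgstatus code. Models the reported pattern: a value
// from the query string is echoed inside a <div> to tell the user about a
// mistake. The wording and the 'pkg' parameter name are assumptions.

declare(strict_types=1);

// Vulnerable form: the raw value lands in the HTML text context unchanged,
// so a "<script>" in the request becomes live markup in the response.
function notice_unescaped(string $value): string
{
    return '<div class="error">Unknown package: ' . $value . '</div>';
}

// Hardened form: htmlspecialchars() turns &, <, >, " and ' into entities.
// ENT_QUOTES covers both quote styles, which matters if the same value is
// ever placed inside an attribute; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string; the explicit charset avoids
// depending on the default_charset ini setting.
function notice_escaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="error">Unknown package: ' . $safe . '</div>';
}

// Quick check from the command line: php example.php
// The constructed payload stands in for what a crafted link would carry.
$payload = $_GET['pkg'] ?? '<script>alert(document.cookie)</script>';
echo notice_unescaped($payload), "\n";
echo notice_escaped($payload), "\n";
// Escaped output:
// <div class="error">Unknown package: &lt;script&gt;alert(document.cookie)&lt;/script&gt;</div>
```

htmlspecialchars is the right tool only for the HTML text and attribute contexts, which is all this notification uses. If the same value were ever interpolated into an inline <script> block, a URL, or a CSS string, that context needs its own encoding (for example json_encode with JSON_HEX_TAG for script data), and escaping for HTML alone would not be sufficient. Dropping the notification entirely, as the reply considers, removes the sink rather than sanitising it, and is the simpler fix when the message carries no value to the user.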
