On 13/02/2012 13:33, Mehdi Dogguy wrote:
> On 13/02/12 04:48, Moritz Naumann wrote:
>> Hi Mehdi, Debian WB-Team, debian-ports.org webadmins,
>>
>> I just came across this XSS in the pgstatus code and thought I'd let
>> you know.
>>
>
> Thanks for letting us know! In fact, this XSS is somehow useless since
> the <script> is put in a <div> just to tell the user he made a mistake,
> and is not used elsewhere. I agree that this is not so pretty. I've
> added an htmlspecialchars call around the user's input but I wonder if I
> should just remove the notification that used the malicious input
> because it was not very useful anyway.
>
> Aurélien, can you please apply the last commit to pgstatus's instance on
> debian-ports.org?
Done.

Cheers,
Aurelien

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
[email protected]                 http://www.aurel32.net

-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
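The fix Mehdi describes, reflecting a user-supplied value back into a notification <div> through htmlspecialchars, as an added illustration that is not pgstatus's own code. The function names, the `pkg` query parameter and the message text are assumptions for the example; pgstatus's real notification code is not shown in the thread.

```php
<?php
// Added example, not code from pgstatus. It shows the notification pattern
// discussed in the thread: a value taken from the request is echoed back to
// the user inside a <div> to say the input was not understood.

// Vulnerable form: the user-controlled value is concatenated straight into
// the markup, so any tags it contains are parsed by the browser rather than
// shown as text. This is the shape of the reported issue.
function notify_unescaped(string $input): string
{
    return '<div class="error">Unknown value: ' . $input . '</div>';
}

// Hardened form: htmlspecialchars converts < > & " ' into HTML entities, so
// the value is rendered literally. ENT_QUOTES also escapes single quotes and
// the explicit charset avoids surprises with non-UTF-8 input.
function notify_escaped(string $input): string
{
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="error">Unknown value: ' . $safe . '</div>';
}

// Assumed parameter name; the fallback is a constructed value containing
// markup, standing in for the kind of input the report was about.
$input = $_GET['pkg'] ?? '<b>not-a-package</b>';

echo "Before fix: ", notify_unescaped($input), "\n";
echo "After fix:  ", notify_escaped($input), "\n";
```

Run it from the command line (`php example.php`) or under a web server with `?pkg=...` to compare the two outputs: the escaped variant leaves no raw `<` in the emitted HTML, which is the property to check for any place the application echoes request data. The thread's alternative, dropping the notification entirely, removes the reflected value altogether and is the simplest option when the message carries no real information for the user.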
