-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Frank,

Frank Lichtenheld wrote:
> On Tue, Sep 18, 2007 at 08:23:48PM +0200, Moritz Naumann wrote:
>> there's an XSS issue in the updated p.d.o:
>>
>> http://packages.debian.org/content%3D0%3Bjavascript%3Aalert%280%29%3E/http-equiv%3Drefresh/%3Cmeta
>>
>> The '0' which is output could be replaced by encoded text or arbitrary
>> javascript instructions.
>
> Thanks for your report. I have identified the issue and will try to
> deploy the fix ASAP.

Thanks for fixing this so quickly.

I'm not sure if this is related, but the error message at
http://packages.debian.org/sid/xxx now echoes HTML code (duplicate entity
encoding):

No such package.<br><a href="?lang=en&suite=sid&keywords=xxx">Search for the package</a>

The source code for this is:

<p>No such package.<br><a href="?lang=en&amp;suite=sid&amp;keywords=xxx">Search for the package</a></p>

Moritz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG8XYan6GkvSd/BgwRCnGRAJ9ptPnTpdD/aL7pU8QI4rcgCRhoPACgjDBk
mB2EY67wGPgOnEKM0L3D0ag=
=x0vC
-----END PGP SIGNATURE-----
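The double entity encoding Moritz describes, as an added example that is not part of this thread or of the packages.debian.org code: the "No such package" fragment built with each untrusted value escaped exactly once, beside a variant that runs the finished fragment through the escaper a second time. Function names and the `displayed_text` browser approximation are this example's own assumptions.

```python
import html
import re
from urllib.parse import quote

# Constructed example (not packages.debian.org's own code): the error
# fragment quoted in the report, rendered correctly and with the bug.
TEMPLATE = '<p>No such package.<br><a href="{href}">Search for the package</a></p>'


def build_href(suite: str, keywords: str, lang: str = "en") -> str:
    """Percent-encode each query value, then entity-encode the '&' separators
    so the attribute is valid HTML. A browser decodes each layer exactly once."""
    query = "?lang={}&suite={}&keywords={}".format(
        quote(lang, safe=""), quote(suite, safe=""), quote(keywords, safe=""))
    return html.escape(query, quote=True)


def render_not_found(suite: str, keywords: str, lang: str = "en") -> str:
    """Correct rendering: escape once, where raw data meets the HTML template."""
    return TEMPLATE.format(href=build_href(suite, keywords, lang))


def render_not_found_double_escaped(suite: str, keywords: str, lang: str = "en") -> str:
    """Reproduces the reported bug: an already-escaped HTML fragment is passed
    through the escaper again, so '<' becomes '&lt;' and '&amp;' becomes
    '&amp;amp;'. The browser then shows the markup as literal text."""
    return html.escape(render_not_found(suite, keywords, lang), quote=False)


def displayed_text(fragment: str) -> str:
    """Rough approximation of what a browser displays for a fragment: real
    tags are removed, then entities are decoded exactly once."""
    return html.unescape(re.sub(r"<[^>]+>", "", fragment))
```

`render_not_found("sid", "xxx")` yields exactly the source line quoted in the mail, while the double-escaped variant displays the `<br>` and `<a ...>` tags as text.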

