Hi Dave,

On Apr 5, 2007, at 8:53 AM, Dave wrote:

Apparently nobody on the list has time to check these XSS fixes out,

+1

but it's pretty clear we need to validate these builds and get the
fixes out.

+1


To encourage others to help with testing, should I post about them on
the Project blog and say something like:

"Roller patch releases in testing. New builds of Roller Version 2.3
and Roller 3.0 have been created to address security vulnerabilities.
These builds are "release candidate" builds and are for testing
purposes only. You can get builds Roller 3.0.1 RC1 and Roller 2.3.1
RC1 from this location: XXX"

I think this is a fine idea.

Craig

- Dave




On 3/23/07, Dave <[EMAIL PROTECTED]> wrote:
Roller 3.0.1: minor release to fix security risk

*** Fixes for Cross-site Scripting (XSS) vulnerabilities

Fixed multiple XSS vulnerabilities. Changes were isolated in these files:

- WEB-INF/lib/roller-web.jar
  Now strips HTML from all incoming comment fields

- WEB-INF/velocity/weblog.vm
  Now HTML-escapes all comment-form fields before display

- WEB-INF/jsps/authoring/CommentManagement.jsp
  Now HTML-escapes all comment-form fields before display

- WEB-INF/jsps/tiles/head.jsp
  Eliminated the "look" request parameter, which was for debugging only

- roller-ui/widgets/date.jsp
  Now HTML-escapes value field of date widget


Apache Roller 3.0.1 RC1 files are available here:
http://people.apache.org/~snoopdave/apache-roller-3.0.1


Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:[EMAIL PROTECTED]
P.S. A good JDO? O, Gasp!
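The 3.0.1 notes quoted above describe two separate defences for the comment form: stripping HTML from the incoming field on the way in, and HTML-escaping the stored value on the way out before it is written into a page. The block below is an added example, not Roller's code and not taken from roller-web.jar or weblog.vm; the class, method names and the sample "name" value are constructed for illustration. It shows why both steps are listed: stripping tags alone leaves characters that can still terminate an attribute, and escaping at the point of output is what finally keeps the value inert.

```java
import java.util.regex.Pattern;

/**
 * Added example (hypothetical class, not part of Apache Roller): the two
 * defences the 3.0.1 release notes describe, applied to a constructed
 * comment-form value.
 *   1. strip HTML tags from an incoming comment field (input sanitisation)
 *   2. HTML-escape the stored value before rendering it (output encoding)
 */
public class CommentFieldHardening {

    // Blunt tag filter: removes anything of the form <...>. It is kept
    // deliberately simple; escaping on output is the step that must not
    // be skipped, because a filter like this does not touch a lone '"' or '>'.
    private static final Pattern TAG = Pattern.compile("<[^>]*>");

    public static String stripHtml(String input) {
        if (input == null) return "";
        return TAG.matcher(input).replaceAll("");
    }

    // Escape the five characters that let a value break out of an HTML text
    // node or a double- or single-quoted attribute value.
    public static String escapeHtml(String input) {
        if (input == null) return "";
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // "Before" the fix: the field value is concatenated into markup unchanged,
    // so a quote in the value ends the attribute early.
    public static String renderUnsafe(String name) {
        return "<input type=\"text\" name=\"name\" value=\"" + name + "\">";
    }

    // "After" the fix: the value is escaped at the point it is written out.
    public static String renderSafe(String name) {
        return "<input type=\"text\" name=\"name\" value=\"" + escapeHtml(name) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample: a comment-form "name" field containing a quote,
        // a closing bracket and some harmless tags.
        String submitted = "Alice\"><b>bold</b> & <i>co</i>";

        // Step 1: what the comment store keeps after tag stripping.
        String stored = stripHtml(submitted);
        System.out.println("stored : " + stored);
        // stored : Alice">bold & co      (tags gone, the quote and '>' remain)

        // Without output escaping the remaining quote still closes the
        // value attribute, so stripping alone is not sufficient.
        System.out.println("unsafe : " + renderUnsafe(stored));
        // unsafe : <input type="text" name="name" value="Alice">bold & co">

        // Step 2: escape on output; the value now stays inside the attribute.
        System.out.println("safe   : " + renderSafe(stored));
        // safe   : <input type="text" name="name" value="Alice&quot;&gt;bold &amp; co">
    }
}
```

Compile and run with `javac CommentFieldHardening.java && java CommentFieldHardening`. The tag filter is shown only to mirror the "strips HTML from all incoming comment fields" item; in a real deployment, output encoding with a library escaper for the exact context (text node, attribute, URL, script) is the part to rely on, and the filter is a defence-in-depth layer on top.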
