Wil,

We have one project that is running on a client's RHEL server and are using ZF 1.6.2 due to compatibility issues. I see that these fixes have been backported to the release-1.6 branch, but no new tag was created (the last tag in 1.6 is 1.6.2, last updated on 10/12/2008). Wouldn't it be appropriate to create a new 1.6.3 tag with this backported fix? If not, I can simply switch my svn:externals to use the branch instead of a tag, but it just seems more appropriate for me to use tags instead of branches in my svn:externals.

Thanks,
Bradley

On Thu, Mar 19, 2009 at 4:56 PM, Wil Sinclair <[email protected]> wrote:
> The Zend Framework team was recently notified of an XSS attack vector in its Zend_Filter_StripTags class. Zend_Filter_StripTags offers the ability to strip HTML tags from text, but also to selectively choose which tags and specific attributes of those tags to keep.
>
> The XSS attack vector was due to a bug in matching HTML tag attributes to retain. If whitespace was introduced surrounding the attribute assignment operator or the value included newline characters, the attribute would always be included in the final output, even if it was not marked to retain.
>
> A security fix has been created and released with Zend Framework 1.7.7.
>
> Additionally, the fix has been back-ported to the 1.6, 1.5, and 1.0 release branches.
>
> The Zend Framework team strongly recommends upgrading to version 1.7.7. If you cannot upgrade at this time, we recommend exporting from the release branch matching the minor release you are currently using, or downloading the file listed below and pushing it into your Zend Framework installation.
>
> http://framework.zend.com/svn/framework/standard/branches/release-1.7/library/Zend/Filter/StripTags.php
>
> Thank you.
>
> ,Wil

--
Bradley Holt
[email protected]
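Added illustration, not Zend Framework code or anything from this thread: a Python sketch of the defect class the advisory describes in an attribute allowlist filter. `naive_filter_attrs` subtracts only the disallowed attributes its pattern recognises, so anything written with whitespace around `=` or a newline inside the value slips through; `robust_filter_attrs` rebuilds the tag from parsed, allow-listed attributes only. The `ALLOWED` table and the sample markup are constructed for the example.

```python
import re
from html import escape

# Constructed allowlist for the example: tags that survive, and the
# attributes each tag may keep. Anything not listed is dropped.
ALLOWED = {"a": {"href"}, "b": set(), "p": set()}

TAG_RE = re.compile(r"<\s*(/?)\s*([A-Za-z][\w-]*)([^>]*)>")

# Illustration of the bug class the advisory describes (not Zend's code):
# a matcher that only recognises name="value" with no whitespace around
# '=' and no newline inside the value.
NAIVE_ATTR_RE = re.compile(r'(\w+)="([^"\n]*)"')

def naive_filter_attrs(tag, attrs):
    """Subtractive filtering: delete the disallowed attributes the pattern
    recognises and pass the rest of the string through unchanged. Any
    attribute the pattern fails to recognise survives untouched."""
    def drop(m):
        return m.group(0) if m.group(1).lower() in ALLOWED[tag] else ""
    return NAIVE_ATTR_RE.sub(drop, attrs)

# Robust tokenizer: optional whitespace around '=', single or double
# quotes, and [^"]* / [^']* deliberately span newlines.
ATTR_RE = re.compile(r"""([A-Za-z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')""")

def robust_filter_attrs(tag, attrs):
    """Reconstructive filtering: rebuild the attribute list from parsed,
    allow-listed attributes only. Unparsed text (including unquoted or
    valueless attributes) is never copied to the output."""
    kept = []
    for m in ATTR_RE.finditer(attrs):
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name in ALLOWED[tag]:
            kept.append(f'{name}="{escape(value, quote=True)}"')
    return (" " + " ".join(kept)) if kept else ""

def strip_tags(html, filter_attrs=robust_filter_attrs):
    """Remove tags not in ALLOWED (keeping their text content) and filter
    the attributes of the tags that remain."""
    def repl(m):
        closing, tag, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if tag not in ALLOWED:
            return ""
        if closing:
            return f"</{tag}>"
        return f"<{tag}{filter_attrs(tag, attrs)}>"
    return TAG_RE.sub(repl, html)
```

Running `strip_tags(sample, naive_filter_attrs)` against markup with `onclick = "..."` keeps the handler, while the default `robust_filter_attrs` drops it; the same holds for a value containing a newline.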
