Greetings, while looking at a diff between the 3.0.x branch and trunk for the web frontend I noticed the following snippet (htmlentities is missing in 3.0.x):
@@ -331,7 +330,7 @@ header ("Pragma: no-cache"); // HTTP/1.0 if ($debug) { header ("Content-type: text/html"); - print "$command\n\n\n\n\n"; + print htmlentities( $command ) . "\n\n\n\n\n"; } else { header ("Content-type: image/gif");

I understand that $debug has been hardcoded to disable it in graph.php, so this code path should never be exercised, but I was still curious about why this snippet wasn't included in 3.0.6 anyway, with all the other XSS fixes, if it was applied to trunk and obviously available together with all the other changes. Could anyone elaborate on the rationale behind that? And since 3.0.7 is going to be released soon, could we just add it there as well for consistency?

Carlo

_______________________________________________
Ganglia-developers mailing list
Ganglia-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ganglia-developers
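Review bot: the `+ print htmlentities( $command ) . "\n\n\n\n\n";` line relies on htmlentities' default quote style and charset; make both explicit, e.g. `print htmlentities( $command, ENT_QUOTES, 'UTF-8' ) . "\n\n\n\n\n";`, so single quotes are encoded as well and the result does not change with the interpreter's default charset. The branch sends `Content-type: text/html`, so escaping belongs here regardless of $debug being hardcoded off, and the hunk header (-331 vs +330) shows trunk has drifted by a line, so the backport to 3.0.x should be re-checked against that file rather than applied blindly.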
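To make concrete what the missing htmlentities call means in the $debug branch, here is an added example that is not Ganglia's code: it reproduces the shape of the old and new print statements with a constructed $command (the real value graph.php builds is not shown in the message), and compares the two escaping flag sets. The payload, the helper names and the crude sink check are all assumptions made for illustration.

```php
<?php
// Added example, not from graph.php: the same text/html debug output built
// three ways, fed a constructed $command carrying a script tag and a quote.
$command = "rrdtool graph - --title '<script>alert(1)</script>' --width 400";

// The 3.0.x form: the value goes into the text/html body untouched.
function debug_body_raw($cmd) {
    return $cmd . "\n\n\n\n\n";
}

// The trunk form, but with quote style and charset spelled out instead of
// being left to the interpreter's defaults.
function debug_body_escaped($cmd, $quotes = ENT_QUOTES) {
    return htmlentities($cmd, $quotes, 'UTF-8') . "\n\n\n\n\n";
}

// Crude sink check (assumption, not a real XSS oracle): does the body still
// contain a tag delimiter or a bare quote that a browser could act on?
function still_active($body) {
    return preg_match('/[<>\'"]/', $body) === 1;
}

$variants = array(
    'raw'        => debug_body_raw($command),
    'ENT_COMPAT' => debug_body_escaped($command, ENT_COMPAT),  // leaves ' alone
    'ENT_QUOTES' => debug_body_escaped($command, ENT_QUOTES),  // encodes ' as &#039;
);

foreach ($variants as $label => $body) {
    printf("%-10s active=%-3s %s\n", $label, still_active($body) ? 'yes' : 'no', trim($body));
}
```

Run with `php example.php`: the raw variant keeps `<script>` intact, ENT_COMPAT neutralises the angle brackets but passes the single quote through, and ENT_QUOTES encodes everything the check looks for. One caveat when backporting to newer interpreters: from PHP 5.4 onward, htmlentities returns an empty string if $command contains a byte sequence that is invalid in the given charset, unless ENT_SUBSTITUTE (or ENT_IGNORE) is added to the flags, so a metric or host name with a stray non-UTF-8 byte would silently blank the debug output.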