CVS Commit Overview for 2006-10-23
==================================
2006-10-23 Tibor Simko <[email protected]>
* modules/webbasket/lib/webbasket.py,
modules/webbasket/lib/webbasket_templates.py: Fixed the most
visible XSS vulnerability issues in WebBasket.
2006-10-23 Tibor Simko <[email protected]>
* modules/webmessage/lib/webmessage.py: Fixed XSS vulnerability in
the warning box about non-existent users or groups.
2006-10-23 Tibor Simko <[email protected]>
* modules/webmessage/lib/webmessage_templates.py: Fixed the most
obvious XSS vulnerability issues in WebBasket. Beware, in the
message display, the "final_body" now gets fully escaped, which
results in an impossibility to format messages in HTML. For a
less-severe approach, only known vulnerable tags (such as
PLAINTEXT, SCRIPT, etc) could be removed; or, even better, only
pre-defined whitelisted tags (such as STRONG, EM, P, BR) could be
allowed. Currently no HTML is interpreted at all.
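Added illustration of the two options the entry above contrasts, in Python (not code from the Invenio commits): escaping the whole body, versus escaping it and then re-enabling only an assumed allowlist of bare STRONG, EM, P and BR tags; the function names and the constructed sample message are assumptions.

```python
import html
import re

# Tags the commit message mentions as candidates for a whitelist (assumed set).
ALLOWED_TAGS = ("strong", "em", "p", "br")


def escape_all(body):
    """The behaviour the commit adopts: every character is escaped, no HTML is interpreted."""
    return html.escape(body, quote=True)


def allow_whitelisted_tags(body, allowed=ALLOWED_TAGS):
    """Escape everything, then re-enable only attribute-free tags from the allowlist.

    Because matching is done on the already-escaped text, anything not explicitly
    matched (tags with attributes, SCRIPT, PLAINTEXT, unknown tags) stays inert.
    """
    escaped = html.escape(body, quote=True)
    names = "|".join(re.escape(t) for t in allowed)
    # Matches &lt;strong&gt;, &lt;/em&gt;, &lt;br/&gt;, &lt;br /&gt; ... with no attributes.
    pattern = re.compile(r"&lt;(/?)(%s)\s*(/?)&gt;" % names, re.IGNORECASE)
    return pattern.sub(
        lambda m: "<%s%s%s>" % (m.group(1), m.group(2).lower(), m.group(3)),
        escaped,
    )


# Constructed sample message body, mixing allowed markup with markup that must not run.
SAMPLE_BODY = 'Hi <strong>Bob</strong>, <p onclick="x()">see</p> <script>alert(1)</script>'

if __name__ == "__main__":
    print(escape_all(SAMPLE_BODY))
    print(allow_whitelisted_tags(SAMPLE_BODY))
```

Note that a tag with attributes stays escaped even when its name is allowed, so a stray closing `</p>` can be re-enabled without its opening tag; browsers tolerate that, and no script or handler reaches the page.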
2006-10-23 Tibor Simko <[email protected]>
* modules/webalert/lib/webalert.py,
modules/webalert/lib/webalert_templates.py,
modules/webalert/lib/webalert_webinterface.py: Fixed basket
checking code when setting up a new alert with no storing of
results into any basket. At the same time, fixed the most apparent
XSS vulnerability issues of the interface.
2006-10-23 Tibor Simko <[email protected]>
* modules/websubmit/lib/websubmit_engine.py: Fixed problem of
Propose_Next_Action's language argument not being initialized.
2006-10-23 Tibor Simko <[email protected]>
* modules/websession/lib/websession_templates.py: Fixed some XSS
vulnerabilities when editing and displaying user groups.
--
CDS Invenio Developers <[email protected]>