Roller 3.0.1: minor release to fix security risk

*** Fixes for Cross-site Scripting (XSS) vulnerabilities

Fixed multiple XSS vulnerabilities. Changes were isolated in these files:

- WEB-INF/lib/roller-web.jar
 Now strips HTML from all incoming comment fields

- WEB-INF/velocity/weblog.vm
 Now HTML-escapes all comment-form fields before display

- WEB-INF/jsps/authoring/CommentManagement.jsp
 Now HTML-escapes all comment-form fields before display

- WEB-INF/jsps/tiles/head.jsp
 Eliminated the "look" request parameter, which was for debugging only

- roller-ui/widgets/date.jsp
 Now HTML-escapes value field of date widget
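
The two measures listed above (stripping HTML from incoming comment fields, and HTML-escaping every field before display) shown side by side in Java, as an added example; this is not Roller's own code, and the class name, method names and the sample comment are assumptions made for illustration.

```java
import java.util.regex.Pattern;

/**
 * Added example (not Apache Roller's code): the two defences named in the
 * release note, applied to a constructed comment body.
 *  - stripHtml:  input-side filter, removes tags from incoming comment fields
 *  - escapeHtml: output-side encoding, applied to every field before it is
 *                written into a page (the weblog.vm / CommentManagement.jsp fix)
 * Method names and the sample input are assumptions for illustration.
 */
public class CommentXssDefence {

    // Matches one HTML tag such as <script ...> or </b>; the body excludes '>'
    // so adjacent tags are matched separately rather than as one long run.
    private static final Pattern TAG = Pattern.compile("<[^>]*>");

    /** Input-side filter: drop every tag from a submitted comment field. */
    public static String stripHtml(String field) {
        if (field == null) return "";
        return TAG.matcher(field).replaceAll("");
    }

    /**
     * Output-side encoding: make the field inert whether it lands in HTML
     * text or inside a quoted attribute (the date widget's value field).
     */
    public static String escapeHtml(String field) {
        if (field == null) return "";
        StringBuilder out = new StringBuilder(field.length() + 16);
        for (int i = 0; i < field.length(); i++) {
            char c = field.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample of what a comment form might submit.
        String submitted =
            "Nice post <b>really</b> <script>alert(1)</script> \"quoted\" & 1 < 2";

        // Stripping alone alters the author's text (the <b> markup is gone) and
        // does nothing for '&', quotes or a bare '<', so display-time encoding
        // is still required.
        String stored = stripHtml(submitted);
        System.out.println("stored  : " + stored);

        // Encoding at display time is what makes the value safe to render: the
        // browser shows the literal characters instead of interpreting them.
        System.out.println("rendered: " + escapeHtml(stored));

        // Encoding also protects values that were stored before the filter
        // existed, which is why the release escapes on every display path and
        // not only on input.
        System.out.println("rendered (unfiltered value): " + escapeHtml(submitted));
    }
}
```

Run with `javac CommentXssDefence.java && java CommentXssDefence`. The design point the release note reflects is that the input filter and the output encoding are independent layers: the filter reduces what reaches storage, but only the per-field escaping in the templates guarantees that whatever is stored cannot be interpreted as markup when rendered.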


Apache Roller 3.0.1 RC1 files are available here:
http://people.apache.org/~snoopdave/apache-roller-3.0.1
