Hi!
The following changeset fixes an XSS vulnerability:
http://trac.roundcube.net/changeset/2245
Roundcube is packaged in Debian Lenny and the version that is considered
for this version is 0.1.1. It is not possible to package a more recent
version due to the way Debian manages to publish a "stable" version.
The code is really different for 0.1.1. From my understanding of the
code, it seems that 0.1.1 is not vulnerable, but I will test this.
We also have 0.2-alpha. We are in the process to release 0.2-stable as
well but this is not done yet since some pieces are missing in
Debian. 0.2-alpha does not accept the background attribute, so no
problem with this one. However, the patch also changes a regexp. Is this
change related to the XSS vulnerability?
Thanks for any input.
--
Make sure comments and code agree.
- The Elements of Programming Style (Kernighan & Plauger)
_______________________________________________
List info: http://lists.roundcube.net/users/
