Bug#987039: buster-pu: package dojo/1.14.2+dfsg1-1+deb10u3
On Fri, 2021-04-16 at 09:49 +0200, Yadd wrote:
> dojo/dijit is vulnerable to cross-site-scripting (#970000,
> CVE-2020-4051).
>
Apologies for not getting back to this sooner.
[...]
> This update should minimally affect production applications:
> * The behavior of existing links with HTML content will be unchanged
> * Existing links that are edited and saved will be filtered (this is
>   only if the link is edited, other content within the editor can be
>   edited without affecting the link)
> * Newly created links will be filtered by default
> * For production code to continue working as-is with new data the
>   application code will have to be updated to specify `true` for the
>   `LinkDialog` plugin's `allowUnsafeHtml` option
>
Do we have any idea what the likely size of the impact of that last
comment is? "continue working as-is with new data" seems a little
unclear.
Regards,
Adam
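To make the behaviour change in the quoted update notes concrete, here is an added example (not dojo's or dijit's own code, and not part of the thread) that models how a link dialog's output differs with and without an `allowUnsafeHtml` option: link text is HTML-escaped by default, and only an explicit `allowUnsafeHtml: true` keeps the raw-HTML behaviour. The function names `escapeHtml` and `buildLink` and the option object shape are assumptions for illustration; the sample link is constructed.

```javascript
// Added example, not dojo/dijit code: models the link filtering described in
// the update notes. Post-fix, newly created links are filtered by default and
// an application must opt in to raw HTML via `allowUnsafeHtml: true`.
// Function names and option shape are assumptions for illustration.

// Escape the characters that would let link text or an attribute value break
// out of its context and inject markup into the editor content.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the <a> markup a link dialog would insert into the editor.
// Attribute values are always escaped. The link text is escaped unless the
// caller explicitly passes { allowUnsafeHtml: true }, which reproduces the
// pre-fix behaviour of inserting the text as raw HTML.
function buildLink({ href, text, target }, options = {}) {
  const allowUnsafeHtml = options.allowUnsafeHtml === true;
  const attrs = [`href="${escapeHtml(href)}"`];
  if (target) attrs.push(`target="${escapeHtml(target)}"`);
  const inner = allowUnsafeHtml ? text : escapeHtml(text);
  return `<a ${attrs.join(" ")}>${inner}</a>`;
}

// Constructed sample input: link text that carries markup, as an application
// relying on the old behaviour might supply it.
const sample = { href: "https://example.org/", text: "<b>Docs</b>" };

// Default (filtered): <a href="https://example.org/">&lt;b&gt;Docs&lt;/b&gt;</a>
console.log(buildLink(sample));
// Opted in: <a href="https://example.org/"><b>Docs</b></a>
console.log(buildLink(sample, { allowUnsafeHtml: true }));
```

The split the notes describe follows from this: content already stored in the editor is untouched, but any link passed through the dialog again is rebuilt by `buildLink`, so markup-bearing link text an application depends on will be escaped unless the application sets `allowUnsafeHtml` itself.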