
Bug#987039: buster-pu: package dojo/1.14.2+dfsg1-1+deb10u3



On Fri, 2021-04-16 at 09:49 +0200, Yadd wrote:
> dojo/dijit is vulnerable to cross-site-scripting (#970000,
> CVE-2020-4051).
> 

Apologies for not getting back to this sooner.

[...]
>  This update should minimally affect production applications:
>  * The behavior of existing links with HTML content will be unchanged
>  * Existing links that are edited and saved will be filtered (this is only if
>    the link is edited, other content within the editor can be edited without
>    affecting the link)
>  * Newly created links will be filtered by default
>  * For production code to continue working as-is with new data the application
>    code will have to be updated to specify `true` for the `LinkDialog` plugin's
>    `allowUnsafeHtml` option
> 

Do we have any idea what the likely size of the impact of that last
comment is? "continue working as-is with new data" seems a little
unclear.

Regards,

Adam

