[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: jquery / CVE-2020-7656

Hi Brian May,

> The simplest possible solution would be to update that regexp to allows
> white space in the closing tag.

I believe I addressed this in my initial triage of the issue. Quoting
from dla-needed.txt:

  NOTE: 20200606:                                   We could easily change the
  NOTE: 20200606: the rscript regex to also match the problematic whitespace, but
  NOTE: 20200606: this may not be complete as it does not do all the other checks
  NOTE: 20200606: and magic that parseHTML does (eg. hacking document.implementation)
  NOTE: 20200606: I do not know enough about this sanitisation and we don't want
  NOTE: 20200606: to be playing whack-a-mole here. (lamby)

You don't seem to address this concern which leaves open the
possibility that you did not see this or I did not communicate it
effectively enough. If the latter, please let me know how I could make my
language clearer.


     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk

Reply to: