Re: jquery / CVE-2020-7656
Hi Brian May,
> The simplest possible solution would be to update that regexp to allow
> white space in the closing tag.
I believe I addressed this in my initial triage of the issue. Quoting
from dla-needed.txt:
NOTE: 20200606: We could easily change the
NOTE: 20200606: the rscript regex to also match the problematic whitespace, but
NOTE: 20200606: this may not be complete as it does not do all the other checks
NOTE: 20200606: and magic that parseHTML does (eg. hacking document.implementation)
NOTE: 20200606: I do not know enough about this sanitisation and we don't want
NOTE: 20200606: to be playing whack-a-mole here. (lamby)
You don't seem to address this concern which leaves open the
possibility that you did not see this or I did not communicate it
effectively enough. If the latter, please let me know how I could make my
language clearer.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
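
Added example, not part of the original message and not jQuery or Debian code: a small regression check that runs a candidate script-stripping regex over constructed samples, including the whitespace closing tag discussed above. RSCRIPT_ORIGINAL is assumed to match the pre-1.9 jQuery rscript pattern (verify against the packaged source); RSCRIPT_WHITESPACE and all helper names are hypothetical.

```javascript
// Added example: patterns, helper names and samples are constructed for illustration.
// Assumption: this matches the pre-1.9 jQuery `rscript` pattern; check the packaged source.
const RSCRIPT_ORIGINAL = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;
// Hypothetical variant of the suggestion above: allow whitespace before the closing ">".
const RSCRIPT_WHITESPACE = /<script\b[^<]*(?:(?!<\/script\s*>)<[^<]*)*<\/script\s*>/gi;

// Constructed inputs; the script bodies are inert placeholders.
const SAMPLES = [
  { name: "no script", html: "<p>hello</p>" },
  { name: "plain closing tag", html: "<p>a</p><script>window.x = 1</script><p>b</p>" },
  { name: "whitespace in closing tag", html: "<p>a</p><script>window.x = 1</script ><p>b</p>" },
];

// Apply the candidate pattern the way a regex-based sanitiser would.
function stripScripts(html, pattern) {
  // Fresh RegExp so no lastIndex state from a /g pattern leaks between calls.
  return html.replace(new RegExp(pattern.source, pattern.flags), "");
}

// True when an opening <script tag survives the stripping step.
function leavesScript(html, pattern) {
  return /<script\b/i.test(stripScripts(html, pattern));
}

// Run every sample through the pattern and report per-sample status.
function audit(pattern) {
  const result = {};
  for (const s of SAMPLES) {
    result[s.name] = leavesScript(s.html, pattern) ? "SCRIPT REMAINS" : "clean";
  }
  return result;
}

console.log("original:           ", audit(RSCRIPT_ORIGINAL));
console.log("whitespace-tolerant:", audit(RSCRIPT_WHITESPACE));
// "clean" here only covers the listed samples; it says nothing about the other
// checks parseHTML performs, which is the concern raised in the NOTE above.
```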