Re: XSS in pgstatus code

To: Moritz Naumann <bugs.debian.org@moritz-naumann.com>
Cc: debian-wb-team@lists.debian.org, wbadm@buildd.debian-ports.org
Subject: Re: XSS in pgstatus code
From: Mehdi Dogguy <mehdi@debian.org>
Date: Mon, 13 Feb 2012 13:33:35 +0100
Message-id: <[🔎] 4F39031F.1000606@debian.org>
In-reply-to: <[🔎] 4F388818.3090104@moritz-naumann.com>
References: <[🔎] 4F388818.3090104@moritz-naumann.com>

On 13/02/12 04:48, Moritz Naumann wrote:

Hi Mehdi, Debian WB-Team, debian-ports.org webadmins,

I just came across this XSS in the pgstatus code and though I'd let
you know.


Thanks for letting us know! In fact, this XSS is somehow useless since
the <script> is put in a <div> just to tell the user he made a mistake,
and is not used elsewhere. I agree that this is not so pretty. I've
added a htmlspecialchars call around the user's input but I wonder if I
should just remove the notification that used the malicious input
because it was not very useful anyway.

Aurélien, can you please apply the last commit to pgstatus's instance ondebian-ports.org?


Cheers.

--
Mehdi

Reply to:

Follow-Ups:
- Re: XSS in pgstatus code
  - From: Aurelien Jarno <aurelien@aurel32.net>
- Re: XSS in pgstatus code
  - From: info@moritz-naumann.com

References:
- XSS in pgstatus code
  - From: Moritz Naumann <bugs.debian.org@moritz-naumann.com>

Prev by Date: wanna-build deployment for derivatives?
Next by Date: Re: XSS in pgstatus code
Previous by thread: XSS in pgstatus code
Next by thread: Re: XSS in pgstatus code
Index(es):
- Date
- Thread