On 13/02/12 04:48, Moritz Naumann wrote:
Hi Mehdi, Debian WB-Team, debian-ports.org webadmins, I just came across this XSS in the pgstatus code and though I'd let you know.
Thanks for letting us know! In fact, this XSS is somehow useless since the <script> is put in a <div> just to tell the user he made a mistake, and is not used elsewhere. I agree that this is not so pretty. I've added a htmlspecialchars call around the user's input but I wonder if I should just remove the notification that used the malicious input because it was not very useful anyway.Aurélien, can you please apply the last commit to pgstatus's instance on debian-ports.org?
Cheers. -- Mehdi