Re: XSS in pgstatus code
On 13/02/2012 13:33, Mehdi Dogguy wrote:
> On 13/02/12 04:48, Moritz Naumann wrote:
>> Hi Mehdi, Debian WB-Team, debian-ports.org webadmins,
>>
>> I just came across this XSS in the pgstatus code and thought I'd let
>> you know.
>>
>
> Thanks for letting us know! In fact, this XSS is somehow useless since
> the <script> is put in a <div> just to tell the user he made a mistake,
> and is not used elsewhere. I agree that this is not so pretty. I've
> added a htmlspecialchars call around the user's input but I wonder if I
> should just remove the notification that used the malicious input
> because it was not very useful anyway.
>
> Aurélien, can you please apply the last commit to pgstatus's instance on
> debian-ports.org?
Done.
Cheers,
Aurelien
--
Aurelien Jarno GPG: 1024D/F1BCDB73
aurelien@aurel32.net http://www.aurel32.net
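For readers following the fix Mehdi describes, here is an added example (not pgstatus's own code) of the vulnerable pattern, user input echoed straight into a notification `<div>`, beside the same output wrapped in `htmlspecialchars`. The function names, the "Unknown package" wording and the sample input are assumptions made for the illustration.

```php
<?php
// Added example, not code from pgstatus. It contrasts the unescaped
// notification with the htmlspecialchars() fix discussed in the thread.

// Vulnerable: the raw parameter is concatenated into markup, so a value
// containing a <script> tag is parsed by the browser as HTML.
function renderNoticeVulnerable(string $input): string
{
    return '<div class="notice">Unknown package: ' . $input . '</div>';
}

// Fixed: escape for an HTML body context. ENT_QUOTES also converts single
// quotes, which matters if the value is ever placed inside an attribute;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function renderNoticeFixed(string $input): string
{
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="notice">Unknown package: ' . $safe . '</div>';
}

// Constructed sample standing in for a hostile query-string value.
$sample = '<script>x</script>';

assert(renderNoticeVulnerable($sample)
    === '<div class="notice">Unknown package: <script>x</script></div>');
assert(renderNoticeFixed($sample)
    === '<div class="notice">Unknown package: &lt;script&gt;x&lt;/script&gt;</div>');

echo renderNoticeFixed($sample), "\n";
```

The escaped version is correct only for an HTML body or attribute context; a value written into a `<script>` block or a URL needs a context-specific encoder instead.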