Re: XSS in pgstatus code

To: Mehdi Dogguy <mehdi@debian.org>
Cc: Moritz Naumann <bugs.debian.org@moritz-naumann.com>, debian-wb-team@lists.debian.org, wbadm@buildd.debian-ports.org
Subject: Re: XSS in pgstatus code
From: Aurelien Jarno <aurelien@aurel32.net>
Date: Mon, 13 Feb 2012 15:20:54 +0100
Message-id: <[🔎] 4F391C46.3020107@aurel32.net>
In-reply-to: <[🔎] 4F39031F.1000606@debian.org>
References: <[🔎] 4F388818.3090104@moritz-naumann.com> <[🔎] 4F39031F.1000606@debian.org>

Le 13/02/2012 13:33, Mehdi Dogguy a écrit :
> On 13/02/12 04:48, Moritz Naumann wrote:
>> Hi Mehdi, Debian WB-Team, debian-ports.org webadmins,
>>
>> I just came across this XSS in the pgstatus code and though I'd let
>> you know.
>>
> 
> Thanks for letting us know! In fact, this XSS is somehow useless since
> the <script> is put in a <div> just to tell the user he made a mistake,
> and is not used elsewhere. I agree that this is not so pretty. I've
> added a htmlspecialchars call around the user's input but I wonder if I
> should just remove the notification that used the malicious input
> because it was not very useful anyway.
> 
> Aurélien, can you please apply the last commit to pgstatus's instance on 
> debian-ports.org?

Done.

Cheers,
Aurelien

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net

Reply to:

References:
- XSS in pgstatus code
  - From: Moritz Naumann <bugs.debian.org@moritz-naumann.com>
- Re: XSS in pgstatus code
  - From: Mehdi Dogguy <mehdi@debian.org>

Prev by Date: Re: XSS in pgstatus code
Next by Date: Re: wanna-build deployment for derivatives?
Previous by thread: Re: XSS in pgstatus code
Next by thread: Re: XSS in pgstatus code
Index(es):
- Date
- Thread