| commit | ea1ca0be0c6e9f7924508a6260fa43dfb57d8427 | |
| author | Christoph Anton Mitterer <mail@christoph.anton.mitterer.name> | |
| Wed, 20 Mar 2013 22:41:43 +0000 (20 23:41 +0100) | ||
| committer | Andrew McMillan <andrew@morphoss.com> | |
| Mon, 2 Sep 2013 02:38:05 +0000 (2 14:38 +1200) | ||
| tree | ca2229b3ea32650ff2d14cc0138266b96f314e38 | treesnapshot (tar.gz zip) |
| parent | 8e60bb3124e2cc4ff09f388e520f3b6935ffc733 | commitdiff |
escape version string to prevent XSS for sure
* HTML escape the remotely retrieved version string printed to the HTML in order
to prevent and attacks (if this would have been possible at all in 12
characters).
The version string read from the davical.org webserver might be changed by an
attacker in order to perform XSS.
Even though this is highly unlikley (there are only 12 characters used) it's
better to HTML escape any such string that is printed to HTML.
This was originally reported at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703290
* HTML escape the remotely retrieved version string printed to the HTML in order
to prevent and attacks (if this would have been possible at all in 12
characters).
The version string read from the davical.org webserver might be changed by an
attacker in order to perform XSS.
Even though this is highly unlikley (there are only 12 characters used) it's
better to HTML escape any such string that is printed to HTML.
This was originally reported at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703290
| ChangeLog | diffblobblamehistory | |
| debian/changelog | diffblobblamehistory | |
| htdocs/setup.php | diffblobblamehistory |