HTML escaping bug in Update.html / "security problem"

See http://fsck.com/rt2/Ticket/Display.html?id=1330 (if it hasn’t been
fixed already).

HTML escaping bugs are probably a “security problem” of sorts as a ticket
submitter (anonymous or with minimal permissions) can do all sorts of
nasty things to the browsers of those reading the tickets.

Thanks!

(p.s. mmmmm being an RT user… much better than hacking RT :)

_ivan

> See http://fsck.com/rt2/Ticket/Display.html?id=1330 (if it hasn’t been
> fixed already).

Thanks for the heads up. Now fixed in CVS. This will be in 2.0.14.

> HTML escaping bugs are probably a “security problem” of sorts as a ticket
> submitter (anonymous or with minimal permissions) can do all sorts of
> nasty things to the browsers of those reading the tickets.

*nod* It’s definitely something that should be (and has been) fixed, though
I’m not going to roll a patch release right this instant, as users can’t
easily get to the Update page without seeing a potential malicious subject
line first. I’d put 2.0.14 in the ~2 weeks timeframe. It’ll be maybe a
half-dozen tiny cleanups but not likely any real user-visible enhancements.

-j

> Thanks!

> (p.s. mmmmm being an RT user… much better than hacking RT :)

:P

http://www.bestpractical.com/products/rt – Trouble Ticketing. Free.
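The bug class the thread is about, as an added example that is not part of the original posts and is not RT's code: a ticket subject written into an HTML page without escaping, beside the escaped rendering that fixes it. The two render functions stand in for a Mason page like Update.html; their markup, the `Subject` field name and the sample subject line are all constructed for the example. The audit parses the rendered page the way a browser tokenises it and reports how many `<script>` elements came out and what the Subject field actually contains afterwards.

```python
"""Stored HTML injection through an unescaped ticket field (added example,
not RT code).  Markup, field names and sample data are constructed."""
import html
from html.parser import HTMLParser

# Constructed sample input: a subject line an anonymous submitter could set.
# The leading '">' closes the value attribute and the <input> tag, so the
# rest of the line is parsed as live markup by anyone who opens the page.
MALICIOUS_SUBJECT = 'Printer broken"><script>alert(document.cookie)</script>'
# Constructed benign subject with characters that are special in HTML.
BENIGN_SUBJECT = "Printer broken <AGAIN> & still no toner"


def render_update_vulnerable(ticket_id: int, subject: str) -> str:
    """Interpolates the subject into the page untouched: the bug."""
    return (
        f"<h1>Update ticket #{ticket_id}</h1>\n"
        f'<input type="text" name="Subject" value="{subject}">\n'
    )


def render_update_fixed(ticket_id: int, subject: str) -> str:
    """Escapes & < > " ' before interpolation.  quote=True matters here:
    the subject lands inside a double-quoted attribute, so a raw '"' would
    end the attribute early even if < and > were already escaped."""
    safe = html.escape(subject, quote=True)
    return (
        f"<h1>Update ticket #{ticket_id}</h1>\n"
        f'<input type="text" name="Subject" value="{safe}">\n'
    )


class InjectionAudit(HTMLParser):
    """Records how many <script> elements the page produces and what the
    Subject field carries once the markup has been parsed (the parser
    decodes character references in attribute values, like a browser)."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.subject_value = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "input":
            attr = dict(attrs)
            if attr.get("name") == "Subject":
                self.subject_value = attr.get("value")


def audit(page: str) -> dict:
    """Parse a rendered page and return {'script_tags': n, 'subject_value': s}."""
    parser = InjectionAudit()
    parser.feed(page)
    parser.close()
    return {"script_tags": parser.script_tags, "subject_value": parser.subject_value}


if __name__ == "__main__":
    for label, render in (("vulnerable", render_update_vulnerable),
                          ("fixed", render_update_fixed)):
        result = audit(render(1330, MALICIOUS_SUBJECT))
        print(f"{label:10s} script tags={result['script_tags']} "
              f"Subject field={result['subject_value']!r}")
```

Running it shows the vulnerable page emitting one `<script>` element while the Subject field is truncated to `Printer broken`; the fixed page emits none and the field round-trips the submitter's text verbatim, including the `<script>` characters as inert text. Escaping has to happen at the point of output, per context: a subject that is rendered safely on a display page and then dropped unescaped into an edit form's attribute is still exploitable, which is exactly the Display.html versus Update.html split described above.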