Bug#652587: libhtml-template-pro-perl: missing escaping allows XSS

Ansgar Burchardt ansgar at debian.org
Mon Dec 19 18:47:52 UTC 2011


Ansgar Burchardt <ansgar at debian.org> writes:
> The JS escaping in libhtml-template-pro-perl fails to escape "<" and
> ">", which allows XSS.  This was fixed in the last upstream release (0.9507).
>
> An example script that triggers the bug is attached.  With 0.9507 it
> outputs
>
>   <evil>
>
> older versions generate
>
>   <evil>
>
> instead.

I prepared a backport of the relevant changes to squeeze (attached).
Lenny might be affected as well; I'll look into that in the next few days.

Does the security team want to release a DSA for this issue or should it
be fixed via proposed-updates?

Regards,
Ansgar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 652587-squeeze.diff
Type: text/x-diff
Size: 2547 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20111219/9ca6ff61/attachment.diff>
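The escaping gap the report describes, shown as a constructed illustration in Perl; this is added here and is not code from HTML::Template::Pro, the upstream fix or the attached diff. The function names, the simulated ESCAPE=JS template and the test inputs are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Weak JS-string escaper (constructed): it handles quotes, backslashes and
# newlines but, like the bug reported above, leaves "<" and ">" untouched.
sub js_escape_weak {
    my ($s) = @_;
    $s =~ s/\\/\\\\/g;
    $s =~ s/"/\\"/g;
    $s =~ s/'/\\'/g;
    $s =~ s/\n/\\n/g;
    $s =~ s/\r/\\r/g;
    return $s;
}

# Hardened variant: additionally encode "<" and ">" as JS hex escapes, so the
# HTML parser never sees a literal "</script>" inside the string literal.
sub js_escape_fixed {
    my ($s) = @_;
    $s = js_escape_weak($s);
    $s =~ s/</\\x3c/g;
    $s =~ s/>/\\x3e/g;
    return $s;
}

# Simulates a template such as:
#   <script>var name = "<TMPL_VAR name ESCAPE=JS>";</script>
sub render {
    my ($escaper, $value) = @_;
    return qq{<script>var name = "} . $escaper->($value) . qq{";</script>};
}

# Returns 1 if a "</script>" other than the template's own closing tag
# survives escaping, i.e. the browser would end the script block early.
sub breaks_out {
    my ($escaper, $value) = @_;
    my $html = render($escaper, $value);
    $html =~ s{</script>\z}{};        # drop the legitimate closing tag
    return $html =~ m{</script>}i ? 1 : 0;
}

for my $input (q{<evil>}, q{</script><evil>}) {   # constructed inputs
    printf "input: %s\n  weak : %s (breaks out: %d)\n  fixed: %s (breaks out: %d)\n",
        $input,
        js_escape_weak($input),  breaks_out(\&js_escape_weak,  $input),
        js_escape_fixed($input), breaks_out(\&js_escape_fixed, $input);
}
```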