Hi,

I'm curious:

"jQuery versions 1.6.3 and higher provide protection against common
forms of this problem; thus, the vulnerability is mitigated if your site
has upgraded to a recent version of jQuery"

does that mean the drupal-7 package *could* now use the libjs-jquery
package instead of an embedded copy?

The libjs-jquery/1.7.2 package seems it was already immune to this
issue.  (Proof of concept at http://ma.la/jquery_xss/ - save it locally
and you can swap out the jquery.js to test other versions).

Regards,
-- 
Steven Chamberlain
[email protected]


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to