Package: qa.debian.org
Version: N/A
Severity: grave
Tag: security

Take a look at:

    http://base.debian.net/index.pmz?name=perl

using Mozilla (and perhaps other browsers). Scroll down to bug #126608.

According to the BTS, the title of the bug should be:

    perl-5.005: $_ gets modified by m// inside for(shift) inside &sub($1)

Doing a View Source on that page shows that the "&sub($1)" is escaped as "&amp;sub($1)" as you'd want it to be. But on the base.debian.net page for Perl, it doesn't escape the ampersand, with the result that Mozilla displays the is-a-proper-subset-of symbol (confirmed by REC-html40):

    <!ENTITY sub CDATA "&#8834;" -- subset of, U+2282 ISOtech -->

So the code behind those Web pages isn't escaping HTML characters.

Taking a further look for occurrences of < or >, on that same page I see bug #65096:

    perl-5.005-base: HANDLE->blocking doesn't work

which doesn't have the > converted to &gt; like it should (though Mozilla does display it correctly). Again, the linked-to BTS page does the right thing.

I've tagged this as a security bug because it could be used as a vector to get malicious script code to people's browsers by a suitably-crafted Subject: line in a bug report. Or, to be more precise, I don't know that it *couldn't* be used in such a fashion. Please reprioritize as desired.

Jason B.

-- 
Kindness has converted more sinners than zeal, eloquence, or learning.
-- Frederick W. Faber, British theologian
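An added example, not part of the original report and not the code behind base.debian.net: a regression check that renders the two bug titles quoted above with and without output escaping, then parses the result leniently (entity references resolved even without a trailing `;`, as the report observed in Mozilla) to show what a reader would actually see. The names `render_raw`, `render_escaped` and `audit` are hypothetical, and the third title is a constructed, harmless markup probe.

```python
import html
from html.entities import name2codepoint  # HTML 4.01 named entities
from html.parser import HTMLParser

# Constructed input: the two titles quoted in the report plus a harmless markup probe.
TITLES = [
    "perl-5.005: $_ gets modified by m// inside for(shift) inside &sub($1)",
    "perl-5.005-base: HANDLE->blocking doesn't work",
    "probe: <b>bold</b>",
]

def render_raw(title):
    # Hypothetical renderer with the reported defect: title interpolated unescaped.
    return "<li>" + title + "</li>"

def render_escaped(title):
    # Same renderer with output encoding applied at the point of interpolation.
    return "<li>" + html.escape(title, quote=True) + "</li>"

class Lenient(HTMLParser):
    """Resolves entity references even when the ';' is missing."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.tags, self.shown, self.bare_gt = [], [], False
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
    def handle_data(self, data):
        self.bare_gt = self.bare_gt or ">" in data
        self.shown.append(data)
    def handle_entityref(self, name):
        cp = name2codepoint.get(name)
        self.shown.append(chr(cp) if cp else "&" + name)
    def handle_charref(self, name):
        self.shown.append(chr(int(name[1:], 16) if name[0] in "xX" else int(name)))

def audit(fragment, title):
    """Return the ways a rendered <li> deviates from showing `title` as plain text."""
    p = Lenient(); p.feed(fragment); p.close()
    issues = []
    if p.tags != ["li"]:
        issues.append("title injected tags: " + ",".join(p.tags[1:]))
    if "".join(p.shown) != title:
        issues.append("displayed text differs: " + "".join(p.shown))
    if p.bare_gt:
        issues.append("unescaped '>' in text")
    return issues

if __name__ == "__main__":
    for t in TITLES:
        print(audit(render_raw(t), t), audit(render_escaped(t), t))
```

Run against a real page generator, the same `audit` call can sit in a test suite so that any title containing `&`, `<` or `>` fails the build when it reaches the page unescaped.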