Apparently nobody on the list has time to check these XSS fixes out, but it's pretty clear we need to validate these builds and get the fixes out.
To encourage others to help with testing, should I post about them on the Project blog and say something like:

"Roller patch releases in testing. New builds of Roller Version 2.3 and Roller 3.0 have been created to address security vulnerabilities. These builds are "release candidate" builds and are for testing purposes only. You can get builds Roller 3.0.1 RC1 and Roller 2.3.1 RC1 from this location: XXX"

- Dave

On 3/23/07, Dave <[EMAIL PROTECTED]> wrote:
Roller 3.0.1: minor release to fix security risk

*** Fixes for Cross-site Scripting (XSS) vulnerabilities

Fixed multiple XSS vulnerabilities. Changes were isolated in these files:

- WEB-INF/lib/roller-web.jar
  Now strips HTML from all incoming comment fields

- WEB-INF/velocity/weblog.vm
  Now HTML-escapes all comment-form fields before display

- WEB-INF/jsps/authoring/CommentManagement.jsp
  Now HTML-escapes all comment-form fields before display

- WEB-INF/jsps/tiles/head.jsp
  Eliminated the "look" request parameter, which was for debugging only

- roller-ui/widgets/date.jsp
  Now HTML-escapes value field of date widget

Apache Roller 3.0.1 RC1 files are available here:
http://people.apache.org/~snoopdave/apache-roller-3.0.1
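The release notes quoted above describe two layers of defence: HTML is stripped from comment fields on the way in (roller-web.jar), and the same fields are HTML-escaped again on the way out (weblog.vm, CommentManagement.jsp, and the value attribute in date.jsp). The following Python model is an added example written for this page; it is not Roller's code, not part of the thread, and does not reproduce Roller's actual filtering logic. The names strip_html, escape_html, CommentStore, render_comment_unsafe, render_comment_safe and render_date_widget, and all sample comments, are constructed for the illustration. It shows why the output-side escaping matters even once input stripping exists: comments already stored before the fix never passed through the stripper, and the date widget's value sits in an attribute, where the quote character must be encoded as well.

```python
"""Model of the two-layer XSS fix (input stripping plus output escaping).

Constructed example for illustration; not Apache Roller code. All helper
names and sample inputs below are assumptions made for this example.
"""
import html
import re

# Matches one complete <...> tag. A single-pass regex stripper is a coarse
# input filter: it tidies stored data but is not the security boundary.
TAG_RE = re.compile(r"<[^>]*>")


def strip_html(value: str) -> str:
    """Input-side filter: remove every <...> tag from an incoming comment field."""
    return TAG_RE.sub("", value)


def escape_html(value: str) -> str:
    """Output-side encoding for an HTML text node or a double-quoted
    attribute value: encodes & < > " and '."""
    return html.escape(value, quote=True)


class CommentStore:
    """In-memory stand-in for the comment table (assumed structure)."""

    def __init__(self):
        self.rows = []

    def add_legacy(self, content: str) -> None:
        # Comments saved before the fix never went through strip_html.
        self.rows.append({"content": content})

    def add(self, content: str) -> None:
        # Post-fix path: HTML stripped on the way in.
        self.rows.append({"content": strip_html(content)})


def render_comment_unsafe(content: str) -> str:
    """Pre-fix template behaviour: raw comment interpolated into the page."""
    return f'<p class="comment">{content}</p>'


def render_comment_safe(content: str) -> str:
    """Post-fix template behaviour: escape at the point of output, whether or
    not the value was filtered when it was stored."""
    return f'<p class="comment">{escape_html(content)}</p>'


def render_date_widget(value: str) -> str:
    """Attribute context, as in the date widget: the quote character must be
    encoded or the value terminates the attribute early."""
    return f'<input type="text" name="date" value="{escape_html(value)}">'


def render_all(store: CommentStore, safe: bool) -> list:
    renderer = render_comment_safe if safe else render_comment_unsafe
    return [renderer(row["content"]) for row in store.rows]


def demo() -> dict:
    """Render one legacy (unfiltered) and one freshly filtered comment both ways."""
    store = CommentStore()
    # Constructed sample inputs; not taken from any real report.
    store.add_legacy("Nice post<script>alert(document.cookie)</script>")
    store.add("<b>Thanks</b> <script>alert(1)</script>for the write-up")
    return {
        "unsafe": render_all(store, safe=False),
        "safe": render_all(store, safe=True),
        "date": render_date_widget('2007-03-23" onfocus="alert(1)'),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running demo() shows the legacy comment reaching the page intact through the unsafe renderer and neutralised (`&lt;script&gt;...`) through the safe one, while the new comment is harmless through either path because it was stripped on input. The stripped comment also shows the cost of input filtering: the literal text `alert(1)` survives with its tags gone, so the stored data is mangled rather than preserved, which is another reason to treat escaping at output as the primary control and stripping as a convenience.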