On Mon, Dec 19, 2011 at 07:47:52PM +0100, Ansgar Burchardt wrote:
> Ansgar Burchardt writes:
> > The JS escaping in libhtml-template-pro-perl fails to escape "<" and
> > ">", which allows XSS. This was fixed in the last upstream release (0.9507).
> >
> > An example script that triggers the bug is
Ansgar Burchardt writes:
> The JS escaping in libhtml-template-pro-perl fails to escape "<" and
> ">", which allows XSS. This was fixed in the last upstream release (0.9507).
>
> An example script that triggers the bug is attached. With 0.9507 it
> outputs
>
> older versions generate
>
> instead.
This time for real.
#! /usr/bin/perl
use strict;
use warnings;
use HTML::Template::Pro;

# The variable value and the template body of the attached script were lost
# in the archive rendering. The payload and template below are assumed for
# illustration: a value containing "<" and ">" placed in a JS string via
# ESCAPE=JS, which is the case the report describes.
my $var  = '</script><script>alert(1)</script>';
my $tmpl = <<'EOT';
<script>var x = "<TMPL_VAR ESCAPE=JS NAME=var>";</script>
EOT
my $t = HTML::Template::Pro->new(scalarref => \$tmpl);
$t->param(var => $var);
print $t->output;
Package: libhtml-template-pro-perl
Version: 0.9502-1
Severity: important
Tags: security

The JS escaping in libhtml-template-pro-perl fails to escape "<" and
">", which allows XSS. This was fixed in the last upstream release (0.9507).

An example script that triggers the bug is attached. With 0.9
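The report above states the escaping gap in prose only. As an added example (Python, not code from HTML::Template::Pro or from the reporter), the two escapers below contrast a JS-string escaper that handles quotes, backslash and line terminators but leaves "<" and ">" alone with a hardened one that hex-escapes them, plus a check that counts `</script` boundaries in the rendered page to show why the first lets a value break out of the script element. The payload, the template fragment and all function names are constructed for this demo.

```python
"""Added example: JS-context escaping with and without '<' / '>' handling.

Not code from libhtml-template-pro-perl; the escapers are stand-ins written
for this demo, and the payload and template are constructed inputs."""
import re

# Constructed payload: ends the enclosing <script> element and starts a new one.
PAYLOAD = '</script><script>alert(1)</script>'

# Constructed stand-in for a template that places a value inside a JS string
# literal in a <script> block, as an ESCAPE=JS variable would.
TEMPLATE = '<script>var user = "{}";</script>'

# Escapes every JS-string escaper applies.
_COMMON = {'\\': '\\\\', '"': '\\"', "'": "\\'", '\n': '\\n', '\r': '\\r'}

# Characters that matter to the HTML tokenizer rather than the JS lexer.
_HTML_SENSITIVE = {'<': '\\x3c', '>': '\\x3e', '&': '\\x26'}


def js_escape_weak(value: str) -> str:
    """Quotes, backslash and line terminators only; '<' and '>' pass through,
    which is the gap the bug report describes."""
    return ''.join(_COMMON.get(ch, ch) for ch in value)


def js_escape(value: str) -> str:
    """Hardened variant: also hex-escapes '<', '>' and '&', so the HTML
    tokenizer never sees a tag boundary inside the script body."""
    return ''.join(_COMMON.get(ch) or _HTML_SENSITIVE.get(ch) or ch
                   for ch in value)


def render(escaper, value: str) -> str:
    """Fill the template the way a template engine would for ESCAPE=JS."""
    return TEMPLATE.format(escaper(value))


_SCRIPT_END = re.compile(r'</script', re.IGNORECASE)


def script_boundaries(html: str) -> int:
    """Count '</script' sequences. The HTML tokenizer closes a script element
    at the first one, whatever the JS quoting around it, so a safely rendered
    page contains exactly one: the template's own closing tag."""
    return len(_SCRIPT_END.findall(html))


def js_decode(escaped: str) -> str:
    """Undo the escapes the way a JS engine reads the string literal
    (approximation that is exact for the ASCII escapes produced above)."""
    return escaped.encode('latin-1').decode('unicode_escape')


if __name__ == '__main__':
    for name, esc in (('weak', js_escape_weak), ('hardened', js_escape)):
        html = render(esc, PAYLOAD)
        print(f'{name:8s} boundaries={script_boundaries(html)}  {html}')
```

The hardened output still decodes to the original value inside the JS engine (`js_decode` round-trips it), so the fix costs nothing in behaviour; it only denies the HTML parser a tag boundary. Escaping quotes alone is not enough because the payload contains none.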