Hi,

With François and Nourredine, we have just checked the Tapestry 5.2.4 datefield.js. A part of our patch was not included in the new JavaScript file. We still have a vulnerability in the sendServerRequest method. We can inject some JavaScript code, for example using the Paros software.
But the methods escape or escapeHTML do not work in this case. I am working on that bug. Do I have to recreate a new JIRA?

Emmanuel