XSS in HTML purifier 3.0.0 and 4.0.0
Bug #582576 reported by François Marier
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
php-htmlpurifier (Ubuntu) | Fix Released | Undecided | Unassigned |
Karmic | Fix Released | Undecided | Unassigned |
Lucid | Fix Released | Undecided | Unassigned |
Maverick | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: php-htmlpurifier
From the HTML Purifier 4.1.1 release announcement:
"HTML Purifier 4.1.1 is a major security and bugfix release that improves on 4.1's fix for an XSS vulnerability exploitable on Internet Explorer."
I couldn't find a CVE number or any details as to what this is. All I got was this:
http://
Both karmic and lucid are affected by this problem.
Related branches
lp:~ari-tczew/ubuntu/lucid/php-htmlpurifier/security
Ready for review for merging into lp:ubuntu/lucid/php-htmlpurifier
- Artur Rona (community): Needs Resubmitting
- Jamie Strandboge: Needs Fixing
Diff: 178 lines (+69/-44), 5 files modified
debian/changelog (+10/-0)
debian/control (+2/-1)
library/HTMLPurifier/AttrDef.php (+36/-0)
library/HTMLPurifier/AttrDef/CSS/FontFamily.php (+17/-35)
library/HTMLPurifier/AttrDef/CSS/URI.php (+4/-8)
lp:~ari-tczew/ubuntu/karmic/php-htmlpurifier/security
Ready for review for merging into lp:ubuntu/karmic/php-htmlpurifier
- Artur Rona (community): Needs Resubmitting
- Jamie Strandboge: Needs Fixing
Diff: 178 lines (+69/-44), 5 files modified
HTMLPurifier-3.3.0/HTMLPurifier/AttrDef.php (+36/-0)
HTMLPurifier-3.3.0/HTMLPurifier/AttrDef/CSS/FontFamily.php (+17/-35)
HTMLPurifier-3.3.0/HTMLPurifier/AttrDef/CSS/URI.php (+4/-8)
debian/changelog (+10/-0)
debian/control (+2/-1)
Changed in php-htmlpurifier (Ubuntu): status: New → Triaged
Changed in php-htmlpurifier (Ubuntu Karmic): assignee: nobody → Artur Rona (ari-tczew)
Changed in php-htmlpurifier (Ubuntu Lucid): assignee: nobody → Artur Rona (ari-tczew)
Changed in php-htmlpurifier (Ubuntu Maverick): assignee: nobody → Artur Rona (ari-tczew)
Changed in php-htmlpurifier (Ubuntu Maverick): assignee: Artur Rona (ari-tczew) → nobody
Changed in php-htmlpurifier (Ubuntu Karmic): status: New → Incomplete
Changed in php-htmlpurifier (Ubuntu Lucid): status: New → Incomplete
I have just attached the commit in 4.1.0 which fixes that problem.