XSS in HTML Purifier 3.0.0 and 4.0.0

Bug #571505 reported by François Marier
Affects    Status        Importance    Assigned to        Milestone
           Fix Released                François Marier
           Fix Released                François Marier
           Fix Released                François Marier

Bug Description

HTML Purifier 4.1 is a major security release that fixes an XSS
vulnerability exploitable on Internet Explorer. It also contains
a number of new features, including dramatically more flexible Flash
support, including %Output.FlashCompat to replace %HTML.SafeEmbed,
optional support for the data: URI scheme and better HTML parsing.

Release notes for 4.1:

Download links for 4.1:

SHA-1 sums:
e8f6f8f6d03cebcaed87cf335467ebf58223578d htmlpurifier-4.1.0.tar.gz
972368029049af460c07378e77df4ca88240e193 htmlpurifier-4.1.0.zip

Other downloads (standalone and lite):
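Before replacing the bundled copy of the library with the 4.1.0 archive, the download should be checked against the SHA-1 sums listed above. The shell function below does that; it is an added example, not part of this bug report or of HTML Purifier itself. It assumes a POSIX shell with either sha1sum (coreutils) or shasum (perl) on the PATH, and its table of expected sums is copied from the two lines above.

```shell
#!/bin/sh
# Added example, not part of the bug report or of HTML Purifier:
# verify a downloaded 4.1.0 release archive against the published SHA-1
# sums before unpacking it over the bundled copy.

# Published sums for the 4.1.0 release archives (from the bug description).
# Prints the expected hex digest for a known archive name; fails otherwise.
expected_sha1() {
    case "$1" in
        htmlpurifier-4.1.0.tar.gz) echo e8f6f8f6d03cebcaed87cf335467ebf58223578d ;;
        htmlpurifier-4.1.0.zip)    echo 972368029049af460c07378e77df4ca88240e193 ;;
        *) return 1 ;;
    esac
}

# Compute the SHA-1 of a file; coreutils sha1sum first, BSD/macOS shasum as fallback.
file_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_download <path>
#   returns 0 if the basename is a known release archive and its SHA-1
#   matches the published sum, 1 on a mismatch, 2 for an unknown archive name.
verify_download() {
    path=$1
    name=$(basename "$path")
    want=$(expected_sha1 "$name") || { echo "unknown archive: $name" >&2; return 2; }
    got=$(file_sha1 "$path")
    if [ "$got" = "$want" ]; then
        echo "OK   $name $got"
        return 0
    fi
    echo "FAIL $name expected $want got $got" >&2
    return 1
}

# Usage: only unpack when the check passes.
# verify_download ./htmlpurifier-4.1.0.tar.gz && tar xzf htmlpurifier-4.1.0.tar.gz
```

A matching sum only shows that the archive was transferred intact; because these sums were published over the same channel as the download links, they do not by themselves prove who produced the archive, so a signed release or a second source for the sums is still worth checking where one is available.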

François Marier (fmarier) wrote:

Unfortunately, this affects all of the Debian and Ubuntu packages :(

We need to pull this dependency out of the packages.

Changed in mahara:
milestone: none → 1.2.5
importance: Undecided → Critical
Changed in mahara:
assignee: nobody → François Marier (fmarier)
status: New → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
visibility: private → public