XSS in HTML purifier 3.0.0 and 4.0.0

Bug #571505 reported by François Marier
Affects   Status        Importance  Assigned to       Milestone
Mahara    Fix Released  Critical    François Marier
1.0       Fix Released  Critical    François Marier
1.1       Fix Released  Critical    François Marier

Bug Description

HTML Purifier 4.1 is a major security release that fixes an XSS
vulnerability exploitable on Internet Explorer. It also contains
a number of new features, including dramatically more flexible Flash
support, including %Output.FlashCompat to replace %HTML.SafeEmbed,
optional support for the data: URI scheme and better HTML parsing
capabilities.

Release notes for 4.1:
    http://repo.or.cz/w/htmlpurifier.git?a=blob_plain;f=NEWS

Download links for 4.1:
    http://htmlpurifier.org/releases/htmlpurifier-4.1.0.tar.gz
    http://htmlpurifier.org/releases/htmlpurifier-4.1.0.zip

SHA-1 sums:
e8f6f8f6d03cebcaed87cf335467ebf58223578d htmlpurifier-4.1.0.tar.gz
972368029049af460c07378e77df4ca88240e193 htmlpurifier-4.1.0.zip

Other downloads (standalone and lite):
    http://htmlpurifier.org/download.html

François Marier (fmarier) wrote :

Unfortunately, this affects all of the Debian and Ubuntu packages :(

We need to pull this dependency out of the packages.

Changed in mahara:
milestone: none → 1.2.5
importance: Undecided → Critical
Changed in mahara:
assignee: nobody → François Marier (fmarier)
status: New → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
visibility: private → public