XSS in HTML purifier 3.0.0 and 4.0.0
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Fix Released | Critical | François Marier | |
1.0 | Fix Released | Critical | François Marier | |
1.1 | Fix Released | Critical | François Marier | |
Bug Description
HTML Purifier 4.1 is a major security release that fixes an XSS
vulnerability exploitable on Internet Explorer. It also contains
a number of new features, including dramatically more flexible Flash
support, including %Output.FlashCompat to replace %HTML.SafeEmbed,
optional support for the data: URI scheme and better HTML parsing
capabilities.
Release notes for 4.1:
http://
Download links for 4.1:
http://
http://
SHA-1 sums:
e8f6f8f6d03cebc
972368029049af4
Other downloads (standalone and lite):
http://
Changed in mahara:
assignee: nobody → François Marier (fmarier)
status: New → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
visibility: private → public
Unfortunately, this affects all of the Debian and Ubuntu packages :(
We need to pull this dependency out of the packages.