XSS in HTML purifier 3.0.0 and 4.0.0

Bug #571505 reported by François Marier
Affects   Status   Importance   Assigned to       Milestone
Mahara             Critical     François Marier
1.0                Critical     François Marier
1.1                Critical     François Marier

Bug Description

HTML Purifier 4.1 is a major security release that fixes an XSS
vulnerability exploitable on Internet Explorer. It also contains
a number of new features, including dramatically more flexible Flash
support, including %Output.FlashCompat to replace %HTML.SafeEmbed,
optional support for the data: URI scheme and better HTML parsing
capabilities.

Release notes for 4.1:
    http://repo.or.cz/w/htmlpurifier.git?a=blob_plain;f=NEWS

Download links for 4.1:
    http://htmlpurifier.org/releases/htmlpurifier-4.1.0.tar.gz
    http://htmlpurifier.org/releases/htmlpurifier-4.1.0.zip

SHA-1 sums:
e8f6f8f6d03cebcaed87cf335467ebf58223578d htmlpurifier-4.1.0.tar.gz
972368029049af460c07378e77df4ca88240e193 htmlpurifier-4.1.0.zip

Other downloads (standalone and lite):
    http://htmlpurifier.org/download.html

François Marier (fmarier) wrote:

Unfortunately, this affects all of the Debian and Ubuntu packages :(

We need to pull this dependency out of the packages.
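The two practical checks this report calls for are verifying a downloaded 4.1.0 archive against the SHA-1 sums quoted in the description, and finding out whether a bundled copy of HTML Purifier (the dependency the comment above wants pulled out of the packages) is still older than the fixed release. The script below is an added example, not code from the bug report, from Mahara or from HTML Purifier. It assumes the bundled library reports its version in HTMLPurifier.php on a line of the form `const VERSION = '4.0.0';`, and that the caller supplies the paths; the `htdocs/lib/htmlpurifier/` location in the usage note is likewise an assumption, not something the report states.

```shell
#!/bin/sh
# Added example (not from the bug report, Mahara or HTML Purifier):
#  - verify_archive: check a downloaded 4.1.0 archive against the SHA-1 sums
#    published in the release announcement quoted above;
#  - needs_upgrade: report whether a bundled HTMLPurifier.php is older than 4.1.0.
# Assumption: HTMLPurifier.php carries a line like `const VERSION = '4.0.0';`.

set -u

# SHA-1 sums for the 4.1.0 release, copied from the announcement.
expected_sha1() {
    case "$1" in
        htmlpurifier-4.1.0.tar.gz) echo e8f6f8f6d03cebcaed87cf335467ebf58223578d ;;
        htmlpurifier-4.1.0.zip)    echo 972368029049af460c07378e77df4ca88240e193 ;;
        *) return 1 ;;
    esac
}

# sha1_of FILE: print the hex SHA-1 of FILE with whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_archive PATH [NAME]: 0 if PATH's SHA-1 matches the published sum for
# NAME (default: basename of PATH), 1 on mismatch, 2 if NAME is not a release file.
verify_archive() {
    name=${2:-$(basename "$1")}
    want=$(expected_sha1 "$name") || return 2
    got=$(sha1_of "$1")
    [ "$got" = "$want" ]
}

# purifier_version FILE: extract x.y.z from the VERSION constant (empty if absent).
purifier_version() {
    sed -n "s/.*const VERSION *= *'\([0-9][0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# version_lt A B: 0 if dotted version A is strictly older than B.
# Fields are compared numerically, so 4.10.0 sorts after 4.1.0.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# needs_upgrade FILE: 0 if the bundled copy predates the 4.1.0 fix,
# 1 if it is 4.1.0 or newer, 2 if no version could be read.
needs_upgrade() {
    v=$(purifier_version "$1" 2>/dev/null)
    [ -n "$v" ] || return 2
    version_lt "$v" 4.1.0
}
```

Typical use is `verify_archive htmlpurifier-4.1.0.tar.gz` after downloading, then `needs_upgrade htdocs/lib/htmlpurifier/HTMLPurifier.php` against the Mahara tree (path assumed). Note that the sums come from the same announcement as the download links, so a match only shows the mirror delivered the file the announcement described; it does not authenticate the announcement itself.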

Changed in mahara:
milestone: none → 1.2.5
importance: Undecided → Critical
Changed in mahara:
assignee: nobody → François Marier (fmarier)
status: New → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
visibility: private → public