Hi Thijs,

Thijs Kinkhorst wrote:
> I don't think this is in any way an issue, even not with "normal"
> severity.

In my opinion, it remains a bug for the reasons given below. Personally, I don't really care whether or not it's changed/fixed, though.

I think it remains a bug because

(a) the script handles output of " (double quotes) incorrectly (it is not encoded). You will retrieve broken output when using this character.

(b) not every user agent (web browser) handles domain context separation correctly. As such, depending on the client application being used, it's possible that the script injection may be usable to inject HTTP requests within all subdomains of the debian.org domain. This is, of course, solely a bug in the client, but this unexpected server-side behaviour could be considered as contributing.

Moritz
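As an added illustration of point (a), not code from this thread or from the debian.org script: a constructed value containing a double quote is interpolated into a double-quoted attribute once unencoded and once after HTML attribute encoding, and a parser reports what a browser would take the href to be. The page layout, attribute name and sample value are assumptions.

```python
import html
from html.parser import HTMLParser
from typing import Optional

# Constructed example: a page that echoes a user-supplied value into the
# href of a link. Not the debian.org script discussed in the mail.

def render_unsafe(q: str) -> str:
    """Reproduces the defect: the value is placed in a double-quoted attribute unencoded."""
    return f'<a href="/search?q={q}">{q}</a>'

def render_safe(q: str) -> str:
    """html.escape(quote=True) encodes & < > " ' so the value cannot end the attribute."""
    enc = html.escape(q, quote=True)
    return f'<a href="/search?q={enc}">{enc}</a>'

class _TagCollector(HTMLParser):
    """Records start tags with their entity-decoded attributes, as a browser would."""
    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def href_seen_by_parser(markup: str) -> Optional[str]:
    """Returns the href the parser assigns to the first <a>, or None if absent."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    for tag, attrs in p.tags:
        if tag == "a":
            return attrs.get("href")
    return None

if __name__ == "__main__":
    value = 'say "hi"'  # constructed input containing the unencoded character
    for render in (render_unsafe, render_safe):
        out = render(value)
        # The unsafe variant loses everything after the first quote; the safe
        # variant round-trips the whole value through the attribute.
        print(out, "->", repr(href_seen_by_parser(out)))
```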