Hi,

* Steffen Joeris <steffen.joe...@skolelinux.de> [2008-12-17 17:53]:
> The patch for CVE-2007-2739 seems to be incomplete as already discussed
> via private mail. Just using htmlspecialchars(), instead of the replace
> calls should do the trick.
> I've requested a new CVE id for this and will paste it here as soon as
> I get it.
Why do you think it is incomplete? You can't do an XSS just with & and
without the other characters that are escaped. Just because the patch
doesn't escape anything htmlspecialchars does doesn't mean it's
incomplete. I suggest you downgrade this bug to normal as there is no
reason to fix this with some self-made hack.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
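The disagreement above is about whether a hand-picked set of replace calls is as safe as htmlspecialchars(). The following Python script is an added example, not code from the thread or from the package in question; the patch itself is not shown in the thread, so the "partial" escape set it models (everything htmlspecialchars() touches except & and ') is an assumption. It escapes constructed payloads with each set and checks, per insertion context, whether the result still contains the delimiter that would end that context.

```python
"""Compare a hand-written escape set with a full htmlspecialchars()-style set
across the HTML contexts a value might be inserted into.  Added example; the
thread does not show the patch, so the "partial" set used below is assumed."""
import html

# Replacement table equal to PHP's htmlspecialchars() with ENT_QUOTES.
ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;"}


def escape(value: str, chars: str) -> str:
    """Escape only the characters listed in `chars`, handling '&' first so the
    entities emitted for the other characters are not re-encoded."""
    out = value.replace("&", "&amp;") if "&" in chars else value
    for c in chars:
        if c != "&":
            out = out.replace(c, ENTITIES[c])
    return out


def htmlspecialchars(value: str) -> str:
    """Full set, equivalent to htmlspecialchars($value, ENT_QUOTES)."""
    return escape(value, "&<>\"'")


# The character that ends each modelled insertion context.  URL attributes,
# inline script and unquoted attributes have different rules and are not
# modelled here.
CONTEXT_DELIMITER = {"text": "<", "attr_dq": '"', "attr_sq": "'"}


def breaks_out(escaped: str, context: str) -> bool:
    """True if the escaped text still contains the context's end delimiter."""
    return CONTEXT_DELIMITER[context] in escaped


# Constructed payloads: one per context, one entity-based, one benign.
PAYLOADS = [
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
    "' onmouseover='alert(1)",
    "&lt;script&gt;alert(1)&lt;/script&gt;",
    "Tom & Jerry",
]


def audit(chars: str) -> dict:
    """For one escape set, list the payloads that still break out, per context."""
    return {ctx: [p for p in PAYLOADS if breaks_out(escape(p, chars), ctx)]
            for ctx in CONTEXT_DELIMITER}


def rendered_text(escaped: str) -> str:
    """What a browser displays for escaped text placed in a text node: entities
    are decoded for display, so an unescaped '&' changes the visible string
    but does not itself create markup."""
    return html.unescape(escaped)


if __name__ == "__main__":
    partial = '<>"'   # assumed replace-call set: everything but & and '
    print("partial set     :", audit(partial))
    print("htmlspecialchars:", audit("&<>\"'"))
    for p in PAYLOADS[3:]:
        print(repr(p), "->",
              repr(rendered_text(escape(p, partial))), "vs",
              repr(rendered_text(htmlspecialchars(p))))
```

With the assumed partial set, the only payload that still breaks out is the single-quote one in a single-quoted attribute; leaving & alone changes what is displayed for the entity-based payload (the browser shows a literal `<script>` string) but does not produce a tag. Which characters matter therefore depends on every sink the value reaches, which is the practical reason to prefer the complete htmlspecialchars() set over a per-site list.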