* Antoine Beaupré:

> ++ $h =~ s/[<>&%]/./g;
> ++ $step =~ s/[<>&%]/./g;
> ++ $mode =~ s/[<>&%]/./g;
> ++ $t =~ s/[<>&%]/./g;
> ++ $targ =~ s/[<>;%]/./g;
> ++ $hierarchy =~ s/[<>;%]/./g;

These patterns do not match the special character ". Therefore, it is still possible to escape from the target="$t" parameter (for example) and inject an onmouseover handler. I would prefer if this could be fixed.

Has upstream already released this patch as a security update?

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
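Review bot: the character classes in these six substitutions are inconsistent with each other and none of them covers the quote characters: `$h`, `$step`, `$mode` and `$t` strip `[<>&%]` while `$targ` and `$hierarchy` strip `[<>;%]`, so `&` survives in the last two and `;` in the first four, and neither `"` nor `'` is removed anywhere, which is exactly what lets a value terminate a double-quoted attribute such as `target="$t"`. Rather than extending the blacklist, HTML-escape these values at the point where they are interpolated into markup (for example with `HTML::Entities::encode_entities` or `CGI::escapeHTML`), which encodes `<`, `>`, `&`, `"` and `'` consistently and does not depend on enumerating every dangerous character by hand.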
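An added example, not part of the bug report or of the package's own code, contrasting the patch's blacklist substitution with entity encoding; `sanitize_blacklist`, `sanitize_escape` and `attribute_value_is_safe` are hypothetical helper names, and the input string is constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# The patch's approach: replace a blacklist of characters with '.'.
# Mirrors the $t substitution from the patch; '"' is not in the class.
sub sanitize_blacklist {
    my ($v) = @_;
    $v =~ s/[<>&%]/./g;
    return $v;
}

# Hardened approach: entity-encode every HTML-significant character,
# including both quote characters, so the value cannot end the attribute
# it is placed in. encode_entities takes the set of unsafe characters
# as its second argument.
sub sanitize_escape {
    my ($v) = @_;
    return encode_entities($v, '<>&"\'');
}

# Check a maintainer can apply to a sanitized value before interpolating it
# into a quoted attribute: no bare quote or tag delimiter may remain.
sub attribute_value_is_safe {
    my ($v) = @_;
    return $v !~ /["'<>]/;
}

# Constructed input: a value carrying a double quote, the character the
# bug report points out the blacklist leaves untouched.
my $input = 'foo" bar';

my $blacklisted = sanitize_blacklist($input);
my $escaped     = sanitize_escape($input);

# The blacklist version keeps the raw '"' and fails the check; the
# escaped version turns it into &quot; and passes.
printf "blacklist: <a target=\"%s\">x</a>  safe=%d\n",
    $blacklisted, attribute_value_is_safe($blacklisted) ? 1 : 0;
printf "escaped:   <a target=\"%s\">x</a>  safe=%d\n",
    $escaped, attribute_value_is_safe($escaped) ? 1 : 0;
```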