The xsitescript branch has now been committed both on HEAD and SQUID2_3.
------------------------------------------------------------------
Cross-site scripting fixes by Robert Collins and Henrik Nordstrom
Everywhere where Squid inserts text received from the network into
a HTML page (error pages, FTP listings, Gopher listings, ...) care
must be taken to ensure that the text is properly encoded as HTML,
or a malicious user might be able to insert script code or other
HTML tags, and exploit the web browser of any user visiting their
page or clicking on that funny link received in a email..
------------------------------------------------------------------
Duane, can you please publish the attached patch on both "Known bugs"
sections, give it a final test, and then roll a new Squid-2.3 release..
Note: we are again in the situation of having quite critical bugs in the
latest STABLE release.. now both functionally and security related.. I
have said it before: I very much dislike having this situation. If a
STABLE patch has been published then a new STABLE release SHOULD be
rolled at most a couple of weeks after the patch..
/Henrik
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:12:55 MST