+1 if it has been verified. It's certainly safer than the earlier behavior.
If we have some sample attack texts, we should add those to the unit test for
Utilities.removeHTML()
Dave:
There was an issue raised with the search feature, where I could possibly
learn cookies by publishing a constructed URL that invoked the search but
also had embedded script. Was that fixed as well? If not, we should
probably add a fix for that to the 2.3.1 release.
--a.
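The kind of regression check the reply above suggests, as an added example that is not part of the original thread or Roller's code base: a list of constructed sample attack texts is run through an HTML-removal routine and the test fails if any markup survives. The `removeHTML()` below is a hypothetical stand-in for `org.apache.roller.util.Utilities.removeHTML()` so the file runs on its own; in the project's JUnit test the real method would be called instead, and the samples, class and method names are assumptions.

```java
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not Roller's code: regression check that feeds sample
 * attack texts through an HTML-removal routine and verifies that no markup
 * survives. removeHTML() is a hypothetical stand-in for
 * org.apache.roller.util.Utilities.removeHTML().
 */
public class RemoveHtmlAttackSamples {

    // A tag runs from '<' to the next '>' or, if unterminated, to end of input.
    private static final Pattern TAG = Pattern.compile("<[^>]*(?:>|$)");

    // Hypothetical stand-in for Utilities.removeHTML(String).
    static String removeHTML(String str) {
        if (str == null) {
            return "";
        }
        return TAG.matcher(str).replaceAll("");
    }

    // Constructed sample attack texts; each is something a visitor could put
    // into a search query string or a comment body.
    static final List<String> ATTACK_SAMPLES = List.of(
        "<script>alert(document.cookie)</script>",
        "<SCRIPT>alert(1)</SCRIPT>",
        "<img src=x onerror=alert(1)>",
        "<a href=\"javascript:alert(1)\">click</a>",
        "<b onmouseover=alert(1)",                    // unterminated tag
        "<scr<b>ipt>alert(1)</scr</b>ipt>",           // split/nested tags
        "<<script>script>alert(1)<</script>/script>"  // doubled brackets
    );

    // Markup can only survive if a '<' is left in the output; stray '>'
    // characters and bare words like "alert(1)" render as plain text.
    static boolean containsMarkup(String s) {
        return s.indexOf('<') >= 0;
    }

    // Runs every sample and throws AssertionError on the first failure, so
    // the loop can be pasted into a JUnit test method unchanged.
    static void checkAllSamples() {
        for (String sample : ATTACK_SAMPLES) {
            String cleaned = removeHTML(sample);
            if (containsMarkup(cleaned)) {
                throw new AssertionError("markup survived removeHTML: "
                    + sample + " -> " + cleaned);
            }
        }
    }

    public static void main(String[] args) {
        checkAllSamples();
        System.out.println("all " + ATTACK_SAMPLES.size() + " samples stripped");
    }
}
```

Each new report of script getting through (the search-URL case mentioned above included) adds one line to `ATTACK_SAMPLES`, so the fix for one report keeps guarding against the same input in later releases; the output still has to be HTML-escaped where it is rendered, since removal alone does not make text safe to echo into a page.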
----- Original Message -----
From: "Dave Johnson" <snoopdave@gmail.com>
To: <roller-dev@incubator.apache.org>
Cc: <shenoi.avinash@gmail.com>
Sent: Monday, July 24, 2006 7:34 AM
Subject: VOTE: to Release Roller 2.3.1 (RC1)
> I have prepared a release candidate for Roller 2.3.1 that fixes one issue:
> http://opensource.atlassian.com/projects/roller/browse/ROL-1196
>
> The release candidate files are available here:
> http://people.apache.org/~snoopdave/
>
> I think ROL-1196 is serious enough to justify "emergency bug fix
> release" status.
>
> - Dave
>