canjs / can-stache

Live binding handlebars templates
https://canjs.com/doc/can-stache.html
MIT License

Reflective XSS exploit #600

Status: Open. gsmeets opened this issue 6 years ago

gsmeets commented 6 years ago

temporarily redacted until we have a solution

justinbmeyer commented 6 years ago

Thanks for reporting! I'm going to edit so the problem isn't well known until after we have a fix. In the future, if you find these sorts of things, reporting through email might be good so we can have a patch out first.

gsmeets commented 6 years ago

Roger

justinbmeyer commented 6 years ago

Fixed here: https://github.com/canjs/can-stache/releases/tag/v4.14.0

gsmeets commented 6 years ago

Will there also be a backport for 2.3?

justinbmeyer commented 6 years ago

@gsmeets eventually (especially if someone wants to do a PR). Here is the branch: https://github.com/canjs/canjs/commits/2.3-legacy

I'm working on a 3.0 one right after I get this fix in 5.0 fully released.

chasenlehara commented 5 years ago

@justinbmeyer Can this be closed, or do we need to make a patch for 2.3?

justinbmeyer commented 5 years ago

We should leave this open for 2.3.