Status: Closed (ranginui closed this 13 years ago)
Thank you for the heads-up regarding these XSS vectors and for the patch which indicates the specific entry points. However, the commit has several typos (e.g. missing spaces between tag elements) and the approach doesn't nip the problem in the bud, allowing users to potentially go on manipulating bogus data with who can say what results. Better to fail quickly. See commit e22b18f for a different approach.
The vulnerability was detected by Yuri Goltsev, Positive Technologies Research Lab