document XSS

master
Joey Hess 2011-01-22 10:23:09 -04:00
parent b5d7469830
commit afeb8db569
1 changed files with 9 additions and 0 deletions

View File

@ -453,3 +453,12 @@ preview or moderation of comments with such a configuration.
These problems were discovered on 12 November 2010 and fixed the same These problems were discovered on 12 November 2010 and fixed the same
hour with the release of ikiwiki 3.20101112. ([[!cve CVE-2010-1673]]) hour with the release of ikiwiki 3.20101112. ([[!cve CVE-2010-1673]])
## javascript insertation via insufficient checking in comments
Dave B noticed that attempting to comment on an illegal page name could be
used for an XSS attack.
This hole was discovered on 22 Jan 2011 and fixed the same day with
the release of ikiwiki 3.20110122. An upgrade is recommended for sites
with the comments plugin enabled.