[Rabbit-dev] cross-site-scripting vulnerability

Jeff Adamson jwa at urbancode.com
Mon Mar 15 16:43:06 CET 2010


By comparing with your spiffy new public git repository :-), it looks like
you covered all the spots that I identified.  Thanks.

--Jeff

On Sun, Mar 14, 2010 at 11:21 AM, Robert Olofsson <
robert.olofsson at khelekore.org> wrote:

> On Mon, 1 Mar 2010 16:21:43 -0500
> Jeff Adamson <jwa at urbancode.com> wrote:
>
> > I did not see any mechanisms within the rabbIT codebase for escaping HTML
> > strings.  I created the following patch which makes use of the Apache
> > commons-lang 2.x project to perform the escaping.
> >
> > I do hope I am not being presumptuous, nor do I intend any insult.  I just
> > needed the change fixed ASAP for a security audit and so I needed to do it
> > myself locally.
>
> I think I have added the core contents of the patch; I did some reworking
> of it and some cleanup in StandardResponseHeaders.java, so the actual
> diff looks a bit different from your patch.
> Please check the actual patches and see if I have missed anything.
>
> I did add the commons-lang version 2.5, it is quite small.
>
> Thanks.
> /robo
>
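The thread above is about escaping untrusted text before it is written into proxy-generated HTML, using Apache commons-lang 2.x. The following is an added illustration, not Jeff's patch and not RabbIT's own code: a hypothetical error-page builder (the names ErrorPageEscapeExample, unsafeErrorPage, safeErrorPage and safeLink are invented for this example) shown first without escaping and then hardened with StringEscapeUtils.escapeHtml from org.apache.commons.lang (commons-lang 2.5 on the classpath is assumed). The sample URL is constructed for the example.

```java
// Added example; not code from RabbIT or from the patch discussed above.
// Assumes commons-lang 2.x (package org.apache.commons.lang) on the classpath.
import org.apache.commons.lang.StringEscapeUtils;

public class ErrorPageEscapeExample {

    // Hypothetical page builder standing in for a proxy-generated error page.
    // The requested URL is attacker-controlled: whoever makes the request
    // chooses it, and it is echoed back into markup unchanged. This is the
    // reflected-XSS shape the thread is about.
    static String unsafeErrorPage(String requestedUrl) {
        return "<html><body><h1>Proxy error</h1>"
             + "<p>Could not fetch " + requestedUrl + "</p>"
             + "</body></html>";
    }

    // Hardened form: the untrusted value passes through escapeHtml() before it
    // is concatenated into markup. '<', '>', '&' and '"' become entities, so
    // the browser renders the URL as text instead of parsing it as tags.
    static String safeErrorPage(String requestedUrl) {
        String escaped = StringEscapeUtils.escapeHtml(requestedUrl);
        return "<html><body><h1>Proxy error</h1>"
             + "<p>Could not fetch " + escaped + "</p>"
             + "</body></html>";
    }

    // Attribute context: escapeHtml() encodes the double quote, so the value
    // must be placed inside double quotes. commons-lang 2.x escapeHtml() does
    // NOT encode the apostrophe, so a single-quoted attribute would still be
    // breakable; use double quotes as done here.
    static String safeLink(String requestedUrl) {
        String escaped = StringEscapeUtils.escapeHtml(requestedUrl);
        return "<a href=\"" + escaped + "\">" + escaped + "</a>";
    }

    public static void main(String[] args) {
        // Constructed sample input: a URL carrying a script payload.
        String evil = "http://example.invalid/?q=<script>alert(1)</script>";

        String unsafe = unsafeErrorPage(evil);
        String safe   = safeErrorPage(evil);

        System.out.println(unsafe);
        System.out.println(safe);
        System.out.println(safeLink(evil));

        // Self-check: the raw page still contains an executable tag,
        // the escaped page contains only the entity-encoded text.
        if (!unsafe.contains("<script>")) throw new AssertionError("unsafe page lost payload");
        if (safe.contains("<script>")) throw new AssertionError("escaping failed");
        if (!safe.contains("&lt;script&gt;")) throw new AssertionError("expected entities");
    }
}
```

Two practitioner notes on this approach: escapeHtml() is an HTML-body and double-quoted-attribute escaper only, so a value landing inside a script block, an event handler, or a URL parameter needs the escaper for that context instead; and because it does not encode the apostrophe, every attribute that receives escaped data must be double-quoted.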