Very serious security problem

From: John Haugeland <john.haugeland@kayako.com>
Date: Tue, 18 Nov 2008 13:15:43 -0700
To: <html-tidy@w3.org>
Message-ID: <005e01c949ba$717bc010$54734030$@haugeland@kayako.com>

We have become aware of a very serious XSS injection in HTML Tidy (several
weeks late because SecurityFocus does not report defects to vendors, which
is a significant problem in its own right). I am prepared to provide a
trivial patch to close it.

What is the appropriate process for reporting security defects in private,
to allow the patch cycle to close the problem without aggravating it?

Received on Wednesday, 19 November 2008 08:16:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 3 April 2012 06:13:59 GMT