Very serious security problem

We have become aware of a very serious XSS injection in HTML Tidy (several
weeks late because SecurityFocus does not report defects to vendors, which
is a significant problem in its own right).  I am prepared to provide a
trivial patch to close it.

What is the appropriate process for reporting security defects in private,
to allow the patch cycle to close the problem without aggravating it?

Received on Wednesday, 19 November 2008 08:16:18 UTC