Re: Very serious security problem

From: Arnaud Desitter <arnaud02@users.sourceforge.net>
Date: Wed, 19 Nov 2008 10:06:21 +0000
Message-ID: <a240ddd00811190206p384fe25bge98ce6cd2e2da800@mail.gmail.com>
To: "John Haugeland" <john.haugeland@kayako.com>
Cc: html-tidy@w3.org

Send it to me.
Regards,

2008/11/18 John Haugeland <john.haugeland@kayako.com>:
> We have become aware of a very serious XSS injection in HTML Tidy (several
> weeks late because securityfocus does not report defects to vendors, which
> is a significant problem in its own right.) I am prepared to provide a
> trivial patch to close it.
>
> What is the appropriate process for reporting security defects in private,
> to allow the patch cycle to close the problem without aggravating it?
Received on Wednesday, 19 November 2008 10:07:52 GMT