Re: Very serious security problem

From: Arnaud Desitter <arnaud02@users.sourceforge.net>
Date: Thu, 20 Nov 2008 09:46:12 +0000
Message-ID: <a240ddd00811200146v619bc822wd6d2ec6d449f75e8@mail.gmail.com>
To: "John Haugeland" <john.haugeland@kayako.com>
Cc: html-tidy@w3.org

After discussion with John, it turns out to be unrelated to HTML Tidy.

2008/11/18 John Haugeland <john.haugeland@kayako.com>:
> We have become aware of a very serious XSS injection in HTML Tidy (several
> weeks late because securityfocus does not report defects to vendors, which
> is a significant problem in its own right.)  I am prepared to provide a
> trivial patch to close it.
> What is the appropriate process for reporting security defects in private,
> to allow the patch cycle to close the problem without aggravating it?

Received on Thursday, 20 November 2008 09:48:16 UTC