« Return to Thread: SECURITY ADVISORY
SECURITY ADVISORY
by wllm
::
Rate this Message:
Some parts of this message have been removed.
Learn more about Nabble's security policy.
The Zend Framework team was recently notified of an XSS
attack vector in its Zend_Filter_StripTags class. Zend_Filter_StripTags offers
the ability to strip HTML tags from text, but also to selectively choose which
tags and specific attributes of those tags to keep.
The XSS attack vector was due to a bug in matching HTML
tag attributes to retain. If whitespace was introduced surrounding the
attribute assignment operator or the value included newline characters, the
attribute would always be included in the final output- even if it was not
marked to retain.
A security fix has been created and released with Zend
Framework 1.7.7.
Additionally, the fix has been back-ported to the 1.6,
1.5, and 1.0 release branches.
The Zend Framework team strongly recommends upgrading to
version 1.7.7. If you cannot upgrade at this time, we recommend exporting from
the release branch matching the minor release you are currently using, or
downloading the file listed below and pushing it into your Zend Framework
installation.
Thank you.
,Wil
« Return to Thread: SECURITY ADVISORY
| Free embeddable forum powered by Nabble | Forum Help |
