Hmm, isn't that a bit heavy-handed? Isn't there a risk it breaks searches sometimes?
What I usually do is keep two variables: an "escaped" one that I
use whenever I want to output something, and an "unescaped" one for API
calls.
Do you know which 3 places write this variable? I can see
one with the form::field there, but I don't see the others.
On 10 July 2014 10:36, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:
I committed a quick fix to try to correct this. Can you
check tomorrow with the nightly? (2.6 branch)
2014-07-10 8:11 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
> Where is your patch Julien ? :-D
>
>
> 2014-07-09 11:58 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
>
> note that there are apparently 3 places where it is displayed this way.
>>
>>
>> On 9 July 2014 11:57, Julien Wajsberg <felash(a)gmail.com> wrote:
>>
>> > I can see it in plain text in the source:
>> >
>> > <input type="submit" value="ok" /></p>
>> > <input type="hidden" name="xd_check" value="e583662b0e24493bb6d9e67cdfdc03140104694a" />
>> > <input type="hidden" name="q" value=""><img src=0 onerror=alert(document.cookie)>" />
>> > <input type="hidden" name="qtype" value="p" /></div></form>
>> > <form action="/blog/admin/search.php" method="get"><div class="pager"><ul>
>> > <li class="first no-link btn"><img src="images/pagination/no-first.png" alt="Première page"/></li>
>> > <li class="prev no-link btn"><img src="images/pagination/no-previous.png" alt="Page précédente"/></li>
>> > <li class="active"><strong>Page 1 / 16</strong></li>
>> > <li class="next btn"><a href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=2"><img src="images/pagination/next.png" alt="Page suivante"/></a><span class="hidden">Page suivante</span></li>
>> > <li class="last btn"><a href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=16"><img src="images/pagination/last.png" alt="Dernière page"/></a><span class="hidden">Dernière page</span></li>
>> > <li class="direct-access">Aller à la page : <input type="text" size="3" name="page" maxlength="10" />
>> > <input type="submit" value="ok" class="reset" name="ok" />
>> > <input type="hidden" name="q" value=""><img src=0 onerror=alert(document.cookie)>" />
>> > <input type="hidden" name="qtype" value="p" /></li></ul></div></form>
>> > <div id="help"><hr /><div class="help-content clear"><h3>Aide pour cette page</h3>
>> >
>> >
>> > (search for "xd_check")
>> >
>> > as for why it doesn't reproduce elsewhere, I have no idea, but I can
>> > still clearly see that we aren't escaping the user input when we
>> > should be.
>> >
>> >
>> > On 8 July 2014 20:23, Nicolas <nikrou77(a)gmail.com> wrote:
>> >
>> >> Hi again,
>> >>
>> >>
>> >> 2014-07-08 17:28 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
>> >>
>> >> > Apparently it's a problem on the Firefox side, not Dotclear. The strings
>> >> > are in principle properly escaped on search and on display.
>> >> >
>> >> > Yes indeed Franck, otherwise the problem would exist whatever the browser.
>> >>
>> >>
>> >>
>> >> >
>> >> > 2014-07-08 17:06 GMT+02:00 Philippe <philippe(a)dissitou.org>:
>> >> >
>> >> > > I also reproduce it with Firefox only, on versions 2.6.3 and 2.7-dev
>> >> > > --
>> >> > > Philippe
>> >> > >
>> >> > >
>> >> > > 2014-07-08 16:41 GMT+02:00 Nicolas <nikrou77(a)gmail.com>:
>> >> > > > I reproduce it too, but only with the blue panda! :-)
>> >> > > >
>> >> > > >
>> >> > > > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
>> >> > > >
>> >> > > >> I reproduce it on my blog (which doesn't have the latest version, though)
>> >> > > >>
>> >> > > >>
>> >> > > >> On 8 July 2014 16:26, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:
>> >> > > >>
>> >> > > >> > JPCERT97966327
>> >> > > >> >
>> >> > > >> >
>> >> > > >> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
>> >> > > >> >
>> >> > > >> > > we need the password :)
>> >> > > >> > >
>> >> > > >> > >
>> >> > > >> > > On 8 July 2014 16:04, Dotclear (contact) <contact(a)dotclear.net> wrote:
>> >> > > >> > >
>> >> > > >> > > > The archive that details pretty much everything:
>> >> > > >> > > > https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
>> >> > > >> > > >
>> >> > > >> > > >
>> >> > > >> > > > 2014-07-08 15:08 GMT+02:00 Dotclear (contact) <contact(a)dotclear.net>:
>> >> > > >> > > >
>> >> > > >> > > > > Morning folks,
>> >> > > >> > > > >
>> >> > > >> > > > > We received a report this morning about an XSS vulnerability (see
>> >> > > >> > > > > below, the archive password is JPCERT97966327) but I can't manage
>> >> > > >> > > > > to reproduce the vulnerability.
>> >> > > >> > > > > Can someone take a look at it on their side?
>> >> > > >> > > > >
>> >> > > >> > > > > Franck
>> >> > > >> > > > >
>> >> > > >> > > > > ---------- Forwarded message ----------
>> >> > > >> > > > > From: JPCERT/CC <vuls(a)jpcert.or.jp>
>> >> > > >> > > > > Date: 2014-07-08 4:36 GMT+02:00
>> >> > > >> > > > > Subject: Re: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JPCERT#97966327
>> >> > > >> > > > > To: Dotclear Development Team <contact(a)dotclear.net>
>> >> > > >> > > > >
>> >> > > >> > > > >
>> >> > > >> > > > > Hello xave @ the Dotclear Team,
>> >> > > >> > > > >
>> >> > > >> > > > > We have received a vulnerability report for one of your products:
>> >> > > >> > > > >
>> >> > > >> > > > > - Dotclear 2.6.3 vulnerable to cross-site scripting
>> >> > > >> > > > >
>> >> > > >> > > > > I have attached the details of the reported vulnerability to this email.
>> >> > > >> > > > > The password for the zip file will be sent in a separate email.
>> >> > > >> > > > > The original report was against version 2.6.2, but the issue was also
>> >> > > >> > > > > verified to still exist in 2.6.3. Please see the report for more details.
>> >> > > >> > > > >
>> >> > > >> > > > > Please take a look at the report and return to us with the information
>> >> > > >> > > > > such as;
>> >> > > >> > > > > -validate the products, and whether the reported vulnerability is
>> >> > > >> > > > > confirmed or not
>> >> > > >> > > > > -solutions (e.g., patch or module update)
>> >> > > >> > > > > -workarounds if any
>> >> > > >> > > > > -estimated time for creation of fixes
>> >> > > >> > > > > -preferable date for public release on your site
>> >> > > >> > > > > *we will also publish an advisory for this issue on our vulnerability
>> >> > > >> > > > > knowledge base, JVN, http://jvn.jp, http://jvn.jp/en/,
>> >> > > >> > > > > synchronizing with your release schedule.
>> >> > > >> > > > >
>> >> > > >> > > > > **Caution**
>> >> > > >> > > > > We have assigned the tracking number for this vulnerability issue;
>> >> > > >> > > > > [VN: JVN#61637002 / TN: JPCERT#97966327]
>> >> > > >> > > > > Please be sure to include these numbers in the subject line for
>> >> > > >> > > > > future communication with us. We appreciate your cooperation on this.
>> >> > > >> > > > >
>> >> > > >> > > > > If you have any questions and concerns, please do not hesitate to
>> >> > > >> > > > > contact us any time.
>> >> > > >> > > > >
>> >> > > >> > > > > Thank you in advance for your attention on this matter.
>> >> > > >> > > > > We are looking forward to hearing from you.
>> >> > > >> > > > >
>> >> > > >> > > > > Sincerely yours,
>> >> > > >> > > > >
>> >> > > >> > > > > Takayuki Uchiyama
>> >> > > >> > > > > JPCERT/CC Vulnerability Handling Team
>> >> > > >> > > > >
>> >> > > >> > > > > > Hello,
>> >> > > >> > > > > >
>> >> > > >> > > > > > Please be aware that Dotclear 2.6.2 is not the latest version: v2.6.3
>> >> > > >> > > > > > was released in May to patch vulnerabilities found in 2.6.2 (listed at
>> >> > > >> > > > > > http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html)
>> >> > > >> > > > > >
>> >> > > >> > > > > > If the vulnerabilities you found are not the ones listed and still
>> >> > > >> > > > > > exist in 2.6.3, please send any information to security(a)dotclear.net
>> >> > > >> > > > > > where you'll reach several members of the team (we do not use a GPG
>> >> > > >> > > > > > key).
>> >> > > >> > > > > >
>> >> > > >> > > > > > xave, for the Dotclear Team.
>> >> > > >> > > > > >
>> >> > > >> > > > > >
>> >> > > >> > > > > >
>> >> > > >> > > > > > On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC <vuls(a)jpcert.or.jp> wrote:
>> >> > > >> > > > > > > To whom it may concern,
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > Hello. This is Noriko Takahashi from JPCERT/CC Vulnerability
>> >> > > >> > > > > > > Handling Team. Please excuse the sudden contact.
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > If you're not familiar with us or our activities, please
>> >> > > >> > > > > > > check the following websites for more information.
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > http://www.jpcert.or.jp/english/
>> >> > > >> > > > > > > http://www.jpcert.or.jp/english/vh/project.html
>> >> > > >> > > > > > > http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
>> >> > > >> > > > > > > http://jvn.jp/en/
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > We have received a report of a vulnerability found in the
>> >> > > >> > > > > > > product "Dotclear 2.6.2" from a researcher/user here in Japan
>> >> > > >> > > > > > > under the vulnerability handling framework called "Information
>> >> > > >> > > > > > > Security Early Warning Partnership" and the official announcement
>> >> > > >> > > > > > > #235 "Software Vulnerability Related Information Handling Measures"
>> >> > > >> > > > > > > which were designed by Ministry of Economy, Trade and Industry (METI),
>> >> > > >> > > > > > > a Japanese cabinet.
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > From the website
>> >> > > >> > > > > > > http://dotclear.org/contact
>> >> > > >> > > > > > > we found this email address. We would like to coordinate with you
>> >> > > >> > > > > > > to solve the reported vulnerability, and your cooperation would be
>> >> > > >> > > > > > > greatly appreciated.
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > Before we provide you the details of the reported vulnerability,
>> >> > > >> > > > > > > we would like to know the appropriate point-of-contact person,
>> >> > > >> > > > > > > or department/group/team to communicate in regards to this issue.
>> >> > > >> > > > > > > It would be greatly appreciated if you could provide us the below
>> >> > > >> > > > > > > information at your earliest convenience.
>> >> > > >> > > > > > > -Name of the person/team who is in charge of such issues
>> >> > > >> > > > > > > -Email address
>> >> > > >> > > > > > > -PGP key if available
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > Once we receive your reply and point-of-contact information,
>> >> > > >> > > > > > > we will then send you the original vulnerability report and the
>> >> > > >> > > > > > > details either in a PGP encrypted message or in a password protected
>> >> > > >> > > > > > > zip file.
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > If you have any questions or concerns, please do not hesitate
>> >> > > >> > > > > > > to contact us any time.
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > Thank you in advance for your attention to this email.
>> >> > > >> > > > > > > We would very much appreciate your prompt reply.
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > Sincerely yours,
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > Noriko Takahashi
>> >> > > >> > > > > > > Leader of Vulnerability Handling Team
>> >> > > >> > > > > > > Information Coordination Group
>> >> > > >> > > > >
>> >> > > >> > > > > ======================================================================
>> >> > > >> > > > > JPCERT Coordination Center (JPCERT/CC)
>> >> > > >> > > > > TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL: vuls(a)jpcert.or.jp
>> >> > > >> > > > > PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52 D4 F8 8D 50 FC
>> >> > > >> > > > > https://www.jpcert.or.jp/english http://jvn.jp/en/ http://jvn.jp
>> >> > > >> > > > >
>> >> > > >> > > > >
>> >> > > >> > > > >
>> >> > > >> > > > > --
>> >> > > >> > > > > Dotclear Team
>> >> > > >> > > > >
>> >> > > >> > > >
>> >> > > >> > > >
>> >> > > >> > > >
>> >> > > >> > > > --
>> >> > > >> > > > Dotclear Team
>> >> > > >> > > > --
>> >> > > >> > > > Dev mailing list - Dev(a)list.dotclear.org - http://ml.dotclear.org/listinfo/dev
--
Franck
--
Dev mailing list - Dev(a)list.dotclear.org - http://ml.dotclear.org/listinfo/dev
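
Added example, not part of the original thread and not Dotclear's own code: the two-variable pattern described in the top message, applied to the hidden "q" field and the pager links shown in the quoted page source. The helper names (esc_html, hidden_field_unsafe, hidden_field, pager_link, search_posts) are hypothetical and the sample posts are constructed.

```php
<?php
// Hypothetical helpers for illustration; not Dotclear's form:: or html:: classes.

// Escape a value for a double-quoted HTML attribute or a text node.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hidden field built the way the quoted page source shows it: value copied verbatim.
function hidden_field_unsafe(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
}

// Same field with both attribute values escaped at the point of output.
function hidden_field(string $name, string $value): string
{
    return '<input type="hidden" name="' . esc_html($name) . '" value="' . esc_html($value) . '" />';
}

// Pager link: URL-encode the raw value first, then HTML-escape the whole href.
function pager_link(string $base, string $q, string $qtype, int $page): string
{
    $url = $base . '?' . http_build_query(['q' => $q, 'qtype' => $qtype, 'page' => $page]);
    return '<a href="' . esc_html($url) . '">' . $page . '</a>';
}

// Stand-in for the search API: it must receive the raw, unescaped query.
function search_posts(array $posts, string $q): array
{
    return array_values(array_filter($posts, fn($p) => $q !== '' && stripos($p, $q) !== false));
}

$posts   = ['Tom & Jerry review', 'Release notes'];      // constructed sample data
$payload = '"><img src=0 onerror=alert(document.cookie)>'; // q value quoted in the thread

$q      = 'Tom & Jerry';   // raw copy: API calls and URL building
$q_html = esc_html($q);    // escaped copy: anything written into HTML

var_dump(search_posts($posts, $q));       // raw copy goes to the search
var_dump(search_posts($posts, $q_html));  // escaped copy sent by mistake: "&amp;" no longer matches "&"

echo hidden_field_unsafe('q', $payload), "\n"; // the quote in the value ends the attribute early
echo hidden_field('q', $payload), "\n";        // the value stays inside value="..."
echo pager_link('/blog/admin/search.php', $payload, 'p', 2), "\n";
```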