Re: Drupal all versiyon xss cehennem.org Jan 03 2006 09:43PM
security drupal org
I have inspected the latest XSS filter mechanism of Drupal which is included in 4.5.6 and 4.6.4 versions and onward and both the decimal and the hexadecimal version is escaped when choosing the "Filtered HTML" format. The "Full HTML" format, as its name implies, does not filter HTML and its documented to be so.

I am not aware of any contact attempts w/ the security team before mailing this report to the list.


Karoly Negyesi
Security team coordinator

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus