Hi!
The following changeset fixes an XSS vulnerability: http://trac.roundcube.net/changeset/2245
Roundcube is packaged in Debian Lenny and the version that is considered for this version is 0.1.1. It is not possible to package a more recent version due to the way Debian manages to publish a "stable" version.
The code is really different for 0.1.1. From my understanding of the code, it seems that 0.1.1 is not vulnerable, but I will test this.
We also have 0.2-alpha. We are in the process of releasing 0.2-stable as well, but this is not done yet since some pieces are missing in Debian. 0.2-alpha does not accept the background attribute, so no problem with this one. However, the patch also changes a regexp. Is this change related to the XSS vulnerability?
Make sure comments and code agree. - The Elements of Programming Style (Kernighan & Plauger)