Hi!

The following changeset fixes an XSS vulnerability: http://trac.roundcube.net/changeset/2245

Roundcube is packaged in Debian Lenny and the version that is considered for this version is 0.1.1. It is not possible to package a more recent version due to the way Debian manages to publish a "stable" version.

The code is really different for 0.1.1. From my understanding of the code, it seems that 0.1.1 is not vulnerable, but I will test this.

We also have 0.2-alpha. We are in the process to release 0.2-stable as well but this is not done yet since some pieces are missing in Debian. 0.2-alpha does not accept the background attribute, so no problem with this one. However, the patch also changes a regexp. Is this change related to the XSS vulnerability?

Thanks for any input.

Make sure comments and code agree. - The Elements of Programming Style (Kernighan & Plauger) _______________________________________________ List info: http://lists.roundcube.net/users/