Mercurial > p > roundup > code
view website/issues/html/_generic.calendar.html @ 8062:28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
Directions for fixing:
* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
tracker homes.
* `CVE-2024-39125`_ - :ref:`if Referer header is set to a script
tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from
an issue can contain embedded JavaScript which is
executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
available for fixing in prior versions.
prior to 2.4.0 release this weekend that fixes the last two CVE's.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 09 Jul 2024 09:07:09 -0400 |
| parents | 7146b68ac263 |
| children |
line wrap: on
line source
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <link rel="stylesheet" type="text/css" href="@@file/style.css" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8;" /> <meta name="robots" content="noindex, nofollow" /> <title tal:content="string:Roundup Calendar"></title> <script language="Javascript" type="text/javascript" tal:attributes="nonce request/client/client_nonce" tal:content="string: // this is the name of the field in the original form that we're working on form = window.opener.document.${request/form/form/value}; field = '${request/form/property/value}';" > </script> </head> <body class="body" tal:content="structure python:utils.html_calendar(request)"> </body> </html>