<+ Multiple XSS +> There're multiple XSS in `post comment': [1] `name' variable is not filtered when it's assigned to `value' on the `<input>' in the form when the comment it's posted. [2] Happends the same as [1] with `website' variable. [3] `comment', this variable only filtered " and ' chars, this makes possible to use < and >, thus this permit an attacker to inject any HTML (or script) code that he/she want but without any " or ' character, this only happends if the user that post the comment it's the admin (any registered kind of `user').
superlag please bump as soon as a fix/new upstream version is available, thanks.
For [1] and [2] it's not usable for XSS (only affects you) For [3] it needs to be posted by the admin (or approved by him) so very low risk. We should probably invalidate it.
based on koon's comments, i think we can pass this over to maintainers
Invalid as a security issue
