id,summary,reporter,owner,description,type,status,priority,component,severity,resolution,keywords,cc,release
7239,serious concerns related to use of HTML generator with potentially insecure input,hasienda,hasienda,"'''Is it still safe for your use case to use WikiTicketCalendarMacro''' in its current state?\r\n\r\nI'm sorry for the inconvenience, but you should think twice, since it was kindly brought to my attention that it is quite possible to trick WikiTicketCalendarMacro into showing not Milestone and Ticket data but completely different things by preparing maliciously formed Milestone/Ticket summaries. Thanks for the advice from Odd Simon Simonsen on the #trac IRC channel today.\r\n\r\nThe bottom line is about using the Genshi HTML generator `Markup()`, which was meant for known good and tightly controlled safe code only, while this is not the case in WikiTicketCalendarMacro, and it never was since the generator call was introduced with version 0.5.0 in October 2009.\r\n\r\nTo date there is no known case where this has been used for an exploit. But be assured that I still take this really seriously and will try to fix it after investigating alternatives and looking at how other plugin authors dealt with this issue.",defect,closed,high,WikiTicketCalendarMacro,blocker,fixed,security precaution HTML input unsanitized,rjollos,0.11
