id: 7239
summary: serious concerns related to use of HTML generator with potentially insecure input
reporter: Steffen Hoffmann
owner: Steffen Hoffmann
type: defect
status: closed
priority: high
component: WikiTicketCalendarMacro
severity: blocker
resolution: fixed
keywords: security precaution HTML input unsanitized
cc: Ryan J Ollos
release: 0.11

description:

'''Is it still safe for your use case to use WikiTicketCalendarMacro''' in its current state?

I'm sorry for the inconvenience, but you should think twice, since it was kindly brought to my attention that it is quite possible to trick WikiTicketCalendarMacro into showing not Milestone and Ticket data but completely different things by preparing maliciously formed Milestone/Ticket summaries. Thanks for the advice from Odd Simon Simonsen on the #trac IRC channel today.

The bottom line is about using the Genshi HTML generator `Markup()`, which was meant for known-good and tightly controlled safe code only, while this is not the case in WikiTicketCalendarMacro, and it never was since the generator call was introduced with version 0.5.0 in October 2009.

To date there is no known case where this has been used for an exploit. But be assured that I still take this really seriously and will try to fix it after investigating alternatives and looking at how other plugin authors dealt with this issue.