id	summary	reporter	owner	description	type	status	priority	component	severity	resolution	keywords	cc	release
7239	serious concerns related to use of HTML generator with potentially insecure input	hasienda	hasienda	'''Is it still safe for your use case to use WikiTicketCalendarMacro''' in its current state?\r\n\r\nI'm sorry for the inconvenience, but you should think twice, since it was kindly brought to my attention that it is quite possible to trick WikiTicketCalendarMacro into showing not Milestone and Ticket data but completely different things by preparing maliciously formed Milestone/Ticket summaries. Thanks for the advice from Odd Simon Simonsen on the #trac IRC channel today.\r\n\r\nThe bottom line is the use of the Genshi HTML generator `Markup()`, which was meant for known good and tightly controlled safe code only, while this is not the case in WikiTicketCalendarMacro, and it never was since the generator call was introduced with version 0.5.0 in October 2009.\r\n\r\nTo date there is no known case where this has been used for an exploit. But be assured that I still take this really seriously and will try to fix it after investigating alternatives and looking at how other plugin authors dealt with this issue.	defect	closed	high	WikiTicketCalendarMacro	blocker	fixed	security precaution HTML input unsanitized	rjollos	0.11
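The pattern the ticket describes, shown as an added example that is not the WikiTicketCalendarMacro's own code and does not use Genshi itself: `Markup()` in Genshi marks a string as already-safe HTML that the template engine emits without escaping, so any untrusted ticket or milestone summary formatted into that string is emitted verbatim. To stay runnable without Genshi installed, the `TrustedMarkup` class and `render()` function below are stand-ins for `genshi.core.Markup` and for what a Genshi template does when it outputs a value, and the standard library's `html.escape` plays the role of `genshi.core.escape()`. The summary and URL values are constructed sample input.

```python
from html import escape


class TrustedMarkup(str):
    """Stand-in for genshi.core.Markup: a str the renderer will NOT escape.
    This is the contract Markup() carries; it is only safe when every piece
    of the wrapped string is known-good HTML."""


def render(fragment):
    """Stand-in for a Genshi template emitting a value: plain strings are
    escaped, TrustedMarkup passes through untouched."""
    if isinstance(fragment, TrustedMarkup):
        return str(fragment)
    return escape(fragment, quote=True)


def day_cell_unsafe(summary, url):
    """Vulnerable pattern (the one the ticket warns about): untrusted
    summary/url interpolated into an HTML string and then declared trusted,
    so whatever the summary contains reaches the browser as markup."""
    return render(TrustedMarkup('<a href="%s">%s</a>' % (url, summary)))


def day_cell_safe(summary, url):
    """Hardened pattern: escape each untrusted piece first (attribute value
    and text node alike), then the wrapper is genuinely safe."""
    link = '<a href="%s">%s</a>' % (escape(url, quote=True),
                                    escape(summary, quote=True))
    return render(TrustedMarkup(link))


# Constructed sample input: a ticket summary crafted to close the link and
# smuggle an extra element into the calendar cell. Assumed value, not data
# from any real Trac instance.
MALICIOUS_SUMMARY = 'Release 1.0</a><img src=x onerror=alert(1)><a>'
BENIGN_SUMMARY = 'Milestone 1.0'


def injected_tag_present(html_fragment):
    """True if the rendered cell still contains a live <img> element,
    i.e. the summary was able to inject markup."""
    return '<img' in html_fragment


if __name__ == '__main__':
    for name, fn in (('unsafe', day_cell_unsafe), ('safe', day_cell_safe)):
        out = fn(MALICIOUS_SUMMARY, '/ticket/1')
        print(name, 'injected' if injected_tag_present(out) else 'escaped', out)
```

With Genshi proper, the equivalent fix is either to pass the summary through `genshi.core.escape()` before it goes into the `Markup()` string, or to build the element with `genshi.builder.tag` (for instance `tag.a(summary, href=url)`), which escapes child text and attribute values itself; the point of the example is that the escaping must happen to every untrusted piece, not to the assembled string after the fact.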
