Hi everyone. Can anyone tell how is it that the XSS indicated by this advisory was fixed? I might be something wrong here, but can't see what is it. I was using a fairly old version (2.1.5), and upgraded to 2.1.9. To my surprise, the XSS using the URL with listinfo.html is still working, changing the content (HTML) of the list's info using the PoC URL of the said advisory. Reading the code for edithtml.py I can still see problems here: passing the values using GET still works, and the regular expression looking for <[/]?script.*> still is case sensitive. The diff between revision 7723 and 8001 for edithtml.py (Release_2_1-maint branch) gives me: Index: edithtml.py =================================================================== --- edithtml.py (revision 7723) +++ edithtml.py (working copy) @@ -143,7 +143,8 @@ doc.AddItem('<p>') doc.AddItem('<hr>') form = Form(mlist.GetScriptURL('edithtml') + '/' + template_name) - text = Utils.websafe(Utils.maketext(template_name, raw=1, mlist=mlist)) + text = Utils.maketext(template_name, raw=1, mlist=mlist) + # MAS: Don't websafe twice. TextArea does it. form.AddItem(TextArea('html_code', text, rows=40, cols=75)) form.AddItem('<p>' + _('When you are done making changes...')) form.AddItem(SubmitButton('submit', _('Submit Changes'))) I am sure I'm doing something wrong, but can't see what is it. Where's the fix? Cheers, -- Juan