https://sourceforge.net/p/allura/tickets/6604/ is a ticket I just resolved regarding how IE9 (and earlier) handle JSON for URLs ending in .htm(l). This is a vulnerability in the wiki since a page can be named "foo.html".

See the commit https://git-wip-us.apache.org/repos/asf?p=incubator-allura.git;a=commitdiff;h=1843655afd93053119ad454a6628083c0e06284d for the fix and test case. I recommend all Allura users upgrade or apply this fix.

We may want a better way to distribute security information, rather than just using this mailing list. I'm interested in any suggestions.

-- 
Dave Brondsema : [email protected]
http://www.brondsema.net : personal
http://www.splike.com : programming
<><
