On Fri Sep 18, 2009 at 14:06:44 +0200, Arnaud Fontaine wrote:
> No I didn't, I could not find this discussion, could you please point it
> me out? As soon as all these issues will have been addressed, I will
> prepare a package (debian-security team: please do not upload the
> package for now).

Basically it comes down to CDATA and the handling of <description>.

This is the comment I received:

--
please find attached the two reproducers for the CDATA thing.
poc1.xml is not correctly filtered while poc2.xml is filtered,
although they are nearly identical. If you edit the newly patched
function to print the k and v values, you'll see that the attributes
aren't passed through.
--

Steve
--
poc1.xml
Description: XML document
poc2.xml
Description: XML document