Just switch your svn:externals to the branch. Thus you will also get
future security-fixes (if any). New tags will not be created for the old
branches.
...................................
:  ___   _   ___ ___ ___ _ ___    :
: |   \ /_\ / __| _ \ _ (_)   \   :
: | |) / _ \\__ \  _/   / | |) |  :
: |___/_/:\_\___/_| |_|_\_|___/   :
:........:........................:
: Web    : http://www.dasprids.de :
: E-mail : m...@dasprids.de       :
: Jabber : jab...@dasprids.de     :
: ICQ    : 105677955              :
:........:........................:


Bradley Holt wrote:
> Wil,
> 
> We have one project that is running on a client's RHEL server and are
> using ZF 1.6.2 due to compatibility issues. I see that these fixes have
> been backported to the release-1.6 branch but no new tag was created
> (the last tag in 1.6 is 1.6.2 last updated on 10/12/2008). Wouldn't it
> be appropriate to create a new 1.6.3 tag with this backported fix? If
> not, I can simply switch my svn:externals to use the branch instead of a
> tag but it just seems more appropriate for me to use tags instead of
> branches in my svn:externals.
> 
> Thanks,
> Bradley
> 
> On Thu, Mar 19, 2009 at 4:56 PM, Wil Sinclair <w...@zend.com> wrote:
> 
>     The Zend Framework team was recently notified of an XSS attack
>     vector in its Zend_Filter_StripTags class. Zend_Filter_StripTags
>     offers the ability to strip HTML tags from text, but also to
>     selectively choose which tags and specific attributes of those tags
>     to keep.
> 
>     The XSS attack vector was due to a bug in matching HTML tag
>     attributes to retain. If whitespace was introduced surrounding the
>     attribute assignment operator or the value included newline
>     characters, the attribute would always be included in the final
>     output- even if it was not marked to retain.
> 
>     A security fix has been created and released with Zend Framework 1.7.7.
> 
>     Additionally, the fix has been back-ported to the 1.6, 1.5, and 1.0
>     release branches.
> 
>     The Zend Framework team strongly recommends upgrading to version
>     1.7.7. If you cannot upgrade at this time, we recommend exporting
>     from the release branch matching the minor release you are currently
>     using, or downloading the file listed below and pushing it into your
>     Zend Framework installation.
> 
>     http://framework.zend.com/svn/framework/standard/branches/release-1.7/library/Zend/Filter/StripTags.php
> 
>     Thank you.
> 
>     ,Wil
> 
> -- 
> Bradley Holt
> bradley.h...@foundline.com
> 
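The failure mode in the quoted advisory, as an added example that is not part of the original thread and is not Zend Framework's code: a fail-open attribute filter that leaves whatever it cannot parse, beside a fail-closed one that rebuilds the attribute string from allowlisted matches only. Both function names and all sample inputs are constructed for illustration.

```php
<?php
// Added illustration, not Zend Framework code; both function names are hypothetical.

// Fail-open: removes only attributes it can parse as name="value" on one line.
// Whatever the pattern fails to recognise is left in the tag untouched.
function keepAttrsFailOpen(string $attrs, array $allowed): string
{
    return preg_replace_callback(
        '/\s+([a-z-]+)="([^"\n]*)"/i',
        function (array $m) use ($allowed): string {
            return in_array(strtolower($m[1]), $allowed, true) ? $m[0] : '';
        },
        $attrs
    );
}

// Fail-closed: rebuilds the attribute string from allowlisted matches only.
// Tolerates whitespace around "=" and newlines inside quoted values (/s);
// unquoted values and anything else left unparsed are dropped.
function keepAttrsFailClosed(string $attrs, array $allowed): string
{
    preg_match_all('/([^\s=\/"\'<>]+)\s*=\s*(["\'])(.*?)\2/s', $attrs, $found, PREG_SET_ORDER);
    $out = '';
    foreach ($found as $m) {
        $name = strtolower($m[1]);
        if (in_array($name, $allowed, true)) {
            $out .= ' ' . $name . '="' . str_replace('"', '&quot;', $m[3]) . '"';
        }
    }
    return $out;
}

// Constructed inputs: the attribute part of a tag, one per condition in the advisory.
$cases = [
    'tight assignment' => ' href="/x" onclick="f()"',
    'space around ='   => ' href="/x" onclick = "f()"',
    'newline in value' => " href=\"/x\" onclick=\"f(\n)\"",
];
foreach ($cases as $label => $attrs) {
    $open   = keepAttrsFailOpen($attrs, ['href']);
    $closed = keepAttrsFailClosed($attrs, ['href']);
    if ($closed !== ' href="/x"') {
        throw new RuntimeException("fail-closed filter leaked in case: $label");
    }
    printf("%-17s fail-open keeps onclick: %-3s fail-closed: %s\n",
        $label, stripos($open, 'onclick') !== false ? 'yes' : 'no', $closed);
}
```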
