CVE-2019-10219 Security issue with @SafeHtml

Description

None

Environment

None

Activity

Guillaume Smet
October 18, 2019, 11:19 AM

Comment nodes were totally ignored in @SafeHtml evaluation whereas they can contain some code (typically, SSI or conditional IE things and so on).

As vendors continuously come up with new ways to misuse HTML comments, let's play it safe and consider them invalid.

Note that this is a change in behavior and previously safe HTML will now be considered unsafe.
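As an added illustration (not Hibernate Validator's code and not part of this issue), the following Python allowlist checker built on the standard library's `html.parser` shows why a validator that silently skips comment nodes lets the conditional-comment and SSI cases above through, and how treating every comment node as invalid closes the gap. The tag allowlist and the sample inputs are constructed for this example.

```python
from html.parser import HTMLParser

# Constructed allowlist standing in for a @SafeHtml-style whitelist (example only).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a"}


class SafeHtmlChecker(HTMLParser):
    """Allowlist validator. reject_comments=False reproduces the pre-fix
    behaviour (comment nodes silently skipped); True treats every comment
    node as a violation, which is what the fix described above does."""

    def __init__(self, reject_comments):
        super().__init__(convert_charrefs=True)
        self.reject_comments = reject_comments
        self.violations = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"disallowed tag <{tag}>")

    def handle_comment(self, data):
        # Everything between <!-- and --> arrives here as opaque text, so any
        # markup hidden inside a conditional comment never reaches
        # handle_starttag. Rejecting the node is the only safe option.
        if self.reject_comments:
            self.violations.append(f"comment node <!--{data.strip()[:40]}-->")

    def unknown_decl(self, data):
        # Downlevel-revealed conditionals (<![if IE]> ... <![endif]>) land here.
        if self.reject_comments:
            self.violations.append(f"marked section <![{data}]>")


def is_safe(html, reject_comments=True):
    """Return True when the fragment contains only allowlisted markup."""
    checker = SafeHtmlChecker(reject_comments)
    checker.feed(html)
    checker.close()
    return not checker.violations


# Constructed samples: a downlevel-hidden IE conditional comment and an SSI directive.
CONDITIONAL = '<p>hello</p><!--[if IE]><script></script><![endif]-->'
SSI = '<p>hello</p><!--#include virtual="/footer.html" -->'

if __name__ == "__main__":
    for sample in (CONDITIONAL, SSI):
        print(f"skip comments: {is_safe(sample, reject_comments=False)}  "
              f"reject comments: {is_safe(sample)}")
```

With comment nodes skipped, both samples are reported safe although the conditional comment wraps a disallowed `<script>` element; with comment nodes rejected, both fail, as does any previously accepted fragment that contained a harmless comment, which is the behaviour change noted above.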

Assignee

Guillaume Smet

Reporter

Guillaume Smet

Labels

None

Feedback Requested

None

Feedback Requested By

None

backPortable

None

Suitable for new contributors

None

backportDecision

None

backportReEvaluate

None

Components

Fix versions

Priority

Major