It was reported [1], [2] that the generated gravatar HTML wasn't handling escaping of the display name of the user, allowing an attacker to choose a name that would close out the <img> tag and inject a <script> tag. By switching to Django's format_html(), we can guarantee safe escaping of content. Patches for 0.7.x [3] and 0.8.x [4] are available.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1105560
[3] http://seclists.org/oss-sec/2014/q2/494
[4] https://reviews.reviewboard.org/r/5947/diff/
[5] https://reviews.reviewboard.org/r/5946/diff/
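The attribute-context escaping bug described above, shown as a 'before' and 'after' pair. This is an added illustration, not Djblets' own code: the functions, the email address and the hostile display name are constructed for the example, and `escaped_format()` is a stdlib stand-in for Django's `format_html()` (which HTML-escapes every substituted argument) so the block runs without Django installed.

```python
"""Vulnerable vs. hardened gravatar <img> rendering (added example; not Djblets code)."""
import hashlib
import html

# Constructed sample input: a display name that closes the alt attribute and the
# <img> tag, then injects a <script> tag, as described in the report.
HOSTILE_NAME = '"><script>alert(1)</script><img alt="'
EMAIL = "user@example.com"  # constructed


def gravatar_url(email: str, size: int = 32) -> str:
    """Gravatar URL for an address: md5 of the stripped, lower-cased email (Gravatar's scheme)."""
    digest = hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()
    return f"https://www.gravatar.com/avatar/{digest}?s={size}"


def render_gravatar_vulnerable(email: str, display_name: str) -> str:
    """'Before': the display name is interpolated raw, so a quote in it ends the attribute."""
    return f'<img src="{gravatar_url(email)}" alt="{display_name}" />'


def escaped_format(template: str, *args: object) -> str:
    """Stand-in for Django's format_html(): escape every argument, then substitute.

    Django escapes each arg with conditional_escape() and marks the result safe;
    html.escape(quote=True) covers the same five characters (& < > " ').
    """
    return template.format(*(html.escape(str(a), quote=True) for a in args))


def render_gravatar_hardened(email: str, display_name: str) -> str:
    """'After': the name passes through the escaping formatter and stays inside the attribute."""
    return escaped_format('<img src="{}" alt="{}" />', gravatar_url(email), display_name)


def contains_raw_script_tag(markup: str) -> bool:
    """Detection helper: True if the rendered markup contains an unescaped <script tag."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("vulnerable:", render_gravatar_vulnerable(EMAIL, HOSTILE_NAME))
    print("hardened:  ", render_gravatar_hardened(EMAIL, HOSTILE_NAME))
```

The hardened output keeps the hostile name as inert text (`&quot;&gt;&lt;script&gt;...`) inside the alt attribute, which is exactly the property the switch to format_html() provides: escaping is applied per argument at the point of substitution rather than being left to each caller.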
Created python-djblets tracking bugs for this issue: Affects: epel-6 [bug 1106859]
python-djblets-0.7.30-2.fc20 has been pushed to the Fedora 20 stable repository. python-djblets-0.7.30-2.fc19 has been pushed to the Fedora 19 stable repository.