http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652587

The JS escaping in libhtml-template-pro-perl fails to escape "<" and ">", which allows XSS. This was fixed in the last upstream release (0.9507).

An example script that triggers the bug is attached. With 0.9507 it outputs <evil> older versions generate <evil> instead.

Ansgar

Created perl-HTML-Template-Pro tracking bugs for this issue

Affects: fedora-all [bug 773453]
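
The class of bug reported above, as an added illustration that is not code from HTML::Template::Pro or from the report's attachment: a JS-string escaper that leaves "<" and ">" alone lets a value end an inline script block, while one that also encodes them keeps the value inside the string literal. The function names, the sample value and the choice of `\x3C`/`\x3E` as the encoded form are assumptions; the page does not say which form 0.9507 emits.

```javascript
// Added illustration; all names here are hypothetical, not the module's API.

// Escapes only what a JS string literal itself needs.
function jsEscapeWeak(s) {
  return s
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r');
}

// Same, plus "<" and ">" as hex escapes so the HTML parser never sees a tag.
function jsEscapeStrict(s) {
  return jsEscapeWeak(s).replace(/</g, '\\x3C').replace(/>/g, '\\x3E');
}

// Place the escaped value in an inline script block, as a template would.
function render(escape, value) {
  return '<script>var v = "' + escape(value) + '";</script>';
}

// The HTML tokenizer ends a script block at the first "</script",
// regardless of JS string quoting. Return what it treats as script body.
function scriptBody(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.toLowerCase().indexOf('</script', start);
  return html.slice(start, end);
}

// True when the whole assignment stays inside the script block.
function staysInsideScript(escape, value) {
  return scriptBody(render(escape, value)) === 'var v = "' + escape(value) + '";';
}

// Decode an escaped literal the way the JS engine would.
function decode(escaped) {
  return new Function('return "' + escaped + '";')();
}

const sample = '</script><evil>'; // constructed sample value

console.log('weak   stays inside script:', staysInsideScript(jsEscapeWeak, sample));
console.log('strict stays inside script:', staysInsideScript(jsEscapeStrict, sample));
console.log('strict round-trips:', decode(jsEscapeStrict(sample)) === sample);
```

The strict form changes nothing for the script that consumes the value: the JS engine decodes the hex escapes back to the original characters.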