On Tue, 1 Dec 2009 14:23:30 +0100, Thomas Koch wrote:> So it was a mistake that the bug has been closed in the changelog.
>
> But I''ve explained before, that this bug is not a security issue
with YUI or
> any other JS library, but an issue of web applications vulnerable to XSS
> attacks.
> I therefor suggest that this bug should be closed. Is there any other idea
on
> how to proceed?
as can be concluded by reading the pdf, this indeed is a security flaw
and is exposed due to the implementation/design of the javascript
frameworks studied. since the flaw resides in the frameworks
themselves, the only logical conclusion is that the fixes should be
applied there as well.
if you need help in this endeavor, i recommend collaborating with your
upstream (who should have the appropriate knowledge/capability), or
failing that, you can make a request for help from the security team;
however, their time is limited and usually devoted to more important
issues than this one.
mike