= Description =
An XSS issue has been found in the code that is used to feed the GUI editor. The erroneous code allows putting arbitrary HTML into the editor area of the GUI editor, including JavaScript code.

== Component selection ==
 * GUI editor (or, more exactly, the formatter used to feed the GUI editor)

== Details ==
||'''!MoinMoin Version''' ||likely all since the GUI editor was introduced, including 1.5.8, 1.6dev, 1.7dev ||
||'''OS and Version''' ||all ||
||'''Python Version''' ||all ||

== Workaround ==
To avoid users easily running into this trap, you can simply disable the GUI editor:
{{{
editor_force = True
editor_default = 'text' # internal default, just for completeness
}}}

/!\ Please note that there are other means to invoke the GUI editor formatter (e.g. via a specially prepared URL), so while this avoids calling the problematic code via the UI, it does not protect against users following specially prepared URLs they received by mail or found on a wiki page. If you have disabled the GUI editor, you can also just remove `MoinMoin/formatter/text_gedit.py*` to be safe.

= Discussion =
Might get into a 1.5.9 release later. For now, please apply these patches:
 * 1.5: http://hg.moinmo.in/moin/1.5/rev/d0152eeb4499
 * 1.6: backported from 1.7: http://hg.moinmo.in/moin/1.6/rev/4ae8e12f2246
 * 1.7: http://hg.moinmo.in/moin/1.7/rev/28b851be0844

= Plan =
 * Priority: high
 * Assigned to: ThomasWaldmann
 * Status: fixed

----
## If you are a moin core developer, replace the category to Category* in these cases:
## Category MoinMoinNoBug - if this is not a bug.
## Category MoinMoinBugConfirmed - if you can confirm the bug on current code.
## Category MoinMoinBugFixed - after the bug is fixed in current code.
CategoryMoinMoinBugFixed
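A small verification helper for the Workaround section above, added here as an example and not part of MoinMoin itself: it scans a wikiconfig text for the two settings shown there and checks that no `text_gedit.py*` file (source or bytecode) is left in a formatter directory. The config scan is a simplified line parser (an assumption for this example), not MoinMoin's own config loader.

```python
"""Check that the GUI-editor workaround from the page is fully applied."""
import os
import re
import tempfile

# Settings named in the Workaround section; quotes are stripped on parse.
REQUIRED_SETTINGS = {"editor_force": "True", "editor_default": "text"}
_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*(#.*)?$")


def parse_settings(config_text):
    """Return {name: value} for top-level 'name = value' lines.

    Trailing '# ...' comments and surrounding quotes are dropped; commented
    lines are ignored. Simplified scanner, not a Python parser.
    """
    settings = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings


def gui_editor_disabled(config_text):
    """True when editor_force / editor_default match the workaround values."""
    settings = parse_settings(config_text)
    return all(settings.get(k) == v for k, v in REQUIRED_SETTINGS.items())


def gedit_formatter_removed(formatter_dir):
    """True when no text_gedit.py* file remains in the formatter directory."""
    if not os.path.isdir(formatter_dir):
        return True
    return not any(n.startswith("text_gedit.py") for n in os.listdir(formatter_dir))


def demo_formatter_dir(with_gedit):
    """Build a constructed temporary 'formatter' dir for trying the check."""
    path = tempfile.mkdtemp()
    open(os.path.join(path, "text_html.py"), "w").close()
    if with_gedit:
        open(os.path.join(path, "text_gedit.pyc"), "w").close()  # stale bytecode
    return path


if __name__ == "__main__":
    cfg = "editor_force = True\neditor_default = 'text' # internal default\n"
    print("config ok:", gui_editor_disabled(cfg))
    print("formatter removed:", gedit_formatter_removed(demo_formatter_dir(False)))
```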