
Sorry to bring it up here, but can you check your email for an email from david@daviddworken.com? I previously sent in an XSS vulnerability that you fixed quickly, but I found a second one that has not been patched yet (despite being reported on March 26th).


Thanks for reposting that comment here (I posted it on /r/python). I'm now in contact with him and I'll update this once it has been fixed.


It has now been fixed. The problem stemmed from allowing the `Javascript:` scheme for the home_page, download_url, and the url parameters in the setup.py.
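An added example, not part of the thread and not PyPI's actual fix: a scheme allowlist for the three metadata fields named in the comment above. It assumes that only absolute `http`/`https` links should be rendered as clickable; `safe_href`, `render_link` and `sanitize_metadata` are hypothetical names, and the inputs in the test are constructed.

```python
import html
from urllib.parse import urlsplit

# Assumption for this example: only absolute http(s) URLs become links.
ALLOWED_SCHEMES = frozenset({"http", "https"})
# Field names taken from the comment above.
URL_FIELDS = ("home_page", "download_url", "url")
# Browsers ignore leading/trailing C0 control characters and spaces,
# and drop tab/CR/LF anywhere in a URL, before they read the scheme.
_EDGE_CHARS = "".join(map(chr, range(0x21)))


def safe_href(value):
    """Return a normalised URL that is safe to place in href, or None."""
    if not isinstance(value, str):
        return None
    cleaned = value.strip(_EDGE_CHARS)
    for ch in "\t\r\n":
        cleaned = cleaned.replace(ch, "")
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # malformed authority, e.g. an unclosed "["
        return None
    # Compare case-insensitively: "Javascript:" and "JAVASCRIPT:" are
    # the same scheme to a browser. Requiring a host also rejects
    # relative and scheme-relative values.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return cleaned


def render_link(value):
    """Render a metadata URL as a link, or as inert escaped text."""
    href = safe_href(value)
    if href is None:
        return html.escape(str(value), quote=True)
    escaped = html.escape(href, quote=True)
    return '<a href="%s" rel="nofollow">%s</a>' % (escaped, escaped)


def sanitize_metadata(meta):
    """Replace rejected URL fields with None; leave other fields alone."""
    return {k: (safe_href(v) if k in URL_FIELDS else v)
            for k, v in meta.items()}
```

An allowlist is used rather than a blocklist of `javascript:` so that other script-capable schemes such as `data:` or `vbscript:` are rejected without being enumerated.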



