By the way, this patch replaced a regexp with json.loads(): http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/software-properties/quantal/revision/77
That was good, because a regexp could have been vulnerable to some sort of XSS/injection sort of problem. But the patch mistakenly left the following no-longer-true comment in place:
# we ask for a JSON structure from lp_page, we could use
# simplejson, but the format is simple enough for the regexp
That comment should be removed.