[CKAN-Security] Fanstatic-related XSS vulnerability

[Thrawn]

CKAN 2.0.2, and probably later versions, has a cross-site scripting vulnerability in its use of fanstatic.

A request to

/fanstatic/%22><img src=x onerror=alert(1); >

will cause an alert box to appear.

This affects even such prominent sites as data.gov, but does not appear to affect demo.ckan.org since it returns undecorated 404 pages.