Forum OpenACS Development: Re: XSS vulnerability in XoWiki and a lot of other OpenACS pages

In ad_page_contract, the variable name is set to whatever is passed to ad_page_contract (via url) with no checking that it's a contiguous alphanumeric (plus dot) value:

# The name of the argument passed in the form
set actual_name [ns_set key $form $form_counter_i]

# The name of the formal argument in the page
set formal_name $actual_name

Fixing this, I believe, will take care of the share of the problems you are referring to.

A glob based check, such as with "string match" would probably be faster than checking via regexp.

cheers!

...for example:
string match -nocase {[a-z0-9_\.]*} $actual_name
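
As an added illustration (not OpenACS code or the poster's), the script below runs the glob check suggested above next to two checks that look at every character of the form key. Because the trailing `*` matches any remainder, `[a-z0-9_\.]*` only constrains the first character; the anchored regexp and the per-character scan reject a key that carries markup. The sample keys are constructed.

```tcl
# Added example (not OpenACS code): compares the glob check suggested above
# against checks that validate every character of a form key.
# Run with: tclsh check_key.tcl

# Glob check as proposed above. With -nocase, [a-z0-9_\.]* accepts any
# string whose FIRST character is in the class; * matches the rest.
proc key_ok_glob {name} {
    return [string match -nocase {[a-z0-9_\.]*} $name]
}

# Anchored regexp: every character must be alphanumeric, underscore or dot,
# and the name must be non-empty.
proc key_ok_regexp {name} {
    return [regexp {^[A-Za-z0-9_.]+$} $name]
}

# Glob-only alternative that still covers every character: Tcl glob classes
# have no negation, so walk the string once and test each character alone.
proc key_ok_scan {name} {
    if {$name eq ""} { return 0 }
    foreach ch [split $name ""] {
        if {![string match -nocase {[a-z0-9_.]} $ch]} { return 0 }
    }
    return 1
}

# Constructed sample form keys: two legitimate ones, one carrying markup of
# the kind that would be echoed back in an ad_page_contract error page, and
# an empty key.
set samples {
    user_id
    page.title
    {user_id<b>x</b>}
    {}
}
foreach key $samples {
    puts [format "%-20s glob=%d regexp=%d scan=%d" \
        $key [key_ok_glob $key] [key_ok_regexp $key] [key_ok_scan $key]]
}
```

Expect the markup-bearing key to pass `key_ok_glob` (first character is `u`) and fail the other two checks.
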
How exactly does this affect the HTML content passed in the URL variables?

Is this a different problem you are addressing regarding variable names? I thought they were confirmed against the ad_page_contract.