Forum OpenACS Development: Re: XSS vulnerability in XoWiki and a lot of other OpenACS pages

Hi everybody,

More updates on this issue:

1 - AllowedTag is working for HTML code supplied as URL vars for ad_page_contact. I guess I had a cache problem. Sorry about that.

2 - Torben is right about our security in ad_html_security_check. The checks done by this proc are good, but they don't answer to more sophisticated attack scenarios. I'm looking at some encoding tips to fix this matter: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

3 - XoWiki doesn't run ad_html_security_check for supplied HTML code. That's where I'm working now, and if anybody can give me a clue about HTML parsing on XoWiki it would be helpful.

Best regards and thank you for your comments.
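As an added example for points 2 and 3 above (not code from the OpenACS project, XoWiki, or the poster), this is an allowlist-based sanitizer in the spirit of the linked OWASP cheat sheet, written in Python: the parser decodes entity and character references before tags, attributes and URL schemes are compared against the allowlist, so encoded forms are checked in their decoded state, and anything not on the list is escaped into inert text instead of being passed through as markup. The ALLOWED_* sets are assumed values for the example, not OpenACS's AllowedTag configuration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlists for this example (assumed values, not OpenACS's AllowedTag setting)
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
URL_ATTRS = {"href"}
ALLOWED_SCHEMES = {"http", "https", "mailto", ""}  # "" covers relative URLs


class AllowlistSanitizer(HTMLParser):
    """Re-serialise an HTML fragment, keeping only allowlisted markup.

    html.parser decodes entity/character references in text and attribute
    values before they reach the handlers, so every check below sees the
    decoded form. Anything not on the allowlist is escaped into plain text.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.out.append(html.escape(self.get_starttag_text()))  # becomes visible text
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* handlers, style, and anything else not listed
            value = value or ""
            if name in URL_ATTRS:
                # Scheme check on a copy with whitespace/control characters removed
                probe = "".join(c for c in value if c.isprintable() and not c.isspace())
                if urlparse(probe).scheme.lower() not in ALLOWED_SCHEMES:
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        text = f"</{tag}>"
        self.out.append(text if tag in ALLOWED_TAGS else html.escape(text))

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    """Return a version of `fragment` that contains only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```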