Dirk, both still exist. The object id manipulation is reasonably easy to fix by signing the id, but the cross-site scripting one is a big job. If I had to guess a time to fix it all I would say probably 5 weeks of full-time work (based on there being 332 -2.tcl files to check and on how long it took to do the noquote stuff originally).

To date, no one has taken it upon themselves to fix it. The noquote stuff is a start, as is sweeping through and signing all the object ids (both of which simply mitigate but do not remove the problem).

ad_form signs keys by default, but not that many other places use signed variables (in fact only download seems to use it, and then only for spam and export of data). We could sign hidden variables by default in the templated form system, but I think that would break some pages that do JavaScript manipulation of hidden vars. Also, a lot of the most sensitive pages don't use the form api.