Forum OpenACS Q&A: Re: Security hole in ad_form (may change behavior of ad_form to fix!)

Congrats Jade, and then a plea...

Can someone explain this in terms us mortals might understand?

What does it really take to allow a user to break ad_form?

If, for instance, I display their name in a form, is there any way that their claiming to be "Joe [rm -rf /] Random" will get executed?

I don't really understand what Lars' changes are, but prior to the bug-fix -- yes, this is exactly what would happen: you would delete your hard disk, say, when you look at a form that lists all the users in a select list using ad_form.
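The mechanism behind that question, as an added illustration that is not part of the original posts and is not the OpenACS ad_form code: in Tcl a value like "Joe [rm -rf /] Random" is harmless as long as it is only ever treated as data, but if the string it has been interpolated into is later handed to subst or eval, command substitution runs whatever is inside the square brackets. The script below uses a harmless stand-in command (set ::pwned 1) in place of rm -rf /, and the template strings and procedure names are invented for the demonstration.

```tcl
#!/usr/bin/env tclsh
# Added example: Tcl command substitution on a user-supplied value.
# Not OpenACS/ad_form code; it only shows the general mechanism.
# The "user input" below is constructed, with a harmless command standing in
# for the rm -rf / from the thread.

set ::pwned 0
set user_name {Joe [set ::pwned 1] Random}   ;# what a user typed into a form field

# 1. Used as data: the brackets are ordinary characters, nothing executes.
proc show_as_data {name} {
    return "Name: $name"
}

# 2. Used as code: the value is interpolated into a string and that string is
#    then passed through subst (eval behaves the same way), so the [ ] part
#    is executed as a Tcl command.
proc render_unsafe {name} {
    set template "<option>$name</option>"   ;# first substitution: harmless
    return [subst $template]                ;# second substitution: runs [set ::pwned 1]
}

# 3. Same template, but subst is told to leave commands and variables alone,
#    so user data is never re-evaluated.  Building commands with list (instead
#    of string concatenation) before eval gives the same protection.
proc render_safe {name} {
    set template "<option>$name</option>"
    return [subst -nocommands -novariables $template]
}

# Equivalent eval-based pair: string-built command vs. list-built command.
proc greet_unsafe {name} {
    return [eval "string length \"$name\""]  ;# brackets inside $name execute
}
proc greet_safe {name} {
    return [eval [list string length $name]] ;# $name is one literal word
}

puts [show_as_data $user_name]
puts "pwned after data use:      $::pwned"   ;# 0

puts [render_unsafe $user_name]
puts "pwned after unsafe subst:  $::pwned"   ;# 1: the embedded command ran

set ::pwned 0
puts [render_safe $user_name]
puts "pwned after safe subst:    $::pwned"   ;# 0: brackets left as text

set ::pwned 0
puts "length via string-built eval: [greet_unsafe $user_name]"
puts "pwned after unsafe eval:   $::pwned"   ;# 1
set ::pwned 0
puts "length via list-built eval:   [greet_safe $user_name]"
puts "pwned after safe eval:     $::pwned"   ;# 0
```

Run it with tclsh and watch the pwned flag flip only on the two "unsafe" paths. The lesson for any Tcl form library is the same one the thread is about: a user-supplied value must never reach subst or a string-built eval; it should be passed as a single list element or substituted once, with command substitution disabled.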