What you want is sloppy and risky, only to ensure backwards compatibility you
want OpenACS to be insecure by default.
Please read http://www.cert.org/advisories/CA-2000-02.html
The first fix for "Web Page Developers and Web Site Administrators" is "
Web Page Developers Should Recode Dynamically Generated Pages to Validate
Output" and that is exactly what we did: by default html tags are now quoted
- this is the security aspect.
The more noquote tags in your adp scripts, the less security, you (may have)
captured that quite right.
I don't understand your example though: you created an html file outside of
OpenACS and loaded it and are now wondering about the successfull page
request? This is beyond the scope of the noquote patch. What you describe is
cross-site request forgery and for GET requests OpenACS isn't secured against
that, for post requests it is if you use the form builder.
Have a look here to see what changed in OpenACS code:
http://cvs.openacs.org/cvs/openacs-4/packages/acs-templating/tcl/parse-procs.tcl?r1=1.14&r2=1.15
Now if you adhere to your own high coding standards you can use the noquote
sed oneliners and maybe be getting away with only handful of manual changes.