Dirk, from the CERT advisory:
* Web servers that dynamically generate pages based on unvalidated input
The problem is unvalidated _input_. And Web Browsers.
I don't expect any changes from OpenACS, I think I started the thread with "Boy, talk about missing out on something..."
Thanks for the link to the changes. Seems easy enough to work with. My main concern is with the need to maintain two lines of development, but backporting looks like it might be a good choice.
