Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

No one has commented on the approach I took with my patch (https://openacs.org/forums/message-view?message_id=183809), so I take it it's not a candidate for adding to the toolkit ... At any rate, it allows me to post images in blogs, for instance on my personal site, in what I think is a reasonably secure manner, which could easily be made more secure by simply extending the checks in ad_html_security_check. For instance, it would be easy to disallow external image references if off-site redirects back to your own site are a concern.

This approach is of course based on all forms being migrated to ad_form and ad_html_security_check being called with all form builder datatypes that are in use.

Is the suggested approach totally inadequate or what?
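As an added illustration of the kind of check the post suggests extending ad_html_security_check with (disallowing external image references), the following Python snippet is not from the post, the patch or the OpenACS toolkit; it stands in for the check as an editor's example. It assumes a hypothetical same-site host list (`SITE_HOSTS`), a constructed sample fragment, and the stdlib `html.parser` and `urllib.parse` modules. Relative paths and http(s) URLs on the listed hosts pass; protocol-relative URLs, other hosts and non-http schemes such as `data:` or `javascript:` are flagged as off-site, which is the conservative default a sanitizer should take.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of hosts that count as "your own site"; not from the post.
SITE_HOSTS = {"example.org", "www.example.org"}

# Constructed sample fragment: two acceptable images, two off-site references.
SAMPLE_HTML = (
    '<p>Hello</p>'
    '<img src="/images/ok.png">'
    '<img src="https://www.example.org/b.png">'
    '<img src="//evil.example/t.png">'
    '<img SRC="data:image/png;base64,AAAA">'
)


class ImageRefCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value is not None:
                    self.sources.append(value.strip())


def classify_image_src(src, site_hosts=SITE_HOSTS):
    """Return 'relative', 'same-site' or 'external' for an <img> src value.

    Anything that is not a plain relative path or an http(s) URL on one of
    site_hosts is reported as external, so unusual inputs fail closed.
    """
    parsed = urlparse(src)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return "external"          # data:, javascript:, ftp: and similar
    if not parsed.netloc:
        # No host: a relative path is fine, but "http:///x" is not.
        return "relative" if not parsed.scheme else "external"
    host = (parsed.hostname or "").lower()
    return "same-site" if host in site_hosts else "external"


def external_image_refs(html_fragment, site_hosts=SITE_HOSTS):
    """Return every <img> src in the fragment that points off-site."""
    collector = ImageRefCollector()
    collector.feed(html_fragment)
    collector.close()
    return [s for s in collector.sources
            if classify_image_src(s, site_hosts) == "external"]


def html_images_allowed(html_fragment, site_hosts=SITE_HOSTS):
    """True when the fragment contains no off-site image references."""
    return not external_image_refs(html_fragment, site_hosts)


if __name__ == "__main__":
    for src in external_image_refs(SAMPLE_HTML):
        print("rejected off-site image reference:", src)
```

A real form-builder check would run this over the submitted HTML datatype and return the rejected sources as a validation error rather than printing them; the classification function is the part that carries the policy, so tightening or loosening the rule means changing only that function.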