Forum OpenACS Q&A: Response to Bugtraq: cross site scripting

Posted by Rich Graves on
If you use ad_page_contract religiously and don't drop protections
with :allhtml you should be pretty safe.

ACS also wins because of a page flow we usually find very annoying.
Give bad input, it tells you to hit your Back button and fix it.
Most web apps will helpfully give you a prefilled form with bad
input highlighted, sometimes forgetting to sanitize it first.

Starting with ACS 4.x and 3.4.10, ad_page_contract got an ingenious
-verify parameter. It should be used on sensitive pages.

Ben did a good cleanup job a while back, but it's possible that
OpenACS 3.2.5 could have some lingering problems.

CSS problems can crop up in unexpected places... ever use analog to
help visualize site traffic?

(Is it possible that some UNICODE tricks would slip past the
ad_page_contract filters? How paranoid has the internationalization
team been?)
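The two points the post makes, rejecting bad input outright instead of echoing it back into a prefilled form, and the worry that Unicode variants might get past an ASCII-only filter, can be shown side by side. The following is an added Python example, not OpenACS code and not part of the post; the function names, the constructed sample inputs, and the use of NFKC normalization as the Unicode check are all assumptions made here for illustration.

```python
import html
import re
import unicodedata

# Constructed sample inputs for the demo (not taken from the forum post).
SAMPLES = {
    "plain": "hello world",
    "tag": "<b>bold</b>",
    # U+FF1C / U+FF1E are fullwidth angle brackets; NFKC maps them to '<' and '>'.
    "fullwidth": "\uff1cb\uff1ebold\uff1c/b\uff1e",
}

ANGLE_BRACKETS = re.compile(r"[<>]")


def naive_nohtml_ok(value: str) -> bool:
    """A 'nohtml' style filter that looks only at ASCII angle brackets.
    Compatibility characters such as fullwidth brackets pass untouched."""
    return ANGLE_BRACKETS.search(value) is None


def nohtml_ok(value: str) -> bool:
    """Same filter, applied after NFKC normalization so that fullwidth and
    other compatibility forms are folded to ASCII before the check."""
    normalized = unicodedata.normalize("NFKC", value)
    return ANGLE_BRACKETS.search(normalized) is None


def handle_form(value: str) -> str:
    """Mimics the page flow the post describes: invalid input is rejected
    with a 'use your Back button' message and the raw value is never
    written back into the page."""
    if not nohtml_ok(value):
        return "Invalid input: HTML is not allowed. Use your Back button and fix it."
    # Even accepted values are escaped on output (defense in depth).
    return "<p>" + html.escape(value, quote=True) + "</p>"


def prefilled_form_unsafe(value: str) -> str:
    """The 'helpful' prefilled-form pattern with the sanitizing step forgotten:
    the rejected value lands verbatim inside an attribute."""
    return '<input name="q" value="' + value + '">'


def prefilled_form_safe(value: str) -> str:
    """The same prefilled form with the value HTML-escaped first."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:10s} naive={naive_nohtml_ok(sample)!s:5s} "
              f"normalized={nohtml_ok(sample)!s:5s} -> {handle_form(sample)}")
```

Running the script shows that the fullwidth sample passes the naive filter but is rejected once the value is normalized first, and that `handle_form` never reproduces the submitted text on the error path, which is exactly why the "hit Back and fix it" flow is the safer default.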