If you use ad_page_contract religiously and don't drop protections
with :allhtml you should be pretty safe.
ACS also wins because of a page flow we usually find very annoying.
Give bad input, it tells you to hit your Back button and fix it.
Most web apps will helpfully give you a prefilled form with bad
input highlighted, sometimes forgetting to sanitize it first.
Starting with ACS 4.x and 3.4.10, ad_page_contract got an ingenious
-verify parameter. It should be used on sensitive pages.
Ben did a good cleanup job a while back, but it's possible that
OpenACS 3.2.5 could have some lingering problems.
CSS problems can crop up in unexpected places... ever use analog to
help visualize site traffic? http://www.analog.cx/security4.html
(Is it possible that some UNICODE tricks would slip past the
ad_page_contract filters? How paranoid has the internationalization
team been?)