Forum OpenACS Q&A: Response to Bugtraq: cross site scripting

Posted by Don Baccus on
ACS also wins because of a page flow we usually find very annoying. Give bad input, it tells you to hit your Back button and fix it. Most web apps will helpfully give you a prefilled form with bad input highlighted, sometimes forgetting to sanitize it first.

Proper use of the form builder in OpenACS 4.5 gives you the form back with highlighted errors, and making proper use requires that you bypass ad_page_contract.

This is something to investigate. We already know that we need to better integrate ad_page_contract and the form builder/template system, and flesh out the form builder so it knows about verified forms, etc.
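
The redisplay pattern described in this post, as an added example (not code from the post or from OpenACS): a prefilled error form rendered once without and once with HTML escaping. The two-field form, the function names and the sample submission are constructed for illustration.

```python
import html

# Constructed sample submission: "age" fails validation and carries markup
# that breaks out of a double-quoted value="" attribute.
BAD_SUBMISSION = {"name": "Alice", "age": '"><script>alert(1)</script>'}

FIELD = '<input name="{name}" value="{value}"{cls}>{msg}'


def validate(form):
    """Return {field: error message} for the hypothetical two-field form."""
    errors = {}
    if not form.get("age", "").isdigit():
        errors["age"] = "Age must be a number, got: " + form.get("age", "")
    return errors


def render(form, errors, quote):
    """Rebuild the form with submitted values prefilled and errors highlighted.

    `quote` is applied to every piece of user-controlled text before it is
    placed in the page: the prefilled value and the echoed error message.
    """
    rows = []
    for name in ("name", "age"):
        err = errors.get(name)
        rows.append(FIELD.format(
            name=name,
            value=quote(form.get(name, "")),
            cls=' class="error"' if err else "",
            msg='<span class="error">' + quote(err) + "</span>" if err else "",
        ))
    return '<form method="post">\n' + "\n".join(rows) + "\n</form>"


def render_unsafe(form):
    # The mistake the post describes: bad input goes back into the page as-is.
    return render(form, validate(form), quote=lambda s: s)


def render_safe(form):
    # html.escape(quote=True) also encodes " and ', which is what keeps the
    # submitted text inside the value attribute.
    return render(form, validate(form), quote=lambda s: html.escape(s, quote=True))
```

Both the prefilled value and the error message echo the submitted text, so both go through the same quoting function.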