Forum OpenACS Q&A: Response to Bugtraq: cross site scripting

Posted by russ m on
ad_page_contract's :verify (mentioned above) would do the trick
if we were willing to accept an extra confirmation page to sign
form vars and display them to the user before doing any DML.

The problem with a global no-programmer-effort-required
solution (if one is possible) is that it'd break users' ability to do
things like bookmark or link to specific bboard threads or
whatever, which is functionality that is well worth keeping. At the
very least the site developer needs to specify per-page "it
does/doesn't matter where the form values I'm using here came
from".

One possibility I've been thinking of is a required -secure or
-insecure option for ad_page_contract (basically integrating
magic token style validation into ad_page_contract). Pages
specified -secure would need to have an additional form var
carrying a token previously retrieved by the user. As far as I can
see the only data that would need to be tracked/verified is the
token value and the user_id that it was issued to.

The problem with signing and verifying everything is that it
requires the stressed/tired/time-limited developer to say "this
page does something potentially dangerous, so I need to
include an extra verification step". I like the idea outlined above
as it requires no change to existing pageflow to secure what
already exists (just time to audit existing pages and flag them
appropriately), and it forces developers to at least think about
doing the right thing in the future.
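The scheme sketched in the post (every page declares -secure or -insecure, and a -secure page only runs when the submitted token was issued to the same user_id), written out as an added Python example that is not OpenACS or ad_page_contract code; the page names, the in-memory store, the expiry window and the status strings are all assumptions.

```python
import secrets
import time

# Constructed in-memory store: token -> (user_id it was issued to, issue time).
# Stands in for whatever table a real implementation would use.
TOKEN_STORE = {}
TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the post does not specify one

# Hypothetical per-page declaration mirroring the proposed required option:
# a page that never says which it is gets refused rather than defaulting open.
PAGE_CONTRACT = {
    "bboard/message-view": "insecure",    # bookmarkable/linkable; no DML
    "bboard/message-delete": "secure",    # does DML; must carry a token
}

def issue_token(user_id, now=None):
    """Mint a fresh token for a user, e.g. when rendering the form."""
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[token] = (user_id, now if now is not None else time.time())
    return token

def verify_token(token, user_id, now=None):
    """Only the token value and the user_id it was issued to are checked,
    plus an age limit so stale tokens stop working."""
    entry = TOKEN_STORE.get(token)
    if entry is None:
        return False
    issued_to, issued_at = entry
    now = now if now is not None else time.time()
    return issued_to == user_id and (now - issued_at) <= TOKEN_TTL_SECONDS

def page_contract(page, user_id, form_vars, now=None):
    """Gate one request. Returns a status string rather than raising so the
    caller can decide how to report it."""
    mode = PAGE_CONTRACT.get(page)
    if mode is None:
        return "undeclared"        # developer forgot to flag the page
    if mode == "insecure":
        return "ok"                # form vars may come from anywhere
    token = form_vars.get("token")
    if token is None:
        return "token-missing"
    if not verify_token(token, user_id, now):
        return "token-invalid"     # forged, expired, or another user's token
    return "ok"
```

Insecure pages keep working from bookmarks and external links; only the pages the developer flagged -secure gain the extra check.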