Forum OpenACS Q&A: Response to Bugtraq: cross site scripting

Posted by David Walker on
I am of the opinion that creating an id and placing it in the html code is a bad
thing.  I once created 10 users (in OpenACS 3.2.5) and sent out confirmation
email for each one only to find out that since I had used the back button to do
it each one overwrote the previous one and I had really only added one user
and then overwritten them 7 times.

I think these types of values should either be written to a server side variable
or returned in an encrypted format.  The encrypted format method wouldn't
have stopped my problem but it could prevent people from replacing the id
with their own and overwriting important data.
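The two defences the post proposes, a server-side variable and a tamper-proof (here HMAC-signed rather than encrypted) hidden value, side by side with the overwrite behaviour it describes. This is an added illustration in Python, not OpenACS code and not the poster's; `NaiveUserAdmin`, `HardenedUserAdmin`, the form field names and the demo key are all constructed for the example.

```python
"""Constructed example: carrying a generated id through an HTML form safely.

NaiveUserAdmin reproduces the problem in the post: the id is allocated when
the form is rendered and trusted on submit, so re-posting the same form (back
button) silently overwrites the earlier record.  HardenedUserAdmin keeps a
one-time token server side and signs the hidden id so it cannot be altered.
"""
import hashlib
import hmac
import secrets

# Assumption: a real deployment loads this from server configuration.
SECRET_KEY = b"constructed-demo-key-do-not-use"


def sign_hidden(value, key=SECRET_KEY):
    """Return 'value.mac' for a hidden field: the browser can carry it, not change it."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_hidden(signed, key=SECRET_KEY):
    """Return the original value, or None if the field is malformed or was modified."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return value


class NaiveUserAdmin:
    """Id chosen at render time and taken from the form as-is (the bug in the post)."""

    def __init__(self):
        self.users = {}
        self.next_id = 1

    def render_form(self):
        user_id = self.next_id
        self.next_id += 1
        return {"user_id": str(user_id)}

    def submit(self, form):
        user_id = int(form["user_id"])
        self.users[user_id] = form["name"]  # second post with same form overwrites
        return user_id


class HardenedUserAdmin:
    """One-time token held server side plus a signed id in the hidden field."""

    def __init__(self):
        self.users = {}
        self.next_id = 1
        self.pending_tokens = set()  # server-side state: one entry per rendered form

    def render_form(self):
        token = secrets.token_hex(16)
        self.pending_tokens.add(token)
        user_id = self.next_id
        self.next_id += 1
        return {"form_token": token, "user_id": sign_hidden(str(user_id))}

    def submit(self, form):
        token = form.get("form_token")
        if token not in self.pending_tokens:
            return None  # replayed (back button) or unknown form: nothing written
        user_id = verify_hidden(form.get("user_id", ""))
        if user_id is None:
            return None  # hidden id altered or missing: nothing written
        self.pending_tokens.discard(token)  # consume: one submit per rendered form
        self.users[int(user_id)] = form["name"]
        return int(user_id)


if __name__ == "__main__":
    naive = NaiveUserAdmin()
    form = naive.render_form()
    naive.submit(dict(form, name="alice"))
    naive.submit(dict(form, name="bob"))  # same form posted again
    print("naive:", naive.users)  # one record, first one overwritten

    hardened = HardenedUserAdmin()
    form = hardened.render_form()
    print("first submit:", hardened.submit(dict(form, name="alice")))
    print("resubmit:", hardened.submit(dict(form, name="bob")))
    print("hardened:", hardened.users)
```

The token set is the "server side variable" of the post; the signed field is what an encrypted value would buy against someone swapping in another record's id. Note that the signature alone does not stop the back-button replay, exactly as the post observes, which is why the hardened version needs both.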