Forum OpenACS Q&A: Response to Cross Site Scripting FAQ (fwd)

Posted by David Walker on
<img> links in html messages or bboard messages are another potential way of getting admin to unwitting perform an action for you. I recommend against using html mail.

Rich Graves had the right idea in our previous cross site scripting thread but I think we need to be even stricter and check that the referer for admin functions is from the same directory on the site to offer some protection against dangerous links in the bboards.
Concerning the article I think it is absolutely important that we filter every bit of data that the client has control over before we either place it in an sql statement or echo it back to the client.