Forum OpenACS Development: Re: XSS vulnerability in XoWiki and a lot of other OpenACS pages

Hi Dave,

Thank you for your comment. In fact, the problem only happens where you have the option to supply the HTML code as query vars in ad_page_contract, and that's exactly what I'm talking about. These pages show this behaviour in general, and as there are a lot of pages, fixing it for every single page would be insane.

However, you gave me a good hint: maybe we should change ad_page_contract to verify the HTML code? I did the test you said: I changed the allowedtag parameter, but it seems like this check is only valid for form submission, not for URL vars. A possible fix would be to add this tag check to HTML URL vars?

Yes, fix the filter.