Forum OpenACS Development: Re: XSS vulnerability in XoWiki and a lot of other OpenACS pages

Collapse
5: Re: XSS vulnerability in XoWiki and a lot of other OpenACS pages (response to 1)
Posted by Torben Brosten on 02/10/11 04:12 PM
Eduardo, That should be doable without affecting anything. Coincidentally, I noticed that variables weren't checked last week while working on an alternate paradigm to ad_page_contract. iirc, ad_page_contract is where the vulnerability exists. I'll take a quick peek, see if I can identify the problem and suggest a solution.
Collapse
6: Re: XSS vulnerability in XoWiki and a lot of other OpenACS pages (response to 5)
Posted by Dave Bauer on 02/10/11 04:22 PM
I fixed the pages that call account closed to use the user message feature and committed the fix to HEAD.

No reason to pass the message around in that case anyway.