Forum OpenACS Development: Re: XSS vulnerability in XoWiki and a lot of other OpenACS pages

Hi Dave and Torben,

Dave, your patch doesn't include the util_user_message call. I've just included it, but it's not working somehow. Take a look at how my patch is right now: http://pastebin.info/902

Torben, I'm also working on ad-page-contract. I'll probably insert the same check as we have on the forms. As soon as it's working I'll post a patch.

Hmmm.

The ad_returnredirect -message $message

has the same effect as calling util_user_message and it worked on a clean oacs-5-7 checkout.

Note your master template has to correctly inject the user message div. Not sure which template this is in, blank-master or default-master.