Forum OpenACS Development: Re: XSS / Reflection with return_url
It seems to check if the URL is external. I don't see any script checks there.
This script would also be able to perform checks if every user_id has a user_id:integer data type and add this in case of necessity.
Frank, this happened a few years ago. If you find any case of not-sufficiently checked input parameters (including all kinds of ids, Booleans, return_urls, ...) in OpenACS 5.10, please let us know by writing an issue tracker entry.
See here how return_url should be protected in page contracts:
All ~100 packages in oacs-5-10 are checked frequently by us with Acunetix. It is also recommended to run OpenACS 5.10 with CSP and the auto-generated security rules enabled. Also, this was addressed in all packages in oacs-5-10, but will probably require some work in PO.
Yes, it is true that OpenACS 5.9 had some potential security flaws (you can say this about every web application package released a few years ago).
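As an added illustration, not code from OpenACS or from anyone in this thread, this is the kind of "is the URL local?" check a page-contract filter needs before a return_url is used for a redirect or echoed back into a page; the function names are my own and the sample inputs are constructed:

```python
from html import escape
from urllib.parse import unquote, urlsplit


def is_local_url(url: str) -> bool:
    """True only for same-site paths such as /forums/?x=1.

    Rejects absolute URLs (http://evil.example), protocol-relative
    ones (//evil.example), scheme-only tricks (javascript:...),
    backslash variants browsers treat as slashes, and control
    characters some browsers strip before parsing.
    """
    if not isinstance(url, str) or url == "":
        return False
    # Decode percent-encoding so %2F%2Fevil.example is seen as //evil.example
    candidate = unquote(url)
    if any(c in candidate for c in "\t\r\n\x00"):
        return False
    # Browsers normalise "\" to "/" in special schemes; mirror that here
    candidate = candidate.replace("\\", "/")
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    parts = urlsplit(candidate)
    # A bare path has neither a scheme nor a network location
    return not parts.scheme and not parts.netloc


def safe_return_url(param: str, default: str = "/") -> str:
    """Redirect target to actually use: the parameter if local, else default."""
    return param if is_local_url(param) else default


def render_continue_link(return_url: str) -> str:
    """Echo a validated return_url into HTML, attribute-escaped (stops XSS)."""
    target = safe_return_url(return_url)
    return '<a href="%s">Continue</a>' % escape(target, quote=True)
```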
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
I believe we'll need to quickly release ]po[ V5.1 with OpenACS 5.10...