Forum OpenACS Development: OpenACS 5.10 Roadmap?
Gustaf wrote in the thread about "XSS / Reflection with return_url":
Yes, it is true that OpenACS 5.9 had some potential security flaws (you can say this about every web application package released a few years ago).
I've seen that there is a new oacs-5-10 branch, but I didn't see a roadmap or a list of issues that are missing? Do you have a proposed release date, or similar information?
I understand that we'd have to upgrade ]po[ to OpenACS 5.10 in order to get these CSP security features?
OTOH, the current version in the oacs-5-10 branch is very stable. We use this in production in the LEARN system of WU, it is also in use on openacs.org. So when we strip down our goals for the release, we will be able to meet our original plans.
The best summary we have right now is:
There are quite a number of ToDos...
I understand you are going to stay upward compatible, for example on these planned parameter improvements?
In ]po[ we'd be mainly interested in these security improvements with CSP and ad_page_contract, in order to produce a ]project-open[ V5.1 exclusively with security focus. And not break the running system with incompatibilities...
But from what I see, that may still take quite a while, is that correct?
all the best -g
I don't worry much about the application packages, because we don't use much of them, and do not customize them.
Have you tried putting this in the .js.tcl part of the file?