Participants: Don Baccus, Jeff Davis, Peter Marklund, Dirk Gomez
We squeezed this into 10 minutes because there is a consensus that OpenACS
needs noquote and csrf protection. In short:
Noquote is about changing the quoting behaviour of the templating system:
in the next release, content from the database will be HTML-quoted by default
when a template renders it, and a page must opt out explicitly where it wants
raw markup.
(See here https://openacs.org/forums/message-view?message_id=81157)
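As an added illustration (not OpenACS code, and in Python rather than the Tcl the project uses), this is what quoting by default means for a template engine: every substituted variable is HTML-escaped unless the placeholder carries an explicit opt-out. The `@name@` placeholder form and the `;noquote` suffix are assumed syntax for this example, as is the sample comment data.

```python
import html
import re

# Matches @name@ or @name;noquote@ in a template string. Both the placeholder
# form and the ";noquote" suffix are assumptions made for this illustration.
_PLACEHOLDER = re.compile(r"@(\w+)(;noquote)?@")


def render(template: str, variables: dict) -> str:
    """Substitute variables into the template, HTML-quoting them by default.

    Only placeholders marked ";noquote" are emitted verbatim, so emitting raw
    markup is a visible, deliberate choice rather than the silent default.
    """
    def substitute(match: re.Match) -> str:
        name, noquote = match.group(1), match.group(2)
        value = str(variables[name])
        if noquote:
            return value  # caller asserts this is trusted, pre-rendered markup
        return html.escape(value, quote=True)  # default: quote <, >, &, ", '
    return _PLACEHOLDER.sub(substitute, template)


# Constructed sample data standing in for rows fetched from the database,
# including a script injection attempt stored in a comment body.
SAMPLE_VARS = {
    "title": "Meeting notes <noquote & csrf>",
    "body": '<script>alert("xss")</script>Hello',
    "rendered_body": "<p>Pre-rendered by a trusted formatter</p>",
}

TEMPLATE = (
    "<h1>@title@</h1>\n"
    "<div>@body@</div>\n"
    "<div>@rendered_body;noquote@</div>"
)


def render_sample() -> str:
    """Render the constructed sample; the script tag in 'body' comes out inert."""
    return render(TEMPLATE, SAMPLE_VARS)


if __name__ == "__main__":
    print(render_sample())
```

The practical consequence is the one the notes describe: after switching the default, pages that legitimately emit stored HTML stop rendering it until someone adds the opt-out, which is why remaining quoting bugs have to be chased down across the code base.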
CSRF protection is about making sure that a request is not a (potentially
malicious) cross-site request, i.e. that the form being submitted was issued
by this site to this user rather than forged by another site.
(https://openacs.org/forums/message-view?message_id=32884)
I already worked on "noquote"-ing a HEAD OpenACS 4.7 as a proof of
concept. However we decided that work will begin from scratch once the bug
fixes from the recent 4.6 releases have been merged into HEAD - this is
scheduled to be finished end of April 2003.
I will then reapply the sed oneliners and the notes I took while working on
the above mentioned system. The changed OpenACS code will then be committed
quickly and remaining quoting bugs need to be fixed by the community at large.
Jeff already changed the form handler to include a tag that prevents changing
prefetched database ids. This will be expanded to become the csrf protection.