[Cosmo-dev] Bug 9930: XSS vulnerability (or, h4x0r5 will steal ur passwurds!)
Brian Moseley
bcm at osafoundation.org
Fri Jul 13 21:44:07 PDT 2007
On 7/13/07, Travis Vachon <travis at osafoundation.org> wrote:
> Personally, I would suggest that we consider any XSS bugs we find
> blockers for the release, since they tend to be easy to fix (see
> r5077) but wait until later to do a thorough code review. Perhaps
> foolishly, I volunteer to grab any that we find.
they are easy to fix as one-offs, but in the long run that's detrimental
to the maintainability of the code. what we really need to do is agree
on a policy for rendering html and executing javascript in user data
and provide a utility that we can funnel all user data through to
scrub it before it's rendered. i don't think that's something we need
to mess with at this point. rather, i think we should acknowledge that
0.7 has xss vulnerabilities and set people's expectations that they
shouldn't rely on it for data that should be secure.
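The single scrubbing utility Brian describes, as an added illustration that is not part of the original thread or the Cosmo code base: every user-controlled string passes through one escaping function before it is placed into HTML, so markup in user data is shown literally rather than interpreted. The `renderEvent` helper, its field names and the sample event are assumptions constructed for this example.

```javascript
// Added example, not Cosmo code: one funnel for all user data rendered as HTML.
// Policy demonstrated: user data is never interpreted as HTML or script; it is
// escaped for the HTML text and double-quoted attribute contexts.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for use as HTML text content or inside a quoted attribute.
// '&' is escaped too, so already-encoded input cannot smuggle entities through.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the HTML fragment for one calendar event. Every user-controlled field
// (title, description) goes through escapeHtml; the surrounding markup is
// fixed template text under the application's control.
function renderEvent(event) {
  return (
    '<div class="event" title="' + escapeHtml(event.title) + '">' +
    '<h3>' + escapeHtml(event.title) + '</h3>' +
    '<p>' + escapeHtml(event.description) + '</p>' +
    '</div>'
  );
}

// Constructed sample input: a description containing markup that an unescaped
// renderer would hand to the browser as live HTML.
const sampleEvent = {
  title: 'Standup "daily"',
  description: 'Bring <b>coffee</b> & <script>alert(1)</script>',
};

console.log(renderEvent(sampleEvent));
```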