#45: Don't use gensym for actions to avoid XSS attacks
------------------------+---------------------------------------------------
 Reporter: anonymous    | Owner: sakhmechet
 Type: defect           | Status: new
 Priority: low          | Milestone: 0.2
 Component: weblocks    | Version: pre-0.1
 Resolution:            | Keywords: security
------------------------+---------------------------------------------------
Changes (by sakhmechet):

 * milestone: => 0.2
 * priority: critical => low
 * version: => pre-0.1
Comment:
I don't think this is an issue. Weblocks stores actions per session specifically so that a user cannot access another user's actions (unless the session has been hijacked). If a malicious site generates a lot of 'transfer' actions the user still won't be able to access them.
It's probably better to use a scheme that makes action URLs harder to guess anyway, but this isn't critical. Moving to 0.2.
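An added illustration of the two points in the comment, per-session action storage and guessable action ids. It is written in Python rather than Weblocks' Common Lisp and is not the project's code; the registry, the counter-style ids and the 'transfer' action are constructed for the example. A sequential, gensym-style id falls to a handful of guesses while a CSPRNG token does not, and neither id does anything outside the session that registered it.

```python
import itertools
import secrets


class SessionActions:
    """Per-session action registry: an id is only valid in the session that
    registered it (constructed model of the behaviour the ticket describes)."""

    def __init__(self, make_id):
        self._make_id = make_id
        self._actions = {}

    def register(self, fn):
        action_id = self._make_id()
        self._actions[action_id] = fn
        return action_id

    def dispatch(self, action_id):
        # Unknown ids are rejected; only ids registered in this session run.
        fn = self._actions.get(action_id)
        return fn() if fn is not None else None


def make_gensym_like():
    # Predictable ids, like a gensym counter: "ACTION-1", "ACTION-2", ...
    counter = itertools.count(1)
    return lambda: "ACTION-%d" % next(counter)


def make_random():
    # 128 bits from the OS CSPRNG: a 2**128 id space cannot be enumerated.
    return lambda: secrets.token_urlsafe(16)


def cross_session_blocked():
    """A known id from one session does nothing in another session."""
    make_id = make_gensym_like()
    victim, other = SessionActions(make_id), SessionActions(make_id)
    fired = []
    action_id = victim.register(lambda: fired.append("transfer"))
    other.dispatch(action_id)  # same id, different session: no effect
    return fired == []


def guessable_within(make_id, attempts):
    """Register one 'transfer' action, then try the first `attempts`
    counter-style ids against that session. True if any guess fires it."""
    session = SessionActions(make_id)
    fired = []
    session.register(lambda: fired.append("transfer"))
    for n in range(1, attempts + 1):
        session.dispatch("ACTION-%d" % n)
    return bool(fired)
```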