#45: Don't use gensym for actions to avoid XSS attacks ------------------------+--------------------------------------------------- Reporter: anonymous | Owner: sakhmechet Type: defect | Status: closed Priority: medium | Milestone: 0.1 Component: weblocks | Version: pre-0.1 Resolution: fixed | Keywords: security ------------------------+--------------------------------------------------- Changes (by sakhmechet): * resolution: => fixed * status: new => closed Comment: Fixed. I implemented approach 3 - action names should now be very hard to guess. I generate a random block of text, hash it with MD5 (to ensure an attacker can't crack the random number generator), and prepend it with a gensym counter (to avoid a very unlikely event of two MD5-encoding action names clashing in the same session). -- Ticket URL: <http://trac.common-lisp.net/cl-weblocks/ticket/45> cl-weblocks <http://common-lisp.net/project/cl-weblocks> cl-weblocks