#45: Don't use gensym for actions to avoid XSS attacks ------------------------+--------------------------------------------------- Reporter: anonymous | Owner: sakhmechet Type: defect | Status: closed Priority: medium | Milestone: 0.1 Component: weblocks | Version: pre-0.1 Resolution: fixed | Keywords: security ------------------------+--------------------------------------------------- Changes (by sakhmechet):
* resolution: => fixed * status: new => closed
Comment:
Fixed. I implemented approach 3 - action names should now be very hard to guess. I generate a random block of text, hash it with MD5 (to ensure an attacker can't crack the random number generator), and prepend it with a gensym counter (to avoid a very unlikely event of two MD5-encoding action names clashing in the same session).