Details
Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Description
Currently, we do not escape gadgets.Prefs or gadgets.views parameters.
This could allow malicious outside sites to exploit that data.
To remedy this, I propose the attached patch.
As it stands, the spec is silent on the escaping issue, but in practice gmodules.com already does this escaping for user prefs and I suspect that other container sites do as well.
I've also included an unescaping mechanism that I think should ultimately be proposed to the spec discussion group, but that's a later issue.
Feedback is much appreciated. If no one objects, I'll commit this change tomorrow morning.
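An added example (not the attached patch or Shindig's own code) of the approach the description proposes: HTML-escape pref and view values as they are read from the gadget URL, with a matching unescape for gadget code that deliberately wants the raw value. The `up_<name>` and `view` parameter names and the sample URL are assumptions for this illustration.

```javascript
// Escape-on-read for gadget parameters. Everything here is example code,
// not the project's gadgets.Prefs implementation.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPE_MAP = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPE_MAP[c]);
}

// Inverse of escapeHtml. One pass over the five entities, so an input that
// already contained "&lt;" round-trips correctly ("&amp;lt;" -> "&lt;").
function unescapeHtml(s) {
  return String(s).replace(/&(amp|lt|gt|quot|#39);/g, (m) => UNESCAPE_MAP[m]);
}

// Parse a gadget URL's query string. Assumed convention: user prefs arrive as
// "up_<name>" and the view as "view". Both come from the container URL, so
// an outside site that can craft that URL controls their contents; escaping
// at this boundary keeps them inert if a gadget drops them into innerHTML.
function parseGadgetParams(url) {
  const query = url.split('?')[1] || '';
  const prefs = {};
  let view = 'default';
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = decodeURIComponent(idx < 0 ? pair : pair.slice(0, idx));
    const raw = idx < 0 ? '' : decodeURIComponent(pair.slice(idx + 1).replace(/\+/g, ' '));
    if (key.startsWith('up_')) {
      prefs[key.slice(3)] = escapeHtml(raw);
    } else if (key === 'view') {
      view = escapeHtml(raw);
    }
  }
  return { prefs, view };
}

// Constructed sample URL: a pref carrying markup and a view name carrying a quote.
const SAMPLE_URL =
  'http://example.invalid/ifr?url=g.xml&up_title=Hi%20%3Cb%3Ethere%3C%2Fb%3E&view=canvas%22';
const parsed = parseGadgetParams(SAMPLE_URL);
// parsed.prefs.title === 'Hi &lt;b&gt;there&lt;/b&gt;'; unescapeHtml() recovers the original.
```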