On Monday 19 May 2008 07:48, Steffen Joeris wrote:
> Attached you'll find a complete patch for the mantis issue. I still need to
> investigate it a little further and test it.
The patch can be summarised as only allowing POST to things that change stuff. It's not entirely agreed upon that this can completely prevent cross site scripting, but it is a fact that it makes it many times more difficult. Hence, I think this is an acceptable patch without tearing the application apart.

cheers,
Thijs
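The method gate the reply describes, as an added illustration in PHP rather than the actual Mantis patch; the helper and action names are hypothetical:

```php
<?php
// Hypothetical helper in the spirit of the patch: any action that changes
// state must arrive via POST. A GET request, such as one triggered by a
// link or an <img> tag placed on another site, is refused before any
// state is touched.
function require_post(): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        header('Allow: POST');
        http_response_code(405);
        exit('This action must be submitted via POST.');
    }
}

// The action name comes from the POST body for writes and from the query
// string only for read-only views.
$action = $_POST['action'] ?? $_GET['action'] ?? 'view';

switch ($action) {
    case 'view':
        // Read-only: rendering the issue changes nothing, so GET is fine.
        break;
    case 'update':
    case 'delete':
        // Writes go through the gate, and read their fields from $_POST only.
        require_post();
        break;
    default:
        http_response_code(400);
        exit('Unknown action');
}
```

Reading write-path parameters from `$_POST` rather than `$_REQUEST` matters as well, so that a POST whose real arguments arrive in the query string is not honoured.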