Arachnid / aeoid

Easy OpenID support for App Engine
47 stars, 3 forks

a javascript target is permitted in the logout view no url #13

Open d1b opened 13 years ago

d1b commented 13 years ago
In the logout view the 'continue' parameter is placed directly into the href value of the 'No' option without rejecting invalid URLs/locations (URLs which are not actual HTTP links). So a javascript target is permitted ... for example http://SITE.lol/_openid/logout?continue=javascript:alert(1)
results in the following HTML for the 'No' option: '<a href="javascript:alert(1)">No</a>'.
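The fix for the behaviour reported above is to validate the 'continue' value before it reaches the template, and to HTML-escape it when it does. The following is an added example (not aeoid's own code, and not the reporter's) of such a validator: it accepts only same-host http(s) absolute URLs or local relative paths, and falls back to a default otherwise. The function names `safe_continue_url` and `render_no_link`, the `request_host` parameter and the host `site.lol` are assumptions for illustration, not part of the project.

```python
import html
from urllib.parse import urlparse

# Only these schemes may ever end up in an href built from user input.
SAFE_SCHEMES = ("http", "https")


def safe_continue_url(continue_param, request_host, default="/"):
    """Return a 'continue' target that is safe to place in an href.

    Assumed helper (not part of aeoid). Rules:
      * absolute URLs must be http/https AND point at request_host
      * scheme-relative URLs (//host/...) are rejected
      * relative targets must be a single-slash local path
      * anything else (javascript:, data:, empty, offsite) -> default
    """
    if not continue_param:
        return default
    candidate = continue_param.strip()
    parsed = urlparse(candidate)  # urlparse lower-cases the scheme

    if parsed.scheme:
        if parsed.scheme not in SAFE_SCHEMES:
            return default  # javascript:, data:, vbscript:, ...
        if parsed.netloc.lower() != request_host.lower():
            return default  # open redirect to another host
        return candidate

    if parsed.netloc:
        return default  # "//evil.example/..." has netloc but no scheme

    # Local path: must start with exactly one "/" ("/\\host" and "//host"
    # are treated as host-relative by browsers, so reject both).
    if not candidate.startswith("/") or candidate[1:2] in ("/", "\\"):
        return default
    return candidate


def render_no_link(continue_param, request_host):
    """Build the 'No' link the way the logout view should: validated
    target, then attribute-escaped so quotes cannot break out of href."""
    url = safe_continue_url(continue_param, request_host)
    return '<a href="%s">No</a>' % html.escape(url, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs, including the payload from the report.
    for value in ("javascript:alert(1)", "/account", "//evil.example/",
                  "http://site.lol/home", "http://evil.example/"):
        print("%-25s -> %s" % (value, render_no_link(value, "site.lol")))
```

The host comparison is deliberately strict (no port or subdomain normalisation), so a deployment that serves on a non-default port would need to pass the full `host:port` value as `request_host`. Escaping with `html.escape(..., quote=True)` is independent of the scheme check: the first stops attribute breakout, the second stops non-HTTP targets.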