There should be a filter that restricts the input method. For instance, I am
getting a lot of reports of DOM-based XSS via cookie value, and I don't care
because this isn't exploitable. Some people might care, so there should be a
configuration option. I have noticed that referer is also very common, and it
might be nice to filter for that as well.
Original issue reported on code.google.com by firealwa...@gmail.com on 3 Sep 2011 at 1:27