michael-milette / moodle-filter_filtercodes

FilterCodes filter for Moodle enables content creators to easily customize and personalize course and site content using plain text tags (no HTML). For premium support, contact us at https://www.tngconsulting.ca/contact
https://moodle.org/plugins/filter_filtercodes
GNU General Public License v3.0

Bug: XSRF through sesskey #246

Closed skodak closed 1 year ago

skodak commented 1 year ago

UPDATE: The message was deleted for failure to conform with the repository's code of conduct.

michael-milette commented 1 year ago

Petr, while I appreciate your intention, you are exhibiting unprofessional behaviour, putting site owners in danger and attempting to coerce. This is a direct violation of the repository's code of conduct that you agreed to. If you continue with this unprofessional behaviour, I will have no other choice than to ban you from this repo. You will not receive any additional warnings.

Did you try the latest release of FilterCodes?

andrewhancox commented 1 year ago

@skodak Surely the fact that the sesskey is available from the sesskey property of the M.cfg object means this is either not an issue, or at least not an issue unique to this plugin?

andrewhancox commented 1 year ago

Totally down with the OWASP top 10 - I get the issue now, the filter will enable users to build a URL in a post with a valid sesskey that an instructor could inadvertently open. I was just looking at it from the perspective of XSRF/XSS attacks from other applications...
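The substitution-then-render problem described above, as an added example that is not part of this thread or of the FilterCodes code: a simulated filter with the unsafe behaviour beside a hardened variant that only honours the tag for trusted authors, plus a detection pass over rendered output and an audit over stored content. The `{sesskey}` tag syntax, the `author_trusted` flag and all sample URLs are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumed tag syntax for the session-key tag; not copied from the plugin.
SESSKEY_TAG = re.compile(r"\{sesskey\}")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Content:
    author: str
    author_trusted: bool  # assumption: author holds a privileged capability
    text: str


def render_unsafe(content: Content, viewer_sesskey: str) -> str:
    """Substitute the *viewer's* session key wherever the tag appears,
    regardless of who authored the text. This is the behaviour the thread
    describes: the viewer renders a link carrying their own valid token."""
    return SESSKEY_TAG.sub(lambda _: viewer_sesskey, content.text)


def render_hardened(content: Content, viewer_sesskey: str) -> str:
    """Honour the tag only in content written by a trusted author; in
    user-authored content leave it as inert literal text."""
    if content.author_trusted:
        return SESSKEY_TAG.sub(lambda _: viewer_sesskey, content.text)
    return content.text


def find_leaked_sesskey(rendered: str, viewer_sesskey: str) -> list[str]:
    """Detection on rendered output: URLs that carry the viewer's own sesskey."""
    return [u for u in URL_RE.findall(rendered) if f"sesskey={viewer_sesskey}" in u]


def audit_stored_content(items: list[Content]) -> list[str]:
    """Audit aid for admins: authors of untrusted stored content that uses the tag."""
    return [c.author for c in items if not c.author_trusted and SESSKEY_TAG.search(c.text)]


# Constructed sample data (moodle.example is a placeholder host).
STUDENT_POST = Content(
    author="student",
    author_trusted=False,
    text="Great course! See https://moodle.example/course/action.php?id=1&sesskey={sesskey}",
)
ADMIN_BANNER = Content(
    author="admin",
    author_trusted=True,
    text="Log out: https://moodle.example/login/logout.php?sesskey={sesskey}",
)
```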

michael-milette commented 1 year ago

@skodak thank you for your comments. I try to see past your poor attitude as the points you bring up are actually very helpful use cases that I had not considered. I will be taking these into consideration.

Please keep in mind that I do this on a voluntary basis. Nobody is paying me to work on this plugin. I am sorry that resolving this issue isn't moving ahead as quickly as you might prefer. Consider financially sponsoring the development of solutions to these issues if you would like it to move faster.

Is there a reason that you keep recommending that people uninstall the plugin rather than just disable the sesskey tag in the settings or make use of the Word Censorship plugin to disable any tags they don’t want?