[ https://issues.apache.org/jira/browse/SHINDIG-377?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12604066#action_12604066 ]
Brian Eaton commented on SHINDIG-377:
-------------------------------------
The unparseable cruft does no harm, and does provide protection against cross
site script inclusion. We should remove the comment, not the code.
> Remove UNPARSEABLE_CRUFT
> ------------------------
>
> Key: SHINDIG-377
> URL: https://issues.apache.org/jira/browse/SHINDIG-377
> Project: Shindig
> Issue Type: Bug
> Components: Features (Javascript), Gadget Rendering Server (Java),
> Gadget Rendering Server (PHP)
> Reporter: Chris Chabot
>
> features/core.io/io.js has the following todo (line 112):
> // remove unparseable cruft.
> // TODO: really remove this by eliminating it. It's not any real security
> // to begin with, and we can solve this problem by using post requests
> // and / or passing the url in the http headers.
> Shall we go ahead and remove it then? Or otherwise if there is still a good
> reason for it being there, remove the comment?
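The protection discussed in the comment above, as an added example that is not part of the original message or of Shindig's code: the server prefixes JSON with text that is not valid JavaScript, so a cross-site script include of the response fails, while the same-origin client strips the prefix before parsing. The `CRUFT` value and all function names are constructed for illustration.

```javascript
// CRUFT is a constructed placeholder, not the constant used by io.js.
const CRUFT = "throw 1; <unparseable cruft>";

// Server side: prefix the JSON so the body is no longer valid JavaScript.
function guardJson(value) {
  return CRUFT + JSON.stringify(value);
}

// Client side: a same-origin request can read the raw text, so it strips the
// prefix and parses the rest. A body without the prefix is rejected.
function parseGuarded(body) {
  if (typeof body !== "string" || !body.startsWith(CRUFT)) {
    throw new Error("response is missing the anti-XSSI prefix");
  }
  return JSON.parse(body.slice(CRUFT.length));
}

// Stand-in for what a cross-site <script src=...> include does with the body:
// the engine has to parse and run it as script. new Function() approximates that.
// Returns "parse-error", "runtime-throw" or "executed".
function loadAsScript(body) {
  let fn;
  try {
    fn = new Function(body);
  } catch (e) {
    return "parse-error";
  }
  try {
    fn();
    return "executed";
  } catch (e) {
    return "runtime-throw";
  }
}

// Constructed sample data.
const sample = [{ user: "alice", token: "constructed-value" }];
const bare = JSON.stringify(sample);
const guarded = guardJson(sample);

console.log(loadAsScript(bare));            // bare JSON array is valid script
console.log(loadAsScript(guarded));         // guarded body never parses
console.log(parseGuarded(guarded)[0].user); // legitimate client still reads it
```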