> This might open up a security hole - I'm not sure. Anyone please
> comment if you have information one way or the other.
>
> This sounds like a duplicate of SHIRO-22 [1]. Peter, could you please confirm?

Yes, same issue.

> The reason SHIRO-22 is not yet implemented is because I don't think we
> came to a consensus on its implications. That is, is this a smart
> thing to do? It sounds like it could be a potential security risk to
> me - what if the post represents a credit card submission?

What are the risks?

> Would a potentially better solution be to translate a saved POST
> request to a newly constructed GET request that has all the request
> parameters set? This way a form could be shown again pre-populated so
> the user can choose to submit themselves?

Hmmm... not sure that works particularly well with <textarea> elements. File upload is another tricky problem.

I know LinkedIn populate a page with the form data (hidden) which then submits itself (via JavaScript).

Cheers,
Peter
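As an added illustration of the two options discussed in this thread (replaying the saved POST through a hidden self-submitting form, as LinkedIn is said to do, versus turning it into a GET redirect with the parameters in the query string), the following Java class is example code written for this page, not Apache Shiro's own SavedRequest implementation. The class name, the deny-list of sensitive field names, and the omission of all servlet wiring are assumptions; the caller is expected to pass in the method, Content-Type, URL and parameter map of the interrupted request. It also shows the two failure modes raised above: sensitive fields (a card number) are dropped rather than parked in the session, and a multipart upload is refused because the file bytes are not in the parameter map.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.*;

/**
 * Added example, not Shiro code: keep a POST that was interrupted by a login
 * redirect and re-issue it after authentication, either as a hidden
 * self-submitting form or as a GET redirect carrying the parameters.
 */
public final class SavedPostReplay {

    /** Assumed deny-list: fields too sensitive to hold in the session across a login. */
    private static final Set<String> SENSITIVE = new HashSet<>(Arrays.asList(
            "password", "card_number", "cvv", "creditcard"));

    private final String action;                                   // original request URL
    private final Map<String, List<String>> params = new LinkedHashMap<>();

    private SavedPostReplay(String action) {
        this.action = action;
    }

    /** Returns null when the request cannot be replayed from its parameters alone. */
    public static SavedPostReplay capture(String method, String contentType, String url,
                                         Map<String, List<String>> parameters) {
        if (!"POST".equalsIgnoreCase(method)) {
            return null;
        }
        String ct = contentType == null ? "" : contentType.toLowerCase(Locale.ROOT);
        if (!ct.startsWith("application/x-www-form-urlencoded")) {
            return null;          // multipart/form-data: uploaded file content is not a parameter
        }
        SavedPostReplay saved = new SavedPostReplay(url);
        for (Map.Entry<String, List<String>> e : parameters.entrySet()) {
            if (SENSITIVE.contains(e.getKey().toLowerCase(Locale.ROOT))) {
                continue;         // dropped, not stored; the user re-enters it after login
            }
            saved.params.put(e.getKey(), new ArrayList<>(e.getValue()));
        }
        return saved;
    }

    /** Option 1: a page that re-submits the POST as soon as it loads. */
    public String toAutoSubmitForm() {
        StringBuilder html = new StringBuilder();
        html.append("<form id=\"replay\" method=\"post\" action=\"")
            .append(escape(action)).append("\">\n");
        for (Map.Entry<String, List<String>> e : params.entrySet()) {
            for (String value : e.getValue()) {
                // every value is user-controlled: escape it or this page becomes an XSS sink
                html.append("  <input type=\"hidden\" name=\"").append(escape(e.getKey()))
                    .append("\" value=\"").append(escape(value)).append("\">\n");
            }
        }
        html.append("  <noscript><input type=\"submit\" value=\"Continue\"></noscript>\n")
            .append("</form>\n")
            .append("<script>document.getElementById('replay').submit();</script>\n");
        return html.toString();
    }

    /** Option 2: the GET redirect floated in the thread, parameters in the query string. */
    public String toGetRedirectUrl() throws UnsupportedEncodingException {
        StringBuilder url = new StringBuilder(action);
        char sep = action.indexOf('?') < 0 ? '?' : '&';
        for (Map.Entry<String, List<String>> e : params.entrySet()) {
            for (String value : e.getValue()) {
                url.append(sep).append(URLEncoder.encode(e.getKey(), "UTF-8"))
                   .append('=').append(URLEncoder.encode(value, "UTF-8"));
                sep = '&';
            }
        }
        return url.toString();
    }

    /** Minimal HTML attribute escaping; newlines are left alone so textarea text survives. */
    static String escape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // constructed sample: a comment form with a multi-line textarea and a card field
        Map<String, List<String>> form = new LinkedHashMap<>();
        form.put("title", Arrays.asList("Hello <world>"));
        form.put("body", Arrays.asList("line one\nline two & \"quoted\""));
        form.put("card_number", Arrays.asList("0000000000000000"));
        SavedPostReplay saved = capture("POST",
                "application/x-www-form-urlencoded; charset=UTF-8", "/comments/new", form);
        System.out.println(saved.toAutoSubmitForm());   // card_number is absent, the rest escaped
        System.out.println(saved.toGetRedirectUrl());
        System.out.println(capture("POST", "multipart/form-data; boundary=x", "/upload", form));
    }
}
```

Whichever option is used, the saved parameters sit server-side in the session until the login completes, so the deny-list (or an explicit per-form opt-in) is what answers the credit-card concern; the GET variant additionally puts every value into proxy and server logs and the browser history, which is the main argument against it for anything but short, non-secret form data.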
