[Haskell-cafe] Haskellers.com profiles: advice requested

Carl Howells chowells79 at gmail.com
Wed Oct 6 20:31:23 EDT 2010


> Complete side note: it's kind of funny that OpenID lets you specify
> some completely arbitrary string to appear in the resulting
> webpage[2].

Any server with that behavior is out of spec.  Operating securely
requires checking the return_to value against the trust_root, and
checking that the return_to value is a valid URL.

But WordPress being out of spec is what was observed to start this,
anyway.  So what's the surprise?

Carl
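
The check described in this message, as an added example that is not part of the original post: a provider-side validation of return_to against trust_root (called "realm" in OpenID Authentication 2.0, whose matching rules it follows). The function names are hypothetical, and host validation is limited to DNS names and IPv4 literals as a simplifying assumption.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")  # DNS names / IPv4 only

def parse_http_url(url, allow_wildcard=False):
    """Return (scheme, host, port, path, wildcard), or None if url is not a
    well-formed absolute http(s) URL. Hypothetical helper for this example."""
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return None  # whitespace/control characters never belong in a URL
    try:
        u = urlsplit(url)
        port = u.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme, host = u.scheme.lower(), (u.hostname or "")
    if scheme not in DEFAULT_PORTS or "@" in u.netloc:
        return None  # only http(s), and no embedded credentials
    wildcard = allow_wildcard and host.startswith("*.")
    if wildcard:
        host = host[2:]
    if not HOST_RE.match(host):
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return scheme, host, port, u.path or "/", wildcard

def return_to_allowed(trust_root, return_to):
    """True only if return_to is a valid URL that falls under trust_root."""
    root = parse_http_url(trust_root, allow_wildcard=True)
    target = parse_http_url(return_to)  # a wildcard host is never valid here
    if root is None or target is None or "#" in trust_root:
        return False
    r_scheme, r_host, r_port, r_path, wildcard = root
    t_scheme, t_host, t_port, t_path, _ = target
    if (r_scheme, r_port) != (t_scheme, t_port):
        return False  # scheme and port must be identical
    if t_host != r_host and not (wildcard and t_host.endswith("." + r_host)):
        return False  # the leading dot keeps "badexample.com" out
    if ".." in t_path.split("/"):
        return False  # refuse dot-segments that could climb out of the root path
    prefix = r_path if r_path.endswith("/") else r_path + "/"
    return t_path == r_path or t_path.startswith(prefix)
```

A provider would run this before rendering anything derived from return_to, and reject the request when it returns False.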

