[Haskell-cafe] Haskellers.com profiles: advice requested

[Carl Howells]

> Complete side note: it's kind of funny that OpenID let's you specify
> some completely arbitrary string to appear in the resulting
> webpage[2].

Any server with that behavior is out of spec.  Operating securely
requires checking the return_to value against the trust_root, and
checking that the return_to value is a valid url.

But wordpress being out of spec is what was observed to start this,
anyway.  So what's the surprise?

Carl