
Just a quick note - these "assurances" that the Quora-like skin was just a prototype don't do anything to allay my suspicions that the XSS vulnerability is probably a core issue with the "general purpose Q&A engine" underneath it. If you're relying on the "skin" to enforce XSS security, you don't really understand the importance of the various bits of MVC.
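The layering point above, as an added example that is not code from the thread or from the engine under discussion: a skin that escapes on its own is only as safe as every other skin, whereas an engine that HTML-encodes on the way out stays safe under a careless skin. All names (SafeView, engine_render, the sample answer) are hypothetical.

```python
"""Where XSS-safe output encoding belongs in a Q&A engine with swappable skins.
Added illustration with hypothetical names, not the engine's real code."""
import html
from dataclasses import dataclass


@dataclass
class Answer:
    author: str
    body: str  # untrusted, user-supplied text


# Constructed sample input: an answer body carrying markup it should not have.
SAMPLE = Answer(author="alice", body='<script>alert(1)</script> Use MVC!')


def careful_skin(ans) -> str:
    """Pattern criticised in the thread: the engine hands out raw text and
    each skin is trusted to escape for itself."""
    return f"<p>{html.escape(ans.author)}: {html.escape(ans.body)}</p>"


def careless_skin(ans) -> str:
    """A second skin over the same raw engine output that forgets to escape.
    Rendering the raw Answer through it reproduces the reported bug class."""
    return f"<div class='prototype'>{ans.author}: {ans.body}</div>"


class SafeView:
    """Engine-side view model: every field is HTML-encoded on attribute
    access, so no skin can reach raw user text through this object."""

    def __init__(self, ans: Answer):
        self._ans = ans

    def __getattr__(self, name: str) -> str:
        # Only called for names not found on the instance (i.e. Answer fields).
        return html.escape(str(getattr(self._ans, name)), quote=True)


def engine_render(ans: Answer, skin) -> str:
    """The engine owns encoding; the skin only decides layout."""
    return skin(SafeView(ans))


def is_safe(rendered: str) -> bool:
    """Coarse check used here: no live <script> tag survives rendering."""
    return "<script" not in rendered.lower()


if __name__ == "__main__":
    print(is_safe(careless_skin(SAMPLE)))               # False: skin-only defence failed
    print(is_safe(engine_render(SAMPLE, careless_skin)))  # True: engine encoded it
```

Swapping skins changes nothing about the second result, which is the property the comment is asking the engine, not the skin, to guarantee.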



I believe the skin and the XSS vulnerability were two separate issues. Even if the site had been using a different skin, the XSS vulnerability would have still existed.


Precisely my point.

I shouldn't be hearing "Oh, the Quora skin is just a prototype", I should be hearing something like "the dev site the Quora prototype skin was being developed on was running a 6 month old branch of our engine software, check out our GitHub history to see all the security changes made in the 'production ready' branch since November".


I believe he mentioned that in response to people's complaints that the site looked like Quora; I don't think he meant to relate it to security at all.


Yeah, I suppose there was a "Quora engineers vandalized a Quora-clone site (with an XSS vulnerability)" discussion going on, and my attention immediately zeroed in on the XSS-enabled vandalization as being "the important news", and the response I saw (and commented on) was all about the "Quora clone" accusation (which I don't find very interesting).

(see my other comment downthread for clarification)



