Comment URL not cleaned before set in cookie
|Reported by:||skeltoac||Owned by:||anonymous|
The following article claims that this is a security hole. Dougal and I disagree: you can't steal cred cookies with this vector because the URL cookie is only set in the browser of the person submitting the comment, and the affected control only appears when the visitor is not logged in. Anyway, attached is a patch to clean the URL before setting the cookie.