by rbates
5756 days ago
There are very serious security blunders here, but I wouldn't go as far as the article to say it needs a complete overhaul. Here are a few example fixes.

1. Most of the XSS errors should be handled by Rails 3 auto-escaping. I'm not certain why this isn't happening. It may be a simple HAML config error or bug.

2. The session key should be moved out of the Git repo.

3. Most of the authorization can be done by reaching through the current user's associations. For example "current_user.photos.destroy" would prevent users from destroying others' photos.

I'm not defending the developers here and agree these should not have gotten past them. My point is these problems can be fixed in a few days, and thanks to open source, there are many eyes looking at the code to find additional security issues.
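An added example, not part of rbates's comment or of the codebase under discussion: a plain-Ruby stand-in for the association-scoped lookup in point 3, with the unscoped lookup beside it so the difference is testable without Rails. The names `sample_photos`, `destroy_unscoped` and `destroy_scoped` and the sample data are assumptions made for illustration.

```ruby
# Stand-in for ActiveRecord::RecordNotFound, which Rails raises from find
# when the row is absent; controllers typically map it to a 404.
class RecordNotFound < StandardError; end

# A photo row: primary key plus the owning user's id.
Photo = Struct.new(:id, :owner_id)

# Constructed sample "table": user 100 owns photo 1, user 200 owns photo 2.
def sample_photos
  [Photo.new(1, 100), Photo.new(2, 200)]
end

# Vulnerable pattern: Photo.find(params[:id]). The id comes straight from
# the request, so any logged-in user can reach (and delete) any photo.
def destroy_unscoped(photos, current_user_id, id)
  photo = photos.find { |p| p.id == id }
  raise RecordNotFound, "Photo #{id}" unless photo
  photos.delete(photo)
  :destroyed
end

# Hardened pattern: current_user.photos.find(params[:id]). The association
# adds "WHERE owner_id = <current user>" to the query, so another user's
# id behaves exactly like a nonexistent one and nothing is deleted.
def destroy_scoped(photos, current_user_id, id)
  owned = photos.select { |p| p.owner_id == current_user_id }
  photo = owned.find { |p| p.id == id }
  raise RecordNotFound, "Photo #{id} for user #{current_user_id}" unless photo
  photos.delete(photo)
  :destroyed
end
```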