Hacker News
by rickross 5568 days ago
Just for the record, I meant it sincerely when I said that we were grateful that Ben Newman and Albert Sheu showed us an XSS hole in Qato, and that has now been fixed.

The site in question was just an unpromoted testing prototype which barely has any content and happened to have the Quora-like skin on at that moment. It probably shouldn't even have been publicly accessible.

Another Qato site on the same server is http://robofaqs.com, which is sporting our OSQA clone theme. It doesn't look anything like Quora at all, but is powered by literally the same server instance. That's what we're trying to say - Qato is the general purpose Q&A engine under the skin, and these various skins just modulate the way a Qato site looks.

3 comments

FYI, underlined hyperlinks make it impossible to tell the difference between a "q" and a "g" in a URL. As such, I'd suggest you spend some time finding a better name for that unfortunately named site you linked.
So I take it you're not a fan of http://www.gamefaqs.com ? ;-)
Gamefaqs has a self-describing name that pertains to their main business (Game. FAQs.) Qato doesn't have the same thing going for it.
Did robofaqs have the same vulnerability? If so, that's a way bigger story than this brouhaha.
Just a quick note - these "assurances" that the Quora-like skin was just a prototype don't do anything to allay my suspicions that the XSS vulnerability is probably a core issue with the "general purpose Q&A engine" underneath it. If you're relying on the "skin" to enforce XSS security, you don't really understand the importance of the various bits of MVC.
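The separation this comment is arguing for, as an added example that is not part of the thread and is not Qato's code: the engine escapes every user-supplied field for its HTML context (text, attribute, href) before any skin renders it, so no skin can "forget" to escape, and swapping skins cannot reintroduce the hole. The skin-does-it variant is shown beside it for contrast. The engine class, both skin renderers, the sample questions and the `contains_active_content` check are all constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample of user-submitted questions (hypothetical; not real Qato content).
# The second entry carries the classic payloads a tester would try.
SAMPLE_QUESTIONS = [
    {"title": "How do I escape HTML?",
     "body": "Use &lt;b&gt; in the source, not <b>",
     "link": "https://example.com/escaping"},
    {"title": "<script>alert(1)</script>",
     "body": "<img src=x onerror=alert(1)>",
     "link": "javascript:alert(1)"},
]


def safe_url(url):
    """Only http/https links are allowed in href; anything else becomes an inert '#'."""
    scheme = urlsplit(url.strip()).scheme  # urlsplit lower-cases the scheme
    return url if scheme in ("http", "https") else "#"


class SafeQuestion:
    """What the engine hands to a skin: every field already escaped for its context.

    Skins receive only this object, never the raw dict, so they cannot emit
    unescaped user content even if a theme author never thinks about XSS.
    """

    def __init__(self, raw):
        self.title = html.escape(raw["title"], quote=True)   # text / attribute context
        self.body = html.escape(raw["body"], quote=True)     # text context
        self.link = html.escape(safe_url(raw["link"]), quote=True)  # href: scheme-filtered, then escaped


# --- the "skin enforces security" anti-pattern: this theme simply forgot ---
def render_forgetful_skin(raw):
    """A skin that is handed raw data and interpolates it directly: XSS."""
    return (f'<h2>{raw["title"]}</h2>'
            f'<p>{raw["body"]}</p>'
            f'<a href="{raw["link"]}">more</a>')


# --- two skins on top of the same engine: they only change markup, not safety ---
def render_quora_like_skin(q):
    return (f'<div class="feed-item"><h2 class="q-title">{q.title}</h2>'
            f'<p class="q-body">{q.body}</p>'
            f'<a class="q-more" href="{q.link}">more</a></div>')


def render_osqa_like_skin(q):
    return (f'<li class="question-summary"><a href="{q.link}" title="{q.title}">{q.title}</a>'
            f'<div class="excerpt">{q.body}</div></li>')


def render_page(raw_questions, skin):
    """Engine entry point: escape first, then let the chosen skin lay it out."""
    return "".join(skin(SafeQuestion(raw)) for raw in raw_questions)


def contains_active_content(markup):
    """Crude detector for the payloads used above: a <script> tag, an on*= handler
    inside a tag, or a javascript: URL inside a tag. Escaped text has no '<', so
    it never forms a tag and is not flagged."""
    for tag in re.findall(r"<[^>]*>", markup):
        if re.match(r"<script", tag, re.I):
            return True
        if re.search(r"\son\w+\s*=", tag, re.I):
            return True
        if re.search(r"javascript:", tag, re.I):
            return True
    return False


if __name__ == "__main__":
    print("forgetful skin vulnerable:",
          contains_active_content(render_forgetful_skin(SAMPLE_QUESTIONS[1])))
    for skin in (render_quora_like_skin, render_osqa_like_skin):
        print(skin.__name__, "vulnerable:",
              contains_active_content(render_page(SAMPLE_QUESTIONS, skin)))
```

The point the example makes in code is the one in the comment: with escaping in the engine, the Quora-like and OSQA-like skins differ only in markup, and the XSS either exists in both or in neither. Real frameworks do this with auto-escaping templates plus a per-context escaper; the sketch above only covers text, attribute and href contexts, and would need more for content placed inside inline scripts or CSS.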
I believe the skin and the XSS vulnerability were two separate issues. Even if the site had been using a different skin, the XSS vulnerability would have still existed.
Precisely my point.

I shouldn't be hearing "Oh, the Quora skin is just a prototype", I should be hearing something like "the dev site the Quora prototype skin was being developed on was running a 6 month old branch of our engine software, check out our github history to see all the security changes made in the "production ready" branch since November".

I believe he mentioned in response to people's complaints that the site looked like Quora; I don't think he meant to relate it to security at all.
Yeah, I suppose there was a "Quora engineers vandalized a Quora-clone site (with an XSS vulnerability)" discussion going on, and my attention immediately zeroed in on the XSS-enabled vandalization as being "the important news", and the response I saw (and commented on) was all about the "Quora clone" accusation (which I don't find very interesting).

(see my other comment downthread for clarification)