[bigiain]

Just a quick note - these "assurances" that the Quora-like skin was just a prototype doesn't do anything to allay my suspicions that the xss vulnerability is probably a core issue with the "general purpose Q&A engine" underneath it. If you're relying on the "skin" to enforce xss security, you don't really understand the importance of the various bits of MVC.

[uptown]

I believe the skin and the XSS vulnerability were two separate issues. Even if the site had been using a different skin, the XSS vulnerability would have still existed.

[bigiain]

Precisely my point.

I shouldn't be hearing "Oh, the Quora skin is just a prototype", I should be hearing something like "the dev site the Quora prototype skin was being developed on was running a 6 month old branch of our engine software, check out out github history to see all the security changes made in the "production ready" branch since November".

[JeremyBanks]

I believe he mentioned in response to people's complaints that the site looked like Quora; I don't think he meant to relate it to security at all.

[bigiain]

Yeah, I suppose there was a "Quora engineers vandalized a Quora-clone site (with an xss vulnerability)" discussion going on, and my attention immediately zeros in on the xss enabled vandalization as being "the important news", and the response I saw (and commented on) was all about the "Quora clone" accusation (which I don't find very interesting).

(see my other comment downthread for clarification)