[vdaniuk]

What are you arguing exactly? Is allowing HTML unescaped a really bad security practice? Sure it is.

Does it say anything about the overall software quality of a corporation that employs more than 45 000 people? No, it doesn't.

[anon1385]

It says a lot. It's a fundamental mistake of such egregious proportions that it indicates a complete failure of processes. How did the hiring process accept people that don't understand the basics of web security? How did the management allocate them in a position to write frontend code for one of the largest sites on the web? How did the code review, security audits and static analysis fail to catch such a basic mistake?

I'm sorry if you work at Google and feel personally insulted by this, but Google have put out a lot of crappy software. Good software too, but your original argument seemed to be that Google is so magnificent that they don't have any shoddy products at all, and the very idea was unthinkable. That is clearly false.

[vdaniuk]

Non sequitur if I ever seen one.

1. I never stated that Google software is magnificent. I stated that it is ridiculous to judge a corporate giant with thousands of engineers by pointing to a bad bug created by one team.

2. I do not work at Google anymore. And my view of the company is worse after my employment there. But I reserve my criticism for issues that I consider to be really important like NSA spying or limiting keyword search data to website owners.

3. I feel personally offended with all the emotional FUD that is going on what is assumed to be one of the best discussion forums on the internet.