Zen of website maintenance
A certain website had a few vulnerabilities, including XSS and leaked passwords. The fixes were:
- The `<script>` tag was turned on for pending users. It is now configured off. All other users get their tags filtered against a safe list.
- The superuser always skips the filter and sees all tags. I can’t fix this, but I’ve changed the cookie so that it’s not useful to a cookie catcher.
- The ‘password’ in the cookie was just a hash of the password. It is now a hash of the password, the IP address of the client, and a secret. A leaked password should only be usable from the same IP.
- The ‘password’ field has been removed from all forms and replaced with cookie-based authentication.
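The safe-list filter mentioned above, as an added example that is not the site's own code. The tag list, the attribute list and the allowed URL schemes are assumptions for illustration; the point is the shape of the filter: parse the input, emit only tags and attributes that are on the list, drop `<script>` and `<style>` together with their contents, and re-escape all text, rather than deleting substrings with a regex (which is what lets `<scr<script>ipt>` style tricks through).

```python
from html import escape
from html.parser import HTMLParser

# Assumed safe list; the post does not give the site's actual list.
SAFE_TAGS = {"b", "i", "em", "strong", "p", "br", "a", "code", "pre", "ul", "ol", "li"}
SAFE_ATTRS = {"a": {"href"}}          # only these attributes survive, per tag
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}                    # tags that take no closing tag
DROP_WITH_CONTENT = {"script", "style"}


class AllowListFilter(HTMLParser):
    """Rebuilds the document from parsed tokens, keeping only safe-listed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # output fragments
        self.open = []         # stack of safe tags we have emitted and not yet closed
        self.skip_depth = 0    # > 0 while inside a dropped script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1        # element and its text are discarded
            return
        if self.skip_depth or tag not in SAFE_TAGS:
            return                      # unknown tag is dropped; its text is kept by handle_data
        kept = []
        for name, value in attrs:
            if name not in SAFE_ATTRS.get(tag, set()) or value is None:
                continue                # onclick=, onerror=, style= etc. never get through
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue                # blocks javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open:
            return
        # Close anything opened after this tag too, so the output stays well nested.
        while self.open:
            top = self.open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # text is always re-escaped

    # Comments, doctype and processing instructions fall through to the
    # base-class no-op handlers and are therefore dropped.

    def close(self):
        super().close()
        while self.open:                # close tags the author left open
            self.out.append(f"</{self.open.pop()}>")


def sanitize(html: str) -> str:
    f = AllowListFilter()
    f.feed(html)
    f.close()
    return "".join(f.out)


if __name__ == "__main__":
    # Constructed sample input, typical of what a pending user might submit.
    print(sanitize('<p onclick="x()">hi<script>alert(1)</script> '
                   '<a href="javascript:alert(1)">link</a><img src=x onerror=alert(1)></p>'))
```

Because the output is rebuilt from parsed tokens, a tag that is not on the list simply never appears in the output, and text that arrives already escaped (`&lt;script&gt;`) is decoded by the parser and escaped again on the way out, so it cannot turn into markup. A production site would normally reach for a maintained sanitizer library rather than its own parser subclass, but the allow-list shape is the same.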
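The cookie change described above, as an added example rather than the site's own code. The post says the new cookie is "a hash of the password, the IP address of the client, and a secret"; the standard way to build that is a keyed HMAC over the password hash and the IP, which is what is assumed here, along with PBKDF2 for the stored password hash and RFC 5737 documentation addresses for the constructed victim and attacker IPs. The old scheme is included so the difference is visible: the bare hash is accepted from any address and can be cracked offline, the keyed token is bound to one address and reveals nothing without the secret.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret. A real deployment loads it from configuration
# outside the web root; a fresh random value keeps this example self-contained.
SERVER_SECRET = secrets.token_bytes(32)


def password_hash(password: str, salt: bytes) -> bytes:
    """The stored credential (PBKDF2 assumed). The old cookie was just this value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def old_cookie(pw_hash: bytes) -> str:
    """The broken scheme from the post: the cookie is the bare password hash."""
    return pw_hash.hex()


def old_cookie_valid(cookie: str, pw_hash: bytes) -> bool:
    """Nothing in the old check depends on where the request comes from."""
    return hmac.compare_digest(cookie, old_cookie(pw_hash))


def new_cookie(pw_hash: bytes, client_ip: str) -> str:
    """HMAC-SHA256 over (password hash, client IP), keyed with the server secret.

    A keyed MAC rather than sha256(hash + ip + secret): the secret cannot be
    recovered from the cookie, and the token cannot be extended or forged for
    another IP without it."""
    msg = pw_hash + b"\x00" + client_ip.encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def cookie_valid(cookie: str, pw_hash: bytes, client_ip: str) -> bool:
    """Recompute for the address the request actually arrived from and
    compare in constant time. client_ip must be the TCP peer address (or the
    address a *trusted* reverse proxy reports), never a header the client
    can set itself, or an attacker simply claims the victim's IP."""
    return hmac.compare_digest(cookie, new_cookie(pw_hash, client_ip))


def demo() -> dict:
    """Constructed scenario: a cookie catcher steals the victim's cookie and
    replays it from another address."""
    salt = secrets.token_bytes(16)
    pw_hash = password_hash("correct horse battery staple", salt)
    victim_ip, attacker_ip = "203.0.113.5", "198.51.100.7"   # RFC 5737 ranges

    stolen_old = old_cookie(pw_hash)
    stolen_new = new_cookie(pw_hash, victim_ip)
    return {
        "old_replay_from_attacker_ip": old_cookie_valid(stolen_old, pw_hash),
        "new_replay_from_victim_ip": cookie_valid(stolen_new, pw_hash, victim_ip),
        "new_replay_from_attacker_ip": cookie_valid(stolen_new, pw_hash, attacker_ip),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'accepted' if result else 'rejected'}")
```

Two caveats worth keeping in mind with this design. First, IP binding is a mitigation, not a fix: an attacker on the same NAT, the same corporate proxy or the same shared host as the victim still presents the victim's address, and legitimate users on mobile networks will be logged out whenever their address changes. Second, the token is still derived from the password hash, so it stays valid until the password changes; a random server-side session identifier with its own expiry would give the same IP binding without that property. Whatever the token looks like, setting the cookie with `HttpOnly` and `Secure` is the usual first step against a cookie catcher that runs as injected script.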