jacek wrote:
True, but looking from the point of someone trying to exploit the system. Finding that they can enter any value in the theme field might make them dig deeper instead of giving up.

bowersbros wrote:
Our idea behind not doing that was that if somebody manually changes the template, then if it fucks up, it's their fault.
Keep going. We have defended against XSS; all it does is use the value you pass to change the name of the file it fetches.
It uses the passed value as a variable
The file name system is:
cookiecommons.[colour].css
So, if the user changes the variable to something not supported, all it will do is throw a nonexistent file (404)
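A defensive way to resolve the theme value described above, added here as an example that is not code from the thread or the site; the allowlist of colours and the theme directory path are assumptions:

```python
import re
from pathlib import Path

# Assumed allowlist of shipped theme colours; the thread names the
# cookiecommons.[colour].css scheme but not which colours exist.
SUPPORTED_COLOURS = frozenset({"blue", "green", "red"})
DEFAULT_COLOUR = "blue"
THEME_DIR = Path("/var/www/static/css")  # assumed location of the CSS files

# A theme name is a short lowercase word; anything else is not a colour we ship.
_COLOUR_RE = re.compile(r"^[a-z]{1,16}$")


def theme_filename(colour):
    """Map a user-supplied theme value to a cookiecommons.[colour].css name.

    Malformed or unknown values fall back to the default theme instead of
    being interpolated into the file name, so the request never decides
    which file the server opens; it only picks one of the shipped themes.
    """
    if not isinstance(colour, str) or not _COLOUR_RE.match(colour):
        colour = DEFAULT_COLOUR
    elif colour not in SUPPORTED_COLOURS:
        colour = DEFAULT_COLOUR
    return f"cookiecommons.{colour}.css"


def theme_path(colour):
    """Resolve the theme file and confirm it still sits inside THEME_DIR."""
    path = (THEME_DIR / theme_filename(colour)).resolve()
    if THEME_DIR.resolve() not in path.parents:
        raise ValueError("theme file resolved outside the theme directory")
    return path
```

With this in place an unsupported value serves the default stylesheet rather than producing a 404 for a file name the user composed.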