Hi,
I'm working with a government agency that requires security scans for new sites. Using this testing suite, they've identified a number of issues affecting Omeka.
1. Autocomplete on email/password-related inputs:
   - admin login and forgot-password forms
   - Guest User login, register, forgot-password forms
2. Cross-frame scripting on admin login forms
To address item #1, I've found it most expedient to use JavaScript to add "autocomplete=off" as needed within custom theme templates (for user-facing forms) and via a plugin (for admin-related forms). It would admittedly probably be better to filter the forms' HTML output. I'd appreciate any tips to that end.
As for issue #2, perhaps someone can offer some details on how best to fix it as I'm not entirely sure where to start.
Cheers -- E
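For anyone landing on this thread with the same two scan findings, here is an added example (not code from the post above, and not Omeka's own code) showing the defensive side of both items. The first function is the "filter the HTML output" approach for item #1: it rewrites credential-related `<input>` tags in a form's HTML string to carry an `autocomplete` attribute, so the same idea can be ported to the PHP layer that renders the form. The second is a verification check for item #2: "cross-frame scripting" on a login page means the page can be framed by another origin (clickjacking), and the fix is a response header set on the server, so the function inspects a response's headers and reports whether `X-Frame-Options` or a CSP `frame-ancestors` directive actually protects the page. The sample form markup and header sets at the bottom are constructed for the demo; the regex-based tag rewriting is an assumption that the rendered forms are ordinary HTML, not a general HTML parser.

```javascript
// Added example (not from the original post or from Omeka). Runs under Node.

// Item #1: add autocomplete to credential inputs in a form's HTML before it
// reaches the browser. Password fields get "new-password", which browsers
// honour more consistently than "off"; email/username fields get "off".
// Assumes plain HTML <input> tags; a regex is not a full HTML parser.
function hardenAutocomplete(html) {
  return html.replace(/<input\b[^>]*>/gi, (tag) => {
    // Respect an autocomplete attribute the template author already set.
    if (/\bautocomplete\s*=/i.test(tag)) return tag;
    const type = (tag.match(/\btype\s*=\s*["']?([\w-]+)/i) || [])[1] || 'text';
    const name = (tag.match(/\bname\s*=\s*["']?([\w\-\[\]]+)/i) || [])[1] || '';
    const t = type.toLowerCase();
    const n = name.toLowerCase();
    let value = null;
    if (t === 'password') value = 'new-password';
    else if (t === 'email' || /email|username|login/.test(n)) value = 'off';
    if (value === null) return tag; // submit buttons, hidden fields, etc.
    // Insert the attribute just before the tag's closing ">" or "/>".
    return tag.replace(/\s*\/?>$/, (end) => ` autocomplete="${value}"${end}`);
  });
}

// Item #2: decide whether a response's headers stop other origins from
// framing the page. Either a strict X-Frame-Options or a non-wildcard CSP
// frame-ancestors directive counts as protection; both should be sent,
// because older browsers only understand X-Frame-Options.
function checkFrameProtection(headers) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  const xfoOk = xfo === 'DENY' || xfo === 'SAMEORIGIN';
  if (!xfoOk) {
    findings.push(xfo ? `X-Frame-Options "${xfo}" is not DENY or SAMEORIGIN`
                      : 'X-Frame-Options header missing');
  }

  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map((d) => d.trim()).find((d) => /^frame-ancestors\b/i.test(d));
  let cspOk = false;
  if (!fa) {
    findings.push('CSP frame-ancestors directive missing');
  } else {
    const sources = fa.split(/\s+/).slice(1).map((s) => s.replace(/^'|'$/g, '').toLowerCase());
    // "*" or a bare scheme source such as "https:" lets any origin frame the page.
    if (sources.includes('*') || sources.some((s) => /^[a-z]+:$/.test(s))) {
      findings.push(`frame-ancestors ${sources.join(' ')} allows arbitrary framing`);
    } else {
      cspOk = true; // 'self', 'none', or an explicit origin list
    }
  }
  return { protected: xfoOk || cspOk, findings };
}

// Constructed sample data for a stand-alone run.
const sampleForm =
  '<form><input type="text" name="username">' +
  '<input type="password" name="password" />' +
  '<input type="submit" value="Log In"></form>';
console.log(hardenAutocomplete(sampleForm));
console.log(checkFrameProtection({ 'Content-Type': 'text/html' }));
console.log(checkFrameProtection({
  'X-Frame-Options': 'SAMEORIGIN',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'",
}));

module.exports = { hardenAutocomplete, checkFrameProtection };
```

Where the headers get set depends on the deployment: if Omeka is served by Apache with mod_headers, `Header always set X-Frame-Options "SAMEORIGIN"` and a matching `Content-Security-Policy "frame-ancestors 'self'"` line in the site's `.htaccess` or vhost is the usual place (that is an assumption about your stack, not something the post states). Running the check against the live admin login response, before and after the change, gives the same evidence the scanner is looking for.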