1. Summary
  2. Files
  3. Support
  4. Report Spam
  5. Create account
  6. Log in

Ticket #15772 (closed: wontfix)

Opened 3 years ago

Last modified 20 months ago

OpenID - should ignore HTML comments

Reported by: grawity Owned by: ctsai
Keywords: ENGR AT-642 Cc:
Private: no


I was trying to add my OpenID http://nullroute.eu.org/~grawity/ to my SourceForge account. The OpenID is currently delegated to Google Profile, so I expected SF to use that - however, I got redirected to VeriSign PIP instead.

The problem appears to be that SourceForge's OpenID system uses the first "<link>" tag it finds, even if it happens to be inside a HTML comment, as it was in this case: I have the VeriSign PIP delegation tags commented out in case I wanted to switch back from Google Profile.

In other words:

<link rel="openid2.provider openid.server"
<link rel="openid2.local_id openid.delegate"
<meta http-equiv="X-XRDS-Location"

<link rel="openid2.provider"
<link rel="openid2.local_id"

In the example above (copied directly from my OpenID URL), only the last two tags should be used by an OpenID application.

Change History

Changed 3 years ago by ctsai

  • keywords ENGR AT-642 added; openid removed
  • owner set to ctsai
  • status changed from new to assigned

Thank you for this report, I'm escalating this to our engineering team for further review.

Chris Tsai, SourceForge.net Support

Changed 20 months ago by ctsai

  • status changed from assigned to closed
  • resolution set to wontfix


We are going to be re-writing our login system, and I expect that the new implementation will solve this issue, however this will not be fixed in the current system so I'm closing this ticket out as "wontfix".

Chris Tsai, SourceForge.net Support

Note: See TracTickets for help on using tickets.