Ticket #15772 (closed: wontfix)
OpenID - should ignore HTML comments
|Reported by:||grawity||Owned by:||ctsai|
I was trying to add my OpenID http://nullroute.eu.org/~grawity/ to my SourceForge account. The OpenID is currently delegated to Google Profile, so I expected SF to use that - however, I got redirected to VeriSign PIP instead.
The problem appears to be that SourceForge's OpenID system uses the first "<link>" tag it finds, even if it happens to be inside a HTML comment, as it was in this case: I have the VeriSign PIP delegation tags commented out in case I wanted to switch back from Google Profile.
In other words:
<!-- <link rel="openid2.provider openid.server" href="https://pip.verisignlabs.com/server"> <link rel="openid2.local_id openid.delegate" href="https://grawity.pip.verisignlabs.com/"> <meta http-equiv="X-XRDS-Location" content="https://pip.verisignlabs.com/user/grawity/xrds"> --> <link rel="openid2.provider" href="https://www.google.com/accounts/o8/ud?source=profiles"> <link rel="openid2.local_id" href="http://www.google.com/profiles/grawity">
In the example above (copied directly from my OpenID URL), only the last two tags should be used by an OpenID application.