Details
- Type: Bug
- Status: Done/Fixed
- Priority: Critical
- Resolution: Fixed/Completed
- Affects Version/s: 3.4.8, 4.0.8, 4.1.2
- Fix Version/s: 4.2.0
- Component/s: None
- Labels: None
Description
CRM/Core/IDS.php skips array( 'civicrm/ajax', 'civicrm/admin/setting/updateConfigBackend', 'civicrm/admin/messageTemplates' );
Meaning you can put stuff like <script>alert ('no good'); as values
With edit-in-place, we expose more of these ajax backends, increasing the risk of them being abused.
Kurund thought it was there for a different menu than ajax/rest. We might need to put back the whitelist, but be more targeted than civicrm/ajax/*.
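The difference between the broad skip entry and a targeted whitelist, as an added stand-alone example (this is not CiviCRM's own IDS.php code; the function name `idsShouldRun`, the targeted list and the sample request paths other than those quoted in the ticket are hypothetical):

```php
<?php
// Added example, not CiviCRM's own code. Models the effect of a path-based
// skip list in front of an input filter such as CRM/Core/IDS.php: a broad
// entry like 'civicrm/ajax' exempts every sub-path under it, while a targeted
// list only exempts the exact paths that were shown to need it.

/**
 * Return true when the input filter must run for $path.
 * $skip holds exempt paths. With $prefixMatch = true any path below an entry
 * is also exempt (the broad behaviour); with false only exact matches are.
 */
function idsShouldRun(string $path, array $skip, bool $prefixMatch): bool
{
    $path = trim($path, '/');
    foreach ($skip as $entry) {
        $entry = trim($entry, '/');
        if ($path === $entry) {
            return false;                       // exact match: exempt
        }
        if ($prefixMatch && strpos($path, $entry . '/') === 0) {
            return false;                       // sub-path of a broad entry: exempt
        }
    }
    return true;                                // not on the list: filter runs
}

// Skip list as quoted in the ticket (broad: 'civicrm/ajax' covers civicrm/ajax/*).
$broadSkip = [
    'civicrm/ajax',
    'civicrm/admin/setting/updateConfigBackend',
    'civicrm/admin/messageTemplates',
];

// Hypothetical targeted replacement: the ajax prefix is removed so every
// ajax endpoint is filtered again, and the remaining entries match exactly.
$targetedSkip = [
    'civicrm/admin/setting/updateConfigBackend',
    'civicrm/admin/messageTemplates',
];

// Constructed sample request paths; the first one is mentioned in the ticket.
$requests = [
    'civicrm/ajax/customvalue',
    'civicrm/ajax/rest',
    'civicrm/admin/messageTemplates',
    'civicrm/admin/messageTemplates/extra',
    'civicrm/contact/view/cd/edit',
];

foreach ($requests as $r) {
    printf("%-40s broad: %-4s targeted: %s\n", $r,
        idsShouldRun($r, $broadSkip, true) ? 'run' : 'skip',
        idsShouldRun($r, $targetedSkip, false) ? 'run' : 'skip');
}
```

Run with `php example.php`; the rows for the two `civicrm/ajax/...` paths show `skip` under the broad list and `run` under the targeted one, which is the change the ticket proposes. The `/extra` row shows that exact matching also stops an admin entry from silently covering paths added beneath it later.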
(08:13:51) xavier_d: re IDS, do you recall why it was excluding ajax/rest?
(08:14:19) xavier_d: (you're the one on the svn blame, might be because you merged from another branch)
(08:27:50) kurund: xavier_d: i think for wysiwyg custom data that was loaded via ajax was having some problem
(08:28:09) kurund: xavier_d: can you create custom data and check if that works..
(08:28:25) kurund: xavier_d: basically try saving after load it via ajax
(08:28:54) xavier_d: Where is the ajax/rest used for custom data wysiwyg?
(08:29:06) xavier_d: (so I can test the right screen)
(08:31:15) kurund: xavier_d: skip is for civicrm/ajax
(08:31:46) kurund: xavier_d: for e.g., create a custom data of type Meeting
(08:32:10) kurund: and then in standalone activity mode change the activity to Meeting.. and try saving it ..
(08:33:08) xavier_d: ok, trying
(08:34:05) xavier_d: the type of field most likely to trigger it is note, I presume?
(08:44:37) kurund: xavier_d: rich text editor
(08:58:27) xavier_d: kurund: I have a custom set on activity meeting with a rich text, I've tried to edit/view/create a meeting from the contact, and create a new activity from the menu then set the type to meeting. The only civicrm/ajax I've seen is when displaying the tab with the list of activities. Do you recall where it was called exactly?
(08:59:13) kurund: xavier_d: use standalone activity mode
(08:59:49) kurund: xavier_d: http://drupal.demo.civicrm.org/civicrm/activity?action=add&reset=1&context=standalone
(09:00:42) xavier_d: ok, but when I choose meeting, it calls /civicrm/activity?snippet=4&type=Activity&subType=1&qfKey=e21969c6dfab7fd3ed15530cf6c72adf_4879&cgcount=1
(09:00:47) xavier_d: not civicrm/ajax
(09:02:24) kurund: xavier_d: ok kool.. so that is fine I guess..
(09:03:35) kurund: xavier_d: can you also check tabbed multi-value custom data of type contact
(09:03:59) xavier_d: with a note rich text inside too?
(09:04:01) xavier_d: ok, trying
(09:04:12) kurund: xavier_d: yes
(09:18:40) xavier_d: kurund: it's mostly using /civicrm/contact/view/cd/edit/...
(09:19:12) kurund: xavier_d: okie.. can't think of anything else now
(09:19:28) xavier_d: the only civicrm/ajax/customvalue I could see was when deleting one, (with a simple post containing only contactid &group id & valueid)
(09:20:35) xavier_d: Shall I put back the IDS for ajax/civicrm & send a warning to a team & planning?
(09:21:39) kurund: xavier_d: sure..
(09:21:51) kurund: sounds good to me..
(09:23:00) xavier_d: Ok, removing it locally and working on other things on my trunk this am, if I don't see any problem I'll commit and warn that it might have side effects