banet wrote:
Check out the site
http://go.ba.net based on eidogo code but with the XSS security vulnerability patched.
In your other announcement thread, you said that the vulnerabilities were only "mostly" patched (whatever that means), and based on a quick look, it appears that your JavaScript is still using eval in a few places to apparently do JSON parsing. Are you sure that you've patched up the XSS vulnerabilities properly?
Also, there seems to be little purpose to linking to your site via an iframe just to use something that is essentially EidoGo, which is already integrated into L19x19. In fact, this could create further security problems, if your site does something malicious or contains unfixed security issues that allow others to do malicious things.
Since your site is based on EidoGo, which is licensed under AGPL requiring derivative works to be open-source under AGPL as well, have you made your modified source code available somewhere (which would be required to comply with the AGPL)?
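
The concern above about eval being used for JSON parsing, shown as an added example that is not part of the original post and is not EidoGo's or the site's code. The function names, the `moves` response shape and the sample strings are assumptions constructed for illustration.

```javascript
// Added example: hypothetical function names, assumed response shape.

// Legacy pattern: eval() treats the response as JavaScript source, so any
// part of it that is not pure data is executed in the page's context.
function legacyParse(text) {
  return (0, eval)("(" + text + ")");
}

// Replacement: JSON.parse accepts only the JSON grammar and never runs code.
// The schema check (a "moves" array of {color, x, y}) is an assumed shape.
function strictParse(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (err) {
    return { ok: false, error: "not valid JSON" };
  }
  if (data === null || typeof data !== "object" || !Array.isArray(data.moves)) {
    return { ok: false, error: "unexpected shape" };
  }
  for (const m of data.moves) {
    const valid = m !== null && typeof m === "object" &&
      (m.color === "B" || m.color === "W") &&
      Number.isInteger(m.x) && m.x >= 0 && m.x < 19 &&
      Number.isInteger(m.y) && m.y >= 0 && m.y < 19;
    if (!valid) return { ok: false, error: "invalid move" };
  }
  // Copy only the expected fields so extra keys never reach later code.
  const moves = data.moves.map(m => ({ color: m.color, x: m.x, y: m.y }));
  return { ok: true, moves };
}

// Constructed sample responses.
const GOOD = '{"moves":[{"color":"B","x":3,"y":15},{"color":"W","x":15,"y":3}]}';
// Not JSON: contains an assignment expression. The side effect is a harmless flag.
const CODE = '{"moves":[], "x": (globalThis.__evalRan = true)}';

// Runs both parsers on the non-JSON input and reports what each one did.
function demo() {
  globalThis.__evalRan = false;
  legacyParse(CODE);
  const evalExecuted = globalThis.__evalRan;
  globalThis.__evalRan = false;
  const strict = strictParse(CODE);
  return { evalExecuted, strictRejected: !strict.ok,
           strictRan: globalThis.__evalRan, good: strictParse(GOOD) };
}
```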