Hello dev-members,

We are trying to run our public Galaxy instance <http://galaxy.raetschlab.org> in a more secure manner. Currently I am playing with a few test cases around redirection vulnerabilities.

The following link uses a URL variable called "redirect_url" to redirect a user to a given page. While this variable is intended to only direct a user to a trusted page, it fails to validate the provided value and can therefore be used to redirect to any page:

http://localhost:8080/datasets/332056/display_at/ucsc_test?redirect_url=http://www.google.com&display_url=http://localhost:8080/root

This example redirects a user to Google, but it could just as easily be used to direct a user to a page that contains malware.

To resolve the issue, maybe validate all user-controlled input, including the GET request variables. If the input is intended to redirect a user, it must be validated to ensure it only presents them with a page on the trusted site.

Any comments or suggestions on how to work around this?

Thanks,
--/Vipin
Rätschlab, Computational Biology Dept.
Memorial Sloan-Kettering Cancer Center
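One way to implement the validation suggested above, as an added example that is not Galaxy's own code: the redirect target is accepted only if it is a site-relative path or an absolute URL whose host exactly matches the instance's own host, and anything else falls back to a safe default. The trusted host "localhost:8080" and the default target "/root" are taken from the example link and are assumptions for this snippet.

```python
"""Validate a user-supplied redirect_url before issuing the redirect.
Constructed example for the open-redirect report above; not Galaxy code."""
from urllib.parse import urlsplit

# Assumed values for this example: the instance's own host and a safe landing page.
TRUSTED_HOST = "localhost:8080"
DEFAULT_TARGET = "/root"


def is_safe_redirect(url: str, trusted_host: str = TRUSTED_HOST) -> bool:
    """Return True only if `url` keeps the user on the trusted site.

    Accepts site-relative paths ("/datasets/1") and absolute http(s) URLs
    whose netloc matches `trusted_host` exactly. Rejects scheme-relative
    ("//evil"), backslash ("/\\evil"), userinfo ("host@evil") and
    non-http schemes ("javascript:"), all of which would leave the site.
    """
    if not url:
        return False
    # Browsers treat "\" as "/", so normalise before parsing; otherwise
    # "/\evil.com" would look like a harmless relative path.
    url = url.replace("\\", "/")
    parts = urlsplit(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.netloc:
        # Absolute or scheme-relative URL: compare the whole netloc, which
        # includes any "user@" prefix and the port, against the trusted host.
        return parts.netloc.lower() == trusted_host.lower()
    # No host component: allow only a path that starts with a single "/"
    # (a leading "//" would already have been parsed into netloc above).
    return url.startswith("/")


def resolve_redirect(requested: str, default: str = DEFAULT_TARGET) -> str:
    """Pick the target to redirect to: the requested URL if it validates,
    otherwise the safe default on the trusted site."""
    return requested if is_safe_redirect(requested) else default


if __name__ == "__main__":
    for candidate in ("/root", "http://localhost:8080/root",
                      "http://www.google.com", "//www.google.com"):
        print(f"{candidate!r:35} -> {resolve_redirect(candidate)!r}")
```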