Hello Galaxy-team,

A Galaxy instance is being hosted on our server.
But last week, a security expert ran some tests on our server. He warned us that the user creation and login script can be injected with executable JavaScript in Galaxy, which may make our server vulnerable.

He gave us a 3-page report (other issues include Non-SSL Password and the Galaxy cookie).
We don't know whether it's serious and whether we need to fix these issues immediately.
Is Galaxy going to be updated for these issues? Or do we need to modify them ourselves? Any suggestion is appreciated.
Thanks!


-- 
Hanfei Sun