In my understanding the video highlights 2 problems:
a) csrf: Basecamp search results page could reject input that didn't originate from the respective search box. But it's useful to be able to send someone a link that will perform a search - it isn't a state changing operation after all. So everyone allows that.
b) xss: the main problem of course is that the search results page prints the search input without any filtering...
a) csrf: Basecamp search results page could reject input that didn't originate from the respective search box. But it's useful to be able to send someone a link that will perform a search - it isn't a state changing operation after all. So everyone allows that.
b) xss: the main problem of course is that the search results page prints the search input without any filtering...