Now that we will be exposing our tlstunnel/webserver code to the evils of the unfiltered internet, we probably need to have a more rigorous look through the code to make sure we don't have any obvious security issues. We should also make sure that it is properly robust against various denial of service attacks.
We need to validate input we get from the browser and from the user. Some of this work has been done as part of bug 4840 but a more thorough look is needed.
I've opened new bugs for all issues I've found, but I could find no more in the time spent on this bug. I've created bug 5263 about mitigating denial of service attacks.
Since all issues got reported as new bugs, there is nothing to test on this bug. Closing.