@kgibson @sneak that's bad, and they need to fix this asap. Not sure about the web interface, but it's hard to verify anyway.
I am afraid that if this kind of problem is a on your attack surface checklist, one should consider moving to a more serious provider. CTemplar comes to mind, their code is verifiable and the feature list demonstrate they truly care:
https://ctemplar.com/features/
Anything else out there at that level!?
@sneak @kgibson very cool!
And about CTemplar, they checked out:-S
But at least the GitHub is up with what appears to be all the relevant code.