[OSM-dev] XSS Vulnerabilities
Tom Hughes
tom at compton.nu
Thu Jan 17 14:48:20 GMT 2008
In message <fmnp2a$q1j$2 at ger.gmane.org>
Gervase Markham <gerv-gmane at gerv.net> wrote:
> Tom Hughes wrote:
>> It breaks all the harmless HTML tags people have used in their
>> diary entries though, most notably any links people have put in.
>>
>> What we should have done is use one of the plugins that offers a
>> wiki-ish type benign markup but now we have legacy entries using
>> raw HTML tags.
>
> You can get libraries which permit a defined subset of HTML tags. So you
> may be able to use one of those to restore the original diary entries
> (mostly), and allow people to keep using HTML as their markup language.
Keep up at the back - we did that a couple of days ago.
It's still a bit scary given all the "don't really trust this" warnings
that the sanitiser is covered in...
Tom
--
Tom Hughes (tom at compton.nu)
http://www.compton.nu/
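The approach Gerv describes ("libraries which permit a defined subset of HTML tags") and the warnings Tom mentions are illustrated by the following added example in Python; it is not code from the OSM site or from the sanitiser plugin the site adopted. It is an allow-list sanitiser built on the standard library's HTMLParser: unknown tags are dropped while their text is kept, attributes outside the allow-list (onclick= and friends) are removed, href values are checked by scheme after the tricks browsers tolerate (mixed case, embedded tabs, entity-encoded characters) have been normalised, <script> and <style> are removed together with their content, and unclosed tags are balanced so an entry cannot leave an element open across the rest of the page. The tag and attribute allow-list, the accepted URL schemes and the sample entries are all assumptions made up for the example.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical allow-list for diary entries (not the OSM site's real policy):
# the tags that may survive, and which attributes each of them may carry.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li",
                "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}                   # never get a closing tag
DROP_CONTENT = {"script", "style"}   # the tag *and* its text are removed
SAFE_SCHEMES = {"http", "https", "mailto"}

SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")


def safe_url(value):
    """True if an href is relative or uses an allowed scheme.

    HTMLParser has already decoded entities such as &#106; in the value.
    Browsers also ignore tabs, newlines and other control characters
    inside the scheme, so strip them before looking at it; otherwise
    "java\tscript:" slips past a naive prefix check.
    """
    if value is None:
        return False
    cleaned = "".join(ch for ch in value if ord(ch) > 32).lower()
    m = SCHEME_RE.match(cleaned)
    if m is None:
        return True          # no scheme at all: a relative URL
    return m.group(1) in SAFE_SCHEMES


class AllowListSanitiser(HTMLParser):
    """Rebuilds markup from parser events, keeping only allowed tags/attrs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.stack = []      # allowed tags currently open, for balancing
        self.skipping = 0    # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping += 1
            return
        if tag not in ALLOWED_TAGS:
            return           # drop the tag, keep the text it wrapped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue     # onclick=, style= and so on never get through
            if name == "href" and not safe_url(value):
                continue
            kept.append((name, value or ""))
        attr_text = "".join(
            ' %s="%s"' % (n, html.escape(v, quote=True)) for n, v in kept)
        self.out.append("<%s%s>" % (tag, attr_text))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skipping = max(0, self.skipping - 1)
            return
        if tag not in self.stack:
            return           # stray or unknown closing tag
        while self.stack:    # close anything still open inside it
            t = self.stack.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    # Comments, <!DOCTYPE> and <? ?> fall through to HTMLParser's no-op
    # handlers and so are dropped.

    def result(self):
        self.close()                   # flush any buffered input
        while self.stack:              # balance whatever was left open
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)


def sanitise(fragment):
    p = AllowListSanitiser()
    p.feed(fragment)
    return p.result()


if __name__ == "__main__":
    # Constructed sample entries, not real diary content.
    for entry in [
        '<p>See <a href="http://www.compton.nu/" onclick="steal()">my site</a></p>',
        '<a href="JaVa&#9;ScRiPt:alert(1)">click</a><script>alert(2)</script>',
        '<b>unclosed <i>tags</b> and 1 < 2',
    ]:
        print(sanitise(entry))
```

The scheme check, the entity decoding and the control-character stripping are exactly where hand-written sanitisers go wrong, and they are why the libraries carry the warnings they do: each is a spot where a browser quirk nobody has tested for can open a hole. For a production site the allow-list should stay small, the input should go through a real HTML tokenizer rather than a regular expression, and the library should be one that is maintained against newly published bypasses.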