[OpenStreetMap] #4117: Text between "<" and ">" not shown in private messages on website

OpenStreetMap trac at openstreetmap.org
Thu Dec 1 19:07:02 GMT 2011


#4117: Text between "<" and ">" not shown in private messages on website
------------------------------+---------------------------------------------
  Reporter:  Kurt Krampmeier  |       Owner:  rails-dev@…                
      Type:  defect           |      Status:  reopened                   
  Priority:  major            |   Milestone:                             
 Component:  website          |     Version:                             
Resolution:                   |    Keywords:                             
------------------------------+---------------------------------------------
Changes (by Kurt Krampmeier):

  * status:  closed => reopened
  * resolution:  wontfix =>


Comment:

 Wow, allowing HTML is so wrong. While you seem to do quite a good job of
 filtering dangerous parts, really fixing this behavior still should be
 reconsidered, since the messages are also sent as plain text mails and you
 can also answer these messages through email. Nobody would use HTML markup
 in plaintext mails.

 I also would not have figured out that you can use some (undocumented?)
 HTML subset in the web interface. I guess the majority of the users (who
 could write HTML) do not either. I expected this problem to be caused by
 incorrectly stripping HTML content instead of encoding dangerous
 characters.

 While it might break some single older messages and blog posts, HTML
 support still should be removed. I think it causes much, much more harm
 than good. Breaking of old messages could even be completely avoided by
 keeping the current behaviour for old messages and using a sane behaviour
 for future messages.

 Is there really no chance to get this fixed?

-- 
Ticket URL: <https://trac.openstreetmap.org/ticket/4117#comment:2>
OpenStreetMap <http://www.openstreetmap.org/>
OpenStreetMap is a free editable map of the whole world
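
The contrast the comment draws between stripping and encoding, together with its proposal to keep the old rendering only for old messages, as an added example (not code from the ticket or from the OpenStreetMap website). The cutoff date, the sample message and all method names are assumptions, and legacy_render is a simplified stand-in that only reproduces the reported symptom.

```ruby
require "cgi/escape"

# Assumed cutoff: messages created before it keep the legacy rendering.
PLAIN_TEXT_CUTOFF = Time.utc(2011, 12, 1)

# Hypothetical stand-in for the legacy behaviour: anything shaped like a
# tag is dropped, so text typed between "<" and ">" silently disappears.
def legacy_render(body)
  body.gsub(/<[^>]*>/, "")
end

# Plain-text rendering: the stored body is never modified; the HTML
# metacharacters are encoded at output time, so the browser shows every
# character the sender typed and nothing is interpreted as markup.
def plain_render(body)
  CGI.escapeHTML(body)
end

# Pick the renderer by message age, so old messages look as they always
# did and new ones are treated as plain text.
def render_message(body, created_at)
  created_at < PLAIN_TEXT_CUTOFF ? legacy_render(body) : plain_render(body)
end

# The e-mail copy is text/plain, so it carries the stored body unchanged.
# With plain_render the web view and the mail agree character for character.
def mail_body(body)
  body
end

# Constructed sample message.
SAMPLE = "Tag it highway=<type> & see <http://example.org/> <script>x</script>"

if __FILE__ == $PROGRAM_NAME
  puts render_message(SAMPLE, Time.utc(2011, 6, 1))
  puts render_message(SAMPLE, Time.utc(2012, 1, 1))
end
```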


