[OpenStreetMap] #4117: Text between "<" and ">" not shown in private messages on website

OpenStreetMap trac at openstreetmap.org
Thu Dec 1 21:01:02 GMT 2011 

#4117: Text between "<" and ">" not shown in private messages on website
------------------------------+---------------------------------------------
  Reporter:  Kurt Krampmeier  |       Owner:  rails-dev@…                
      Type:  defect           |      Status:  reopened                   
  Priority:  major            |   Milestone:                             
 Component:  website          |     Version:                             
Resolution:                   |    Keywords:                             
------------------------------+---------------------------------------------

Comment(by Kurt Krampmeier):

 I wonder, what would happen, if you would simply disallow HTML in messages
 completely. Probably nobody would care much. See, the two other issues you
 just fixed (#4118, #4119 - thanks!) likely have affected a lot more users
 and perhaps more than half of all mails were broken. But still nobody
 considered these problems as significant enough, to file a bug report
 until I did it today.

 Now just make a guess: How many users will open older mails, stored in
 their accounts before the change? These numbers will cease fast. How many
 of these mails will contain HTML intentionally, which could look broken
 more or less after the change? Probably not even 1%. How many will look
 right for the first time, because they contain some HTML syntax
 unintentionally? Maybe more than the ones, that get broken. How many mails
 will be broken so badly, that the cannot be read anymore? Probably none,
 since at least nothing would be hidden. The worst case would be some
 excessive markup, that gets displayed in the web interface. It is already
 displayed that way in the emails. Nobody cared about that ...

 What would be the benefit? New Messages will also look right as emails.
 Nothing will be accidentally lost between braces. The risk of XSS and/or
 spoofing due to incomplete filtering of dangerous HTML parts is removed.

 I simply do not see any relevant point for keeping the current behavior.

-- 
Ticket URL: <https://trac.openstreetmap.org/ticket/4117#comment:4>
OpenStreetMap <http://www.openstreetmap.org/>
OpenStreetMap is a free editable map of the whole world

More information about the rails-dev mailing list