[typo] A possibly dumb question...
Scott Laird
scott at sigkill.org
Tue Dec 6 10:36:36 EST 2005
On Dec 6, 2005, at 1:07 AM, Piers Cawley wrote:
> Piers Cawley <pdcawley at bofh.org.uk> writes:
>
>> rodgerd at diaspora.gen.nz writes:
>>
>>> With a typo 2.6 install, I see properly formed hyperlinks in
>>> comments on blog entries are being rendered as plain text. The
>>> comments filter is set to Markdown with Smartypants.
>>>
>>> Bug? Feature? User error?
>>
>> A glance at test/functional/articles_controller_test.rb seems to
>> imply it's a bug.
>
> But I'm looking at the trunk not 2.6, so it might be a little longer
> before I take a closer look.
With 2.6 (or any version before about 3 days ago, minus a few bugs),
*all* HTML was stripped out of comment bodies. If you wanted a link,
then you needed to ask for one using Markdown or Textile, because the
user wasn't allowed to enter HTML directly. This broke somewhere
along the way in the trunk, which caused an XSS vulnerability, which
is the main reason that we'd restricted HTML in the first place.
The fix that's currently in place in the trunk doesn't actually block
HTML (although we might turn that back on soon), it uses Rails'
sanitize function to remove <script> and other JavaScript from the
source HTML. So users can still add <blink> and friends, and they
can screw up the site's formatting by putting in naked </div>s, but
by and large I think we're headed in the right direction.
Scott
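The two comment-body policies Scott contrasts above, strip everything (the 2.6 behaviour that turns a hand-written link into plain text) versus keep markup but remove script, written out as an added Ruby example. This is not Typo's code and not Rails' sanitize; it uses an assumed allowlist of tags and attributes and a simple regex tokenizer, so it also drops unknown tags such as <blink> and stray </div>, which the trunk fix described above does not.

```ruby
# Added example, not Typo's or Rails' code. Assumed allowlist for comment bodies.
ALLOWED_TAGS  = %w[a b i em strong code p br blockquote].freeze
ALLOWED_ATTRS = { "a" => %w[href title] }.freeze
# Only these URL schemes/forms survive on href; javascript:, data:, vbscript: are rejected.
SAFE_URL = %r{\A(https?://|mailto:|/|#)}i

# 2.6 policy: every tag is removed, so a user-typed <a href> is rendered as plain text.
def strip_all_html(body)
  body.gsub(/<[^>]*>/, "")
end

# Trunk-style policy, allowlist variant: keep known tags and known attributes only.
# Limitations of this illustration: attribute values containing ">" and entity-encoded
# URLs (e.g. "java&#x73;cript:") are not handled; a real filter decodes entities first.
def sanitize_comment(body)
  # Remove <script>/<style> elements with their contents, not just the tags,
  # so the script body does not survive as visible text.
  body = body.gsub(%r{<(script|style)\b[^>]*>.*?</\1\s*>}mi, "")
  body.gsub(%r{<(/?)\s*([a-z][a-z0-9]*)([^>]*)>}i) do
    closing, tag, attrs = $1, $2.downcase, $3
    next "" unless ALLOWED_TAGS.include?(tag)   # <blink>, </div>, etc. are dropped
    next "</#{tag}>" if closing == "/"
    kept = attrs.scan(/([a-z][a-z0-9-]*)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/i).map do |name, _, dq, sq, bare|
      name  = name.downcase
      value = dq || sq || bare
      next unless ALLOWED_ATTRS.fetch(tag, []).include?(name)   # onclick etc. are dropped
      next if name == "href" && value.strip !~ SAFE_URL           # unsafe scheme dropped
      name + '="' + value.gsub('"', "&quot;") + '"'
    end.compact
    kept.empty? ? "<#{tag}>" : "<#{tag} #{kept.join(' ')}>"
  end
end

if __FILE__ == $0
  puts strip_all_html('see <a href="http://example.org/">here</a>')       # see here
  puts sanitize_comment('<a href="http://example.org/" onclick="x()">here</a>')
end
```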