[typo] A possibly dumb question...

Scott Laird scott at sigkill.org
Tue Dec 6 10:36:36 EST 2005


On Dec 6, 2005, at 1:07 AM, Piers Cawley wrote:

> Piers Cawley <pdcawley at bofh.org.uk> writes:
>
>> rodgerd at diaspora.gen.nz writes:
>>
>>> With a typo 2.6 install, I see properly formed hyperlinks in comments on
>>> blog entries are being rendered as plain text.  The comments filter is set
>>> to Markdown with Smartypants.
>>>
>>> Bug?  Feature?  User error?
>>
>> A glance at test/functional/articles_controller_test.rb seems to imply
>> it's a bug.
>
> But I'm looking at the trunk not 2.6, so it might be a little longer
> before I take a closer look.

With 2.6 (or any version before about 3 days ago, minus a few bugs),
*all* HTML was stripped out of comment bodies.  If you wanted a link,
then you needed to ask for one using Markdown or Textile, because the
user wasn't allowed to enter HTML directly.  This broke somewhere
along the way in the trunk, which caused an XSS vulnerability, which
is the main reason that we'd restricted HTML in the first place.

The fix that's currently in place in the trunk doesn't actually block
HTML (although we might turn that back on soon), it uses Rails'
sanitize function to remove <script> and other JavaScript from the
source HTML.  So users can still add <blink> and friends, and they
can screw up the site's formatting by putting in naked </div>s, but
by and large I think we're headed in the right direction.


Scott
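As an added illustration of the two approaches Scott contrasts above (drop all HTML versus keep the tags but strip script and JavaScript), here is a small Ruby comment sanitizer. It is example code written for this page, not Typo's code and not Rails' sanitize helper; the tag and attribute allowlists, the forbidden-tag list and the strict/lenient switch are assumptions.

```ruby
require 'set'

# Allowlists used only in strict mode (the "turn HTML blocking back on" option).
# Both lists are assumptions for this example, not Typo's configuration.
ALLOWED_TAGS   = Set.new(%w[a b i em strong p br blockquote code pre ul ol li])
ALLOWED_ATTRS  = Set.new(%w[href title])
# Dropped in every mode: these carry script or embed foreign content.
FORBIDDEN_TAGS = Set.new(%w[script style iframe object embed])

# Pre-trunk behaviour: drop every tag, so links can only come from Markdown/Textile.
def strip_all_html(html)
  html.gsub(/<[^>]*>/, '')
end

# Event handlers and javascript: URLs never survive; strict mode also drops anything
# outside ALLOWED_ATTRS. Whitespace/control chars are removed before the scheme check.
def safe_attribute?(name, value, strict)
  return false if name.start_with?('on')
  return false if strict && !ALLOWED_ATTRS.include?(name)
  if %w[href src].include?(name)
    scheme = value.gsub(/[\s\x00-\x1f]/, '').downcase
    return false if scheme.start_with?('javascript:')
  end
  true
end

ATTR_RE = /([a-z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/i

# Rebuild one tag with only the acceptable attributes; '' means drop the tag.
def clean_tag(closing, name, attrs, strict)
  name = name.downcase
  return '' if FORBIDDEN_TAGS.include?(name)
  return '' if strict && !ALLOWED_TAGS.include?(name)
  return "</#{name}>" if closing
  kept = attrs.scan(ATTR_RE).map do |n, dq, sq, bare|
    value = dq || sq || bare
    next unless safe_attribute?(n.downcase, value.to_s, strict)
    value.nil? ? n.downcase : "#{n.downcase}=\"#{value.gsub('"', '&quot;')}\""
  end.compact
  "<#{([name] + kept).join(' ')}>"
end

# The trunk-style fix: remove script/style elements together with their bodies,
# then scrub every remaining tag. With strict: false, <blink> and a stray </div>
# still pass, which is exactly the residue the post describes.
def sanitize_comment(html, strict: false)
  html = html.gsub(%r{<(script|style)\b[^>]*>.*?</\1\s*>}mi, '')
  html = html.gsub(/<![^>]*>/, '')   # HTML comments and other <!...> constructs
  html.gsub(%r{<(/?)([a-z][a-z0-9]*)([^>]*)>}i) { clean_tag($1 == '/', $2, $3, strict) }
end
```

Calling sanitize_comment with strict: true gives the older behaviour the post says may come back, where unknown tags and unbalanced closers are dropped rather than passed through.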