Any word on the progress of this fix or how long it might be until it
is done?

Thanks,
-Nic

On Mar 14, 7:16 am, hewbrocca <[email protected]> wrote:
> The problem is not working out how to unescape HTML -- CE already stores
> safe HTML unescaped in its database, having passed it through WhiteList
> before storing it to ensure that it is not, in fact, malicious. The problem
> is deciding when and how to override Haml's default escaping of HTML it
> sends to the browser. The safe thing to do is probably to override HTML
> escaping only where it's needed (preserve sanitized user formatting, etc.),
> but you could argue that since CE is very careful about what it already
> stores in the database and sends to the browser, you don't need the extra
> level of protection from Rails/Haml. I'm hoping Bruno will weigh in and
> suggest the right way to handle this such that he would accept a patch.
>
> --Hugh
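A small Ruby sketch of the approach Hugh describes, added here as an example and not CommunityEngine's own code or its WhiteList plugin: sanitize against an allowlist once on the way into the database, mark the result as already safe, and let the output layer escape everything except values carrying that mark. The SafeHtml class, the whitelist/store/render_* functions and the tag list are assumptions standing in for Rails' html_safe/SafeBuffer and Haml's default escaping.

```ruby
require 'cgi'

# Assumed stand-in for Rails' SafeBuffer: a String that was sanitized on input.
class SafeHtml < String; end

# Constructed allowlist; tags with attributes or outside this list are escaped.
ALLOWED_TAGS = %w[b i em strong p br].freeze
TAG_RE = %r{\A<(/?)([a-z0-9]+)\s*>\z}i

# Minimal allowlist sanitizer (stand-in for CE's WhiteList): keep only bare
# allowed tags, HTML-escape every other tag and all text. A stray '<' with no
# closing '>' is also caught by the tokenizer and escaped.
def whitelist(html)
  html.scan(/<[^>]*>?|[^<]+/).map do |tok|
    m = TAG_RE.match(tok)
    if m && ALLOWED_TAGS.include?(m[2].downcase)
      "<#{m[1]}#{m[2].downcase}>"
    else
      CGI.escapeHTML(tok)
    end
  end.join
end

# Storage step: sanitize once and record that the value is already safe.
def store(raw_user_html)
  SafeHtml.new(whitelist(raw_user_html))
end

# What Haml does with `= field` when escape_html is on: escape unconditionally,
# which double-escapes content that was already sanitized (the symptom in this thread).
def render_always_escaped(value)
  CGI.escapeHTML(value.to_s)
end

# The conservative override: pass through only values marked safe on input and
# keep escaping everything else, so an unsanitized string can never slip out raw.
def render_field(value)
  value.is_a?(SafeHtml) ? value.to_s : CGI.escapeHTML(value.to_s)
end

if __FILE__ == $0
  stored = store('<b>hello</b><script>alert(1)</script>')
  puts render_always_escaped(stored) # tags shown literally in the browser
  puts render_field(stored)          # bold renders, script text stays inert
end
```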

-- 
You received this message because you are subscribed to the Google Groups 
"CommunityEngine" group.