Nic, Which fix are you referring to, specifically? Thanks, Bruno On Wed, Apr 6, 2011 at 9:26 AM, Nic <[email protected]> wrote:
> Any word on the progress of this fix or how long it might be until it > is done? > > Thanks, > -Nic > > On Mar 14, 7:16 am, hewbrocca <[email protected]> wrote: > > The problem is not working out how to unescape HTML -- CE already stores > > safe HTML unescaped in its database, having passed it through WhiteList > > before storing it to ensure that it is not, in fact, malicious. The > problem > > is deciding when and how to override Haml's default escaping of HTML it > > sends to the browser. The safe thing to do is probably to override HTML > > escaping only where it's needed (preserve sanitized user formatting, > etc.), > > but you could argue that since CE is very careful about what it already > > stores in the database and sends to the browser, you don't need the extra > > level of protection from Rails/Haml. I'm hoping Bruno will weigh in and > > suggest the right way to handle this such that he would accept a patch. > > > > --Hugh > > -- > You received this message because you are subscribed to the Google Groups > "CommunityEngine" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/communityengine?hl=en. > > -- You received this message because you are subscribed to the Google Groups "CommunityEngine" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/communityengine?hl=en.
