Hi,

On 09:59 PM, renework wrote:
> While discussing markup and markdown I looked over wikiformat.c and noticed
> the case of selectively allowing HTML elements.
>
> I wonder what the threat is in allowing all HTML elements.

Submit the following ticket (or any equivalent example from http://ha.ckers.org/xss.html):

"I have found a bug in <SCRIPT>alert("Owned: XSS")</SCRIPT> your code"

As stated on Fossil's Admin -> Configuration page:

"CAUTION: when enabling, all HTML tags and attributes are accepted in the wiki. No sanitization is done. This means that it is very possible for malicious users to inject dangerous HTML, CSS and JavaScript code into your wiki."

Regards,
Twylite

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
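An added illustration of the "selectively allowing HTML elements" approach the quoted question refers to (constructed example, not Fossil's own wikiformat.c code): an allowlist filter that keeps a small fixed set of tags, drops every attribute on them, and escapes any other `<`/`>`, so the ticket text above reaches the browser as literal text rather than a script. The allowlist contents and the function names are assumptions made for this example.

```c
#include <ctype.h>
#include <string.h>

/* Constructed allowlist for this example; Fossil's real list lives in wikiformat.c. */
static const char *const allowed_tags[] = {
  "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "code", "pre"
};

/* Case-insensitive lookup of an n-byte tag name in the allowlist. */
static int tag_allowed(const char *name, size_t n) {
  for (size_t i = 0; i < sizeof allowed_tags / sizeof allowed_tags[0]; i++) {
    const char *a = allowed_tags[i];
    if (strlen(a) != n) continue;
    size_t j = 0;
    while (j < n && a[j] == tolower((unsigned char)name[j])) j++;
    if (j == n) return 1;
  }
  return 0;
}

/* Copy src into dst (capacity cap). Allowlisted tags are re-emitted in
 * canonical lower-case form with ALL attributes removed (so event handlers
 * such as onclick never survive); every other '<' or '>' is escaped as text.
 * Returns the number of bytes written (excluding the NUL), or -1 if dst is too small. */
int sanitize_wiki_html(const char *src, char *dst, size_t cap) {
  size_t o = 0;
#define PUT(s) do { size_t l_ = strlen(s); if (o + l_ >= cap) return -1; \
                    memcpy(dst + o, (s), l_); o += l_; } while (0)
  for (const char *p = src; *p; ) {
    if (*p != '<') {                         /* ordinary text: only '>' needs escaping */
      char t[2] = {*p, 0};
      if (*p == '>') PUT("&gt;"); else PUT(t);
      p++;
      continue;
    }
    const char *q = p + 1;
    int closing = (*q == '/');
    if (closing) q++;
    const char *name = q;
    while (isalnum((unsigned char)*q)) q++;
    size_t n = (size_t)(q - name);
    const char *end = strchr(q, '>');        /* first '>' ends the tag; a '>' inside a quoted
                                                attribute just turns the rest into escaped text */
    if (n > 0 && end && tag_allowed(name, n)) {
      PUT(closing ? "</" : "<");
      for (size_t i = 0; i < n; i++) { char t[2] = {(char)tolower((unsigned char)name[i]), 0}; PUT(t); }
      PUT(">");
      p = end + 1;                           /* everything between the name and '>' is dropped */
    } else {
      PUT("&lt;");                           /* unknown or unterminated tag: render literally */
      p++;
    }
  }
  if (o >= cap) return -1;
  dst[o] = 0;
  return (int)o;
#undef PUT
}
```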