Hi,
On 09:59 PM, renework wrote:
> While discussing markup and markdown I looked over wikiformat.c and noticed
> the case of selectively allowing HTML elements.
>
> I wonder what the threat is in allowing all HTML elements.
>
Submit the following ticket (or any equivalent example from 
http://ha.ckers.org/xss.html):

"I have found a bug in <SCRIPT>alert("Owned: XSS")</SCRIPT> your code"

As stated on Fossil's Admin -> Configuration page: "CAUTION: when 
enabling, all HTML tags and attributes are accepted in the wiki. No 
sanitization is done. This means that it is very possible for malicious 
users to inject dangerous HTML, CSS and JavaScript code into your wiki."

Regards,
Twylite
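As an added illustration of the element allowlist the reply refers to (this is example code written for this thread, not Fossil's wikiformat.c, and the allowlist contents are a constructed sample): tags whose element name is on the list pass through, and every other `<` or `>` is escaped so the browser shows `<SCRIPT>` as text instead of running it. It checks element names only; a real filter also has to vet attributes, which is why the admin warning mentions attributes as well.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Element names allowed through unescaped (constructed sample list, compared
 * case-insensitively; Fossil's real list lives in wikiformat.c). */
static const char *const allowed[] = {"b", "i", "em", "strong", "p", "br", "code", "ul", "li"};
static int is_allowed(const char *name, size_t len) {
  for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
    size_t j = 0;
    while (j < len && allowed[i][j] && tolower((unsigned char)name[j]) == allowed[i][j]) j++;
    if (j == len && allowed[i][j] == '\0') return 1;
  }
  return 0;
}

/* Append len bytes of s to out (capacity cap, current length *n); 0 if full. */
static int emit(char *out, size_t cap, size_t *n, const char *s, size_t len) {
  if (*n + len >= cap) return 0;
  memcpy(out + *n, s, len); *n += len; out[*n] = '\0';
  return 1;
}

/* Copy src into out. An allowlisted tag is copied verbatim; every other '<'
 * and '>' is escaped to text. Returns 1 on success, 0 if out is too small. */
int filter_html(const char *src, char *out, size_t cap) {
  size_t n = 0;
  out[0] = '\0';
  for (const char *p = src; *p; p++) {
    if (*p == '<') {
      const char *q = p + 1 + (p[1] == '/');   /* skip the '/' of a closing tag */
      const char *name = q;
      while (isalnum((unsigned char)*q)) q++;
      const char *end = strchr(q, '>');
      if (q > name && end && is_allowed(name, (size_t)(q - name))) {
        if (!emit(out, cap, &n, p, (size_t)(end - p) + 1)) return 0;
        p = end;                               /* loop's p++ steps past '>' */
      } else if (!emit(out, cap, &n, "&lt;", 4)) return 0;
    } else if (*p == '>') {
      if (!emit(out, cap, &n, "&gt;", 4)) return 0;
    } else if (!emit(out, cap, &n, p, 1)) return 0;
  }
  return 1;
}

int main(void) {  /* constructed sample modelled on the ticket text in the message */
  char out[256];
  if (filter_html("Bug in <SCRIPT>alert(\"x\")</SCRIPT> in <b>code</b>", out, sizeof out)) puts(out);
  return 0;
}
```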


_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
