Re: [fossil-users] What the danger of allowing all Html
Hi,

On 09:59 PM, renework wrote:
> While discussing markup and markdown I looked over wikiformat.c and noticed the case of selectively allowing HTML elements. I wonder what the threat is in allowing all HTML elements.

Submit the following ticket (or any equivalent example from http://ha.ckers.org/xss.html):

    I have found a bug in <SCRIPT>alert(Owned: XSS)</SCRIPT> your code

As stated on Fossil's Admin - Configuration page:

> CAUTION: when enabling, all HTML tags and attributes are accepted in the wiki. No sanitization is done. This means that it is very possible for malicious users to inject dangerous HTML, CSS and JavaScript code into your wiki.

Regards,
Twylite

___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] What the danger of allowing all Html
On Thu, May 6, 2010 at 1:16 PM, Christophe Beauregard beauregar...@gmail.com wrote:
> Before I added the attribute scrubbing to CVSTrac (http://www.cvstrac.org/cvstrac/chngview?cn=610), we were seeing a lot of link spammers wrap their content in things like:
>
>     <p style=display: none>

It might be interesting to know that Google Code wiki does this as well, only accepting certain tags and eliding most attributes: http://code.google.com/p/support/wiki/WikiSyntax

--
- stephan beal
http://wanderinghorse.net/home/stephan/
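The two replies above describe the same defence from different angles: Twylite's point is that an unfiltered `<SCRIPT>` block runs in every reader's browser, and Christophe's is that even harmless-looking tags become a spam vehicle once arbitrary attributes (here `style`) are allowed through. The allowlist approach both CVSTrac and the Google Code wiki take (keep a small set of tags, drop almost all attributes) is shown below as an added, self-contained example; it is not Fossil's wikiformat.c, not CVSTrac's scrubber, and the tag and attribute sets, the `sanitize` function name and the sample inputs are this example's own assumptions.

```python
"""Allowlist HTML sanitizer for wiki input (added example, not Fossil code).

Policy: keep only tags in ALLOWED_TAGS, keep only attributes in ALLOWED_ATTRS,
drop <script>/<style> together with their contents, elide every other tag
but keep its text, and re-escape all text so nothing unbalanced leaks out.
"""
from html import escape
from html.parser import HTMLParser

# Assumed policy sets; a real wiki would tune these to its markup needs.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "pre",
                "ul", "ol", "li", "a", "h1", "h2", "h3", "blockquote"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # no style/on* anywhere
SAFE_SCHEMES = ("http://", "https://", "mailto:")
CONTENT_DROPPED_TAGS = {"script", "style"}     # tag AND body removed


def _safe_href(value: str) -> bool:
    """Accept relative links, fragments and a few explicit schemes only."""
    v = value.strip().lower()
    if v.startswith(("/", "#")):
        return True
    return v.startswith(SAFE_SCHEMES)          # rejects javascript:, data:, ...


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # entities decoded, we re-escape
        self.out: list[str] = []
        self.open_stack: list[str] = []          # allowed tags currently open
        self.drop_depth = 0                      # >0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in CONTENT_DROPPED_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return                               # unknown tag elided, text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                         # e.g. style="display: none"
            if name == "href" and not _safe_href(value or ""):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in CONTENT_DROPPED_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_stack:               # close down to it, fixing nesting
            while self.open_stack:
                t = self.open_stack.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                                     # comments never reach output

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def result(self) -> str:
        self.close()
        while self.open_stack:                   # close anything left open
            self.out.append("</%s>" % self.open_stack.pop())
        return "".join(self.out)


def sanitize(html: str) -> str:
    """Return `html` reduced to the allowlisted subset."""
    s = AllowlistSanitizer()
    s.feed(html)
    return s.result()


if __name__ == "__main__":
    # Constructed samples modelled on the two cases discussed in the thread.
    samples = [
        'I have found a bug in <SCRIPT>alert("XSS")</SCRIPT> your code',
        '<p style="display: none">cheap links <a href="http://example.com/">here</a></p>',
        '<a href="javascript:alert(1)">click</a>',
        '<b>unclosed bold',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize(s)))
```

Two design points matter more than the exact tag list. First, the parser decodes entities before the callbacks and the sanitizer re-escapes on output, so an attribute such as `href="javascript&#58;..."` is seen as `javascript:` and rejected, and stray `<` or `&` in text cannot produce new markup. Second, the output is rebuilt from scratch rather than patched in place, which is why unclosed or mis-nested input still yields balanced HTML.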
[fossil-users] What the danger of allowing all Html
While discussing markup and markdown I looked over wikiformat.c and noticed the case of selectively allowing HTML elements. I wonder what the threat is in allowing all HTML elements.

Rene