What XSS do you fix, eh?
Any HTML in double quotes: <script>alert('hi');</script>
Any HTML in referrers (see /referrers for this page).
Yes, we did know that. Our recent changes to the code should have been called a "limitation of XSS".
New information for us is that it also works with /referrers: thank you, RomanIvanov.
Not at all.
We already fixed all these issues in WackoWiki. But the fix for double quotes is sad: htmlspecialchars() on it.
For HTML insertion we include new formatting: <# #> (it makes fewer problems, because double quotes may be found in HTML (alt for 1x1.gif, for example)).
Also we add a wakka.conf option, allow_rawhtml, that is 0 by default.
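An added example, written for this page and not taken from WackoWiki or from anyone in the thread, of the mitigation the reply above describes: every piece of user text (page content or a referrer string shown on a /referrers page) goes through htmlspecialchars() with ENT_QUOTES so it cannot break out of a double-quoted attribute, and a <# ... #> block is passed through raw only when the allow_rawhtml option is on. The function names, the $config array standing in for wakka.conf, and the sample strings are assumptions made for the example.

```php
<?php
// Added example (not WackoWiki's own code). $config stands in for the
// wakka.conf values; only allow_rawhtml is modelled, default 0 as in the thread.
$config = ['allow_rawhtml' => 0];

function escape_text(string $s): string
{
    // ENT_QUOTES escapes both " and ', so text that lands inside a quoted
    // attribute (or a referrer URL echoed on a /referrers page) cannot close it.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_wiki(string $src, array $config): string
{
    $allowRaw = !empty($config['allow_rawhtml']);
    $out = '';
    $pos = 0;
    // Walk over <# ... #> blocks; everything outside them is always escaped.
    while (preg_match('/<#(.*?)#>/s', $src, $m, PREG_OFFSET_CAPTURE, $pos)) {
        $start = $m[0][1];
        $out .= escape_text(substr($src, $pos, $start - $pos));
        // Raw block: passed through only when the option is on, escaped otherwise.
        $out .= $allowRaw ? $m[1][0] : escape_text($m[1][0]);
        $pos = $start + strlen($m[0][0]);
    }
    $out .= escape_text(substr($src, $pos));
    return $out;
}

// Constructed sample inputs: a double-quoted payload like the one quoted in the
// thread, a referrer-style string, and an <# #> block with a double-quoted alt.
$samples = [
    'Any HTML in double quotes: "<script>alert(\'hi\');</script>"',
    'http://example.invalid/?q="><script>alert(1)</script>',
    'Image: <# <img src="1x1.gif" alt="spacer"> #>',
];

foreach ($samples as $s) {
    echo render_wiki($s, $config), PHP_EOL;                  // allow_rawhtml = 0: everything escaped
    echo render_wiki($s, ['allow_rawhtml' => 1]), PHP_EOL;   // allow_rawhtml = 1: only <# #> content raw
}
```

With the default setting the script tags in all three samples come out as `&lt;script&gt;` text and the double quotes as `&quot;`, so nothing can terminate an attribute; flipping allow_rawhtml to 1 changes only the third sample, whose <# #> body is emitted as written. Keeping the raw path behind a single option that defaults off is what makes the setting auditable: a grep for allow_rawhtml in the config tells you whether any page can inject markup at all.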