PagePrincipale :: DerniersChangements :: DerniersCommentaires :: ParametresUtilisateur :: Vous êtes
what XSS do you fix, eh?

Any HTML in double quotes: <script>alert('hi');</script>
Any HTML in referrers (see /referres for this page).
-- RomanIvanov.

Yes we did know that. Our recent changes on the code should have been said "limitation of XSS".
A new information for us is that it also work with /referrers : thank you RomanIvanov !
-- CharlesNepote.

Not at all.
We already fix all this issues in WackoWiki. But fix for double quotes is sad: htmlspecialchars() on it.
For html insertion we include new formatting: <# #> (it makes less problems, because double quotes may be found in HTML (alt for 1x1.gif, for example)).
Also we add wakka.conf option: allow_rawhtml that is 0 by default.

We have plans to create safe_html formatter that will cleanup any possible danger html from <# #> (not only javascript, but embed, object, applet, dynsrc and many other things).
-- RomanIvanov.
Il n'y a pas de commentaire sur cette page. [Afficher commentaires/formulaire]