What XSS do you fix, eh?
Any HTML in double quotes: <script>alert('hi');</script>
Any HTML in referrers (see /referrers for this page).
--
RomanIvanov.
Yes, we did know that. Our recent changes to the code should have said "limitation of XSS".
New information for us is that it also works with /referrers: thank you, RomanIvanov!
--
CharlesNepote.
Not at all.
We already fixed all these issues in WackoWiki. But the fix for double quotes is sad: htmlspecialchars() on it.
For HTML insertion we included a new formatting: <# #> (it causes fewer problems, because double quotes may be found in HTML (alt for 1x1.gif, for example)).
Also we added a wakka.conf option: allow_rawhtml, which is 0 by default.
We have plans to create a safe_html formatter that will clean up any possibly dangerous HTML from <# #> (not only javascript, but embed, object, applet, dynsrc and many other things).
--
RomanIvanov.
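The layering Roman describes (escape all wiki text, allow HTML only inside <# #>, gate that behind allow_rawhtml, then run it through a safe_html filter), as an added PHP sketch that is not WackoWiki's own code. safe_html(), format_wiki(), the allowlist and the sample input are assumptions constructed for this illustration.

```php
<?php
// Added illustration, not WackoWiki's own code: wiki text goes through htmlspecialchars();
// <# ... #> is honoured only when allow_rawhtml is set, and even then passes through a
// hypothetical safe_html() allowlist filter. Function names and the allowlist are assumptions.

function safe_html(string $html): string {
    $allowed_tags  = ['b', 'i', 'em', 'strong', 'p', 'br', 'img', 'a', 'ul', 'ol', 'li'];
    $allowed_attrs = ['href', 'src', 'alt', 'title'];
    $doc = new DOMDocument();
    @$doc->loadHTML('<div>' . $html . '</div>', LIBXML_HTML_NODEFDTD); // wrap the fragment
    $root  = $doc->getElementsByTagName('div')->item(0);
    $xpath = new DOMXPath($doc);
    // Snapshot the node list: removing nodes while walking a live list skips siblings.
    foreach (iterator_to_array($xpath->query('.//*', $root)) as $el) {
        if (!in_array($el->nodeName, $allowed_tags, true)) {
            // script, embed, object, applet, ...: drop element and contents, so a script body never leaks as text.
            $el->parentNode->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            // Drops on*, style, dynsrc and any href/src not http(s) or relative (DOM gives decoded values).
            $bad_url = in_array($attr->name, ['href', 'src'], true)
                && !preg_match('~^(https?://|/|[^:]*$)~i', trim($attr->value));
            if (!in_array($attr->name, $allowed_attrs, true) || $bad_url) {
                $el->removeAttribute($attr->name);
            }
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
function format_wiki(string $text, array $conf): string {
    // Odd-indexed chunks are the insides of <# ... #> blocks.
    $parts = preg_split('/<#(.*?)#>/s', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $chunk) {
        $out .= ($i % 2 === 1 && !empty($conf['allow_rawhtml']))
            ? safe_html($chunk)
            : htmlspecialchars($chunk, ENT_QUOTES, 'UTF-8'); // plain text, or raw HTML when allow_rawhtml = 0
    }
    return $out;
}
// Constructed sample: quoted text plus a raw block holding a quoted alt attribute and an inline script.
$sample = 'Say "hi" <# <img src="1x1.gif" alt="x" onerror="alert(1)"><script>alert(1)</script> #>';
echo format_wiki($sample, ['allow_rawhtml' => 0]), "\n"; // everything rendered as escaped text
echo format_wiki($sample, ['allow_rawhtml' => 1]), "\n"; // image kept, handler attribute and script removed
```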