Merge lp:~quam-plures-core/quam-plures/xss-in-balance-tags_alternate into lp:quam-plures
Proposed by: Tilman Blumenbach

Status: | Merged
---|---
Merged at revision: | 7600
Proposed branch: | lp:~quam-plures-core/quam-plures/xss-in-balance-tags_alternate
Merge into: | lp:quam-plures
Diff against target: | 64 lines (+8/-16), 2 files modified: qp_inc/_core/_param.funcs.php (+2/-10), qp_inc/xhtml_validator/_xhtml_validator.class.php (+6/-6)
To merge this branch: | bzr merge lp:~quam-plures-core/quam-plures/xss-in-balance-tags_alternate
Related bugs: |

Reviewer | Review Type | Date Requested | Status
---|---|---|---
Yabs (community) | | | Approve

Review via email: mp+53662@code.launchpad.net
Description of the change
-------
This is an alternative to https:/
Proposed merge to make reviewing easier.
-------
This branch fixes bug 736035 by basically removing any processing instructions in user-supplied HTML. It also moves some HTML hacks to better suited locations.
At the moment, this removes the dangerous tokens; it may be wise to escape them instead ("<?" becomes "&lt;?" and "<!" becomes "&lt;!" -- this would make it possible to simply use "<!--" instead of having to write "&lt;!--" in comments etc.).
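
The trade-off raised in the comment above, as an added example that is not part of the merge proposal or the Quam Plures code base: removing the "<?" and "<!" openers versus escaping them. The function names and sample strings are hypothetical and constructed for illustration.

```php
<?php
// Added example, not Quam Plures code. Function names are hypothetical.

/** Strategy 1: remove "<?" and "<!" openers from user-supplied HTML. */
function strip_markup_openers(string $html): string
{
    // One str_replace() pass is not enough: removing the inner token from
    // "<<??" leaves a fresh "<?" behind, so repeat until nothing changes.
    do {
        $before = $html;
        $html = str_replace(['<?', '<!'], '', $html);
    } while ($html !== $before);
    return $html;
}

/** Strategy 2: escape the leading "<" so the token is displayed as text. */
function escape_markup_openers(string $html): string
{
    // The replacement begins with "&", so it can never combine with a
    // preceding "<" into a new opener; a single pass is sufficient.
    return str_replace(['<?', '<!'], ['&lt;?', '&lt;!'], $html);
}

// Constructed sample inputs.
$samples = [
    'Hello <?php echo 1; ?> world',  // processing instruction
    'How to write <!-- a comment',   // user wants to show the literal token
    'x <<??y',                       // openers nested inside each other
];

foreach ($samples as $s) {
    foreach (['strip_markup_openers', 'escape_markup_openers'] as $fn) {
        $out = $fn($s);
        // Neither strategy may leave a live opener in its output.
        if (strpos($out, '<?') !== false || strpos($out, '<!') !== false) {
            throw new RuntimeException("$fn left an opener in: $out");
        }
        printf("%-22s %-30s => %s\n", $fn, $s, $out);
    }
}
```

Escaping keeps the user's text visible (the second sample renders as a literal "<!--"), but it only holds if nothing later in the output path decodes the entities again.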