On 01/05/2014 10:34 AM, Matthew Toseland wrote:
> First off, themes *are* filtered. Secondly, he's talking about freesites
I can't find a place where they are filtered. The Configuration > Web Interface > "Override the CSS with a custom one" setting has "WARNING: CSSes can be dangerous and won't be filtered! use at your own risks." in its description. It is served through StaticToadlet, and StaticToadlet does not perform filtering. [0][1]

> mainly, and I agree we need more CSS3 support. Work on the content
> filter (src/freenet/client/filter/CSSTokenizerFilter.java) is fairly
> self-contained and not dependent on any larger refactoring: Just keep it
> reasonably clean and *strictly whitelist only* (i.e. only pass what you
> understand, stick to the spec, be conservative even within the spec e.g.
> just because it's okay to put quotes in a class id doesn't mean we
> should allow it, see the mXSS stuff for why), and it could be a big gain
> for a relatively small amount of work.

Agreed.

> [snip]

[0] https://github.com/freenet/fred-staging/blob/next/src/freenet/clients/http/SimpleToadletServer.java#L300
[1] https://github.com/freenet/fred-staging/blob/next/src/freenet/clients/http/StaticToadlet.java#L77
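A whitelist-only CSS filter in the spirit of the approach quoted above, as an added illustration and not code from fred's CSSTokenizerFilter: every selector, property and value has to match a grammar the filter explicitly understands, and anything else (at-rules, escapes, quotes, `url(...)`, `expression(...)`, unknown properties) is dropped rather than passed through. The CSS subset, the property table and the sample stylesheet are constructed for this example and are far smaller than what a real filter would need.

```python
import re

# --- The whitelisted grammar (assumption: a deliberately tiny CSS subset) ---
IDENT = r"-?[A-Za-z_][A-Za-z0-9_-]*"                       # no escapes, quotes or non-ASCII
SIMPLE = rf"(?:{IDENT}(?:[.#]{IDENT})*|(?:[.#]{IDENT})+)"  # tag, tag.class, #id, .a.b
SELECTOR = re.compile(rf"^{SIMPLE}(?:\s+{SIMPLE})*$")      # descendant combinator only
LENGTH = re.compile(r"^(?:0|[0-9]{1,4}(?:\.[0-9]{1,2})?(?:px|em|%))$")
HEX_COLOR = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")
NAMED_COLORS = {"black", "white", "red", "green", "blue", "gray", "transparent"}


def is_color(value):
    return value.lower() in NAMED_COLORS or bool(HEX_COLOR.match(value))


def is_lengths(value, most=4):
    parts = value.split()
    return 1 <= len(parts) <= most and all(LENGTH.match(p) for p in parts)


def one_of(*words):
    return lambda value: value.lower() in words


# Property -> value validator. A property not listed here is dropped, whatever its value.
PROPERTIES = {
    "color": is_color,
    "background-color": is_color,
    "margin": is_lengths,
    "padding": is_lengths,
    "width": lambda v: is_lengths(v, 1),
    "font-weight": one_of("normal", "bold"),
    "text-align": one_of("left", "right", "center"),
}


def _split_rules(css):
    """Yield (text_before_brace, body) for each top-level `... { body }` block.
    Unbalanced braces stop the scan; the remainder is silently dropped."""
    i, n = 0, len(css)
    while i < n:
        open_ = css.find("{", i)
        if open_ < 0:
            break
        depth, j = 1, open_ + 1
        while j < n and depth:
            depth += {"{": 1, "}": -1}.get(css[j], 0)
            j += 1
        if depth:
            break
        yield css[i:open_], css[open_ + 1:j - 1]
        i = j


def filter_css(css):
    """Return (filtered_css, dropped). `dropped` lists (kind, text) for every rejected piece."""
    kept, dropped = [], []
    for head, body in _split_rules(css):
        # Block-less statements such as `@import ...;` sit before the selector; drop them.
        statements, _, selector = head.rpartition(";")
        if statements.strip():
            dropped.append(("statement", statements.strip()))
        selector = selector.strip()
        if selector.startswith("@") or "{" in body:      # at-rules and nested blocks
            dropped.append(("rule", selector))
            continue
        selectors = [s.strip() for s in selector.split(",")]
        if not all(SELECTOR.match(s) for s in selectors):
            dropped.append(("selector", selector))
            continue
        decls = []
        for decl in body.split(";"):
            if not decl.strip():
                continue
            prop, sep, value = decl.partition(":")
            prop, value = prop.strip().lower(), " ".join(value.split())
            check = PROPERTIES.get(prop)
            if sep and check and check(value):
                decls.append(f"{prop}:{value}")
            else:
                dropped.append(("declaration", decl.strip()))
        if decls:
            kept.append(",".join(selectors) + "{" + ";".join(decls) + "}")
    return "\n".join(kept), dropped


# Constructed sample input: a mix of acceptable rules and things the filter must refuse.
CSS_SAMPLE = """
@import url("http://example.invalid/evil.css");
body { color: #ff0000; background-image: url(javascript:alert(1)); margin: 0 1em; }
.a\\"b { color: red }
div p, .note { font-weight: bold; width: expression(alert(1)); }
h1 { color: Blue; }
"""

if __name__ == "__main__":
    out, dropped = filter_css(CSS_SAMPLE)
    print(out)
    for kind, text in dropped:
        print(f"dropped {kind}: {text}")
```

The design point is that the filter fails closed: it never tries to recognise dangerous constructs, it only recognises safe ones, so an escape sequence in a class name or a comment inside a value simply falls outside the grammar and is discarded along with its rule. Extending support for a new property means writing a validator for its value syntax, not loosening the tokenizer.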
_______________________________________________
Devl mailing list
Devl@freenetproject.org
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl