tags 389523 +upstream
tags 389523 +confirmed
thanks
Hi,
The disabled HTML is intented to be a temporary solution to some farily
serious security flaws. Blindly trusting the HTML from any RSS/Atom feed
is clearly not acceptable. An ideal solution would be to relibably
prevent any script from being executed in the html.
The problem with this is that sanitizing HTML to remove any javascript
(robustly) is non-trivial, and I'm somewhat worried that if I try to do
it myself quickly that I'll open a whole bunch of new securitiy
vulnerabilities. Part of the thing that makes this hard is the multitude
of different ways javascript can be included in an html file:
<a href="javascript:alert('Hello');">
<div onMouseOver="alert('Hello');"> (or any other event type onX)
<script language="javascript">
I've also seen some devious ones that encode the characters or use some
kind of trick with CSS to inject it.
... and probably more. If you know of a free javascript implementation
of a sanitizer that handles all this, let me know and I'll include it
now. Otherwise I'm going to have to work with upstream to resolve this
properly, which may take a while.
Thanks,
Alan
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
