On Thu, Aug 23, 2012 at 10:50 AM, Matthew Wilkes <[email protected]> wrote:
> I would be hesitant to change this by default, as it means that if a
> malicious user can get cookies set for another user they can insert
> arbitrary HTML.
It would be awfully convenient to have sanitized rich text in the messages though. I want to even just style some text in them or bold some part of the message. Surely there is a cross-site-attack-proof way to handle these narrow cases, maybe cleaning the cookie value prior to insertion as HTML? Ideas?

Sean

_______________________________________________
Product-Developers mailing list
[email protected]
https://lists.plone.org/mailman/listinfo/plone-product-developers
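One way to get the "narrow cases" Sean asks about without trusting the cookie as HTML is an allow-list sanitizer: parse whatever the cookie carries, keep only a handful of bare inline tags, and escape everything else as text. The example below is added here to illustrate that approach; it is not Plone's status-message code and not code from anyone in the thread. The cookie name `statusmessage`, the URL-encoded cookie value, and the helper names are assumptions made for illustration.

```python
"""Allow-listed inline markup for a cookie-carried status message.

Added example for this thread; it is not Plone code and not code from the
thread's authors. The cookie name, the URL-encoded value, the helper names
and the sample cookie header are assumptions made for illustration.
"""
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# The only tags that survive. Attributes are never copied through, so an
# onmouseover=, style= or href= cannot ride in on an otherwise harmless tag.
ALLOWED_TAGS = frozenset({"b", "i", "strong", "em"})


class _AllowlistSanitizer(HTMLParser):
    """Rebuild the input, keeping allow-listed tags and escaping the rest."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._out = []
        self._open = []  # allow-listed tags currently open, for balancing

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self._out.append(f"<{tag}>")  # attrs deliberately dropped
            self._open.append(tag)
        # A disallowed tag emits nothing; its text content still arrives via
        # handle_data and is escaped there, so <script>alert(1)</script>
        # degrades to the visible text "alert(1)".

    def handle_startendtag(self, tag, attrs):
        pass  # self-closing forms such as <b/> carry nothing we want

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self._open:
            # Close down to the matching tag so the output stays well nested
            # even if the input interleaves tags (<b><i>x</b></i>).
            while self._open:
                closed = self._open.pop()
                self._out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # convert_charrefs=True has already decoded &lt; etc. into text, so
        # escaping here cannot be bypassed with pre-encoded entities.
        self._out.append(html.escape(data, quote=True))

    # Comments, <!DOCTYPE> and <?pi?> fall through to HTMLParser's no-op
    # handlers and are dropped.

    def result(self):
        self.close()  # flush any buffered text
        while self._open:  # close whatever the input left open
            self._out.append(f"</{self._open.pop()}>")
        return "".join(self._out)


def sanitize_message(raw):
    """Return raw reduced to text plus bare <b>, <i>, <strong>, <em> tags."""
    parser = _AllowlistSanitizer()
    parser.feed(raw)
    return parser.result()


def render_status_from_cookie(cookie_header):
    """Pull the assumed 'statusmessage' cookie (URL-encoded value) out of a raw
    Cookie header and return HTML that is safe to splice into a page."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "statusmessage":
            return sanitize_message(unquote(value))
    return ""


if __name__ == "__main__":
    # Constructed Cookie header: what a user could set in their own browser,
    # or what someone who can set cookies for another user would plant.
    hostile = ("statusmessage=%3Cb%20onmouseover%3D%22alert(1)%22%3ESaved"
               "%3C%2Fb%3E%20%3Cscript%3Ealert(1)%3C%2Fscript%3E")
    print(render_status_from_cookie(hostile))  # <b>Saved</b> alert(1)
```

This keeps the bold/italic styling Sean wants while turning every tag outside the allow list, and every attribute on the allowed ones, into inert text. It only answers the HTML-injection half of Matthew's concern, though: whoever can set the cookie can still make the page display any wording they like in the status box, so the message's text carries no more authority than before.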
