Yes, I enabled render_unsafe_html. We don't have an external TRAC, so I'm less concerned about attacks than I probably should be. I am using PHP (CodeIgniter) to render chunks of page contents without the page headers, and it seems to work well. For instance, emitting a table by itself works well without page header, etc.

Dan Winslow
Director of Information Technology, AIM INSTITUTE
1905 Harney Street, Suite 700
Omaha, NE 68102
402-345-5025 x156
[email protected]
www.aiminstitute.org

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Hal
Sent: Thursday, June 10, 2010 9:58 AM
To: Trac Users
Subject: [Trac] Re: Inserting HTML from arbitrary URL into a wiki page

On Jun 9, 11:35 am, "Noah Kantrowitz" <[email protected]> wrote:
> The Include macro does this, with the appropriate flags set.
>
> Disclaimer: May cause security holes and CSRF/XSS attacks.
>
> --Noah

Dan,

FWIW, depending on your need, you may need to modify the include macro. I fought with it a bit this last weekend. There is no way to say "get me the content (body) of the HTML page at XXXX", so you only get to render the entire page, including <head /> section. Since <html /> is not considered "safe" by Genshi, the net effect is nothing is rendered. (It might be if you enable render_unsafe_html, but that is not something I've explored.)

There are a number of patches posted to address the issue, if your needs aren't met out-of-the-box.

--Hal

--
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/trac-users?hl=en.
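
An added example, not code from this thread, the Include macro, or Trac: one way to keep only the body of a fetched page and pass it through an allowlist, so that enabling render_unsafe_html is not the only route to getting a table rendered. The names `BodyFragment` and `safe_body_fragment` and the allowlists are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Allowlists assumed for this example; extend to what the included pages need.
ALLOWED_TAGS = set("table thead tbody tr th td p b i em strong ul ol li a".split())
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan"}, "th": {"colspan"}}
DROP_WITH_CONTENT = {"head", "script", "style"}  # element and everything in it
SAFE_SCHEMES = ("http://", "https://")

class BodyFragment(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:  # <html>, <body> are not emitted
            kept = ""
            for name, value in attrs:
                value = (value or "").strip()
                ok = name in ALLOWED_ATTRS.get(tag, ())  # drops on*, style, id
                if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                    ok = False  # drops javascript:, data: and relative links
                if ok:
                    kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is re-escaped

def safe_body_fragment(page):
    parser = BodyFragment()
    parser.feed(page)
    parser.close()  # flush any text still buffered by the parser
    return "".join(parser.out)

# Constructed sample: a full page whose body holds one table and hostile extras.
SAMPLE = ('<html><head><title>t</title><script>alert(1)</script></head>'
          '<body onload="x()"><table><tr><td colspan="2" onclick="y()">A &amp; B'
          '</td></tr></table><a href="javascript:z()">bad</a></body></html>')
print(safe_body_fragment(SAMPLE))
```

A page with an unclosed `<head>` or `<script>` yields an empty fragment, which fails closed rather than emitting unfiltered markup.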
