On Dec 6, 2005, at 1:07 AM, Piers Cawley wrote:

> Piers Cawley <[EMAIL PROTECTED]> writes:
>
>> [EMAIL PROTECTED] writes:
>>
>>> With a Typo 2.6 install, I see properly formed hyperlinks in comments on
>>> blog entries are being rendered as plain text. The comments filter is set
>>> to Markdown with Smartypants.
>>>
>>> Bug? Feature? User error?
>>
>> A glance at test/functional/articles_controller_test.rb seems to imply
>> it's a bug.
>
> But I'm looking at the trunk, not 2.6, so it might be a little longer
> before I take a closer look.
With 2.6 (or any version before about 3 days ago, minus a few bugs), *all* HTML was stripped out of comment bodies. If you wanted a link, then you needed to ask for one using Markdown or Textile, because the user wasn't allowed to enter HTML directly.

This broke somewhere along the way in the trunk, which caused an XSS vulnerability, which is the main reason that we'd restricted HTML in the first place.

The fix that's currently in place in the trunk doesn't actually block HTML (although we might turn that back on soon); it uses Rails' sanitize function to remove <script> and other JavaScript from the source HTML. So users can still add <blink> and friends, and they can screw up the site's formatting by putting in naked </div>s, but by and large I think we're headed in the right direction.

Scott

_______________________________________________
Typo-list mailing list
[email protected]
http://rubyforge.org/mailman/listinfo/typo-list
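The two comment-body policies Scott contrasts (strip every tag and build links only from Markdown-style syntax, versus keep an allowlist of tags and drop script), as an added example in plain Ruby that is not Typo's code and not Rails' sanitize. The tag allowlist, the http/https-only link rule and the regex tag scanning are assumptions made for this illustration; Rails' sanitizer is parser-based, which is what a production comment filter should rely on.

```ruby
require "cgi"

# Policy 1 (the 2.6 behaviour described above): no raw HTML survives.
# Every tag is escaped, and the only way to get a link is the Markdown-style
# [text](http://url) form with an explicit http/https scheme.
def strip_all_html(comment)
  escaped = CGI.escapeHTML(comment)
  escaped.gsub(%r{\[([^\]]+)\]\((https?://[^\s)]+)\)}) do
    %(<a href="#{$2}">#{$1}</a>)
  end
end

# Policy 2 (the trunk behaviour described above): raw HTML is allowed, but
# only an allowlist of harmless tags is kept, all attributes other than a
# safe href are dropped, and <script> blocks vanish with their contents.
ALLOWED_TAGS = %w[a b i em strong p blockquote code pre].freeze # assumed list
TAG_RE = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>}m

def sanitize_html(comment)
  body = comment.gsub(%r{<script\b[^>]*>.*?</script>}mi, "")
  body.gsub(TAG_RE) do
    closing, name, attrs = $1, $2.downcase, $3
    # Unknown tags (div, blink, svg, ...) are rendered as literal text.
    next CGI.escapeHTML($&) unless ALLOWED_TAGS.include?(name)
    next "</#{name}>" if closing == "/"
    if name == "a"
      href = attrs[/\bhref\s*=\s*["']?([^"'\s>]+)/i, 1]
      # Keep the link only for an explicit http/https URL; this rejects
      # javascript: and other script-carrying schemes.
      next %(<a href="#{CGI.escapeHTML(href)}">) if href && href.match?(%r{\Ahttps?://}i)
      next "<a>"
    end
    "<#{name}>" # every other attribute (onclick=, style=, ...) is dropped
  end
end
```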
