https://bugzilla.wikimedia.org/show_bug.cgi?id=35491

--- Comment #7 from Krinkle <[email protected]> ---
(In reply to comment #4)
> ..providing tools to browse/access AFT CSV dumps ;)
> 

And you didn't escape the output to the browser? That doesn't only impose
security issues (malicious javascript may be the least of your worries), it is
also incorrect and can cause content to be incorrectly displayed.

No worries, simple mistake to make. But do understand it!

Per "Good security through lazyness", escaping is not related to security,
meaning you must not consider it to be a security measure. It is a content
measure. If a user comments that they:
> would like something to be <than 500 but>100

It should be outputted like that, just like bugzilla did. And it will when you
properly escape it. If you don't escape it, you'll get this:
> like foo to 100

Because:
> <p>like foo to <than 500="" but="">100</than></p>

Omitting bogus entries is good and useful for analytical purposes. Even better
to keep track of how many were bogus and how many real.

But stripping characters from the comments because they are dangerous as HTML,
is a whole other thing. It will corrupt the data. The problem is that you must
not consider the contents HTML, they're text. Output and use them as such and
there is no problem whatsoever.

Unless repurposing this bug to find a way to omit bogus entries entirely (in a
way more advanced than stripping something that might look like javascript),
please wontfix.

_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
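An added example (not Krinkle's code and not the AFT dump tool discussed in the bug) that walks through the three outcomes the comment describes: the unescaped comment being parsed as a `<than ...>` tag, the escaped comment surviving intact, and a strip-tags "fix" silently losing data. The one-row CSV layout is a constructed assumption, not the real AFT dump format.

```python
import csv
import html
import io
import re
from html.parser import HTMLParser

# Constructed sample row; the column layout is hypothetical.
SAMPLE_CSV = 'page,comment\nExample,"would like something to be <than 500 but>100"\n'


def comments(csv_text):
    """Read the free-text comment column out of a CSV dump."""
    return [row["comment"] for row in csv.DictReader(io.StringIO(csv_text))]


def render_row(comment, escape):
    """Wrap a comment in <p>, either treating it as text (escaped) or as HTML."""
    body = html.escape(comment, quote=True) if escape else comment
    return f"<p>{body}</p>"


class TextOnly(HTMLParser):
    """Approximates what a browser shows: collected text plus the tags it saw."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))

    def handle_data(self, data):
        self.text.append(data)


def browser_view(markup):
    """Return (visible text, [(tag, attrs), ...]) for a markup fragment."""
    parser = TextOnly()
    parser.feed(markup)
    parser.close()
    return "".join(parser.text), parser.tags


def strip_tags(comment):
    """The 'strip dangerous characters' approach: removes anything tag-like,
    which corrupts legitimate text such as '<than 500 but>'."""
    return re.sub(r"<[^>]*>", "", comment)
```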