On Thu, Jan 29, 2015 at 5:38 PM, Brad Jorsch (Anomie) <[email protected]> wrote:

> On Thu, Jan 29, 2015 at 2:47 PM, Arlo Breault <[email protected]> wrote:
>
> > https://gerrit.wikimedia.org/r/#/c/181519/
> >
>
> To clarify, the possible solutions seem to be:
>
> 1. Unstrip the marker and then encode the content. This is a security hole
> (T73167)

I'd be inclined to unstrip the marker *and squash HTML to plaintext*, then encode the plaintext...

-- brion

> 2. Encode the marker. This results in strip markers in the output.
>
> 3. Ignore the marker. This leaves non-encoded content in the middle of what
> is supposed to be encoded content.
>
> 4. Remove the marker. This loses whatever is inside the marker.
>
> 5. Just output an error, to make it obvious something stupid is going on.
>
> There's no good option, so which of 2, 3, 4, and 5 is least bad?
>
>
> --
> Brad Jorsch (Anomie)
> Software Engineer
> Wikimedia Foundation
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
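
A toy Python model of options 2 to 5 and of the squash-then-encode variant from the reply, added here as an illustration; it is not code from the thread, the Gerrit change, or MediaWiki. The marker syntax, the percent-encoding stand-in for the encoder, the error text, and all function names are assumptions; option 1 is not modelled.

```python
import re
from html.parser import HTMLParser
from urllib.parse import quote

# Hypothetical marker syntax for this model, not MediaWiki's real format.
MARKER = re.compile("\x7fMARK-(\\d+)\x7f")
ERROR = "[error: strip marker inside encoded input]"  # hypothetical message

def encode(text):
    """Stand-in encoder (percent-encoding) for the real parser function."""
    return quote(text, safe="")

def unstrip(text, store):
    """Later parser pass: swap each surviving marker for its stored HTML."""
    return MARKER.sub(lambda m: store[int(m.group(1))], text)

class _TextOnly(HTMLParser):
    """Keeps character data only: tags dropped, entities decoded."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
    def handle_data(self, data):
        self.parts.append(data)

def squash(html_text):
    parser = _TextOnly()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.parts)

def option2_encode_marker(text, store):
    return unstrip(encode(text), store)  # marker is mangled, so it stays in output

def option3_ignore_marker(text, store):
    pieces = re.split("(\x7fMARK-\\d+\x7f)", text)
    kept = "".join(p if MARKER.fullmatch(p) else encode(p) for p in pieces)
    return unstrip(kept, store)  # raw HTML lands inside encoded text

def option4_remove_marker(text, store):
    return encode(MARKER.sub("", text))  # stored content is lost

def option5_error(text, store):
    return ERROR if MARKER.search(text) else encode(text)

def squash_then_encode(text, store):
    return encode(squash(unstrip(text, store)))

STORE = ["<b>a&amp;b</b>"]      # constructed sample content
TEXT = "x y\x7fMARK-0\x7f"      # constructed input to the encoder
```
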
