Opened 10 years ago

Closed 9 years ago

#1984 closed defect (fixed)

Railsport doesn't validate HTML in diary entries

Reported by: avar Owned by: Tom Hughes
Priority: minor Milestone: Wishlist
Component: website Version:
Keywords: rails Cc:

Description

If someone enters an unclosed HTML tag in a diary post it'll destroy the layout of the site, e.g.:

<div>

Change History (4)

comment:1 Changed 10 years ago by Tom Hughes

I'm not sure there's much we can do about this - we already run the rails HTML sanitizer on it and it's impossible to guess all the stupid things somebody might do.

comment:2 Changed 10 years ago by HannesHH

A quick web search led me to this: http://www.anyexample.com/webdev/rails/how_to_allow_some_safe_html_in_rails_projects.xml

If I understand that code right, it checks the escaped content for "full" tags (opened AND closed) before converting some tags back to HTML (unescaping the <>). That means properly closed tags will work and anything else will render like text.

I am not sure if it strips unwanted attributes (like style) too like the site currently does.
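The approach HannesHH describes above (escape everything, then convert back only tags that are properly opened AND closed), as an added Ruby example using only the standard library; this is neither the OSM site's code nor the code from the linked article, and the tag whitelist is an assumption:

```ruby
require 'cgi'

# Assumed whitelist of tags that may be restored; everything else stays escaped.
ALLOWED_TAGS = %w[b i em strong p].freeze

def safe_html(text, allowed = ALLOWED_TAGS)
  # Step 1: escape everything, so every '<' in the input is literal text.
  out = CGI.escapeHTML(text)
  allowed.each do |tag|
    # An escaped open tag (attributes tolerated but discarded), its content,
    # and the matching escaped close tag. Attributes may not contain
    # &lt; or &gt;, so a broken open tag cannot swallow later markup.
    pair = /&lt;#{tag}(?:\s(?:(?!&[lg]t;).)*)?&gt;(.*?)&lt;\/#{tag}&gt;/mi
    # Step 2: restore only complete pairs; repeat until nothing changes so
    # that nested same-name tags (<b>a<b>b</b>c</b>) still end up balanced.
    loop do
      restored = out.gsub(pair) { "<#{tag}>#{Regexp.last_match(1)}</#{tag}>" }
      break if restored == out
      out = restored
    end
  end
  out
end
```

An unclosed `<div>` comes out as the literal text `&lt;div&gt;`, and because step 2 rebuilds the open tag from its name alone, the `style` attribute asked about above never reaches the output.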

comment:3 Changed 10 years ago by Tom Hughes

Keywords: security removed
Milestone: Wishlist
Priority: major → minor

comment:4 Changed 9 years ago by Tom Hughes

Resolution: fixed
Status: new → closed

Fixed by new sanitizer added in r20340.
